Snort mailing list archives

RE: Snort not catching /bin/sh


From: Thomas Whipp <tkw () objectronix co uk>
Date: Thu, 11 Oct 2001 09:11:12 +0100

Might be a silly question, but are you sure both contents
were in the same packet when you tested? If they were
split across two packets then this rule would not match
them.
 
    Tom

-----Original Message-----
From: Barnes, Ross P ERDC-ITL-MS Contractor
[mailto:Ross.P.Barnes () erdc usace army mil]
Sent: 10 October 2001 22:26
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Snort not catching /bin/sh



Hello all, 

        I am running Snort 1.8 on a box with another IDS to
monitor traffic (no packet loss on either IDS). We have been
catching some telnetd buffer overflow attempts on the other
IDS with the signature content being /bin/sh, but not on
Snort. Both IDS are on the same box seeing the same traffic.
In the telnet.rules file, the corresponding rule that should
pick it up is

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET SGI telnetd format bug"; flags:A+; content:"_RLD"; content:"/bin/sh"; reference:arachnids,304;)

        Immediately, I thought that looked odd to have two
contents. I took out the content:"_RLD" and it still did not
show up as I attempted to hack a system while the other IDS
caught it. I then took out the content:"/bin/sh" and it
worked off the "_RLD" content. Now, both strings are in the
packet payload so why is Snort not picking up something as
clear as /bin/sh? Any help is greatly appreciated.
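The split-packet case Tom raises, shown as an added example that is not part of the thread and not Snort's own engine: a toy matcher pulls both content patterns out of the rule quoted above and checks them first against each TCP segment on its own, then against the reassembled stream. The rule text is copied from the message; the payload bytes are constructed.

```python
# Added example: how a rule with two content: options behaves when the
# matching bytes are split across TCP segments, per-packet versus reassembled.
import re

# Rule text as quoted in the thread.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET SGI telnetd '
        'format bug"; flags:A+; content:"_RLD"; content:"/bin/sh"; '
        'reference:arachnids,304;)')


def rule_contents(rule):
    """Extract every content:"..." pattern from a Snort rule, in rule order."""
    return [c.encode() for c in re.findall(r'content:"([^"]*)"', rule)]


def matches_payload(payload, patterns):
    """Every content pattern must appear in this one payload: with no
    reassembly, each packet is inspected on its own (Tom's point)."""
    return all(p in payload for p in patterns)


def per_packet_alerts(segments, patterns):
    """Indices of the segments that would alert when inspected individually."""
    return [i for i, seg in enumerate(segments) if matches_payload(seg, patterns)]


def reassembled_alert(segments, patterns):
    """Same check after the segments are joined back into one stream, which is
    what a stream reassembly stage would hand to the detection engine."""
    return matches_payload(b"".join(segments), patterns)


# Constructed sample traffic: identical bytes, once in a single segment and
# once split so that "_RLD" and "/bin/sh" arrive in different packets.
SINGLE = [b"AAAA_RLD" + b"\x90" * 8 + b"/bin/sh\x00"]
SPLIT = [b"AAAA_RLD" + b"\x90" * 8, b"/bin/sh\x00"]

if __name__ == "__main__":
    pats = rule_contents(RULE)
    print("patterns:", pats)
    print("single segment, per-packet alerts:", per_packet_alerts(SINGLE, pats))
    print("split segments, per-packet alerts:", per_packet_alerts(SPLIT, pats))
    print("split segments, after reassembly:", reassembled_alert(SPLIT, pats))
```

Dropping the second content: option, as Ross did, makes the per-packet check fire on the first segment alone, which is the behaviour he observed.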
