Snort mailing list archives
RE: Snort not catching /bin/sh
From: Thomas Whipp <tkw () objectronix co uk>
Date: Thu, 11 Oct 2001 09:11:12 +0100
might be a silly question but are you sure both contents were in the same packet when you tested - if they were split across two packets then this rule would not match them.

Tom

-----Original Message-----
From: Barnes, Ross P ERDC-ITL-MS Contractor [mailto:Ross.P.Barnes () erdc usace army mil]
Sent: 10 October 2001 22:26
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Snort not catching /bin/sh

Hello all,

I am running Snort 1.8 on a box with another IDS to monitor traffic (no packet loss on either IDS). We have been catching some telnetd buffer overflow attempts on the other IDS with the signature content being /bin/sh, but not on Snort. Both IDS are on the same box seeing the same traffic. In the telnet.rules file, the corresponding rule that should pick it up is

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET SGI telnetd format bug" ; flags: A+; content:"_RLD"; content:"/bin/sh";reference:arachnids,304;)

Immediately, I thought that looked odd to have two contents. I took out the content:"_RLD" and it still did not show up as I attempted to hack a system while the other IDS caught it. I then took out the content:"/bin/sh" and it worked off the "_RLD" content. Now, both strings are in the packet payload so why is Snort not picking up something as clear as /bin/sh? Any help is greatly appreciated.
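As an added illustration of Tom's point (this is not code from the thread or from Snort itself), a toy model of per-packet content matching: every content: option in a rule must be found in the same inspected buffer, so two contents that land in different TCP segments, or one string that straddles a segment boundary, go unseen until the segments are reassembled. The Packet class, reassemble() helper and the payloads below are constructed assumptions, not captured traffic.

```python
"""Toy model of per-packet multi-content rule matching (constructed example)."""
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class Packet:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # application data carried by this segment


# Both content: options from the telnet.rules signature in the thread.
RULE_CONTENTS = [b"_RLD", b"/bin/sh"]


def rule_matches(buffer: bytes, contents: Sequence[bytes] = RULE_CONTENTS) -> bool:
    """A rule fires only if every content string is present in ONE buffer."""
    return all(c in buffer for c in contents)


def packets_matching(packets: List[Packet],
                     contents: Sequence[bytes] = RULE_CONTENTS) -> List[int]:
    """Per-packet inspection: indices of segments in which the whole rule matches."""
    return [i for i, p in enumerate(packets) if rule_matches(p.payload, contents)]


def reassemble(packets: List[Packet]) -> bytes:
    """Join payloads in sequence order (toy: assumes no gaps, overlaps or retransmits).
    This is the stream-level view a reassembly preprocessor gives the rule engine."""
    return b"".join(p.payload for p in sorted(packets, key=lambda p: p.seq))


# Constructed payloads, not real exploit data; '.' stands in for filler bytes.
# Case 1: both strings in a single segment -> rule matches per packet.
same_packet = [Packet(1000, b"..._RLD...../bin/sh...")]
# Case 2: each string in its own segment -> neither packet satisfies both contents.
split_contents = [Packet(1000, b"..._RLD...."), Packet(1011, b"...../bin/sh...")]
# Case 3: "/bin/sh" itself straddles a segment boundary -> even a one-content
# rule for "/bin/sh" misses it per packet, while "_RLD" alone still fires.
split_string = [Packet(1000, b"..._RLD...../bin"), Packet(1016, b"/sh...")]
```

The same check applies to any per-packet signature: look at the capture to see whether the matched strings sit in one segment before concluding the rule itself is wrong.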