Snort mailing list archives

Snort not catching /bin/sh


From: "Barnes, Ross P ERDC-ITL-MS Contractor" <Ross.P.Barnes () erdc usace army mil>
Date: Wed, 10 Oct 2001 16:26:11 -0500

Hello all,

        I am running Snort 1.8 on a box with another IDS to monitor
traffic (no packet loss on either IDS). We have been catching some telnetd
buffer overflow attempts on the other IDS with the signature content being
/bin/sh, but not on Snort. Both IDS are on the same box seeing the same
traffic. In the telnet.rules file, the corresponding rule that should pick
it up is

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET SGI telnetd format bug"; flags: A+; content:"_RLD"; content:"/bin/sh"; reference:arachnids,304;)

        Immediately, I thought it looked odd to have two contents. I took
out the content:"_RLD" and it still did not show up as I attempted to hack a
system while the other IDS caught it. I then took out the content:"/bin/sh"
and it worked off the "_RLD" content. Now, both strings are in the packet
payload, so why is Snort not picking up something as clear as /bin/sh? Any
help is greatly appreciated.
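A small added example, not part of the original post and not Snort's own matching code, that reproduces the bisection done above in Python. It assumes the documented meaning of several content: options in a rule (every pattern must be found, each searched over the whole payload, case-sensitive unless nocase is given) and parses the content options straight out of the quoted rule. The telnet payload, the _RLD_ROOT string and the split into two TCP segments are constructed here for illustration, not captured traffic; the segment split only shows the general caveat that a matcher working one packet at a time never sees a string that straddles a segment boundary, it does not claim that this is what happened on the poster's sensor.

```python
import re

# The rule quoted in the post, joined onto one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 23 '
        '(msg:"TELNET SGI telnetd format bug"; flags: A+; '
        'content:"_RLD"; content:"/bin/sh"; reference:arachnids,304;)')

_CONTENT_OPT = re.compile(r'content\s*:\s*"((?:[^"\\]|\\.)*)"')


def _decode_content(text):
    """Turn the body of a content:"..." option into bytes.
    Handles Snort's |xx xx| hex sections and backslash-escaped characters."""
    buf = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == '|':                      # |hex bytes| section
            end = text.index('|', i + 1)
            buf += bytes.fromhex(text[i + 1:end].replace(' ', ''))
            i = end + 1
        elif ch == '\\' and i + 1 < len(text):
            buf.append(ord(text[i + 1]))   # escaped ", ; or backslash
            i += 2
        else:
            buf.append(ord(ch))
            i += 1
    return bytes(buf)


def content_patterns(rule):
    """Every content option of a rule, in order, as raw byte strings."""
    return [_decode_content(m.group(1)) for m in _CONTENT_OPT.finditer(rule)]


def content_report(rule, payload):
    """Check each content option on its own, the way the post bisected the rule:
    returns {pattern: found?} so the missing one stands out."""
    return {p: (p in payload) for p in content_patterns(rule)}


def rule_matches(rule, payload):
    """Content options are ANDed: every pattern must appear somewhere in the payload."""
    return all(content_report(rule, payload).values())


# Constructed sample traffic (not a real capture): a telnet option negotiation,
# NOP filler, an _RLD environment string and a /bin/sh string in one payload.
IAC_WILL_ECHO = b"\xff\xfb\x01"
SAMPLE_PAYLOAD = (IAC_WILL_ECHO + b"\x90" * 16 + b"_RLD_ROOT=/tmp/x"
                  + b"\x90" * 8 + b"/bin/sh\x00")

# The same bytes split into two TCP segments so that "/bin/sh" straddles the
# boundary. A matcher that looks at one packet at a time sees only half of it.
_CUT = SAMPLE_PAYLOAD.index(b"/bin/sh") + 3      # segment 1 ends with "/bi"
SEGMENT_1 = SAMPLE_PAYLOAD[:_CUT]
SEGMENT_2 = SAMPLE_PAYLOAD[_CUT:]


if __name__ == "__main__":
    print("patterns:", content_patterns(RULE))
    print("whole payload:", content_report(RULE, SAMPLE_PAYLOAD),
          rule_matches(RULE, SAMPLE_PAYLOAD))
    for name, seg in (("segment 1", SEGMENT_1), ("segment 2", SEGMENT_2)):
        print(name + ":", content_report(RULE, seg), rule_matches(RULE, seg))
    print("reassembled:", rule_matches(RULE, SEGMENT_1 + SEGMENT_2))
```

Running the whole payload through content_report() shows both patterns found and the rule firing; running each constructed segment alone shows "_RLD" found in the first segment and "/bin/sh" in neither, which is exactly the symptom the post describes for a rule that only fires once the /bin/sh option is removed. Whether the real traffic was split that way is something to confirm from the capture, not from this script.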
