Snort mailing list archives

RE: Snort not catching /bin/sh


From: "Barnes, Ross P ERDC-ITL-MS Contractor" <Ross.P.Barnes () erdc usace army mil>
Date: Thu, 11 Oct 2001 12:34:45 -0500


That is not the case. My other IDS will show the entire packet payload that
triggered the alert and the exploit definitely contains both strings of
content. It is just that the other IDS picks up on /bin/sh and Snort picks
up on _RLD only.

Ross


Might be a silly question but are you sure both contents
were in the same packet when you tested - if they were
split across two packets then this rule would not match
them.

    Tom

-----Original Message-----
From: Barnes, Ross P ERDC-ITL-MS Contractor
[mailto:Ross.P.Barnes () erdc usace army mil]
Sent: 10 October 2001 22:26
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Snort not catching /bin/sh



Hello all,

        I am running Snort 1.8 on a box with another IDS to
monitor traffic (no packet loss on either IDS). We have been
catching some telnetd buffer overflow attempts on the other
IDS with the signature content being /bin/sh, but not on
Snort. Both IDS are on the same box seeing the same traffic.
In the telnet.rules file, the corresponding rule that should
pick it up is

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET SGI telnetd format bug"; flags: A+; content:"_RLD"; content:"/bin/sh"; reference:arachnids,304;)

        Immediately, I thought that looked odd to have two
contents. I took out the content:"_RLD" and it still did not
show up as I attempted to hack a system while the other IDS
caught it. I then took out the content:"/bin/sh" and it
worked off the "_RLD" content. Now, both strings are in the
packet payload so why is Snort not picking up something as
clear as /bin/sh? Any help is greatly appreciated.
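The following is an added example, not code from this thread or from Snort itself: a small Python model of the behaviour Tom's reply describes, using the telnet rule quoted above. It assumes the simplified Snort 1.x semantics that each content option is searched independently over the whole payload handed to the detection engine, so a rule with two content options only fires when both strings sit in the same payload, and a string that straddles a segment boundary is invisible to per-packet matching until the stream is reassembled.

```python
import re
from typing import List

# Constructed model of how a Snort 1.x rule with several content: options is
# evaluated against one packet payload. This is not Snort's own code; it only
# reproduces the point from the thread that every content option must be
# found in the same payload the detection engine is handed (assumption).

RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET SGI telnetd '
        'format bug"; flags: A+; content:"_RLD"; content:"/bin/sh"; '
        'reference:arachnids,304;)')

def parse_content(spec: str) -> bytes:
    """Turn a content: string into bytes; |xx xx| runs are hex bytes."""
    out = b""
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def rule_contents(rule: str) -> List[bytes]:
    """Extract every content:"..." option from a rule."""
    return [parse_content(m) for m in re.findall(r'content:"([^"]*)"', rule)]

def payload_matches(contents: List[bytes], payload: bytes) -> bool:
    """Each content option is an independent search over the whole payload
    (no distance/within modifiers here); the rule fires only if all are found."""
    return all(c in payload for c in contents)

def alerts_per_packet(contents: List[bytes], segments: List[bytes]) -> List[bool]:
    """Match each TCP segment on its own, with no stream reassembly."""
    return [payload_matches(contents, seg) for seg in segments]

def alerts_after_reassembly(contents: List[bytes], segments: List[bytes]) -> bool:
    """Match the reassembled stream, as a stream reassembly preprocessor
    would present it to the detection engine."""
    return payload_matches(contents, b"".join(segments))

# Constructed payloads: just the two markers from the rule with filler, not
# a real exploit. In SPLIT the string /bin/sh itself straddles the segment
# boundary, the split that would reproduce the results Ross reports if
# Tom's guess were right.
WHOLE = [b"filler _RLD=0 filler /bin/sh end"]
SPLIT = [b"filler _RLD=0 filler /bi", b"n/sh end"]

if __name__ == "__main__":
    both = rule_contents(RULE)
    print(alerts_per_packet(both, WHOLE))              # [True]
    print(alerts_per_packet([b"_RLD"], SPLIT))         # [True, False]
    print(alerts_per_packet([b"/bin/sh"], SPLIT))      # [False, False]
    print(alerts_per_packet(both, SPLIT))              # [False, False]
    print(alerts_after_reassembly(both, SPLIT))        # True
```

The last three lines mirror Ross's three experiments (both contents, /bin/sh alone, _RLD alone) and show that only the reassembled stream satisfies the two-content rule when the segment boundary falls inside /bin/sh.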
