Snort mailing list archives
RE: Snort not catching /bin/sh
From: "Barnes, Ross P ERDC-ITL-MS Contractor" <Ross.P.Barnes () erdc usace army mil>
Date: Thu, 11 Oct 2001 12:34:45 -0500
That is not the case. My other IDS will show the entire packet payload that triggered the alert and the exploit definitely contains both strings of content. It is just that the other IDS picks up on /bin/sh and Snort picks up on _RLD only.

Ross, might be a silly question but are you sure both contents were in the same packet when you tested? If they were split across two packets then this rule would not match them.

Tom

-----Original Message-----
From: Barnes, Ross P ERDC-ITL-MS Contractor [mailto:Ross.P.Barnes () erdc usace army mil]
Sent: 10 October 2001 22:26
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Snort not catching /bin/sh

Hello all,

I am running Snort 1.8 on a box with another IDS to monitor traffic (no packet loss on either IDS). We have been catching some telnetd buffer overflow attempts on the other IDS with the signature content being /bin/sh, but not on Snort. Both IDS are on the same box seeing the same traffic. In the telnet.rules file, the corresponding rule that should pick it up is

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET SGI telnetd format bug"; flags: A+; content:"_RLD"; content:"/bin/sh"; reference:arachnids,304;)

Immediately, I thought that looked odd to have two contents. I took out the content:"_RLD" and it still did not show up as I attempted to hack a system while the other IDS caught it. I then took out the content:"/bin/sh" and it worked off the "_RLD" content. Now, both strings are in the packet payload so why is Snort not picking up something as clear as /bin/sh? Any help is greatly appreciated.
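An added illustration of Tom's point (not code from the thread or from Snort): a rule with two content: options is evaluated against one packet payload at a time, so if the two strings arrive in different packets the rule never fires unless the stream has been reassembled first. The payloads and the matcher below are constructed for this example; only the two content strings come from the quoted rule.

```python
"""Toy per-packet vs. reassembled matching for a two-content Snort rule.

This is an added example, not Snort's own matching engine. It only
models the one property the thread discusses: every content: option
must be found in the same payload handed to the rule engine.
"""

# Content options copied from the telnet.rules entry quoted in the thread.
RULE_CONTENTS = [b"_RLD", b"/bin/sh"]


def rule_matches_payload(payload: bytes, contents=RULE_CONTENTS) -> bool:
    """All content: options must be present in this single payload."""
    return all(c in payload for c in contents)


def alerts_per_packet(packets, contents=RULE_CONTENTS):
    """Evaluate the rule on each packet separately (no reassembly).

    Returns the indices of the packets that would raise an alert.
    """
    return [i for i, p in enumerate(packets) if rule_matches_payload(p, contents)]


def alert_on_reassembled_stream(packets, contents=RULE_CONTENTS) -> bool:
    """Join the packets into one stream buffer, then evaluate the rule once.

    This is what a reassembly preprocessor would hand to the rule engine.
    """
    return rule_matches_payload(b"".join(packets), contents)


# Constructed sample payloads: filler bytes around the two marker strings,
# not an actual exploit.
SINGLE_PACKET = [b"AAAA_RLDBBBB/bin/shCCCC"]
SPLIT_PACKETS = [b"AAAA_RLDBBBB", b"CCCC/bin/shDDDD"]


if __name__ == "__main__":
    print("both strings in one packet :", alerts_per_packet(SINGLE_PACKET))
    print("strings split across packets:", alerts_per_packet(SPLIT_PACKETS))
    print("split, but reassembled first:", alert_on_reassembled_stream(SPLIT_PACKETS))
    # Dropping one content: option, as Ross did, lets the rule fire per packet.
    print("only _RLD required          :", alerts_per_packet(SPLIT_PACKETS, [b"_RLD"]))
```

If the other IDS alerts on /bin/sh but Snort only alerts once a content: option is removed, comparing per-packet and reassembled results like this is a quick way to confirm the split-packet explanation before touching the rule.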
Current thread:
- Snort not catching /bin/sh Barnes, Ross P ERDC-ITL-MS Contractor (Oct 10)
- <Possible follow-ups>
- RE: Snort not catching /bin/sh Thomas Whipp (Oct 11)
- RE: Snort not catching /bin/sh Barnes, Ross P ERDC-ITL-MS Contractor (Oct 11)