I have installed a Snort system under Linux.
Now I need to write a rule to detect a "shutdown" command that comes in over a remote telnet session, and also alert on it and log it.
What I wrote is like this:
alert tcp any any -> 192.168.115.130/24 (content: "shutdown"; msg: "someone shut down!!"; sid: 1000001; rev: 1;)
But when I used another computer to telnet to my system and send a "shutdown" command, the Snort system could not detect any "shutdown" command using this rule. However, if I change the keyword in content from "shutdown" to "root" and try a "root" command from remote telnet, then the "root" command is detected. I don't know why.
I really need help with how to write this rule so that it alerts when there are attempts to shut down my system remotely over telnet.
Thanks in advance!!
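Added example (not part of the original post, and not from the Snort project): a small Python model of the two ways a content match can be applied to this traffic, per packet versus on the reassembled client-to-server stream. It assumes that the telnet server negotiates character-at-a-time mode, so each keystroke is sent in its own TCP segment and echoed back by the server in another one; the packets, addresses, ports and the suggested replacement rule below are constructed for illustration.

```python
"""Model of packet-level vs. stream-level content matching on a telnet session.

Assumption (not stated in the original post): the telnet server runs in
character-at-a-time mode, so "shutdown" never appears whole inside one packet
from the client.  All packets below are constructed, not captured.
"""
from collections import defaultdict

SERVER = "192.168.115.130"   # the Snort-protected host from the post
CLIENT = "192.168.115.5"     # hypothetical remote telnet client, same /24
TELNET = 23

# A hypothetical Snort rule that the stream_matches() model corresponds to:
# match only data going to the server's telnet port, on the established,
# reassembled stream, rather than on any packet addressed into the /24.
SUGGESTED_RULE = (
    'alert tcp any any -> 192.168.115.130 23 (msg:"telnet shutdown attempt"; '
    'flow:to_server,established; content:"shutdown"; nocase; sid:1000001; rev:1;)'
)


def keystrokes(text, echo=True):
    """One client->server packet per typed character; the server echoes each
    character back in its own packet unless echo is off (password entry)."""
    pkts = []
    for ch in text:
        pkts.append((CLIENT, 40001, SERVER, TELNET, ch.encode()))
        if echo:
            pkts.append((SERVER, TELNET, CLIENT, 40001, ch.encode()))
    return pkts


# Constructed session: login, password, shell prompt, then the shutdown command.
# Packet tuple: (src_ip, src_port, dst_ip, dst_port, payload)
PACKETS = (
    [(SERVER, TELNET, CLIENT, 40001, b"login: ")]
    + keystrokes("root\r\n")
    + [(SERVER, TELNET, CLIENT, 40001, b"Password: ")]
    + keystrokes("secret\r\n", echo=False)
    + [(SERVER, TELNET, CLIENT, 40001, b"[root@target ~]# ")]
    + keystrokes("shutdown -h now\r\n")
)


def per_packet_matches(packets, pattern):
    """Model of the original rule: test each packet's payload in isolation,
    any source, destination anywhere inside 192.168.115.0/24.
    Returns the indexes of matching packets."""
    return [
        i for i, (_src, _sp, dst, _dp, payload) in enumerate(packets)
        if dst.startswith("192.168.115.") and pattern in payload
    ]


def stream_matches(packets, pattern, to_server=True):
    """Model of content + flow:to_server on a reassembled TCP stream: glue
    together one direction of each connection, then search the whole buffer.
    Returns {connection_4tuple: byte offset of the first match}."""
    streams = defaultdict(bytes)
    for src, sport, dst, dport, payload in packets:
        if to_server and dport != TELNET:
            continue
        if not to_server and sport != TELNET:
            continue
        streams[(src, sport, dst, dport)] += payload
    return {k: v.find(pattern) for k, v in streams.items() if pattern in v}


if __name__ == "__main__":
    print("per-packet 'shutdown':", per_packet_matches(PACKETS, b"shutdown"))
    print("per-packet 'root':    ", per_packet_matches(PACKETS, b"root"))
    print("stream 'shutdown':    ", stream_matches(PACKETS, b"shutdown"))
    print("rule modelled:        ", SUGGESTED_RULE)
```

Run stand-alone, the per-packet matcher finds no "shutdown" at all, because no single client packet carries more than one letter of it, while the only "root" hit is the server's shell prompt going back to the client, which the original rule's /24 destination and missing flow direction happen to cover. The stream matcher finds "shutdown" at byte 14 of the client-to-server data, after "root\r\n" and "secret\r\n". Whether real Snort sees the reassembled stream for this rule depends on its stream preprocessor tracking port 23 on the monitored host, so check that configuration alongside the rule itself.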