[Oisf-users] Suricata: fail to detect reverse shell?

Peter Manev petermanev at gmail.com
Mon Nov 25 09:00:13 UTC 2013

On Mon, Nov 25, 2013 at 4:01 AM, James Harrison <jharr139 at jhu.edu> wrote:
> Hello,
> My class team recently set up the Suricata IDS on a test network. Using
> metasploit, a reverse shell was obtained through a PDF vulnerability.
> Suricata saw the PDF transfer, but failed to see the shell open.
> We felt that this was not a special attack, and should have been easily
> detected. Are we wrong to think this? Is there a configuration setting we
> missed?


Which reverse shell attack is it?
Is there a rule for that type of attack being loaded when Suri starts?
Are all your networks configured correctly? (HOME EXTERNAL)
How do you mean "Suricata saw" the PDF transfer? Did you save it to
disk with file extraction?
What/which rule set do you load with Suricata?

> Our network is designed so that the IDS is also the gateway into our
> "internal network". All network traffic with the "outside world" goes
> through this machine.

Is all offloading disabled on the network card that the IDS uses?


> Thanks,
> James

Peter Manev
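Peter's offloading question above, as an added example that is not part of the thread: a POSIX shell helper that reads `ethtool -k` style output and reports the NIC offload features usually turned off on an IDS capture interface (segmentation and receive offload merge or split packets before Suricata sees them, and checksum offload leaves frames that fail checksum validation, both of which break stream reassembly and can leave a session such as the reverse shell uninspected). The interface name and the ethtool output below are constructed for offline use.

```shell
#!/bin/sh
# Offload features that should read "off" on a capture interface.
IDS_OFFLOADS="rx-checksumming tx-checksumming scatter-gather tcp-segmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload"

# enabled_offloads: read `ethtool -k <iface>` output on stdin and print, on one
# line, the names from IDS_OFFLOADS that are still "on". Indented sub-features
# in ethtool output start with whitespace and are deliberately ignored.
enabled_offloads() {
    awk -v wanted="$IDS_OFFLOADS" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        /^[a-z-]+: on/ {
            name = $1; sub(/:$/, "", name)
            if (name in want) out = out (out ? " " : "") name
        }
        END { if (out != "") print out }
    '
}

# offloads_ok: exit 0 when nothing from IDS_OFFLOADS is enabled in the input.
offloads_ok() {
    [ -z "$(enabled_offloads)" ]
}

# Constructed sample of `ethtool -k eth0` output (not captured from a real host).
SAMPLE='Features for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: off
tcp-segmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
'

# Stand-alone run: report what is still enabled on the constructed sample.
# On a live sensor: ethtool -k eth0 | enabled_offloads
# Remediation is: ethtool -K eth0 gro off lro off tso off gso off sg off rx off tx off
printf '%s' "$SAMPLE" | enabled_offloads
```

Run the check on the sensor after every reboot or driver update, since some drivers re-enable offloads and the symptom is exactly the silent miss described in the thread.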
