[Oisf-users] Suricata: fail to detect reverse shell?

Edward Fjellskål edwardfjellskaal at gmail.com
Mon Nov 25 10:02:26 UTC 2013


A pcap would be nice :)


On Mon, Nov 25, 2013 at 10:00 AM, Peter Manev <petermanev at gmail.com> wrote:

> On Mon, Nov 25, 2013 at 4:01 AM, James Harrison <jharr139 at jhu.edu> wrote:
> > Hello,
> >
> > My class team recently set up the Suricata IDS on a test network. Using
> > metasploit, a reverse shell was obtained through a PDF vulnerability.
> > Suricata saw the PDF transfer, but failed to see the shell open.
> >
> > We felt that this was not a special attack, and should have been easily
> > detected. Are we wrong to think this? Is there a configuration setting we
> > missed?
>
> Hi,
>
> Which reverse shell attack is it?
> Is there a rule for that type of attack being loaded when Suri starts?
> Are all your networks configured correctly? (HOME EXTERNAL)
> How do you mean "Suricata saw" the PDF transfer? Did you save it to
> disk with file extraction?
> What/which rule set do you load with Suricata?
>
>
>
> >
> > Our network is designed so that the IDS is also the gateway into our
> > "internal network". All network traffic with the "outside world" goes
> > through this machine.
>
> Is all offloading disabled on the network card that the IDS uses?
>
> Thanks
>
> >
> > Thanks,
> > James
> >
>
> --
> Regards,
> Peter Manev
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>



-- 
Edward Bjarte Fjellskål
Senior Security Analyst
http://www.gamelinux.org/
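Two of the questions Peter raises (is offloading disabled on the capture NIC, and are HOME_NET/EXTERNAL_NET set so that rules can actually fire) can be turned into quick checks. The script below is an added example; it is not from this thread and not part of Suricata. It assumes the `ethtool -k` output layout ("feature: on|off [fixed]") and the `vars: address-groups:` section of suricata.yaml, and the inputs at the bottom are constructed samples, not output from the original poster's gateway.

```shell
#!/bin/sh
# Added example (not from the thread or from the Suricata project).
# Assumes: ethtool(8) "-k" output lines look like "feature: on|off [fixed]",
# and suricata.yaml carries HOME_NET/EXTERNAL_NET under vars: address-groups:.

# NIC offloads that hand the kernel coalesced or not-yet-checksummed segments.
# On a sniffing interface each of these should be off; otherwise Suricata sees
# packets that never existed on the wire and stream reassembly can miss data.
OFFLOAD_FEATURES="rx-checksumming tx-checksumming scatter-gather
tcp-segmentation-offload generic-segmentation-offload
generic-receive-offload large-receive-offload"

# enabled_offloads: read `ethtool -k IFACE` output on stdin and print the risky
# features that are still "on", one per line. Prints nothing when all are off.
enabled_offloads() {
    while IFS= read -r line; do
        case "$line" in
            *:*) ;;
            *) continue ;;          # "Features for eth0:" has a colon but no state
        esac
        name=$(printf '%s' "${line%%:*}" | tr -d ' \t')
        state=$(printf '%s' "${line#*:}" | tr -d ' \t' | cut -d'[' -f1)
        for f in $OFFLOAD_FEATURES; do
            if [ "$name" = "$f" ] && [ "$state" = "on" ]; then
                printf '%s\n' "$name"
            fi
        done
    done
    return 0
}

# address_group: print the value of one address-group variable (e.g. HOME_NET)
# from suricata.yaml text on stdin, with the surrounding quotes stripped.
address_group() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1 \
        | tr -d '"' | sed 's/[[:space:]]*$//'
}

# home_net_problem: diagnose a HOME_NET/EXTERNAL_NET pair that cannot work.
# With HOME_NET widened to "any", the default EXTERNAL_NET of "!$HOME_NET"
# matches no address at all, so every $EXTERNAL_NET -> $HOME_NET rule is silent.
home_net_problem() {
    yaml=$(cat)
    home=$(printf '%s\n' "$yaml" | address_group HOME_NET)
    ext=$(printf '%s\n' "$yaml" | address_group EXTERNAL_NET)
    if [ "$home" = "any" ] && [ "$ext" = '!$HOME_NET' ]; then
        printf 'HOME_NET is any and EXTERNAL_NET is !$HOME_NET: EXTERNAL_NET matches nothing\n'
    elif [ -z "$home" ]; then
        printf 'HOME_NET is not defined\n'
    else
        printf 'ok: HOME_NET=%s EXTERNAL_NET=%s\n' "$home" "$ext"
    fi
}

# Constructed sample of `ethtool -k eth0` on a box where offloading was never touched.
SAMPLE_ETHTOOL='Features for eth0:
rx-checksumming: on
tx-checksumming: on
    tx-checksum-ip-generic: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Constructed suricata.yaml fragment with HOME_NET widened to "any".
SAMPLE_YAML='vars:
  address-groups:
    HOME_NET: "any"
    EXTERNAL_NET: "!$HOME_NET"'

echo "offloads still enabled on the capture interface:"
printf '%s\n' "$SAMPLE_ETHTOOL" | enabled_offloads
printf '%s\n' "$SAMPLE_YAML" | home_net_problem
```

Against a live sensor the same functions take real input: `ethtool -k eth0 | enabled_offloads` and `home_net_problem < /etc/suricata/suricata.yaml`. An empty list from the first and an "ok:" line from the second clear those two items from Peter's checklist; the rule set actually loaded at start-up still has to be checked separately.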