[Oisf-users] Suricata: fail to detect reverse shell?

Cooper F. Nelson cnelson at ucsd.edu
Tue Nov 26 22:00:56 UTC 2013



Did you try...

Using the emerging-shellcode.rules ruleset?

Uncommenting all the shellcode rules?

What port was the reverse shell over?  Suricata will ignore shellcode
over port 80 via this directive in the default yaml file:

    SHELLCODE_PORTS: "!80"

-Coop

On 11/24/2013 7:01 PM, James Harrison wrote:
> Hello,
> 
> My class team recently setup the Suricata IDS on a test network.
> Using metasploit, a reverse shell was obtained through a PDF
> vulnerability. Suricata saw the PDF transfer, but failed to see the
> shell open.
> 
> We felt that this was not a special attack, and should have been
> easily detected. Are we wrong to think this? Is there a configuration
> setting we missed?
> 
> Our network is designed so that the IDS is also the gateway into our
> "internal network". All network traffic with the "outside world" goes
> through this machine.
> 
> Thanks, James
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
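As an added illustration of the point above (not code from the original email or from Suricata itself): a small Python model of how a port variable such as SHELLCODE_PORTS, referenced by rules as $SHELLCODE_PORTS, decides whether a rule applies to a given destination port. The parser is a simplified approximation of Suricata's port-variable syntax, written for this example only.

```python
# Added example, not part of the original email and not Suricata's parser:
# a simplified model of Suricata port-variable matching. Supported subset:
# "any", "80", "80:100", "1024:", ":1023", "!80", "[80,443]", "![80,443]"
# and negated list members such as "[1024:, !3306]".

def _in_range(item, port):
    """True if a single port or range token (no '!') covers `port`."""
    item = item.strip()
    if item == "any":
        return True
    if ":" in item:
        lo, hi = item.split(":", 1)
        lo = int(lo) if lo else 1          # ":1023" means 1..1023
        hi = int(hi) if hi else 65535      # "1024:" means 1024..65535
        return lo <= port <= hi
    return int(item) == port

def port_matches(var_value, port):
    """True if the port-variable expression `var_value` covers `port`."""
    expr = var_value.strip().strip('"')
    negate_all = expr.startswith("!")      # "!80" or "![80,443]"
    if negate_all:
        expr = expr[1:].strip()
    if expr.startswith("[") and expr.endswith("]"):
        items = [i.strip() for i in expr[1:-1].split(",")]
    else:
        items = [expr]
    positives = [i for i in items if not i.startswith("!")]
    negatives = [i[1:].strip() for i in items if i.startswith("!")]
    # If only negated members are listed, the base set is every port.
    in_base = any(_in_range(i, port) for i in positives) if positives else True
    in_excluded = any(_in_range(i, port) for i in negatives)
    result = in_base and not in_excluded
    return (not result) if negate_all else result

def shellcode_rules_apply(shellcode_ports, dst_port):
    """Would a rule written against $SHELLCODE_PORTS be evaluated for dst_port?"""
    return port_matches(shellcode_ports, dst_port)

if __name__ == "__main__":
    # Constructed scenario: the default "!80" versus "any" for two callback ports.
    for setting in ('"!80"', "any"):
        for port in (80, 4444):
            print(f"SHELLCODE_PORTS={setting:7} port={port:5} "
                  f"rules evaluated={shellcode_rules_apply(setting, port)}")
```

With the default value, a callback on port 80 is never checked against the shellcode rules, which is the gap Coop points at; setting the variable to "any" (at a CPU cost on busy web links) closes it.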
