[Oisf-users] Suricata: fail to detect reverse shell?

James Harrison jharr139 at jhu.edu
Wed Nov 27 03:57:10 UTC 2013


Here is some more information:

Which reverse shell attack is it?
 - gh0stRAT
 - wce
 - poison ivy
Is there a rule for that type of attack being loaded when Suri starts?
 - not that we can find specifically, but we uncommented all of the rules
that should pertain.
Are all your networks configured correctly? (HOME EXTERNAL)
 -  yes
How do you mean "Suricata saw" the PDF transfer? Did you save it to
disk with file extraction?
 - the http.log recorded the http session retrieving the file from an
'attacker' web server
What/which rule set do you load with Suricata?
 - emerging from 19 October

PCAP output of a successful download and reverse shell can be found at 
https://drive.google.com/folderview?id=0B2bABk25EpPRZHktMHphbkVVajA&usp=sharing
________________________________________
From: Peter Manev <petermanev at gmail.com>
Sent: Monday, November 25, 2013 4:00 AM
To: James Harrison
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata: fail to detect reverse shell?

On Mon, Nov 25, 2013 at 4:01 AM, James Harrison <jharr139 at jhu.edu> wrote:
> Hello,
>
> My class team recently set up the Suricata IDS on a test network. Using
> metasploit, a reverse shell was obtained through a PDF vulnerability.
> Suricata saw the PDF transfer, but failed to see the shell open.
>
> We felt that this was not a special attack, and should have been easily
> detected. Are we wrong to think this? Is there a configuration setting we
> missed?

Hi,

Which reverse shell attack is it?
Is there a rule for that type of attack being loaded when Suri starts?
Are all your networks configured correctly? (HOME EXTERNAL)
How do you mean "Suricata saw" the PDF transfer? Did you save it to
disk with file extraction?
What/which rule set do you load with Suricata?



>
> Our network is designed so that the IDS is also the gateway into our
> "internal network". All network traffic with the "outside world" goes
> through this machine.

Is all offloading disabled on the network card that the IDS uses?

Thanks

>
> Thanks,
> James
>

--
Regards,
Peter Manev
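Peter's last question is the one that most often explains a missed stream when the sensor is also the gateway: with NIC offloading left on, the kernel merges received segments into super-packets larger than the MTU (GRO/LRO), hands Suricata outgoing packets whose checksums have not been computed yet (tx checksum offload), and splits large sends in hardware (TSO/GSO), so what Suricata sees differs from what was on the wire and a stream can be dropped or never reassembled. The following script is an added example, not from the thread or the Suricata project: it parses `ethtool -k` output, lists the offload features that are enabled and changeable, and builds the single `ethtool -K` command that turns them off. The `ethtool -k` output embedded in it is constructed for the example; the interface name `eth0` is assumed.

```shell
#!/bin/sh
# Added example: find NIC offload features that should be off on a Suricata
# sniffing interface and emit the `ethtool -K` command that disables them.
# Sample `ethtool -k eth0` output below is constructed, not taken from the thread.

SAMPLE='Features for eth0:
rx-checksumming: on
tx-checksumming: on
	tx-checksum-ipv4: off [fixed]
	tx-checksum-ip-generic: on
scatter-gather: on
	tx-scatter-gather: on
tcp-segmentation-offload: on
	tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on'

# "feature name as printed by ethtool -k":"short flag accepted by ethtool -K"
WATCH='rx-checksumming:rx tx-checksumming:tx scatter-gather:sg
tcp-segmentation-offload:tso generic-segmentation-offload:gso
generic-receive-offload:gro large-receive-offload:lro'

TAB=$(printf '\t')

# Map a feature name to its ethtool -K flag; print nothing if it is not watched.
flag_for() {
    for pair in $WATCH; do
        if [ "${pair%%:*}" = "$1" ]; then
            printf '%s\n' "${pair#*:}"
            return 0
        fi
    done
    return 0
}

# Read `ethtool -k` output on stdin; print each watched top-level feature that
# is "on" and not "[fixed]" (fixed features cannot be changed with ethtool -K).
enabled_offloads() {
    while IFS= read -r line; do
        case "$line" in
            "$TAB"*|' '*) continue ;;        # indented sub-feature lines
        esac
        name=${line%%:*}
        rest=${line#*:}
        rest=${rest# }
        state=${rest%% *}
        case "$rest" in *'[fixed]'*) continue ;; esac
        [ "$state" = on ] || continue
        [ -n "$(flag_for "$name")" ] || continue
        printf '%s\n' "$name"
    done
    return 0
}

# Read feature names (one per line) on stdin; print one `ethtool -K` command
# that turns them all off on interface $1. Prints nothing if the list is empty.
disable_command() {
    iface=$1
    flags=''
    while IFS= read -r name; do
        flags="$flags $(flag_for "$name") off"
    done
    if [ -n "$flags" ]; then
        printf 'ethtool -K %s%s\n' "$iface" "$flags"
    fi
    return 0
}

# Stand-alone run against the constructed sample. On a live sensor replace the
# printf with:  ethtool -k "$IFACE" | enabled_offloads | disable_command "$IFACE"
printf '%s\n' "$SAMPLE" | enabled_offloads | disable_command eth0
```

Run the emitted command as root on the sniffing interface and put it in the interface's pre-up hook so it survives a reboot; features reported as `[fixed]` cannot be switched off in software, which is worth knowing before choosing a NIC for a sensor. Because this box routes the traffic rather than only sniffing it, tx checksum offload matters too: Suricata by default treats packets with bad checksums as invalid for stream tracking, so the victim-to-attacker direction of the shell can be silently ignored even though the http.log side of the exchange looked fine.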


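Peter's first two questions (which payload, and whether a rule for it is loaded) are the other half of the answer. A reverse shell is only "easily detected" if a loaded rule matches something the shell actually sends. As an added example, not from the thread and not from the Emerging Threats ruleset, the local rule below matches the cmd.exe banner that a Windows command-shell payload sends to the attacker as soon as the reverse connection is established. It assumes the Metasploit payload spawns cmd.exe (a windows/shell_reverse_tcp style payload); a meterpreter payload sends no such banner, so this rule would stay silent for it. The direction is deliberate: the victim initiates the TCP connection, so the banner travels from the client to the server (`to_server`) and from $HOME_NET to $EXTERNAL_NET. The sid and file name are assumed.

```suricata
# local.rules (added example, not from the thread or the ET ruleset)
# Assumes the payload spawns cmd.exe, which prints its banner on start-up;
# a meterpreter reverse shell sends no banner and is not caught by this rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL Windows command shell banner sent outbound (possible reverse shell)"; flow:established,to_server; content:"Microsoft Windows [Version "; nocase; classtype:trojan-activity; sid:1000001; rev:1;)
```

Add the file to `rule-files:` in suricata.yaml, or test it alone against the captured pcap with `suricata -c suricata.yaml -S local.rules -r reverse-shell.pcap` (the pcap name is assumed) and look in fast.log. If the rule does not fire on a capture that visibly contains the banner, the problem is in the traffic path (offloading, HOME_NET/EXTERNAL_NET, checksum handling) rather than in the ruleset, which is the split Peter's questions are designed to make.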
