[Oisf-users] Suricata: fail to detect reverse shell?

corenor corenor at gmail.com
Wed Nov 27 14:44:34 UTC 2013


Generally wondering why the default config ignores port 80. Is that a major
impact on performance?
On Tue, Nov 26, 2013 at 10:57 PM, James Harrison <jharr139 at jhu.edu> wrote:

> Here is some more information:
>
> Which reverse shell attack is it?
>  - gh0stRAT
>  - wce
>  - poison ivy
> Is there a rule for that type of attack being loaded when Suri starts?
>  - not that we can find specifically, but we uncommented all of the rules
> that should pertain.
> Are all your networks configured correctly? (HOME EXTERNAL)
>  - yes
> How do you mean "Suricata saw" the PDF transfer? Did you save it to
> disk with file extraction?
>  - the http.log recorded the http session retrieving the file from an
> 'attacker' web server
> What/which rule set do you load with Suricata?
>  - emerging from 19 October
>
> PCAP output of a successful download and reverse shell can be found at
>
> https://drive.google.com/folderview?id=0B2bABk25EpPRZHktMHphbkVVajA&usp=sharing
> ________________________________________
> From: Peter Manev <petermanev at gmail.com>
> Sent: Monday, November 25, 2013 4:00 AM
> To: James Harrison
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata: fail to detect reverse shell?
>
> On Mon, Nov 25, 2013 at 4:01 AM, James Harrison <jharr139 at jhu.edu> wrote:
> > Hello,
> >
> > My class team recently set up the Suricata IDS on a test network. Using
> > metasploit, a reverse shell was obtained through a PDF vulnerability.
> > Suricata saw the PDF transfer, but failed to see the shell open.
> >
> > We felt that this was not a special attack, and should have been easily
> > detected. Are we wrong to think this? Is there a configuration setting we
> > missed?
>
> Hi,
>
> Which reverse shell attack is it?
> Is there a rule for that type of attack being loaded when Suri starts?
> Are all your networks configured correctly? (HOME EXTERNAL)
> How do you mean "Suricata saw" the PDF transfer? Did you save it to
> disk with file extraction?
> What/which rule set do you load with Suricata?
>
>
>
> >
> > Our network is designed so that the IDS is also the gateway into our
> > "internal network". All network traffic with the "outside world" goes
> > through this machine.
>
> Is all offloading disabled on the network card that the IDS uses?
>
> Thanks
>
> >
> > Thanks,
> > James
> >
>
> --
> Regards,
> Peter Manev
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>