[Oisf-users] Suricata: fail to detect reverse shell?

Cooper F. Nelson cnelson at ucsd.edu
Wed Nov 27 18:32:14 UTC 2013



These are not reverse shells (at least, not in the lexicon I'm familiar
with).  Gh0stRAT and poison ivy are remote administration tools.  The ET
sigs to detect them look for their CnC traffic, not the initial
connection.  You need to actually send commands to the RAT to trigger
the ET sigs.

-Coop

On 11/26/2013 7:57 PM, James Harrison wrote:
> Here is some more information:
> 
> Which reverse shell attack is it?
>  - gh0stRAT
>  - wce
>  - poison ivy


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
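The point Coop makes above, that the ET signatures for these RATs key on bytes in the CnC payload and so cannot fire on a bare connect, as an added example that is not part of this thread and not the Emerging Threats rule text. The rule string below is written in Suricata syntax and modelled on the Gh0st RAT wire framing (ASCII "Gh0st" magic, two little-endian lengths, zlib body); the rule, its sid, the toy matcher, and the three constructed flows are all assumptions made for this illustration, and the command bodies are placeholders, not real Gh0st command codes.

```python
"""
Toy evaluation of a content-based IDS rule over constructed TCP flows.
Added example for the Oisf-users thread; not Suricata code, not an ET rule.
"""
import re
import struct
import zlib

# Illustrative rule (assumption): Suricata syntax, modelled on the Gh0st
# header. sid 9000001 is a local-range placeholder, not an ET sid.
RULE = ('alert tcp any any -> any any (msg:"EXAMPLE Gh0st-style CnC header"; '
        'flow:established; content:"Gh0st"; depth:5; sid:9000001; rev:1;)')


def parse_rule(rule: str) -> dict:
    """Pull the option block of a rule into a dict.
    Toy parser: one content keyword, no escapes, only depth/offset modifiers."""
    body = re.search(r'\((.*)\)\s*$', rule).group(1)
    opts = {}
    for item in body.split(';'):
        item = item.strip()
        if not item:
            continue
        key, _, val = item.partition(':')
        opts[key.strip()] = val.strip().strip('"')
    return opts


def content_matches(opts: dict, payload: bytes) -> bool:
    """Apply content with depth/offset the way a single content match works:
    the pattern must sit inside payload[offset:offset+depth]."""
    needle = opts['content'].encode()
    offset = int(opts.get('offset', 0))
    depth = int(opts['depth']) if 'depth' in opts else len(payload)
    return needle in payload[offset:offset + depth]


def evaluate(rule: str, flow: dict) -> list:
    """Return the list of sids that fire for one flow.

    flow = {'established': bool, 'segments': [(direction, payload), ...]}
    direction is 'to_server' (client -> server) or 'to_client'.
    A flow with no payload segments can never satisfy a content keyword,
    which is exactly why a plain connect to a RAT listener stays silent.
    """
    opts = parse_rule(rule)
    flow_opts = set(opts.get('flow', '').split(','))
    if 'established' in flow_opts and not flow['established']:
        return []
    alerts = []
    for direction, payload in flow['segments']:
        if flow_opts & {'to_server', 'to_client'} and direction not in flow_opts:
            continue
        if content_matches(opts, payload):
            alerts.append(int(opts['sid']))
    return alerts


def gh0st_frame(body: bytes) -> bytes:
    """Assumed Gh0st-style framing: magic, total length, uncompressed length,
    zlib-compressed body. Used only to build constructed sample traffic."""
    comp = zlib.compress(body)
    total = 5 + 4 + 4 + len(comp)
    return b'Gh0st' + struct.pack('<II', total, len(body)) + comp


# Constructed flows (not captured traffic).
CONSTRUCTED_FLOWS = {
    # Three-way handshake only: the implant connected out, nobody sent anything.
    'handshake_only': {'established': True, 'segments': []},
    # Implant checks in, controller sends a command: both carry the magic.
    'beacon_and_command': {'established': True, 'segments': [
        ('to_server', gh0st_frame(b'PLACEHOLDER-LOGIN')),
        ('to_client', gh0st_frame(b'PLACEHOLDER-COMMAND')),
    ]},
    # The magic appears, but not within the first 5 bytes: depth rejects it.
    'magic_not_at_start': {'established': True, 'segments': [
        ('to_server', b'HTTP/1.1 200 OK\r\n\r\nGh0st'),
    ]},
}


def run_all(rule: str = RULE) -> dict:
    """Evaluate the rule against every constructed flow."""
    return {name: evaluate(rule, flow) for name, flow in CONSTRUCTED_FLOWS.items()}


if __name__ == '__main__':
    for name, sids in run_all().items():
        print(f'{name:20s} -> {"ALERT " + str(sids) if sids else "no alert"}')
```

Only the flow that actually carries RAT framing produces alerts; the handshake-only flow has no payload for `content` to inspect at all, which matches what Coop describes: to test an ET CnC signature you have to drive the RAT and generate command traffic, not just let the implant connect.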