How do I review audit logs for reverse shell traffic? Unfortunately, reviewing audit logs for reverse shell traffic
can be very difficult. Seriously, some of the reverse shell techniques being used are quite stealthy. The best way is to first ensure that your firewall is locked down for both incoming and outgoing packets. Yes, you want to lock down the outgoing packets to only those ports and protocols that you really need to use. Also, you need to be logging your outgoing traffic for suspicious packets. For example, if you log your outgoing HTTP traffic and an attacker has managed to install a reverse shell that uses that port, the reverse shell packets should look rather different from real HTTP traffic. Detecting this attack is rather difficult on an automated basis and involves a lot of time to do by hand. You are probably better off examining the running processes on the systems you suspect might be compromised. Be aware though, if the attacker could install a reverse proxy, they probably installed a rootkit too and covered their tracks. They may have messed with the system tools that would tell you what processes are running.
Your best bet for detection is to have an IDS that is up to date with its intrusion-detection strings. Hopefully, the IDS vendor can identify the typical reverse shells that are being used and develop a way to detect their outgoing packets. Of course, if you aren't monitoring your outbound traffic, you are completely out of luck.
For more info on this topic, visit these SearchSecurity.com resources:
Dig deeper on Monitoring Network Traffic and Network Forensics
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.