Ask the Expert

How do I review audit logs for reverse shell traffic?

How do I review audit logs for reverse shell traffic?

    Requires Free Membership to View

Unfortunately, reviewing audit logs for reverse shell traffic can be very difficult. Seriously, some of the reverse shell techniques being used are quite stealthy. The best way is to first ensure that your firewall is locked down for both incoming and outgoing packets. Yes, you want to lock down the outgoing packets to only those ports and protocols that you really need to use. Also, you need to be logging your outgoing traffic for suspicious packets. For example, if you log your outgoing HTTP traffic and an attacker has managed to install a reverse shell that uses that port, the reverse shell packets should look rather different from real HTTP traffic. Detecting this attack is rather difficult on an automated basis and involves a lot of time to do by hand. You are probably better off examining the running processes on the systems you suspect might be compromised. Be aware though, if the attacker could install a reverse proxy, they probably installed a rootkit too and covered their tracks. They may have messed with the system tools that would tell you what processes are running.

Your best bet for detection is to have an IDS that is up to date with its intrusion-detection strings. Hopefully, the IDS vendor can identify the typical reverse shells that are being used and develop a way to detect their outgoing packets. Of course, if you aren't monitoring your outbound traffic, you are completely out of luck.

For more info on this topic, visit these resources:
  • Network Security Tip: Snort makes IDS worth the time and effort
  • Ask the Expert: The ABCs of intrusion detection
  • Infosec Bookshelf: Intrusion Detection & Prevention

    This was first published in May 2004

  • There are Comments. Add yours.

    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: