
How do I review audit logs for reverse shell traffic?

Unfortunately, reviewing audit logs for reverse shell traffic can be very difficult. Seriously, some of the reverse shell techniques being used are quite stealthy. The best way is to first ensure that your firewall is locked down for both incoming and outgoing packets. Yes, you want to lock down the outgoing packets to only those ports and protocols that you really need to use. Also, you need to be logging your outgoing traffic for suspicious packets. For example, if you log your outgoing HTTP traffic and an attacker has managed to install a reverse shell that uses that port, the reverse shell packets should look rather different from real HTTP traffic. Detecting this attack is rather difficult on an automated basis and involves a lot of time to do by hand. You are probably better off examining the running processes on the systems you suspect might be compromised. Be aware, though, that if the attacker could install a reverse shell, they probably installed a rootkit too and covered their tracks. They may have messed with the system tools that would tell you what processes are running.

Your best bet for detection is to have an IDS that is up to date with its intrusion-detection strings. Hopefully, the IDS vendor can identify the typical reverse shells that are being used and develop a way to detect their outgoing packets. Of course, if you aren't monitoring your outbound traffic, you are completely out of luck.
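As an added example (not part of the original answer), the script below applies the advice above to a constructed sample of outbound connection logs: it flags egress to ports outside a hypothetical allowlist and port-80 connections whose first payload bytes are not an HTTP request line, then lists the internal hosts whose running processes deserve a hands-on check. The log format, the allowlist and the sample records are all assumptions made for this example.

```python
import re
from collections import namedtuple

# Constructed sample of outbound firewall/proxy log lines (not from any real system);
# each record carries the destination port and the first bytes of the payload.
SAMPLE_LOG = """\
2004-05-03T10:01:02 OUT 10.0.0.12:51234 -> 93.184.216.34:80 bytes=512 first="GET /index.html HTTP/1.1"
2004-05-03T10:01:05 OUT 10.0.0.12:51240 -> 198.51.100.7:80 bytes=48 first="sh-4.2$ id"
2004-05-03T10:01:09 OUT 10.0.0.15:51301 -> 203.0.113.9:4444 bytes=4096 first=""
2004-05-03T10:02:11 OUT 10.0.0.12:51250 -> 93.184.216.34:443 bytes=2048 first=""
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) OUT (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) '
    r'bytes=\d+ first="(?P<first>[^"]*)"$'
)
# A genuine HTTP request opens with a request line; a shell prompt or command output does not.
HTTP_REQUEST_RE = re.compile(
    r'^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/1\.[01]$'
)
# Hypothetical egress allowlist: only the ports this network genuinely needs outbound.
ALLOWED_PORTS = frozenset({53, 80, 443})

Alert = namedtuple("Alert", "ts src dst dport reason")

def review_egress(log_text, allowed_ports=ALLOWED_PORTS):
    """Flag outbound connections that leave the allowlist or carry non-HTTP data on port 80."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable record; a production job should count and surface these too
        dport = int(m["dport"])
        if dport not in allowed_ports:
            alerts.append(Alert(m["ts"], m["src"], m["dst"], dport, "egress to non-allowlisted port"))
        elif dport == 80 and not HTTP_REQUEST_RE.match(m["first"]):
            alerts.append(Alert(m["ts"], m["src"], m["dst"], dport, "non-HTTP payload on port 80"))
    return alerts

def suspect_hosts(alerts):
    """Internal hosts whose running processes deserve a hands-on look."""
    return {a.src for a in alerts}

if __name__ == "__main__":
    found = review_egress(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.src} -> {a.dst}:{a.dport}  {a.reason}")
    print("inspect processes on:", sorted(suspect_hosts(found)))
```

The port-443 record is not inspected for content because the payload is encrypted; it passes only because the port is on the allowlist, which is why the allowlist itself needs to stay tight.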


For more info on this topic, visit these SearchSecurity.com resources:
  • Network Security Tip: Snort makes IDS worth the time and effort
  • Ask the Expert: The ABCs of intrusion detection
  • Infosec Bookshelf: Intrusion Detection & Prevention

This was first published in May 2004.
