
How do I review audit logs for reverse shell traffic?

Unfortunately, reviewing audit logs for reverse shell traffic can be very difficult. Seriously, some of the reverse shell techniques being used are quite stealthy. The best way is to first ensure that your firewall is locked down for both incoming and outgoing packets. Yes, you want to lock down the outgoing packets to only those ports and protocols that you really need to use. You also need to be logging your outgoing traffic and checking it for suspicious packets. For example, if you log your outgoing HTTP traffic and an attacker has managed to install a reverse shell that uses that port, the reverse shell packets should look rather different from real HTTP traffic. Detecting this attack on an automated basis is rather difficult, and doing it by hand takes a lot of time. You are probably better off examining the running processes on the systems you suspect might be compromised. Be aware, though, that if the attacker could install a reverse shell, they probably installed a rootkit too and covered their tracks. They may have tampered with the system tools that would tell you what processes are running.

Your best bet for detection is to have an IDS that is up to date with its intrusion-detection strings. Hopefully, the IDS vendor can identify the typical reverse shells that are being used and develop a way to detect their outgoing packets. Of course, if you aren't monitoring your outbound traffic, you are completely out of luck.
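The two checks the answer describes (outbound connections to ports the firewall policy should not allow, and traffic on the HTTP port whose first bytes are not an HTTP request) can be scripted over an outbound-connection log. The following is an added example, not code from the column or from any IDS product; the log format, the sample lines and the allowlist of outbound ports are all constructed for illustration.

```python
import re

# Constructed sample of an outbound connection log (not a real product's format):
# timestamp | source ip:port | destination ip:port | first client bytes, escaped
SAMPLE_LOG = """\
2004-05-03T09:12:01|10.0.0.5:51234|203.0.113.7:80|GET /index.html HTTP/1.1\\r\\nHost: example.com
2004-05-03T09:12:04|10.0.0.5:51240|203.0.113.7:80|Linux host1 2.4.26 #1 SMP\\nuid=0(root) gid=0(root)
2004-05-03T09:13:10|10.0.0.9:40022|198.51.100.2:4444|\\x1b[?1034hsh-2.05b$
2004-05-03T09:13:12|10.0.0.5:51250|203.0.113.7:443|\\x16\\x03\\x01\\x00\\x8b
"""

# Assumed egress policy for this example: only web traffic may leave the network.
ALLOWED_OUTBOUND_PORTS = {80, 443}

# A genuine HTTP exchange starts with a request line from the client; a shell
# session on port 80 starts with command output or a prompt instead.  The log
# stores CR/LF escaped, so the pattern matches the escaped form.
HTTP_REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\\r\\n")

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\|(?P<src>[^|]+)\|(?P<dst>[^:|]+):(?P<dport>\d+)\|(?P<head>.*)$"
)


def review(log_text: str) -> list[dict]:
    """Return one finding per outbound connection that violates policy or
    does not look like the protocol the destination port implies."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at them
        dport = int(m["dport"])
        if dport not in ALLOWED_OUTBOUND_PORTS:
            reason = "outbound port not in allowlist"
        elif dport == 80 and not HTTP_REQUEST_LINE.match(m["head"]):
            reason = "non-HTTP payload on port 80"
        else:
            continue
        findings.append({"ts": m["ts"], "src": m["src"],
                         "dst": f"{m['dst']}:{dport}", "reason": reason})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['dst']}: {f['reason']}")
```

Encrypted traffic on 443 passes the payload check here because the first bytes are a TLS handshake, which is exactly why the answer stresses restricting outbound ports in the first place.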

For more info on this topic, visit these SearchSecurity.com resources:

  • Network Security Tip: Snort makes IDS worth the time and effort
  • Ask the Expert: The ABCs of intrusion detection
  • Infosec Bookshelf: Intrusion Detection & Prevention

This was last published in May 2004