Suricata and reverse_https shell

Hi,

I’m trying to detect the Metasploit reverse_https shell using Suricata. I assume this can’t be done without decrypting the traffic, and for decryption I need to rely on 3rd-party proxies, but those are useful only if it is browser (TLS) traffic. What about an msfvenom binary with a reverse_https payload, which creates completely encrypted traffic between the victim and msfconsole?

Kindly share suggestions on how to detect such malicious HTTPS traffic.

That’s tricky. You could try to see if there is any specific pattern in the encrypted traffic that you can use, or specific targets, or if you see something in the initial connection attempt that might not be completely encrypted yet.

Yes, HTTPS headers can be detected, but I am looking to feed decrypted traffic to Suricata. I tried an MITM proxy, but that serves only browser traffic.

What about Ja3?
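To make the JA3 suggestion concrete, here is an added example (not code from any poster in this thread or from Suricata) that shows what JA3 actually fingerprints in the unencrypted part of the connection: it builds a small TLS ClientHello inline as constructed test input, parses the fields JA3 uses (client version, cipher suites, extension types, supported groups, EC point formats, with GREASE values dropped), computes the MD5, and emits a Suricata rule that matches on that hash using the `ja3.hash` sticky buffer (Suricata 5 keyword syntax; JA3 must be enabled with `app-layer.protocols.tls.ja3-fingerprints: yes` in suricata.yaml). The SNI `example.test`, the cipher and extension lists, and the SID are placeholders; the hash produced here is the hash of this constructed hello, not a published Metasploit fingerprint. To use the approach for real, capture a connection from your own msfvenom reverse_https payload, take the JA3 hash Suricata logs for it in the tls event, and put that hash in the rule. Caveat: JA3 identifies the TLS client implementation, not the application, so any legitimate client built on the same TLS stack will match too.

```python
"""JA3 from a raw TLS ClientHello, plus a Suricata ja3.hash rule.

Added example: the ClientHello is constructed inline so this runs offline.
The hash it yields is a stand-in for whatever hash you observe from your own
reverse_https payload; it is not a published Metasploit fingerprint.
"""
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from JA3 lists.
GREASE = {(n << 8) | n for n in range(0x0A, 0x100, 0x10)}


def _ext(ext_type: int, data: bytes) -> bytes:
    """Encode one TLS extension: type(2) length(2) data."""
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(sni: str) -> bytes:
    """Constructed TLS 1.2-style ClientHello record (test input, not a real capture)."""
    ciphers = [0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F, 0x002F]  # 0x0A0A is GREASE
    groups = [0x001D, 0x0017, 0x0018]  # x25519, secp256r1, secp384r1
    host = sni.encode()
    sni_entry = struct.pack("!BH", 0, len(host)) + host  # name_type=host_name
    exts = b"".join([
        _ext(0x0000, struct.pack("!H", len(sni_entry)) + sni_entry),          # server_name
        _ext(0x000A, struct.pack("!H", 2 * len(groups))
             + b"".join(struct.pack("!H", g) for g in groups)),                 # supported_groups
        _ext(0x000B, b"\x01\x00"),                                              # ec_point_formats
        _ext(0x000D, b"\x00\x04\x04\x03\x08\x04"),                              # signature_algorithms
        _ext(0x1A1A, b""),                                                      # GREASE, must be ignored
        _ext(0x002B, b"\x02\x03\x04"),                                          # supported_versions
    ])
    body = (b"\x03\x03"                       # client_version TLS 1.2
            + b"\x11" * 32                    # random (fixed for determinism)
            + b"\x00"                         # empty session id
            + struct.pack("!H", 2 * len(ciphers))
            + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                     # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type=ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Extract the JA3 inputs (and the SNI) from a TLS record holding a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9  # record header (5) + handshake header (4)
    version = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + 32  # client_version + random
    pos += 1 + record[pos]  # session id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    ciphers = list(struct.unpack("!%dH" % (cs_len // 2), record[pos:pos + cs_len]))
    pos += cs_len
    pos += 1 + record[pos]  # compression methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    ext_types, groups, formats, sni = [], [], [], None
    while pos < end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        data = record[pos:pos + elen]
        pos += elen
        ext_types.append(etype)
        if etype == 0x0000:  # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode()
        elif etype == 0x000A:  # supported_groups: list_len(2) then uint16 ids
            n = struct.unpack("!H", data[:2])[0]
            groups = list(struct.unpack("!%dH" % (n // 2), data[2:2 + n]))
        elif etype == 0x000B:  # ec_point_formats: len(1) then uint8 ids
            formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": ext_types,
            "groups": groups, "formats": formats, "sni": sni}


def ja3(fields: dict) -> tuple:
    """Return (ja3_string, ja3_hash). Lists are dash-joined decimals, GREASE removed."""
    def keep(vals):
        return [v for v in vals if v not in GREASE]

    def dash(vals):
        return "-".join(str(v) for v in vals)

    s = ",".join([str(fields["version"]), dash(keep(fields["ciphers"])),
                  dash(keep(fields["extensions"])), dash(keep(fields["groups"])),
                  dash(fields["formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


def suricata_rule(ja3_hash: str, sid: int, msg: str = "TLS client JA3 match") -> str:
    """Suricata 5 rule matching a JA3 hash (requires ja3-fingerprints enabled)."""
    return (f'alert tls any any -> any any (msg:"{msg}"; flow:established,to_server; '
            f'ja3.hash; content:"{ja3_hash}"; classtype:trojan-activity; sid:{sid}; rev:1;)')


FIELDS = parse_client_hello(build_client_hello("example.test"))
JA3_STRING, JA3_HASH = ja3(FIELDS)

if __name__ == "__main__":
    print("SNI:       ", FIELDS["sni"])
    print("JA3 string:", JA3_STRING)
    print("JA3 hash:  ", JA3_HASH)
    print(suricata_rule(JA3_HASH, 1000001, "Constructed JA3 hash placeholder"))
```

Swap the placeholder hash for the one Suricata logs in its tls event for your own payload's connection, and keep the rule scoped (for example to traffic leaving your network) to limit false positives from unrelated clients that share the same TLS stack.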

Hi,

Let’s see if this can help you

6.2.2 Detecting Metasploit HTTPS Reverse Shell traffic…
