[Snort-sigs] Reverse shell

Castle, Shane scastle at ...3555...
Mon Mar 25 11:24:06 EDT 2013

Default deny outbound is a hard sell around here (inbound was cake). For an organization highly concerned with security, DLP, etc., maybe not so much, but I have yet to get any traction for it. Sigh.

I've been trying to do it by groups: DMZ, servers, network gear are at least getting some outbound deny protection now, but it's not complete.

Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: Jamie Riden [mailto:jamie.riden at ...2420...] 
Sent: Monday, March 25, 2013 01:46
To: Aisling Brennan
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Reverse shell

You can detect most of these with signatures, but it's better to block them frankly - just use a default DENY policy outbound on your firewall. For example, HTTP should only be allowed outbound from your web proxy, DNS from your DNS resolvers, and probably no SSH access is needed.

On 25 March 2013 07:04, Aisling Brennan <aislingbrennan21 at ...2420...> wrote:
> Reverse shells allow access to internal systems without having incoming access to the network.
> Reverse shells force an internal system to actively connect out to an external system.
> Reverse shells can operate using any protocol/port combination that is allowed out of your network.
> Netcat - any TCP/UDP port
> Cryptcat - any TCP/UDP port with encryption
> Loki & Ping Tunnel - ICMP
> Reverse WWW Shell - HTTP
> DNS Tunnel - DNS
> Sneakin - Telnet
> Stunnel - SSL
> Secure Shell - SSH
> Custom Reverse Shell
> It is a method a hacker would use to access our systems that are behind a firewall.

Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...
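One way to turn the egress policy Jamie describes (HTTP only from the web proxy, DNS only from the resolvers, no outbound SSH, everything else denied) into a check over connection records, as an added example that is not part of the thread. The proxy and resolver addresses, the policy table and the flow lines are constructed for illustration.

```python
# Added example (not from the thread): an egress-policy check modelled on the
# default-deny-outbound advice above. The network, policy and flow records
# below are constructed for illustration.
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# (proto, dst_port) -> hosts allowed to originate that service outbound.
# Constructed addresses: 10.0.0.10 is the web proxy, 10.0.0.53/54 the resolvers.
EGRESS_POLICY = {
    ("tcp", 80): {"10.0.0.10"},
    ("tcp", 443): {"10.0.0.10"},
    ("udp", 53): {"10.0.0.53", "10.0.0.54"},
    ("tcp", 53): {"10.0.0.53", "10.0.0.54"},
    # no ("tcp", 22) entry: outbound SSH is not needed, so default deny drops it
}

# Constructed flow records in a "proto src:port -> dst:port" form.
SAMPLE_FLOWS = """\
tcp 10.0.0.10:51000 -> 203.0.113.5:80
tcp 10.0.5.21:51001 -> 203.0.113.5:80
udp 10.0.0.53:40000 -> 198.51.100.2:53
udp 10.0.5.21:40001 -> 198.51.100.9:53
tcp 10.0.5.22:51002 -> 203.0.113.7:22
tcp 10.0.5.23:51003 -> 203.0.113.8:4444
tcp 10.0.5.23:51004 -> 10.0.1.4:445
"""

def parse_flow(line):
    """Return (proto, src_ip, dst_ip, dst_port) from one flow line."""
    proto, src, _, dst = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dport = dst.rsplit(":", 1)
    return proto, src_ip, dst_ip, int(dport)

def check_flow(proto, src_ip, dst_ip, dport):
    """'allow', or the reason a default-deny egress policy would drop the flow."""
    if ipaddress.ip_address(dst_ip) in INTERNAL_NET:
        return "allow"  # internal-to-internal traffic is outside this policy
    allowed_sources = EGRESS_POLICY.get((proto, dport))
    if allowed_sources is None:
        return f"deny: no outbound rule for {proto}/{dport}"
    if src_ip not in allowed_sources:
        return f"deny: {src_ip} is not an approved source for {proto}/{dport}"
    return "allow"

def audit(flow_text):
    """Map each flow line to its verdict; every deny is a block or an alert."""
    return {line: check_flow(*parse_flow(line))
            for line in flow_text.splitlines() if line.strip()}
```

Run `audit(SAMPLE_FLOWS)` to see which of the sample flows a default-deny egress policy lets through; the workstation talking HTTP and DNS directly, the outbound SSH and the unknown port all come back as denies.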

Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

Please visit http://blog.snort.org for the latest news about Snort!