Configure Reverse Shell Detection
Configure Reverse Shell Detection on SRX Series Firewall
A reverse shell lets an attacker bypass firewalls and other security mechanisms by having the compromised host open the connection outward, instead of the attacker opening ports inbound to the target system. It exploits vulnerabilities in the target system to start a shell session and access the system remotely. Reverse shell detection helps you detect such shell attacks and prevent potential data theft. For more information, see the Juniper Advanced Threat Prevention Cloud User Guide.
To enable reverse shell detection on SRX Series Firewalls, include the following CLI configurations:
- Configure the SecIntel profile and policy. The profile matches sessions in the Reverse-Shell category at threat levels 7 through 10, permits them, and logs the match; the policy then binds the profile to the Reverse-Shell category.

    set services security-intelligence profile RevShellProfile category Reverse-Shell
    set services security-intelligence profile RevShellProfile rule RevShellRule1 match threat-level 7
    set services security-intelligence profile RevShellProfile rule RevShellRule1 match threat-level 8
    set services security-intelligence profile RevShellProfile rule RevShellRule1 match threat-level 9
    set services security-intelligence profile RevShellProfile rule RevShellRule1 match threat-level 10
    set services security-intelligence profile RevShellProfile rule RevShellRule1 then action permit
    set services security-intelligence profile RevShellProfile rule RevShellRule1 then log
    set services security-intelligence policy secintel_policy Reverse-Shell RevShellProfile
- Assign the SecIntel policy to a security firewall policy. Apply it in both directions (trust to untrust and untrust to trust) so that outbound connections from an internal host, which is how a reverse shell calls back, are inspected as well as inbound traffic.

    set security policies from-zone trust to-zone untrust policy atp_policy then permit application-services security-intelligence-policy secintel_policy
    set security policies from-zone untrust to-zone trust policy atp_policy then permit application-services security-intelligence-policy secintel_policy
Use the show services security-intelligence statistics command to view the security intelligence statistics.

show services security-intelligence statistics

    Logical system: root-logical-system
      Category Whitelist:
        Profile Whitelist:
          Total processed sessions: 1816
          Permit sessions: 0
          Reverse shell permit sessions: 0
      Category Blacklist:
        Profile Blacklist:
          Total processed sessions: 1816
          Block drop sessions: 0
      Category CC:
        Profile feed-cc-log-only:
          Total processed sessions: 0
          Permit sessions: 0
          Block drop sessions: 0
          Block close sessions: 0
          Close redirect sessions: 0
        Profile secintel_profile:
          Total processed sessions: 116
          Permit sessions: 0
          Block drop sessions: 0
          Block close sessions: 0
          Close redirect sessions: 0
      Category Infected-Hosts:
        Profile ih_profile:
          Total processed sessions: 116
          Permit sessions: 0
          Block drop sessions: 0
          Block close sessions: 0
          Close redirect sessions: 0
      Category Reverse-Shell:
        Profile RevShellProfile:
          Total processed sessions: 116
          Permit sessions: 0
          Block drop sessions: 0
          Block close sessions: 0
          Close redirect sessions: 0
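The statistics output is worth polling from a monitoring job: with the profile configured as permit plus log, a reverse shell match shows up as a nonzero counter under the Reverse-Shell profile rather than as a dropped session. The following Python script is an added example, not part of Juniper's documentation; it parses the indented "Category / Profile / counter" layout shown above and reports profiles in the Reverse-Shell category that matched sessions. The embedded sample output is constructed for the example, with the counter values made up.

```python
import re

# Constructed sample laid out like "show services security-intelligence statistics".
# Values are invented for this example, not taken from a live SRX.
SAMPLE = """\
Logical system: root-logical-system
  Category Whitelist:
    Profile Whitelist:
      Total processed sessions: 1816
      Permit sessions: 0
      Reverse shell permit sessions: 0
  Category Reverse-Shell:
    Profile RevShellProfile:
      Total processed sessions: 116
      Permit sessions: 3
      Block drop sessions: 0
      Block close sessions: 0
      Close redirect sessions: 0
"""


def parse_secintel_stats(text):
    """Return {category: {profile: {counter_name: int}}} from the CLI output."""
    stats, category, profile = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Category (\S+):$", line):
            category = stats.setdefault(m.group(1), {})
            profile = None
        elif m := re.match(r"Profile (\S+):$", line):
            # A Profile line is only meaningful under a Category header.
            profile = category.setdefault(m.group(1), {}) if category is not None else None
        elif m := re.match(r"(.+?):\s*(\d+)$", line):
            if profile is not None:
                profile[m.group(1)] = int(m.group(2))
    return stats


def reverse_shell_hits(stats):
    """Reverse-Shell profiles whose rules matched at least one session.

    With 'then action permit' and 'then log' as in the configuration above, a
    match is counted as a permitted session, so only 'Total processed sessions'
    is excluded: every other counter represents a rule hit to follow up in the
    SecIntel logs.
    """
    hits = {}
    for name, counters in stats.get("Reverse-Shell", {}).items():
        matched = sum(v for k, v in counters.items() if k != "Total processed sessions")
        if matched:
            hits[name] = matched
    return hits
```

Run it against the text captured from the device (for example over NETCONF or a scripted CLI session) and alert when reverse_shell_hits returns anything.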
Use the show services security-intelligence category summary command to view the summary of each security intelligence category.

show services security-intelligence category summary

    Category name :Whitelist
      Status :Enable
      Description :Whitelist data
      Update interval :300s
      TTL :3456000s
      Feed name :whitelist_domain
        logical-system :root-logical-system
        Vrf name :junos-default-vrf
        Version :20230714.1
        Objects number :0
        Create time :2023-07-14 10:05:33 PDT
        Update time :2023-09-06 13:21:14 PDT
        Update status :N/A
        Expired :Yes
        Status :Active
        Options :N/A
      Feed name :whitelist_ip
        logical-system :root-logical-system
        Vrf name :junos-default-vrf
        Version :20230714.1
        Objects number :0
        Create time :2023-07-14 10:05:31 PDT
        Update time :2023-09-06 13:21:14 PDT
        Update status :N/A
        Expired :Yes
        Status :Active
        Options :N/A
      Feed name :whitelist_reverse_shell_domain
        logical-system :root-logical-system
        Vrf name :junos-default-vrf
        Version :20230629.2
        Objects number :1
        Create time :2023-08-22 21:05:02 PDT
        Update time :2023-09-06 13:21:14 PDT
        Update status :Store succeeded
        Expired :No
        Status :Active
        Options :N/A
      Feed name :whitelist_reverse_shell_ip
        logical-system :root-logical-system
        Vrf name :junos-default-vrf
        Version :20230823.2
        Objects number :1
        Create time :2023-08-22 21:04:48 PDT
        Update time :2023-09-06 13:21:14 PDT
        Update status :Store succeeded
        Expired :No
        Status :Active
        Options :N/A