Configure Reverse Shell Detection on SRX Series Firewall
A reverse shell allows an attacker to bypass firewalls and other security mechanisms and open a channel into the target system. It exploits vulnerabilities in the target system to start a shell session and access the system remotely. Reverse shell detection helps you detect such shell attacks and prevent potential data theft. For more information, see the Juniper Advanced Threat Prevention Cloud User Guide.
To enable reverse shell detection on SRX Series Firewalls, include the following CLI configurations:
- Configure the SecIntel profile and policy. The rule below permits and logs sessions that match the Reverse-Shell category at threat levels 7 through 10, so it detects without blocking.

  [edit]
  user@host# set services security-intelligence profile RevShellProfile category Reverse-Shell
  user@host# set services security-intelligence profile RevShellProfile rule RevShellRule1 match threat-level 7
  user@host# set services security-intelligence profile RevShellProfile rule RevShellRule1 match threat-level 8
  user@host# set services security-intelligence profile RevShellProfile rule RevShellRule1 match threat-level 9
  user@host# set services security-intelligence profile RevShellProfile rule RevShellRule1 match threat-level 10
  user@host# set services security-intelligence profile RevShellProfile rule RevShellRule1 then action permit
  user@host# set services security-intelligence profile RevShellProfile rule RevShellRule1 then log
  user@host# set services security-intelligence policy secintel_policy Reverse-Shell RevShellProfile
- Assign the SecIntel policy to a security firewall policy in both directions between the trust and untrust zones.

  [edit]
  user@host# set security policies from-zone trust to-zone untrust policy atp_policy then permit application-services security-intelligence-policy secintel_policy
  user@host# set security policies from-zone untrust to-zone trust policy atp_policy then permit application-services security-intelligence-policy secintel_policy
Use the show services security-intelligence statistics command to view the security intelligence statistics.
show services security-intelligence statistics

user@host> show services security-intelligence statistics
Logical system: root-logical-system
  Category Whitelist:
    Profile Whitelist:
      Total processed sessions: 1816
      Permit sessions: 0
      Reverse shell permit sessions: 0
  Category Blacklist:
    Profile Blacklist:
      Total processed sessions: 1816
      Block drop sessions: 0
  Category CC:
    Profile feed-cc-log-only:
      Total processed sessions: 0
      Permit sessions: 0
      Block drop sessions: 0
      Block close sessions: 0
      Close redirect sessions: 0
    Profile secintel_profile:
      Total processed sessions: 116
      Permit sessions: 0
      Block drop sessions: 0
      Block close sessions: 0
      Close redirect sessions: 0
  Category Infected-Hosts:
    Profile ih_profile:
      Total processed sessions: 116
      Permit sessions: 0
      Block drop sessions: 0
      Block close sessions: 0
      Close redirect sessions: 0
  Category Reverse-Shell:
    Profile RevShellProfile:
      Total processed sessions: 116
      Permit sessions: 0
      Block drop sessions: 0
      Block close sessions: 0
      Close redirect sessions: 0
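When this output is collected from many firewalls (for example by a monitoring job over SSH), the useful signals are whether the Reverse-Shell profile is actually seeing sessions and whether any of its action counters have moved. The parser below is an added example written for this page, not Juniper code; it assumes the counter layout shown above and uses a constructed sample transcribed from the page's own output. It recovers the hierarchy from the "Category ...:" and "Profile ...:" headers rather than from indentation, so copy-pasted output with mangled whitespace still parses.

```python
"""Parse 'show services security-intelligence statistics' output from an SRX
and pull out the Reverse-Shell counters.

Added example for this page; not Juniper code. The sample text below is
constructed to mirror the page's own output (same categories and numbers).
"""
import re
from collections import defaultdict

# Constructed sample, transcribed from the page's example output.
SAMPLE_STATS = """\
Logical system: root-logical-system
  Category Whitelist:
    Profile Whitelist:
      Total processed sessions: 1816
      Permit sessions: 0
      Reverse shell permit sessions: 0
  Category Blacklist:
    Profile Blacklist:
      Total processed sessions: 1816
      Block drop sessions: 0
  Category Reverse-Shell:
    Profile RevShellProfile:
      Total processed sessions: 116
      Permit sessions: 0
      Block drop sessions: 0
      Block close sessions: 0
      Close redirect sessions: 0
"""

# Counters that mean the profile acted on a session, i.e. a feed entry matched.
ACTION_COUNTERS = (
    "Permit sessions",
    "Block drop sessions",
    "Block close sessions",
    "Close redirect sessions",
)

CATEGORY_RE = re.compile(r"^Category\s+(\S+):$")
PROFILE_RE = re.compile(r"^Profile\s+(\S+):$")
# Only "Name: <integer>" lines are counters; "Logical system: root-..." is skipped.
COUNTER_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z ]*?):\s*(?P<value>\d+)$")


def parse_secintel_statistics(text):
    """Return {category: {profile: {counter_name: int}}}."""
    stats = defaultdict(lambda: defaultdict(dict))
    category = profile = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CATEGORY_RE.match(line)
        if m:
            category, profile = m.group(1), None
            continue
        m = PROFILE_RE.match(line)
        if m and category:
            profile = m.group(1)
            continue
        m = COUNTER_RE.match(line)
        if m and category and profile:
            stats[category][profile][m.group("name")] = int(m.group("value"))
    return {c: dict(p) for c, p in stats.items()}


def reverse_shell_hits(stats, profile="RevShellProfile"):
    """Sessions on which the Reverse-Shell profile matched a feed entry (sum of
    the action counters). With the page's permit-and-log rule, a non-zero value
    here is the signal to go look at the logs; 0 means nothing has fired."""
    counters = stats.get("Reverse-Shell", {}).get(profile, {})
    return sum(counters.get(name, 0) for name in ACTION_COUNTERS)


def profile_sees_traffic(stats, category, profile):
    """True if the profile has processed at least one session. A configured
    profile with 0 processed sessions usually means the SecIntel policy was
    never attached to a security policy (the second step on this page)."""
    counters = stats.get(category, {}).get(profile)
    return bool(counters) and counters.get("Total processed sessions", 0) > 0


if __name__ == "__main__":
    parsed = parse_secintel_statistics(SAMPLE_STATS)
    print("reverse-shell hits:", reverse_shell_hits(parsed))
    print("RevShellProfile sees traffic:",
          profile_sees_traffic(parsed, "Reverse-Shell", "RevShellProfile"))
```

For the page's sample the profile reports 116 processed sessions and zero hits, which is the healthy baseline: the policy is in the traffic path, and no session has yet matched a reverse-shell feed entry.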
Use the show services security-intelligence category summary command to view the summary of each security intelligence category and its feeds.
show services security-intelligence category summary

user@host> show services security-intelligence category summary
Category name :Whitelist
  Status :Enable
  Description :Whitelist data
  Update interval :300s
  TTL :3456000s
  Feed name :whitelist_domain
    logical-system:root-logical-system
    Vrf name :junos-default-vrf
    Version :20230714.1
    Objects number:0
    Create time :2023-07-14 10:05:33 PDT
    Update time :2023-09-06 13:21:14 PDT
    Update status :N/A
    Expired :Yes
    Status :Active
    Options :N/A
  Feed name :whitelist_ip
    logical-system:root-logical-system
    Vrf name :junos-default-vrf
    Version :20230714.1
    Objects number:0
    Create time :2023-07-14 10:05:31 PDT
    Update time :2023-09-06 13:21:14 PDT
    Update status :N/A
    Expired :Yes
    Status :Active
    Options :N/A
  Feed name :whitelist_reverse_shell_domain
    logical-system:root-logical-system
    Vrf name :junos-default-vrf
    Version :20230629.2
    Objects number:1
    Create time :2023-08-22 21:05:02 PDT
    Update time :2023-09-06 13:21:14 PDT
    Update status :Store succeeded
    Expired :No
    Status :Active
    Options :N/A
  Feed name :whitelist_reverse_shell_ip
    logical-system:root-logical-system
    Vrf name :junos-default-vrf
    Version :20230823.2
    Objects number:1
    Create time :2023-08-22 21:04:48 PDT
    Update time :2023-09-06 13:21:14 PDT
    Update status :Store succeeded
    Expired :No
    Status :Active
    Options :N/A
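The category summary is where you confirm that the feeds behind the detection are actually loaded: a feed marked Expired :Yes with Objects number:0 contributes nothing, while the reverse-shell whitelist feeds above show Store succeeded and one object each. The parser below is an added example for this page, not Juniper code; it assumes the "Key :Value" record layout shown above and embeds a constructed sample transcribed from the page's output.

```python
"""Parse 'show services security-intelligence category summary' output and
flag feeds that are expired or empty.

Added example for this page; not Juniper code. The sample is constructed from
the page's own output.
"""
import re

# Constructed sample, transcribed from the page's example output.
SAMPLE_SUMMARY = """\
Category name :Whitelist
  Status :Enable
  Description :Whitelist data
  Update interval :300s
  TTL :3456000s
  Feed name :whitelist_domain
    logical-system:root-logical-system
    Version :20230714.1
    Objects number:0
    Update time :2023-09-06 13:21:14 PDT
    Update status :N/A
    Expired :Yes
    Status :Active
  Feed name :whitelist_reverse_shell_domain
    logical-system:root-logical-system
    Version :20230629.2
    Objects number:1
    Update time :2023-09-06 13:21:14 PDT
    Update status :Store succeeded
    Expired :No
    Status :Active
  Feed name :whitelist_reverse_shell_ip
    logical-system:root-logical-system
    Version :20230823.2
    Objects number:1
    Update time :2023-09-06 13:21:14 PDT
    Update status :Store succeeded
    Expired :No
    Status :Active
"""

# "Key :Value" or "Key:Value"; the key may contain spaces or hyphens, and the
# value may itself contain colons (timestamps), so the key match is lazy.
KV_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z -]*?)\s*:\s*(?P<value>.*)$")


def parse_category_summary(text):
    """Return a list of categories: {"name", "attrs", "feeds": [{"name", ...}]}.

    Indentation is ignored; 'Category name' and 'Feed name' keys open a new
    category or feed record and every other key attaches to the open record.
    """
    categories = []
    category = feed = None
    for raw in text.splitlines():
        m = KV_RE.match(raw.strip())
        if not m:
            continue
        key, value = m.group("key"), m.group("value").strip()
        if key == "Category name":
            category = {"name": value, "attrs": {}, "feeds": []}
            categories.append(category)
            feed = None
        elif key == "Feed name" and category is not None:
            feed = {"name": value}
            category["feeds"].append(feed)
        elif feed is not None:
            feed[key] = value
        elif category is not None:
            category["attrs"][key] = value
    return categories


def all_feeds(categories):
    return [f for c in categories for f in c["feeds"]]


def expired_feeds(categories):
    """Names of feeds the device reports as Expired :Yes."""
    return [f["name"] for f in all_feeds(categories) if f.get("Expired") == "Yes"]


def reverse_shell_feed_status(categories):
    """{feed_name: object_count} for the reverse-shell feeds. An entry with 0
    objects means the detection has nothing to match against on this device."""
    return {
        f["name"]: int(f.get("Objects number", "0"))
        for f in all_feeds(categories)
        if "reverse_shell" in f["name"]
    }


if __name__ == "__main__":
    cats = parse_category_summary(SAMPLE_SUMMARY)
    print("expired feeds:", expired_feeds(cats))
    print("reverse-shell feeds:", reverse_shell_feed_status(cats))
```

Run against the page's sample, the check reports whitelist_domain as expired and the two reverse-shell whitelist feeds as loaded with one object each, which matches what a reviewer would conclude from reading the output by hand.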