Configure Reverse Shell Detection
Configure Reverse Shell Detection on SRX Series Firewalls
A reverse shell lets an attacker bypass firewalls and other security controls: instead of the attacker connecting in to the target, the compromised host initiates an outbound connection back to the attacker's listener, so inbound filtering that blocks unsolicited connections does not stop it. The attacker typically exploits a vulnerability on the target system to start the shell session and then uses it to access the system remotely. Reverse shell detection helps you detect these shell sessions and prevent potential data theft. For more information, see the Juniper Advanced Threat Prevention Cloud User Guide.
To enable reverse shell detection on an SRX Series Firewall, include the following CLI configuration:
- Configure the SecIntel profile and policy. The profile below belongs to the Reverse-Shell category and matches threat levels 7 through 10. Its rule action is permit with logging, so matching sessions are logged but not blocked; keep that in mind when reading the statistics later.

set services security-intelligence profile RevShellProfile category Reverse-Shell
set services security-intelligence profile RevShellProfile rule RevShellRule1 match threat-level 7
set services security-intelligence profile RevShellProfile rule RevShellRule1 match threat-level 8
set services security-intelligence profile RevShellProfile rule RevShellRule1 match threat-level 9
set services security-intelligence profile RevShellProfile rule RevShellRule1 match threat-level 10
set services security-intelligence profile RevShellProfile rule RevShellRule1 then action permit
set services security-intelligence profile RevShellProfile rule RevShellRule1 then log
set services security-intelligence policy secintel_policy Reverse-Shell RevShellProfile
- Assign the SecIntel policy to the security firewall policy. The policy is applied in both directions here; the trust-to-untrust direction is the one that carries the compromised host's outbound connection to the attacker's listener.

set security policies from-zone trust to-zone untrust policy atp_policy then permit application-services security-intelligence-policy secintel_policy
set security policies from-zone untrust to-zone trust policy atp_policy then permit application-services security-intelligence-policy secintel_policy
Use the show services security-intelligence statistics command to view the security intelligence statistics. The Category Reverse-Shell section reports the sessions processed by RevShellProfile and how many of them were permitted or blocked. Because the rule above uses action permit with log, detected reverse shells appear under Permit sessions rather than under the Block counters.

show services security-intelligence statistics
Logical system: root-logical-system
Category Whitelist:
  Profile Whitelist:
    Total processed sessions: 1816
    Permit sessions: 0
    Reverse shell permit sessions: 0
Category Blacklist:
  Profile Blacklist:
    Total processed sessions: 1816
    Block drop sessions: 0
Category CC:
  Profile feed-cc-log-only:
    Total processed sessions: 0
    Permit sessions: 0
    Block drop sessions: 0
    Block close sessions: 0
    Close redirect sessions: 0
  Profile secintel_profile:
    Total processed sessions: 116
    Permit sessions: 0
    Block drop sessions: 0
    Block close sessions: 0
    Close redirect sessions: 0
Category Infected-Hosts:
  Profile ih_profile:
    Total processed sessions: 116
    Permit sessions: 0
    Block drop sessions: 0
    Block close sessions: 0
    Close redirect sessions: 0
Category Reverse-Shell:
  Profile RevShellProfile:
    Total processed sessions: 116
    Permit sessions: 0
    Block drop sessions: 0
    Block close sessions: 0
    Close redirect sessions: 0
Use the show services security-intelligence category summary command to view a summary of the security intelligence categories and their feeds. For each feed, check the Update status and Expired fields: a feed showing Expired :Yes is no longer being refreshed. The output also lists the whitelist_reverse_shell_domain and whitelist_reverse_shell_ip feeds, which are the allowlists that exempt known-good domains and IP addresses from reverse shell detection.

show services security-intelligence category summary
Category name :Whitelist
Status :Enable
Description :Whitelist data
Update interval :300s
TTL :3456000s

Feed name :whitelist_domain
logical-system:root-logical-system
Vrf name :junos-default-vrf
Version :20230714.1
Objects number:0
Create time :2023-07-14 10:05:33 PDT
Update time :2023-09-06 13:21:14 PDT
Update status :N/A
Expired :Yes
Status :Active
Options :N/A

Feed name :whitelist_ip
logical-system:root-logical-system
Vrf name :junos-default-vrf
Version :20230714.1
Objects number:0
Create time :2023-07-14 10:05:31 PDT
Update time :2023-09-06 13:21:14 PDT
Update status :N/A
Expired :Yes
Status :Active
Options :N/A

Feed name :whitelist_reverse_shell_domain
logical-system:root-logical-system
Vrf name :junos-default-vrf
Version :20230629.2
Objects number:1
Create time :2023-08-22 21:05:02 PDT
Update time :2023-09-06 13:21:14 PDT
Update status :Store succeeded
Expired :No
Status :Active
Options :N/A

Feed name :whitelist_reverse_shell_ip
logical-system:root-logical-system
Vrf name :junos-default-vrf
Version :20230823.2
Objects number:1
Create time :2023-08-22 21:04:48 PDT
Update time :2023-09-06 13:21:14 PDT
Update status :Store succeeded
Expired :No
Status :Active
Options :N/A
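The two show commands above are what an operator reads after enabling detection. The following Python script is an added example, not part of this page or of Junos OS: it parses the text of both command outputs as a monitoring job would (for instance after collecting them over SSH), and flags two conditions worth acting on: sessions that the log-only Reverse-Shell rule permitted, and feeds that the category summary reports as expired. The sample outputs embedded below are constructed to match the format shown on this page (the Permit sessions value of 3 is made up to exercise the check), and all function and field names are this example's own.

```python
"""Parse SRX SecIntel CLI output and flag reverse-shell-related conditions.

Added example. STATS_SAMPLE and SUMMARY_SAMPLE are constructed to mirror the
format of the two show commands on this page; they are not live device output.
"""
import re

# Constructed sample of "show services security-intelligence statistics"
STATS_SAMPLE = """\
Logical system: root-logical-system
Category Whitelist:
  Profile Whitelist:
    Total processed sessions: 1816
    Permit sessions: 0
    Reverse shell permit sessions: 0
Category Blacklist:
  Profile Blacklist:
    Total processed sessions: 1816
    Block drop sessions: 0
Category Reverse-Shell:
  Profile RevShellProfile:
    Total processed sessions: 116
    Permit sessions: 3
    Block drop sessions: 0
    Block close sessions: 0
    Close redirect sessions: 0
"""

# Constructed sample of "show services security-intelligence category summary"
SUMMARY_SAMPLE = """\
Category name :Whitelist
Status :Enable
Description :Whitelist data
Feed name :whitelist_domain
Vrf name :junos-default-vrf
Objects number:0
Update time :2023-09-06 13:21:14 PDT
Update status :N/A
Expired :Yes
Status :Active
Feed name :whitelist_reverse_shell_ip
Vrf name :junos-default-vrf
Objects number:1
Update time :2023-09-06 13:21:14 PDT
Update status :Store succeeded
Expired :No
Status :Active
"""


def parse_statistics(text):
    """Return {category: {profile: {counter_name: int}}} from the statistics output."""
    stats, category, profile = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^Category (\S+):$", line)
        if m:
            category = m.group(1)
            stats.setdefault(category, {})
            continue
        m = re.match(r"^Profile (\S+):$", line)
        if m and category is not None:
            profile = m.group(1)
            stats[category].setdefault(profile, {})
            continue
        # Counter lines look like "Permit sessions: 3"
        m = re.match(r"^(.+?):\s*(\d+)$", line)
        if m and category is not None and profile is not None:
            stats[category][profile][m.group(1)] = int(m.group(2))
    return stats


def parse_category_summary(text):
    """Return a list of feed records {category, name, objects, expired, update_status}."""
    feeds, category, feed = [], None, None
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        # Split on the first colon only; timestamps contain further colons.
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Category name":
            category, feed = value, None          # "Status :Enable" that follows is category-level
        elif key == "Feed name":
            feed = {"category": category, "name": value}
            feeds.append(feed)
        elif feed is not None:
            if key == "Objects number":
                feed["objects"] = int(value)
            elif key == "Expired":
                feed["expired"] = (value == "Yes")
            elif key == "Update status":
                feed["update_status"] = value
    return feeds


def reverse_shell_findings(stats, feeds):
    """Flag permitted reverse shell sessions and expired feeds; returns a list of strings."""
    findings = []
    for profile, counters in stats.get("Reverse-Shell", {}).items():
        permitted = counters.get("Permit sessions", 0)
        if permitted:
            # With "then action permit" + "then log", a hit is logged but allowed through.
            findings.append(f"{profile}: {permitted} reverse shell session(s) permitted by log-only rule")
    for feed in feeds:
        if feed.get("expired"):
            findings.append(f"feed {feed['name']} ({feed['category']}) is expired, last status {feed.get('update_status')}")
    return findings


if __name__ == "__main__":
    for finding in reverse_shell_findings(parse_statistics(STATS_SAMPLE),
                                          parse_category_summary(SUMMARY_SAMPLE)):
        print("WARN", finding)
```

Feed the script the real output of both commands, in place of the constructed samples, and run it on a schedule; a non-empty findings list on the Reverse-Shell profile means the detection fired but the permit action let the session through, which is the moment to pull the session logs and decide whether the rule action should be tightened for that deployment.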