Configure Reverse Shell Detection on SRX Series Firewall
A reverse shell lets an attacker bypass firewalls and other security mechanisms that block inbound connections: instead of the attacker opening a port on the target, the compromised target system opens an outbound connection back to the attacker. The attacker exploits vulnerabilities in the target system to start a shell session over that connection and control the system remotely. Reverse shell detection helps you detect such shell sessions and prevent potential data theft. For more information, see the Juniper Advanced Threat Prevention Cloud User Guide.
To enable reverse shell detection on SRX Series Firewalls, include the following CLI configuration:
- Configure the security intelligence (SecIntel) profile and policy. The profile below matches the Reverse-Shell category at threat levels 7 through 10; with the action permit and log, matching sessions are allowed through and a log entry is generated for each one.
set services security-intelligence profile RevShellProfile category Reverse-Shell
set services security-intelligence profile RevShellProfile rule RevShellRule1 match threat-level 7
set services security-intelligence profile RevShellProfile rule RevShellRule1 match threat-level 8
set services security-intelligence profile RevShellProfile rule RevShellRule1 match threat-level 9
set services security-intelligence profile RevShellProfile rule RevShellRule1 match threat-level 10
set services security-intelligence profile RevShellProfile rule RevShellRule1 then action permit
set services security-intelligence profile RevShellProfile rule RevShellRule1 then log
set services security-intelligence policy secintel_policy Reverse-Shell RevShellProfile
- Assign the SecIntel policy to a security firewall policy. It is attached in both directions so that traffic from either zone is inspected.
set security policies from-zone trust to-zone untrust policy atp_policy then permit application-services security-intelligence-policy secintel_policy
set security policies from-zone untrust to-zone trust policy atp_policy then permit application-services security-intelligence-policy secintel_policy
Use the show services security-intelligence statistics command to view the SecIntel statistics.
show services security-intelligence statistics
Logical system: root-logical-system
Category Whitelist:
Profile Whitelist:
Total processed sessions: 1816
Permit sessions: 0
Reverse shell permit sessions: 0
Category Blacklist:
Profile Blacklist:
Total processed sessions: 1816
Block drop sessions: 0
Category CC:
Profile feed-cc-log-only:
Total processed sessions: 0
Permit sessions: 0
Block drop sessions: 0
Block close sessions: 0
Close redirect sessions: 0
Profile secintel_profile:
Total processed sessions: 116
Permit sessions: 0
Block drop sessions: 0
Block close sessions: 0
Close redirect sessions: 0
Category Infected-Hosts:
Profile ih_profile:
Total processed sessions: 116
Permit sessions: 0
Block drop sessions: 0
Block close sessions: 0
Close redirect sessions: 0
Category Reverse-Shell:
Profile RevShellProfile:
Total processed sessions: 116
Permit sessions: 0
Block drop sessions: 0
Block close sessions: 0
Close redirect sessions: 0
Use the show services security-intelligence category summary command to view a summary of the SecIntel categories and their feeds.
show services security-intelligence category summary
Category name :Whitelist
Status :Enable
Description :Whitelist data
Update interval :300s
TTL :3456000s
Feed name :whitelist_domain
logical-system:root-logical-system
Vrf name :junos-default-vrf
Version :20230714.1
Objects number:0
Create time :2023-07-14 10:05:33 PDT
Update time :2023-09-06 13:21:14 PDT
Update status :N/A
Expired :Yes
Status :Active
Options :N/A
Feed name :whitelist_ip
logical-system:root-logical-system
Vrf name :junos-default-vrf
Version :20230714.1
Objects number:0
Create time :2023-07-14 10:05:31 PDT
Update time :2023-09-06 13:21:14 PDT
Update status :N/A
Expired :Yes
Status :Active
Options :N/A
Feed name :whitelist_reverse_shell_domain
logical-system:root-logical-system
Vrf name :junos-default-vrf
Version :20230629.2
Objects number:1
Create time :2023-08-22 21:05:02 PDT
Update time :2023-09-06 13:21:14 PDT
Update status :Store succeeded
Expired :No
Status :Active
Options :N/A
Feed name :whitelist_reverse_shell_ip
logical-system:root-logical-system
Vrf name :junos-default-vrf
Version :20230823.2
Objects number:1
Create time :2023-08-22 21:04:48 PDT
Update time :2023-09-06 13:21:14 PDT
Update status :Store succeeded
Expired :No
Status :Active
Options :N/A
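The two show commands above are the operator's view of whether reverse shell detection is working. As an added example (not Juniper's code and not part of this page's original content), the following Python script parses the text of both outputs so the counters and feed state can be checked from a monitoring job instead of by eye: it reads the per-profile counters from the statistics output and flags any feed whose Expired field is Yes in the category summary, since an expired feed means the firewall is matching against stale data. The sample text is a constructed excerpt of the output shown on this page; the idea that the action counters (Permit, Block drop, Block close, Close redirect) together count the sessions that matched a rule is this example's reading of the output, not a statement from the page.

```python
"""Parse SRX SecIntel CLI output for reverse-shell monitoring (added example)."""
import re

# Constructed excerpt of 'show services security-intelligence statistics'
# output as shown on this page.
STATS_SAMPLE = """\
Logical system: root-logical-system
Category Whitelist:
Profile Whitelist:
Total processed sessions: 1816
Permit sessions: 0
Reverse shell permit sessions: 0
Category Reverse-Shell:
Profile RevShellProfile:
Total processed sessions: 116
Permit sessions: 0
Block drop sessions: 0
Block close sessions: 0
Close redirect sessions: 0
"""

# Constructed excerpt of 'show services security-intelligence category summary'
# output as shown on this page (one expired feed, one current feed).
SUMMARY_SAMPLE = """\
Category name :Whitelist
Status :Enable
Description :Whitelist data
Update interval :300s
TTL :3456000s
Feed name :whitelist_domain
logical-system:root-logical-system
Version :20230714.1
Objects number:0
Update status :N/A
Expired :Yes
Status :Active
Feed name :whitelist_reverse_shell_ip
logical-system:root-logical-system
Version :20230823.2
Objects number:1
Update status :Store succeeded
Expired :No
Status :Active
"""

# Counters that, in this example's reading, count sessions that matched a rule.
ACTION_COUNTERS = ("Permit sessions", "Block drop sessions",
                   "Block close sessions", "Close redirect sessions")


def parse_statistics(text):
    """Return {category: {profile: {counter_name: int}}} from statistics output."""
    stats = {}
    category = profile = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Category (\S+):$", line)
        if m:
            category, profile = m.group(1), None
            stats.setdefault(category, {})
            continue
        m = re.match(r"Profile (\S+):$", line)
        if m and category:
            profile = m.group(1)
            stats[category][profile] = {}
            continue
        m = re.match(r"(.+?):\s*(\d+)$", line)  # "<counter name>: <integer>"
        if m and category and profile:
            stats[category][profile][m.group(1)] = int(m.group(2))
    return stats


def parse_category_summary(text):
    """Return a list of categories, each with its own fields and a list of feeds."""
    categories, current_cat, current_feed = [], None, None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # first colon only; timestamps keep theirs
        key, value = key.strip(), value.strip()
        if key == "Category name":
            current_cat, current_feed = {"name": value, "feeds": []}, None
            categories.append(current_cat)
        elif key == "Feed name" and current_cat is not None:
            current_feed = {"name": value}
            current_cat["feeds"].append(current_feed)
        elif current_feed is not None:
            current_feed[key] = value  # per-feed field (Version, Expired, ...)
        elif current_cat is not None:
            current_cat[key] = value   # category-level field (TTL, Update interval, ...)
    return categories


def reverse_shell_report(stats_text, summary_text):
    """Summarise matched sessions per Reverse-Shell profile and list expired feeds."""
    profiles = parse_statistics(stats_text).get("Reverse-Shell", {})
    matched = {name: sum(counters.get(c, 0) for c in ACTION_COUNTERS)
               for name, counters in profiles.items()}
    expired = [feed["name"] for cat in parse_category_summary(summary_text)
               for feed in cat["feeds"] if feed.get("Expired") == "Yes"]
    return {"reverse_shell_profiles": matched, "expired_feeds": expired}


if __name__ == "__main__":
    print(reverse_shell_report(STATS_SAMPLE, SUMMARY_SAMPLE))
```

In practice the two strings would be replaced by the output captured from the device (for example over NETCONF or an SSH session), and a non-empty expired_feeds list or a rising matched-session count for RevShellProfile is what an operator would alert on.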