security talk & philosophizing



Detecting Reverse Shells

The following rules might be useful in detecting reverse shells with Suricata:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Reverse Shell detected"; content:"bash -i >& /dev/tcp/"; depth:20; classtype:trojan-activity; sid:10001; rev:1;)

# or use for testing purposes:
# alert tcp any any -> any any (msg:"Possible Reverse Shell detected"; content:"bash -i >& /dev/tcp/"; depth:20; classtype:trojan-activity; sid:10001; rev:1;)

This rule will alert on incoming TCP traffic from external networks to your internal network containing the string “bash -i >& /dev/tcp/”, the start of a common bash reverse shell one-liner.

Variations can be implemented, such as matching /bin/sh or other ways of handing out a shell.

Note that the depth option is set to 20, which means the string must be present within the first 20 bytes of the payload; since the string itself is exactly 20 bytes long, it has to sit at the very start of the payload. The classtype is set to trojan-activity.