OPNsense Forum

English Forums => General Discussion => Topic started by: newman87 on January 31, 2022, 09:23:25 PM

Title: How to block Reverse shell if infected?
Post by: newman87 on January 31, 2022, 09:23:25 PM
Hi,
my question is: In case I am infected with a Reverse shell connection e.g. Meterpreter from Metasploit, is there any way to block this using OPNsense? (Without using Suricata for detection and prevention)
I read that Meterpreter can escape firewall, proxy server etc. So, is this possible to block it? How?
Thanks
Title: Re: How to block Reverse shell if infected?
Post by: lfirewall1243 on February 01, 2022, 08:13:47 AM
Basically it is just normal traffic.
If you know the Ports or destination IPs you can block them, but if the attacker changes them the traffic will pass.
Title: Re: How to block Reverse shell if infected?
Post by: chemlud on February 01, 2022, 08:26:51 AM
Allow outgoing only the absolutely necessary ports and protocols. Windows is a little picky on that though... ;-) With some firewalls (on Windows: Gdata) you can block traffic (even outgoing) on the level of the application (again: Windows needs so many "allow" trash for the OS, hard to know the difference from malware in the first place).

Put different classes of clients in different physical subnets. If you don't want to run suricata it's the best you can do.
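An added illustration (not from this thread, and not OPNsense's own code) of the two points made above: a default-deny outbound allow-list per client subnet stops a reverse shell on an arbitrary port, but a payload that uses an allowed port such as 443 passes it. The subnets, ports and sample flows are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_net: str           # client subnet the rule applies to
    dst_net: str           # destination network ("0.0.0.0/0" = anywhere)
    proto: str             # "tcp" or "udp"
    dst_ports: frozenset   # allowed destination ports; empty = any port
    action: str            # "pass" or "block"

# Hypothetical egress policy: only what the clients actually need is passed,
# everything else falls through to the default block. First match wins,
# like an OPNsense/pf rule with "quick" set.
RULES = [
    Rule("10.10.20.0/24", "10.10.1.53/32", "udp", frozenset({53}), "pass"),    # DNS only to the local resolver
    Rule("10.10.20.0/24", "0.0.0.0/0",     "tcp", frozenset({80, 443}), "pass"),  # web browsing
    Rule("10.10.30.0/24", "10.10.1.0/24",  "tcp", frozenset({445}), "pass"),   # server VLAN -> file server only
]
DEFAULT_ACTION = "block"

def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> str:
    """Return the action the policy takes for one outbound connection attempt."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in RULES:
        if (src in ipaddress.ip_network(r.src_net)
                and dst in ipaddress.ip_network(r.dst_net)
                and proto == r.proto
                and (not r.dst_ports or dst_port in r.dst_ports)):
            return r.action
    return DEFAULT_ACTION

# Constructed sample flows, as a defender would replay them against the policy.
FLOWS = [
    ("10.10.20.15", "203.0.113.7", "tcp", 4444),  # classic reverse shell port: blocked
    ("10.10.20.15", "203.0.113.7", "tcp", 443),   # same callback over an allowed port: passes
    ("10.10.20.15", "198.51.100.9", "udp", 53),   # DNS to an outside resolver (tunnel risk): blocked
    ("10.10.30.8",  "203.0.113.7", "tcp", 443),   # server VLAN has no web allowance: blocked
]

def audit(flows=FLOWS):
    """Pair each flow with the policy decision so the gaps are visible."""
    return [(f, evaluate(*f)) for f in flows]

if __name__ == "__main__":
    for flow, action in audit():
        print(action.upper(), flow)
```

The 443 case is the limitation lfirewall1243 describes: port-based egress filtering only raises the bar, which is why the per-subnet separation and per-application control above matter.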
Title: Re: How to block Reverse shell if infected?
Post by: newman87 on February 01, 2022, 07:06:51 PM
Will Suricata detect and then block a Reverse shell connection? As far as I can see, Suricata only alerts for Bad traffic, you need to manually block Bad traffic and then Suricata will block the same traffic. Is there any way to automatically block first seen Bad Traffic?
Cheers