topic Prevent abnormal PHP webshell by Snort2 in Network Security

Prevent abnormal PHP webshell by Snort2

alexseo — Wed, 20 Mar 2024 04:55:07 GMT

I have experienced the PHP webshell from the public webserver. Luckily, it was detected by 3rd party vendor and blocked successfully. [1][2] Most of all, I want to protect it by the Snort 2 on our environment at the first stage. But I want to know which rule I should need to enable it and drop it. Could you kindly advise?

Device: Cisco ASA 5516-X

OS: FTD 7.0.6.1

Snort version: 2

Reference

[1] VirusTotal - File - 426ae4cfacc597706bbc0f540ae234843e916987c828ec69ae7df4d8c912464d

[2] Talos File Reputation Lookup || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence

Re: Prevent abnormal PHP webshell by Snort2

Ruben Cocheno — Wed, 20 Mar 2024 11:37:38 GMT

@alexseo

The IOCs should be part of your signatures assuming that you have the proper licenses in use, if it is something that needs some tweaking then you need to create a customized snort Rule for it.

https://www.cisco.com/c/en/us/td/docs/security/firepower/610/fdm/fptd-fdm-config-guide-610/fptd-fdm-license.html

Re: Prevent abnormal PHP webshell by Snort2

alexseo — Thu, 21 Mar 2024 02:09:16 GMT

Dear @Ruben Cocheno

Thank you for your reply.

Yes, I have the proper licenses (Base, Threat, and Malware) already, and in use for a long time.

Most of all, I want to protect the general webshell using the Snort2 rule. I tried to find the general webshell rule in Snort 2, but do not know which one I should need to enable it to drop it as there are many similar rules.

The source code of webshell that I experienced. (See the Source code.png)

The attached figure (see the Talos_Result.png)shows the "DETECTION ALIASES" from this source code file, but hard to match it in the Snort 2. Is there any way to find the exact/similar rule in the Snort2? Please kindly advise.

Thank you.

Regards,

Alex