03-19-2024 09:55 PM
Hi
I experienced a PHP webshell on the public webserver. Luckily, it was detected by a 3rd-party vendor and blocked successfully. [1][2] Most of all, I want to protect against it with Snort 2 in our environment as the first stage, but I want to know which rule I need to enable to drop it. Could you kindly advise?
Device: Cisco ASA 5516-X
OS: FTD 7.0.6.1
Snort version: 2
Reference
[1] VirusTotal - File - 426ae4cfacc597706bbc0f540ae234843e916987c828ec69ae7df4d8c912464d
[2] Talos File Reputation Lookup - Cisco Talos Intelligence Group
03-20-2024 04:37 AM - edited 03-20-2024 04:37 AM
The IOCs should be part of your signatures, assuming that you have the proper licenses in use. If it is something that needs some tweaking, then you need to create a customized Snort rule for it.
03-20-2024 07:09 PM
Dear @Ruben Cocheno
Thank you for your reply.
Yes, I already have the proper licenses (Base, Threat, and Malware), and they have been in use for a long time.
Most of all, I want to protect against generic webshells using Snort 2 rules. I tried to find a generic webshell rule in Snort 2, but I do not know which one I need to enable to drop it, as there are many similar rules.
The source code of the webshell that I experienced (see Source code.png).
The attached figure (see Talos_Result.png) shows the "DETECTION ALIASES" for this source code file, but it is hard to match them to Snort 2 rules. Is there any way to find the exact or a similar rule in Snort 2? Please kindly advise.
Thank you.
Regards,
Alex
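One way to answer "which rule do I enable?" is to search a Snort 2 rule file by message text and SID and, for a standalone sensor, rewrite matching rules from alert to drop. The script below is an added example, not part of this thread or of any Cisco or Talos rule set; the rule lines it parses are constructed samples in the local SID range (1000000+), not real Talos signatures.

```python
import re

# Constructed sample rule file (local SIDs only; not Talos rules).
SAMPLE_RULES = """\
# local.rules - constructed examples for illustration
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL PHP webshell eval/base64 upload attempt"; flow:to_server,established; content:"eval|28|"; http_client_body; content:"base64_decode"; http_client_body; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL generic webshell command parameter"; flow:to_server,established; content:"cmd="; http_uri; classtype:web-application-attack; sid:1000002; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"LOCAL unrelated DNS tunneling check"; sid:1000003; rev:1;)
"""

# Snort 2 rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|sdrop|reject|pass|log)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')


def _split_options(opts):
    """Split the option body on ';' but not inside double quotes
    (escaped quotes inside content strings are not handled)."""
    parts, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf).strip())
    return [p for p in parts if p]


def parse_rule(line):
    """Return a dict for one rule line, or None for comments/blank lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rule = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    rule['options'] = {}
    for opt in _split_options(m.group('opts')):
        name, _, value = opt.partition(':')          # modifiers like http_uri have no value
        rule['options'].setdefault(name.strip(), []).append(value.strip().strip('"'))
    for key in ('msg', 'sid', 'rev', 'classtype'):    # single-valued keys, lifted for convenience
        rule[key] = rule['options'].get(key, [None])[0]
    return rule


def find_rules(rules_text, keyword):
    """List (sid, action, msg) for every rule whose msg contains keyword (case-insensitive)."""
    keyword = keyword.lower()
    return [(r['sid'], r['action'], r['msg']) for r in map(parse_rule, rules_text.splitlines())
            if r and r['msg'] and keyword in r['msg'].lower()]


def set_action(line, new_action='drop'):
    """Rewrite the action keyword of a rule line (e.g. alert -> drop) for an inline sensor."""
    rule = parse_rule(line)
    if rule is None:
        raise ValueError('not a Snort 2 rule line')
    return new_action + line.strip()[len(rule['action']):]
```

On FTD the equivalent step is setting the rule state to "Drop and Generate Events" in the intrusion policy rather than editing rule text; set_action is for a standalone Snort 2 sensor.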