Linux

Linux Yara Rules

global rule php_file

{

strings:

$php = /<\?[^x]/

condition:

$php

}

rule common_webshell_keywords {

meta:

description = "Common Web Shell Keywords"

author = "RET"

reference = "https://www.acunetix.com/blog/articles/detection-prevention-introduction-web-shells-part-5/"

date = "2021/11/19"

strings:

condition:

$s1

}

Linux osquery Daemon Configuration

{

// Configure the daemon below: test file

"options": {

// Select the osquery config plugin.

"config_plugin": "filesystem",

// Select the osquery logging plugin.

"logger_plugin": "filesystem",

"utc": "true",

"enable_file_events": "true",

"disable_events": "false"

"yara":{

"signatures": {

"sig_group_1": [ "/opt/cisco/orbital/config/yara_sigs/web_shells.yar" ]

"file_paths": {

"web_server_root_folder_default": [ "sig_group_1" ]

}

// Define FIM monitoring paths and directories

"file_paths": {

"dir_etc": [

"/etc/%%"

"dir_lib_modules": [

"/lib/modules/%%"

"file_bashrc": [

"/home/%/.bashrc"

"file_bash_profile": [

"/home/%/.bash_profile"

"file_bash_history": [

"/home/%/.bash_history"

"web_server_root_folder_default": [

"/var/www/html/%%"

"file_accesses": [ "dir_etc", "file_bashrc", "file_bash_profile", "file_bash_history" ]

}

Linux osquery Client Configuration

{

"config_path": "${CONFIGDIR}/osquery.conf",

"flagfile": "",

"extensions_autoload": "",

"force": "true",

"events_expiry": "3600",

"events_max": "50000",

"disable_tables": "augeas,carves,curl,curl_certificate,mdfind,ntfs_journal_events,powershell_events,wifi_survey,windows_events,ycloud_instance_metadata",

"disable_watchdog": "true",

"disable_events": "false",

"augeas_lenses": "",

"pidfile": "${WORKDIR}/osqueryd.pid",

"logger_path": "${WORKDIR}/osqueryd_log",

"database_path": "${WORKDIR}/osqueryd_db",

"extensions_socket": "${WORKDIR}/orbital-osquery.em"

}