LoFP / crazy web applications

Techniques

Sample rules

Webshell Remote Command Execution

Description

Detects possible command execution by a web application or web shell.

Detection logic

condition: selection
selection:
  key: detect_execve_www
  syscall: execve
  type: SYSCALL

Program Executions in Suspicious Folders

Description

Detects program executions in suspicious non-program folders related to malware or hacking activity.

Detection logic

condition: selection
selection:
  exe|startswith:
  - /tmp/
  - /var/www/
  - /home/*/public_html/
  - /usr/local/apache2/
  - /usr/local/httpd/
  - /var/apache/
  - /srv/www/
  - /home/httpd/html/
  - /srv/http/
  - /usr/share/nginx/html/
  - /var/lib/pgsql/data/
  - /usr/local/mysql/data/
  - /var/lib/mysql/
  - /var/vsftpd/
  - /etc/bind/
  - /var/named/
  type: SYSCALL
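To make the "crazy web applications" false positive concrete, the following added Python example (not code from the LoFP site or the Sigma project) evaluates both rules above over constructed auditd records. The record parser, the handling of Sigma's `*`/`?` wildcards in `startswith`, and the sample log lines are assumptions of this example, including that the numeric `syscall` field has already been resolved to a name as the rule expects.

```python
import re

# Folder list copied from the "Program Executions in Suspicious Folders" rule above.
SUSPICIOUS_FOLDERS = [
    "/tmp/", "/var/www/", "/home/*/public_html/", "/usr/local/apache2/",
    "/usr/local/httpd/", "/var/apache/", "/srv/www/", "/home/httpd/html/",
    "/srv/http/", "/usr/share/nginx/html/", "/var/lib/pgsql/data/",
    "/usr/local/mysql/data/", "/var/lib/mysql/", "/var/vsftpd/",
    "/etc/bind/", "/var/named/",
]

def sigma_startswith(pattern, value):
    """Sigma 'startswith' modifier; '*' matches any run of characters, '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.match(regex, value) is not None

def parse_audit(line):
    """Turn one auditd key=value record into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def webshell_rce(rec):
    """Rule 1: execve records tagged with the detect_execve_www audit key."""
    return (rec.get("type") == "SYSCALL" and rec.get("syscall") == "execve"
            and rec.get("key") == "detect_execve_www")

def suspicious_folder_exec(rec):
    """Rule 2: any SYSCALL record whose exe lives under a listed folder."""
    exe = rec.get("exe", "")
    return rec.get("type") == "SYSCALL" and any(sigma_startswith(p, exe) for p in SUSPICIOUS_FOLDERS)

# Constructed sample records (assumed format, not real logs); syscall is already a name here.
LOG_LINES = [
    # 1. A legitimate web app spawning its own helper: hits both rules (the false positive).
    'type=SYSCALL msg=audit(1700000000.101:1): arch=c000003e syscall=execve success=yes '
    'uid=33 exe="/var/www/app/bin/render-pdf" key="detect_execve_www"',
    # 2. Per-user public_html: matched only through the wildcard folder, no audit key set.
    'type=SYSCALL msg=audit(1700000000.102:2): arch=c000003e syscall=execve success=yes '
    'uid=1000 exe="/home/alice/public_html/tools/gen" key=(null)',
    # 3. Interpreter under /usr/bin launched from the watched web root: rule 1 only.
    'type=SYSCALL msg=audit(1700000000.103:3): arch=c000003e syscall=execve success=yes '
    'uid=33 exe="/usr/bin/php" key="detect_execve_www"',
    # 4. Companion EXECVE record of event 1: neither rule, both key on type=SYSCALL.
    'type=EXECVE msg=audit(1700000000.101:1): argc=2 a0="/var/www/app/bin/render-pdf" a1="report.html"',
]

def evaluate(lines=LOG_LINES):
    """Return (exe, rule1_hit, rule2_hit) per record so the overlap is visible."""
    recs = [parse_audit(line) for line in lines]
    return [(r.get("exe", r.get("a0", "")), webshell_rce(r), suspicious_folder_exec(r)) for r in recs]
```

Record 1 is the case this page catalogues: a web application that legitimately executes programs from its own document root trips both rules, so tuning needs an allow-list of the app's known helper binaries rather than dropping the web-root prefix.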