Administration Guide

Web Shell Detection

Attackers may attempt to upload Trojan horse code (written in scripting languages such as PHP and ASP) to the back-end web servers. The Trojan then infects clients who access an infected web page.

Web Shell Detection detects Trojans in uploaded files. In addition to the traditional method, which detects Trojans based on tags and keywords, Web Shell Detection can also perform fuzzy hash based detection: it determines similarity by comparing the hash value of the uploaded file against the Trojan sample library. In this way, no matter how the attacker modifies the script, as long as the similarity meets the threshold, the file can be identified as a Trojan.

Web Shell Detection is divided into two categories: Fuzzy Hash Based Detection and Known Web Shells. Each category is further divided into five groups by script type, namely PHP, ASP, JSP, Perl, and Python.

Creating a Web Shell Detection policy

  1. Go to Web Protection > Input Validation > Web Shell Detection.

     To access this part of the web UI, your administrator’s account access profile must have Read and Write permissions to items in the Web Protection Configuration category. For details, see Permissions.

  2. Click Create New.
  3. Configure these settings:

     Name

     Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.

     Action

     Select which action FortiWeb will take when it detects a violation of a rule in the policy:

     • Alert—Accept the connection and generate an alert email and/or log message.

     • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.

       You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

     • Deny (no log)—Block the request (or reset the connection).

     The default value is Alert & Deny.

     Caution: This setting will be ignored if Monitor Mode is enabled.

     Note: Logs and/or alert email will occur only if enabled and configured. For details, see Logging and Alert email.

     Block Period

     Type the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated a rule in the policy.

     This setting is available only if Web Shell Detection is set to Period Block. The valid range is from 1 to 3,600 seconds. For details, see Monitoring currently blocked IPs.

     Severity

     When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:

     • Informative
     • Low
     • Medium
     • High

     The default value is Low.

     Trigger Action

     Select which trigger action, if any, FortiWeb will carry out when it logs and/or sends an alert email about a violation of the rule. For details, see Viewing log messages.

     Fuzzy Similarity Threshold

     Web Shell Detection can perform fuzzy hash based detection to determine similarity by comparing the hash value of the file against the Trojan sample library. In this way, no matter how the attacker modifies the script, as long as the similarity meets the threshold, the file can be identified as a Trojan.

     Specify the Fuzzy Similarity Threshold. A file will be identified as a Trojan when it resembles an entry in the Trojan sample library by at least the specified percentage.

  4. Enable or disable the script types that you want FortiWeb to parse.
  5. Click OK.
  6. Each script type includes a list of specific scripts. If you want to include or exclude certain scripts, locate the web shell detection policy, click Edit, then click the include/exclude icon beside a script to include it in or exclude it from the list.
  7. To apply the Web Shell Detection policy, select it in an inline or Offline Protection profile. For details, see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation.
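The following is an added, simplified illustration of the Fuzzy Similarity Threshold check described in the settings above; it is not FortiWeb's own algorithm, whose hashing scheme and sample library this page does not describe. It stands in overlapping byte-window tokens and Jaccard overlap for a production fuzzy hash such as ssdeep, and the library entry, the lightly modified copy, and the unrelated upload are all constructed, non-functional PHP fragments.

```python
import hashlib

SHINGLE = 4      # bytes per overlapping window
THRESHOLD = 60   # percent; stands in for the policy's Fuzzy Similarity Threshold


def fuzzy_digest(data: bytes) -> set:
    """Hash every overlapping SHINGLE-byte window to a short token.
    A local edit (rename, inserted comment) only disturbs the windows that
    overlap it, so most tokens survive; fuzzy hashing relies on that property."""
    return {hashlib.blake2b(data[i:i + SHINGLE], digest_size=4).digest()
            for i in range(len(data) - SHINGLE + 1)}


def similarity(a: bytes, b: bytes) -> int:
    """Jaccard overlap of the two token sets as a whole-number percent (0-100)."""
    da, db = fuzzy_digest(a), fuzzy_digest(b)
    if not da or not db:
        return 0
    return 100 * len(da & db) // len(da | db)


def scan_upload(upload: bytes, library: dict, threshold: int = THRESHOLD):
    """Return (verdict, best_match, score): 'trojan' when the upload resembles
    any library entry by at least `threshold` percent, otherwise 'clean'."""
    best_name, best = None, 0
    for name, sample in library.items():
        score = similarity(upload, sample)
        if score > best:
            best_name, best = name, score
    return ("trojan" if best >= threshold else "clean", best_name, best)


# Constructed stand-in for one library entry (harmless PHP, not a real web shell).
SAMPLE = (b"<?php\n"
          b"$cfg = array('mode' => 'listing', 'root' => '/var/www');\n"
          b"foreach ($cfg as $k => $v) { echo htmlspecialchars($k) . '=' . htmlspecialchars($v) . PHP_EOL; }\n"
          b"echo 'done';\n")
# Same fragment after a variable rename and an inserted comment: still near the sample.
MODIFIED = (b"<?php\n// config dump\n"
            b"$map = array('mode' => 'listing', 'root' => '/var/www');\n"
            b"foreach ($map as $k => $v) { echo htmlspecialchars($k) . '=' . htmlspecialchars($v) . PHP_EOL; }\n"
            b"echo 'done';\n")
# An unrelated upload that should stay well below the threshold.
UNRELATED = (b"<?php\nfunction greet(string $name): string {\n"
             b"    return 'Hello, ' . $name;\n}\necho greet('visitor');\n")
LIBRARY = {"constructed-sample-A": SAMPLE}

if __name__ == "__main__":
    for label, upload in (("modified", MODIFIED), ("unrelated", UNRELATED)):
        print(label, scan_upload(upload, LIBRARY))
```

Lowering THRESHOLD catches more heavily rewritten copies but raises the false-positive rate on legitimate scripts that share boilerplate, which is the trade-off the policy's percentage setting controls.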