waf webshell-detection-policy
Use this command to set the Web Shell Detection policies that FortiWeb will use to detect Trojans in the files that can be uploaded to your web servers.
Attackers may attempt to upload Trojan horse code (written in scripting languages such as PHP and ASP) to the back-end web servers. Once the script is on the server, it gives the attacker a web shell through which they can run commands on the server, and the compromised server can then be used to serve malicious content to clients who access an infected web page.
Web Shell Detection detects Trojans in uploaded files. In addition to the traditional method, which identifies a Trojan by its tags and keywords, Web Shell Detection can also perform fuzzy hash based detection: it computes a fuzzy hash of the uploaded file and compares it with the hashes in the Trojan sample library to measure how similar the file is to a known sample. Because small edits to a script change only part of its fuzzy hash, a script that the attacker has modified is still identified as a Trojan as long as its similarity to a library sample meets the configured threshold.
Web Shell Detection is divided into two categories: Fuzzy Hash Based Detection and Known Web Shells. Each category is further divided by script type into PHP, ASP, JSP, Perl, and Python, and detection for each script type can be enabled or disabled separately.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.
Syntax
config waf webshell-detection-policy
edit "<webshell-detection-policy_name>"
set action {alert | alert_deny | block-period | deny_no_log}
set block-period <seconds_int>
set severity {High | Medium | Low | Info}
set trigger <trigger-policy_name>
set fuzzy-similarity-threshold <threshold>
set fuzzy-asp-status {enable | disable}
set fuzzy-jsp-status {enable | disable}
set fuzzy-php-status {enable | disable}
set fuzzy-perl-status {enable | disable}
set fuzzy-python-status {enable | disable}
set known-asp-status {enable | disable}
set known-jsp-status {enable | disable}
set known-php-status {enable | disable}
set known-php-short-open-tag {enable | disable}
set known-perl-status {enable | disable}
set known-python-status {enable | disable}
config fuzzy-disable-list
edit <webshell-name>
end
end
end
Variable | Description | Default
"<webshell-detection-policy_name>" | Enter the name of an existing or new Web Shell Detection policy. The maximum length is 63 characters. To display the list of existing policies, enter: | No default.
action {alert | alert_deny | block-period | deny_no_log} | Enter the action you want FortiWeb to perform when the policy is violated: alert (accept the request and generate an alert email and/or log message), alert_deny (block the request or reset the connection, and generate an alert email and/or log message), block-period (block subsequent requests from the client for the number of seconds set in block-period <seconds_int>), or deny_no_log (block the request or reset the connection, without logging). Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for. Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled. Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail. Note: If an auto-learning profile will be selected in the policy with Offline Protection profiles that use this rule, you should select | alert_deny
block-period <seconds_int> | If action {alert | alert_deny | block-period | deny_no_log} is block-period, enter the number of seconds that violating requests will be blocked. The valid range is 1–3,600 seconds. | 600
severity {High | Medium | Low | Info} | Select the severity level to use in logs and reports generated when a violation of the rule occurs. | Medium
trigger <trigger-policy_name> | Enter the name of the trigger policy to apply when this policy is violated. For details, see log trigger-policy. The maximum length is 63 characters. To display the list of existing triggers, enter: | No default
fuzzy-similarity-threshold <threshold> | Fuzzy hash based detection computes a fuzzy hash of the uploaded file and compares it with the Trojan sample library to measure similarity, so a script the attacker has modified is still identified as a Trojan as long as its similarity to a library sample meets the threshold. Enter the similarity threshold as a percentage: a file is identified as a Trojan when it resembles a sample in the Trojan sample library by at least this percentage. The valid range is 1–100 (%). A lower threshold catches more heavily modified variants but raises the risk of false positives on legitimate uploads that merely resemble a sample. | 80
fuzzy-asp-status {enable | disable} | Enable or disable fuzzy hash based detection for the ASP script type. | enable
fuzzy-jsp-status {enable | disable} | Enable or disable fuzzy hash based detection for the JSP script type. | enable
fuzzy-php-status {enable | disable} | Enable or disable fuzzy hash based detection for the PHP script type. | enable
fuzzy-perl-status {enable | disable} | Enable or disable fuzzy hash based detection for the Perl script type. | enable
fuzzy-python-status {enable | disable} | Enable or disable fuzzy hash based detection for the Python script type. | enable
known-asp-status {enable | disable} | Enable or disable detection of ASP scripts that match known web shell signatures. | enable
known-jsp-status {enable | disable} | Enable or disable detection of JSP scripts that match known web shell signatures. | enable
known-php-status {enable | disable} | Enable or disable detection of PHP scripts that match known web shell signatures. | enable
known-php-short-open-tag {enable | disable} | By default, FortiWeb treats both the standard PHP open tag <?php and the short open tag <? as the start of a PHP script when checking for known PHP web shells. However, if you find that the short open tag <? causes false positives (it also appears in non-PHP content such as XML prologues), you can disable this option. Note that a PHP web shell written with only the short open tag is then no longer recognized as PHP by this check. | enable
known-perl-status {enable | disable} | Enable or disable detection of Perl scripts that match known web shell signatures. | enable
known-python-status {enable | disable} | Enable or disable detection of Python scripts that match known web shell signatures. | enable
fuzzy-disable-list <webshell-name> | Enter the name of a web shell sample to exclude it from fuzzy hash based detection. An uploaded file that resembles only the excluded sample will not be identified as an attack. Use this to suppress a false positive on one specific sample without lowering fuzzy-similarity-threshold for the whole policy. | No default.
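The two detection categories described on this page, shown as an added Python example that is not FortiWeb's code: a tag/keyword signature check standing in for the Known Web Shells category, and a similarity score against a small sample library with a percentage threshold and a per-sample exclusion standing in for Fuzzy Hash Based Detection with fuzzy-similarity-threshold and fuzzy-disable-list. FortiWeb does not document its fuzzy hash algorithm, so the similarity measure here (Jaccard similarity over token bigrams after stripping comments) is an assumed stand-in, and the PHP samples, the signature list, the library name and the classify function are all constructed for the example. It also shows the trade-off behind known-php-short-open-tag: treating a bare `<?` as PHP catches a shell that uses only the short tag, but also flags an XML prologue.

```python
import re

# --- Constructed sample inputs (not FortiWeb's sample library; built for this example) ---
SAMPLE_SHELL = """<?php
// constructed sample of a minimal PHP command shell, used only as library data
error_reporting(0);
set_time_limit(0);
header('Content-Type: text/html');
if (!isset($_REQUEST['cmd'])) { die('missing cmd'); }
$cwd = isset($_REQUEST['cwd']) ? $_REQUEST['cwd'] : getcwd();
chdir($cwd);
$cmd = $_REQUEST['cmd'];
$out = shell_exec($cmd . ' 2>&1');
echo '<pre>' . htmlspecialchars($out) . '</pre>';
echo '<form method="post"><input name="cmd"><input type="submit"></form>';
?>
"""
# Lightly modified upload: new comment banner, and the call made through a variable,
# which defeats a plain "shell_exec(" keyword check but leaves most of the script intact.
LIGHT_VARIANT = re.sub(r"//[^\n]*", "// attacker-added banner: harmless upload helper",
                       SAMPLE_SHELL, count=1).replace(
    "$out = shell_exec($cmd . ' 2>&1');",
    "$f = 'shell_exec';\n$out = $f($cmd . ' 2>&1');")
# Heavier rewrite: the same evasion plus renamed variables.
HEAVY_VARIANT = LIGHT_VARIANT.replace("$cmd", "$c").replace("$out", "$o")
BENIGN_PAGE = """<?php
header('Content-Type: text/html');
$name = isset($_GET['name']) ? $_GET['name'] : 'world';
echo '<h1>Hello, ' . htmlspecialchars($name) . '</h1>';
?>
"""
SHORT_TAG_SHELL = "<? system($_REQUEST['cmd']); ?>\n"
XML_DOC = '<?xml version="1.0"?><note><to>ops</to></note>\n'
LIBRARY = {"constructed-cmd-shell": SAMPLE_SHELL}  # name -> sample; names are what fuzzy-disable-list would take

# --- Category 1: known web shells (tag and keyword signatures; assumed list) ---
DANGEROUS_CALLS = re.compile(
    r"\b(system|shell_exec|exec|passthru|popen|proc_open|eval|assert)\s*\(", re.I)

def looks_like_php(text: str, short_open_tag: bool = True) -> bool:
    """Open-tag check. With short_open_tag=True a bare '<?' also counts, which catches
    shells written as '<? ... ?>' but also matches '<?xml' prologues (false positives)."""
    if "<?php" in text.lower():
        return True
    return short_open_tag and "<?" in text

def known_signature_hits(text: str, short_open_tag: bool = True) -> list:
    """Return the signature calls found in a file recognised as PHP (empty list if none)."""
    if not looks_like_php(text, short_open_tag):
        return []
    return sorted({m.group(1).lower() for m in DANGEROUS_CALLS.finditer(text)})

# --- Category 2: similarity against a sample library (stand-in for the fuzzy hash) ---
TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\$?[A-Za-z_]\w*|\S")
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)  # note: a // inside a string literal is stripped too

def shingles(text: str, n: int = 2) -> set:
    """Strip comments, lowercase, tokenise, and return the set of n-token shingles,
    so comment and whitespace edits do not move the score at all."""
    toks = TOKEN.findall(COMMENT.sub(" ", text).lower())
    return {tuple(toks[i:i + n]) for i in range(len(toks) - n + 1)}

def similarity_pct(a: str, b: str) -> int:
    """Jaccard similarity of two files' shingle sets as a whole percentage (0-100)."""
    sa, sb = shingles(a), shingles(b)
    return 100 if not (sa | sb) else round(100 * len(sa & sb) / len(sa | sb))

DEFAULT_THRESHOLD_PCT = 80  # same default as fuzzy-similarity-threshold on this page

def classify(upload: str, library: dict, threshold_pct: int = DEFAULT_THRESHOLD_PCT,
             fuzzy_disable=frozenset(), short_open_tag: bool = True) -> dict:
    """Apply both categories: a known-signature hit wins outright; otherwise the best
    library match must reach the threshold. Samples named in fuzzy_disable are skipped,
    mirroring config fuzzy-disable-list."""
    hits = known_signature_hits(upload, short_open_tag)
    best_name, best_pct = None, 0
    for name, sample in library.items():
        if name in fuzzy_disable:
            continue
        pct = similarity_pct(upload, sample)
        if pct > best_pct:
            best_name, best_pct = name, pct
    if hits:
        verdict = "known"
    elif best_pct >= threshold_pct:
        verdict = "fuzzy"
    else:
        verdict = "clean"
    return {"verdict": verdict, "known_hits": hits,
            "best_match": best_name, "similarity_pct": best_pct}

if __name__ == "__main__":
    for label, upload in [("original", SAMPLE_SHELL), ("light variant", LIGHT_VARIANT),
                          ("heavy variant", HEAVY_VARIANT), ("benign page", BENIGN_PAGE)]:
        print(f"{label:14s} {classify(upload, LIBRARY)}")
    # Excluding the sample (as fuzzy-disable-list would) lets the light variant through:
    print("excluded      ", classify(LIGHT_VARIANT, LIBRARY, fuzzy_disable={"constructed-cmd-shell"}))
    print("short tag on  ", known_signature_hits(SHORT_TAG_SHELL, True), looks_like_php(XML_DOC, True))
    print("short tag off ", known_signature_hits(SHORT_TAG_SHELL, False), looks_like_php(XML_DOC, False))
```

Run as a script, it classifies the original sample as a known hit, the lightly modified variant as a fuzzy match (no keyword hit, but similarity to the library sample well above 80%), the heavily rewritten variant as clean at the default threshold and as a fuzzy match at 60%, and the benign page as clean. That is the operational meaning of the threshold: lower it to tolerate more rewriting, and use a per-sample exclusion rather than a lower threshold when one library sample keeps matching a legitimate upload.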