They were extremely basic (3 rules) and not very useful.  Merely changing
the title or name would bypass the rules.  Detecting malicious web
shells/backdoors is better left to a script that you invoke using
@inspectFile while files are being uploaded or @fuzzyHash.

Here's an article on using @fuzzyHash -
https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--Detecting-Malware-with-Fuzzy-Hashing/
You can download commonly used web shells and then use ssdeep and
@fuzzyHash to detect them.

-- 
Osama Elnaggar

On October 16, 2018 at 5:24:02 PM, Ewald Dieterich (ew...@mailbox.org)
wrote:

CRS 2.2.9 and below have some basic trojan detection in file
modsecurity_crs_45_trojans.conf. It looks like those rules were removed
from CRS 3.0. At least there's no mapping in IdNumbering.csv and I also
couldn't find anything by grepping for e.g. "backdoor" or "trojan".

I'm just interested in why this category was removed. Did it prove to be
ineffective or are there other reasons?
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
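The script-based approach described above, as an added example that is not code from this thread, from CRS or from ModSecurity: a Python helper for ModSecurity's @inspectFile operator that runs `ssdeep -m` against a list of fuzzy hashes of known web shells and prints the "1 ..." (clean) or "0 ..." (reject) line the operator expects. The rule id, file paths, match threshold and the sample ssdeep output in the test are assumptions; ModSecurity's native @fuzzyHash operator performs the same comparison in-process.

```python
#!/usr/bin/env python3
"""Web-shell check script for ModSecurity's @inspectFile operator.
Hypothetical rule that invokes it (id and path are placeholders):
  SecRule FILES_TMPNAMES "@inspectFile /etc/modsecurity/check_upload.py" \
      "id:1000001,phase:2,t:none,deny,log,msg:'Upload resembles a known web shell'"
The operator passes the temp file path as argv[1] and expects one stdout line
starting with 1 (clean) or 0 (reject), optionally followed by a message.
"""
import re
import subprocess
import sys

# Assumed list path and threshold; build the list with: ssdeep -b shells/* > webshells.ssdeep
HASH_LIST = "/etc/modsecurity/webshells.ssdeep"
THRESHOLD = 60  # ssdeep similarity score (0-100) at or above which the upload is rejected

# `ssdeep -m LIST FILE` prints one line per match: <file> matches <list>:<name> (<score>)
# (assumes the list path contains no ':'; the matched name may).
MATCH_RE = re.compile(r"^(?P<file>.+?) matches (?P<list>[^:]+):(?P<name>.+) \((?P<score>\d+)\)$")

def parse_matches(output):
    """Return [(name, score), ...] parsed from ssdeep -m output."""
    matches = []
    for line in output.splitlines():
        m = MATCH_RE.match(line.strip())
        if m:
            matches.append((m.group("name"), int(m.group("score"))))
    return matches

def verdict(output, threshold=THRESHOLD):
    """Turn ssdeep -m output into the one-line reply @inspectFile expects."""
    hits = [(n, s) for n, s in parse_matches(output) if s >= threshold]
    if hits:
        name, score = max(hits, key=lambda h: h[1])  # report the closest match
        return f"0 fuzzyhash: resembles {name} (score {score})"
    return f"1 fuzzyhash: no match at or above {threshold}"

def scan(path, hash_list=HASH_LIST):
    """Run ssdeep in match mode against the uploaded file; fail closed on error."""
    try:
        proc = subprocess.run(["ssdeep", "-m", hash_list, path],
                              capture_output=True, text=True, check=False)
    except OSError as exc:  # ssdeep binary missing or not executable
        return f"0 fuzzyhash: scanner unavailable ({exc})"
    return verdict(proc.stdout)

if __name__ == "__main__":
    print(scan(sys.argv[1]))
```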