Can I have cxs run a custom script before reporting or acting on a possible threat, so that the script itself can rule out false-positives or take action?
I've been getting a lot of useful hits on "social.png" files being uploaded via FTP. These are potentially dangerous, as they could be from the CryptoPHP malware. However, a simple check using the file command can tell me whether it's "PHP script text" or just harmless "PNG image data".
Now, it would be too much to ask the cxs team to perform these potentially complex checks, so allowing me to run a custom script would be great.
For example, the script would default to a 0 exit code, meaning "OK, report/act on the threat", but upon receiving exit code 1, cxs would understand "Ignore this, it's a false-positive/I've taken care of it".
Any way I can do this already?
Custom ignore script
Re: Custom ignore script
Oh great, I guess I found the answer searching for "ConfigServer Exploit Scanner – external perl script to run upon detection of a match" on Google (can't post URL here).
Come to think of it, I wish cxs would try a bit harder not to report false-positives; a file being called social.png hardly counts as something to feel threatened by, especially if it's just a PNG file.
Re: Custom ignore script
Apparently, --script doesn't allow for the script to communicate with cxs through exit codes, which is a real bummer.
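The content check described in the first post, written as a stand-alone script. This is an added example, not part of the thread and not cxs code; the function names `classify_upload` and `should_report` are hypothetical, and the 0/1 convention is the one the first post proposes, not something cxs honors. It reads the PNG signature directly instead of parsing `file` output, and goes one step further than the post by treating a `<?php` tag anywhere in the file as PHP, even behind a valid PNG header.

```shell
#!/bin/sh
# Added example: triage a flagged upload that is named like an image.
# Exit-code convention taken from the first post (not a cxs contract):
#   0 = report/act on the file, 1 = ignore as a false positive.

# classify_upload PATH -> prints "php", "png" or "unknown"
classify_upload() {
    f=$1
    [ -f "$f" ] || { echo unknown; return 0; }

    # A PHP open tag anywhere in the file wins, so a script hidden
    # behind a valid image header is still classified as PHP.
    if LC_ALL=C grep -a -q -i -F '<?php' "$f"; then
        echo php
        return 0
    fi

    # PNG signature is the fixed 8 bytes 89 50 4E 47 0D 0A 1A 0A.
    sig=$(head -c 8 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$sig" = "89504e470d0a1a0a" ]; then
        echo png
    else
        echo unknown
    fi
}

# should_report PATH -> returns 0 (report) unless the file is a clean PNG.
# Missing or unrecognised files are reported, so the check fails closed.
should_report() {
    if [ "$(classify_upload "$1")" = "png" ]; then
        return 1
    fi
    return 0
}

# Stand-alone use: sh check_upload.sh /path/to/social.png
if [ "$#" -gt 0 ]; then
    should_report "$1"
    exit $?
fi
```
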