Adding your own signatures to NinjaFirewall Anti-Malware.

by NinTechNet


Starting from version 3.2, NinjaFirewall (WP / WP+ Edition) includes a new feature: Anti-Malware.

It allows you to scan your website for malware. Note that its main goal is not to detect a hidden iframe redirecting to a porn site, but to find applications that could harm the site or even the server, such as backdoors or shell scripts. It can also scan for and detect dangerous Linux binary files (trojans, IRC bots, etc.).

The scanning engine is compatible with the popular Linux Malware Detect (LMD), whose anti-malware signatures are included with this release.

Linux Malware Detect is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources.

The Anti-Malware engine is also compatible with some ClamAV signatures, and you can create and include your own.


Signatures format

The NinjaFirewall Anti-Malware engine supports two different formats:

HEX format

It is used by Linux Malware Detect and ClamAV antivirus. Signatures using that format start with the {HEX} keyword. Note that NinjaFirewall does not support ClamAV wildcards (e.g., ??, a?, {n} etc). If you need to include wildcards, use the REX format below instead.
Signatures must follow this format:

{HEX}MalwareName:0:*:HexEncodedSignature
  • {HEX}: Signature keyword, must always be present.
  • MalwareName: This is your signature description that will be displayed by NinjaFirewall if a positive detection occurs. You can use upper- and lowercase letters (a-z, A-Z), digits 0-9, as well as the -, _ and . characters. Do not use the colon character : because it is reserved.
  • :0:*:: Extended signature format. Do not change this value.
  • HexEncodedSignature: This is the hexadecimal value of the signature you want to detect. Because it is hex-encoded, you can add either text-based or binary signatures (e.g., to scan an executable program).


REX format

This is NinjaFirewall's own format, using hex-encoded regular expressions. Such signatures must start with the {REX} keyword and must follow this format:

{REX}MalwareName:0:*:HexEncodedRegexSignature
  • {REX}: Signature keyword, must always be present.
  • MalwareName: This is your signature description that will be displayed by NinjaFirewall if a positive detection occurs. You can use upper- and lowercase letters (a-z, A-Z), digits 0-9, as well as the -, _ and . characters. Do not use the colon character : because it is reserved.
  • :0:*:: Extended signature format. Do not change this value.
  • HexEncodedRegexSignature: This is the hexadecimal value of the regular expression (regex) signature you want to detect.
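
Both formats above can be generated and linted offline before a .sig file is uploaded. The Python sketch below is an added example, not NinTechNet's code: the function names and sample signatures are constructed, and the regex is test-compiled with Python's re module, so the engine's own regex dialect may differ. The pattern text is hex-encoded exactly as given, since this page does not say whether regex delimiters are expected.

```python
import re

NAME_RE = re.compile(r"[A-Za-z0-9._-]+")  # characters the page allows in MalwareName
LINE_RE = re.compile(r"\{(HEX|REX)\}([^:]*):0:\*:(.*)")

def make_signature(kind, name, payload):
    """Build one .sig line. payload: bytes to find (HEX) or regex text (REX)."""
    if kind not in ("HEX", "REX"):
        raise ValueError("kind must be HEX or REX")
    if not NAME_RE.fullmatch(name):
        raise ValueError("name: only a-z A-Z 0-9 - _ . are allowed")
    if kind == "REX":
        re.compile(payload)  # assumption: Python's re approximates the engine's dialect
        payload = payload.encode("utf-8")
    if not payload:
        raise ValueError("empty signature")
    return "{%s}%s:0:*:%s" % (kind, name, payload.hex())

def check_line(line):
    """Return None if the line is well-formed, else a short error string."""
    m = LINE_RE.fullmatch(line.strip())
    if not m:
        return "not in {HEX}|{REX}Name:0:*:hex form"
    kind, name, body = m.groups()
    if not NAME_RE.fullmatch(name):
        return "bad character in name"
    if not body or len(body) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", body):
        return "body is not plain hex (ClamAV wildcards are unsupported)"
    if kind == "REX":
        try:
            re.compile(bytes.fromhex(body).decode("utf-8"))
        except (re.error, UnicodeDecodeError) as exc:
            return "regex does not compile: %s" % exc
    return None

if __name__ == "__main__":
    # Constructed sample lines: two valid, one with a ClamAV wildcard, one bad regex.
    sample = [
        make_signature("HEX", "Local.PHP.marker-1", b"<?php /*CONSTRUCTED-MARKER*/"),
        make_signature("REX", "Local.PHP.eval_b64", r"eval\s*\(\s*base64_decode\s*\("),
        "{HEX}Local.wild:0:*:6576616c??28",
        "{REX}Local.badre:0:*:" + b"(unclosed".hex(),
    ]
    for line in sample:
        print(check_line(line) or "ok", "|", line)
```

Running the script prints one status per sample line; NinjaFirewall's own check at scan time remains the authority on whether a signature is accepted.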

Loading the signatures

Your signatures must be written one per line and saved to one or more *.sig files, which must be uploaded to the /wp-content/nfwlog/sigs/ folder.
You can check that your signatures are properly loaded from the "Anti-Malware" page by clicking on the [+] Signatures link.


Error handling

When starting a scan, NinjaFirewall will load and check the validity of each signature. If there is an error, it will skip that signature and inform you about the issue.


Anti-Malware signatures generator

You can use the following form to create your own signatures:


