Scroll to navigation

NEOPI(1) General Commands Manual NEOPI(1)

NAME

neopi - web shell code detection

SYNOPSIS

neopi [options] <dir> [regex]

DESCRIPTION

This manual page documents briefly the neopi command.

neopi is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files.

The intended purpose of NeoPI is to aid in the detection of hidden web shell code.

The development focus of NeoPI was creating a tool that could be used in conjunction with other established detection methods such as Linux Malware Detect or traditional signature/keyword based searches.

NeoPI recursively scans through the file system from a base directory and will rank files based on the results of a number of tests.

It also presents a “general” score derived from file rankings within the individual tests.

OPTIONST

The program follows the usual GNU command line syntax, with long options starting with two dashes (`-'). A summary of options is included below.

Show version of program.

Show summary of options.

Generates a CSV output to FILECSV containing the results of the scan.

Run all tests including entropy, longest word, and index of coincidence. This is the recommended way of running neopi.

Run only the entropy test.

Run only the longestword test.

Run only the Index Coincidence test.

This flag runs an auto generated regular expression that contains many common web application file extensions.

This list is by no means comprehensive but does include a good ‘best effort’ scan if you are unsure of what web application languages your server is running.

Current list of included extensions: php, asp, aspx, sh, bash, zsh, csh, tsch, pl, py, txt, cgi, cfm

EXAMPLES

neopi -C scan1.csv -a -A /var/www/

neopi -a /tmp/phpbb "php|txt"

neopi -a -A /var/www/html/

ABOUT

neopi authors are Ben Hagen <ben.hagen@neohapsis.com> and Scott Behrens <scott.behrens@neohapsis.com>.

This man page was written by Arturo Borrero Gonzalez <arturo@debian.org> for the Debian GNU/Linux distribution (but it may be used by others).

October 11, 2016