Change Webshell Behavior Detector settings


Available in VPC

You can adjust various settings required for running Webshell Behavior Detector, such as detection target, detection notification, exception rules, etc.

Set exception

You can view the exception rules, and add or delete them in the Exception Settings menu.

View exception rules

To view exception rules:

  1. From the NAVER Cloud Platform console's VPC environment, click the menu icon, then navigate to Services > Security > Webshell Behavior Detector.

  2. Navigate to Exception Setting > Exception.

  3. Click the exception rule item you'd like to view from the list and see the details.

Add exception rule

To add an exception rule:

  1. From the NAVER Cloud Platform console's VPC environment, click the menu icon, then navigate to Services > Security > Webshell Behavior Detector.

  2. Navigate to Exception Setting > Exception.

  3. Click [Add exception rule].

    • If you'd like to replicate an existing exception rule to add, click the exception rule to replicate from the list, then click [Replicate exception rule].
  4. Enter a name for the rule in the settings popup, and set the exception rule.

    • Only web shell behaviors that meet all the conditions of an exception rule (AND condition) are treated as exceptions.
    • Conditions that can be selected when creating exception rules are as follows:
      • START: Starting with the entered string.
      • END: Ending with the entered string.
      • NOT USE: Not using this condition.
Caution

Use the NOT USE condition with caution, because it widens the range of targets covered by the exception rule. Excessive use may increase the chance that web shells go undetected.
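The following is an added illustration, not NAVER Cloud Platform's code: a small model of the AND matching with START, END and NOT USE described above, showing how each NOT USE condition enlarges the set of behaviors a rule excepts. The field names (process, script, command) and the sample detections are constructed assumptions.

```python
# Added illustration: a model of the AND / START / END / NOT USE semantics.
# Field names and sample detections are constructed, not taken from the product.
START, END, NOT_USE = "START", "END", "NOT USE"

def condition_matches(op, pattern, value):
    """Evaluate one condition against one field value."""
    if op == NOT_USE:
        return True  # condition is skipped, so every value passes
    if not pattern:
        raise ValueError("empty START/END string would match every value")
    if op == START:
        return value.startswith(pattern)
    if op == END:
        return value.endswith(pattern)
    raise ValueError(f"unknown condition type: {op!r}")

def rule_excepts(rule, event):
    """A behavior is excepted only if ALL conditions hold (AND)."""
    return all(condition_matches(op, pat, event.get(field, ""))
               for field, (op, pat) in rule.items())

def review_rule(rule, events):
    """Return (fields set to NOT USE, sample detections the rule would except)."""
    unused = [f for f, (op, _) in rule.items() if op == NOT_USE]
    return unused, [e for e in events if rule_excepts(rule, e)]

# Constructed sample detections (hypothetical fields).
EVENTS = [
    {"process": "/usr/sbin/php-fpm", "script": "/var/www/app/resize.php",
     "command": "/usr/bin/convert in.png out.jpg"},   # known image resize job
    {"process": "/usr/sbin/php-fpm", "script": "/var/www/app/uploads/x.php",
     "command": "/bin/sh -c id"},                      # unexpected shell spawn
]

NARROW = {"process": (START, "/usr/sbin/php-fpm"),
          "script": (END, "/resize.php"),
          "command": (START, "/usr/bin/convert ")}
BROAD = {"process": (START, "/usr/sbin/php-fpm"),
         "script": (NOT_USE, ""),
         "command": (NOT_USE, "")}

if __name__ == "__main__":
    for name, rule in (("NARROW", NARROW), ("BROAD", BROAD)):
        unused, hits = review_rule(rule, EVENTS)
        print(name, "NOT USE fields:", unused, "excepted:", len(hits), "of", len(EVENTS))
```

Replaying a candidate rule over past detections in this way before saving it shows whether it would also except behaviors other than the one it was written for.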

Note

If you set the detection target as a server group, you can select it as the exception rule target and apply exception rules in bulk. For more details about setting server groups, see Set server group.

Delete exception rule

To delete an exception rule:

  1. From the NAVER Cloud Platform console's VPC environment, click the menu icon, then navigate to Services > Security > Webshell Behavior Detector.
  2. Navigate to Exception Setting > Exception.
  3. Click [Delete exception rule].
  4. In the confirmation popup, click [Yes].
Note

You can see the deleted exception rules in the Exception Setting > Log menu, and restore them if necessary.

Set notifications

You can set detection notification intervals and recipients in the Notification Setting menu.

Set detection notification recipient

To set a detection notification recipient:

  1. From the NAVER Cloud Platform console's VPC environment, click the menu icon, then navigate to Services > Security > Webshell Behavior Detector.

  2. Navigate to Notification Setting > Recipient.

    • You are directed to NAVER Cloud Platform Monitoring's notification recipients settings page.
  3. Click [Add recipient].

  4. Set the recipient's contact information, and click [Register].

Set notification transmission interval

To set a notification transmission interval:

  1. From the NAVER Cloud Platform console's VPC environment, click the menu icon, then navigate to Services > Security > Webshell Behavior Detector.
  2. Navigate to Notification Setting > Interval.
  3. Select a notification transmission interval, and click [Save settings].
Note

You may receive a relatively large number of notifications when you first start using the service, because not enough exceptions have been set yet. We recommend setting a long interval at first, and then shortening it after a month or so.

Set detection

You can check the detection target server's status and information and change them in the Detection Setting menu. You can also add detection target servers if required. Also, you can set server groups and use them for setting exception targets in exception rules.

Check and manage detection targets

To view and manage detection target servers:

  1. From the NAVER Cloud Platform console's VPC environment, click the menu icon, then navigate to Services > Security > Webshell Behavior Detector.
  2. Navigate to Detection Setting > Configuration.
  3. Click the server to view from the list of detection targets, and check the server's status and information.
  • Click [Change settings] to change the server's detection settings.
  • Click [Enable] or [Disable] to change the server's activation status.
  • Click [Remove detection target] to remove the server from the detection targets.
  • Click [Register detection target] to add detection target servers. See Register detection target.

Set server group

By grouping servers registered as detection targets, you can select the group as the exception target when setting exception rules and apply the rules in bulk.

Add server group

To add a server group:

  1. From the NAVER Cloud Platform console's VPC environment, click the menu icon, then navigate to Services > Security > Webshell Behavior Detector.

  2. Navigate to Detection Setting > Server Group.

  3. Click the add group icon above the server group list, enter the group name, and click the save icon.

  4. Select servers to be grouped from the server list, and click [Move to group].

  5. Select the server group from the list popup, and click [Move].

  • The server is moved to the selected server group.
Note

To change a server group's name, click the options icon > Edit next to the server group in the server group list.

Remove server from group

To remove a specific server from a server group:

  1. From the NAVER Cloud Platform console's VPC environment, click the menu icon, then navigate to Services > Security > Webshell Behavior Detector.
  2. Navigate to Detection Setting > Server Group.
  3. Select a server to remove from a group from the server list, and click [Remove from group].
  4. From the confirmation popup, click [Remove].

Delete server group

To delete a server group:

  1. From the NAVER Cloud Platform console's VPC environment, click the menu icon, then navigate to Services > Security > Webshell Behavior Detector.
  2. Navigate to Detection Setting > Server Group.
  3. From the server group list, click the options icon > Delete next to the server group to be deleted.
  4. From the confirmation popup window, click [Delete].