NAME

       neopi - web shell code detection

SYNOPSIS

       neopi [options] <dir> [regex]

DESCRIPTION

       This manual page documents briefly the neopi command.

       neopi  is  a  Python script that uses a variety of statistical methods to detect obfuscated and encrypted
       content within text/script files.

       The intended purpose of NeoPI is to aid in the detection of hidden web shell code.

       The development focus of NeoPI was creating  a  tool  that  could  be  used  in  conjunction  with  other
       established  detection  methods  such  as  Linux  Malware  Detect  or traditional signature/keyword based
       searches.

       NeoPI recursively scans through the file system from a base directory and will rank files  based  on  the
       results of a number of tests.

       It also presents a “general” score derived from file rankings within the individual tests.

OPTIONST

       The  program follows the usual GNU command line syntax, with long options starting with two dashes (`-').
       A summary of options is included below.

       -v, --version
              Show version of program.

       -h, --help
              Show summary of options.

       -C FILECSV, --csv=FILECSV
              Generates a CSV output to FILECSV containing the results of the scan.

       -a, --all
              Run all tests including entropy, longest word, and index of coincidence.  This is the  recommended
              way of running neopi.

       -e, --entropy
              Run only the entropy test.

       -l, --longestword
              Run only the longestword test.

       -c, --ic
              Run only the Index Coincidence test.

       -A, --auto
              This flag runs an auto generated regular expression that contains many common web application file
              extensions.

              This  list  is  by  no  means  comprehensive but does include a good ‘best effort’ scan if you are
              unsure of what web application languages your server is running.

              Current list of included extensions: php, asp, aspx, sh, bash, zsh, csh, tsch, pl, py,  txt,  cgi,
              cfm

EXAMPLES

       neopi -C scan1.csv -a -A /var/www/

       neopi -a /tmp/phpbb "php|txt"

       neopi -a -A /var/www/html/

ABOUT

       neopi authors are Ben Hagen <ben.hagen@neohapsis.com> and Scott Behrens <scott.behrens@neohapsis.com>.

       This  man  page  was  written  by  Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> for the Debian
       GNU/Linux distribution (but it may be used by others).

                                                  May  27, 2014                                         NEOPI(1)