Fixed debian package + readme

author: xarkes 2016-04-11 11:22:01 +0200
committer: Julien (jvoisin) Voisin 2016-04-11 17:09:34 +0200
commit: 3854653c8686cf9ff9bbab13f09d1566682efb5e (patch)
tree: 4615cb15e9c81428068ae3a3f13faf10cc426e0d
parent: b1f5377f011ff1eeab9bec96261667ed566c6fbe (diff)
5 files changed, 18 insertions, 8 deletions
diff --git a/.travis.yml b/.travis.yml
index 9fb27eb..6a89685 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,5 +1,10 @@
 language: c
+addons:
+    apt:
+      packages:
+        - devscripts
 install:
    - git clone --depth 1 https://github.com/plusvic/yara.git yara3
    - cd yara3
@@ -11,3 +16,4 @@ install:
 script:
    - make tests
+    - make package
diff --git a/Makefile b/Makefile
index c57ef4d..ddf79b7 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
 VERSION=1.0
-DEBVER := $(shell cut -d'.' -f1 < /etc/debian_version)
+DEBVER := $(shell sed 's,[/\.].*,,' < /etc/debian_version)
 tests:
        @cd ./php-malware-finder && bash ./tests.sh
@@ -10,14 +10,16 @@ clean:
 extract:
        cp -r debian php-malware-finder
-        git checkout php-malware-finder/malwares.yara
+        git checkout php-malware-finder/common.yara
+        git checkout php-malware-finder/php.yara
+        git checkout php-malware-finder/asp.yara
 set_distribution:
-                sed -e "s/##version/`cut -d'.' -f1 < /etc/debian_version`/" -i php-malware-finder/debian/control php-malware-finder/debian/changelog
+        sed -e "s/##version/${DEBVER}/" -i php-malware-finder/debian/control php-malware-finder/debian/changelog
 check_distribution:
 ifeq ($(DEBVER),6)
-                sed -e '/too_many_chr/d'  -e '/b64_concat/d' -e 's/^import.*//g' -e 's/^include.*//g' -e 's/and\ not\ IsWhitelisted//g' -i php-malware-finder/malwares.yara
+                sed -e '/too_many_chr/d'  -e '/b64_concat/d' -e 's/^import.*//g' -e 's/^include.*//g' -e 's/and\ not\ IsWhitelisted//g' -i php-malware-finder/common.yara
 endif
 package: clean extract set_distribution check_distribution
diff --git a/README.md b/README.md
index 5778d06..7ed97d3 100644
--- a/README.md
+++ b/README.md
@@ -47,7 +47,7 @@ both) category, and should re-read the previous sentence.
 ## How does it work?
 Detection is performed by crawling the filesystem and testing files against a
-[set]( https://github.com/nbs-system/php-malware-finder/blob/master/malwares.yara )
+[set]( https://github.com/nbs-system/php-malware-finder/blob/master/php.yara )
 of [YARA](https://plusvic.github.io/yara/) rules. Yes, it's that simple!
@@ -67,7 +67,8 @@ Usage phpmalwarefinder [-cfhtv] [-l (php|asp)] <file|folder> ...
 Or if you prefer to use `yara`:
 ```
-$ yara -r ./malwares.yara /var/www
+$ yara -r ./php.yara /var/www
+$ yara -r ./asp.yara /var/www
 ```
 Please keep in mind that you should use at least YARA 3.4 because we're using
diff --git a/debian/nbs-phpmalwarefinder.install b/debian/nbs-phpmalwarefinder.install
index 9727f63..676b4aa 100644
--- a/debian/nbs-phpmalwarefinder.install
+++ b/debian/nbs-phpmalwarefinder.install
@@ -1,4 +1,6 @@
-malwares.yara etc/phpmalwarefinder
+common.yara etc/phpmalwarefinder
+php.yara etc/phpmalwarefinder
+asp.yara etc/phpmalwarefinder
 whitelist.yara etc/phpmalwarefinder
 phpmalwarefinder usr/bin/
 docroot-check.sh usr/bin/
diff --git a/php-malware-finder/php.yara b/php-malware-finder/php.yara
index 0f46025..416215f 100644
--- a/php-malware-finder/php.yara
+++ b/php-malware-finder/php.yara
@@ -78,7 +78,6 @@ rule DodgyPhp
        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
        $shellshock = /\(\)\s*{\s*:\s*;\s*}\s*;/
        $udp_dos = /fsockopen\s*\(\s*['"]udp:\/\//
-        $user_function = /(call_user_func|create_function)/ nocase
        $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
    condition:
author	xarkes	2016-04-11 11:22:01 +0200
committer	Julien (jvoisin) Voisin	2016-04-11 17:09:34 +0200
commit	3854653c8686cf9ff9bbab13f09d1566682efb5e (patch)
tree	4615cb15e9c81428068ae3a3f13faf10cc426e0d
parent	b1f5377f011ff1eeab9bec96261667ed566c6fbe (diff)