| author | Julien Voisin | 2016-02-22 11:55:31 +0100 |
|---|---|---|
| committer | Julien Voisin | 2016-02-22 11:55:31 +0100 |
| commit | 1cd54c4f41ccea0c48b3c79d1edc9024fd2f011e (patch) | |
| tree | c6c2a7e1d69ac10d472b06fc90f3f7f59fbdcbac | |
| parent | ff2443d4ee9a94163898dce91ff575cd77407991 (diff) | |
Remove a rule that triggered too many FP
It seems that a lot of PHP developers are using $__ as a legitimate
variable name.
| -rw-r--r-- | php-malware-finder/malwares.yara | 1 |
1 files changed, 0 insertions, 1 deletions
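--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -119,7 +119,6 @@ rule DodgyPhp
 $udp_dos = /sockopen\s*\(['"]udp:\/\//
 $user_function = /(call_user_func|create_function)/
 $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
-$vars = /\$__+/ // $__ is rarely used in legitimate scripts
 
 condition:
 (any of them or CloudFlareBypass) and not IsWhitelisted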
