It seems that `and` has a precedence over `or`, unsurprisingly

author: Julien (jvoisin) Voisin 2016-10-27 17:14:13 +0200
committer: Julien (jvoisin) Voisin 2016-10-27 17:14:13 +0200
commit: 7a2d7c0c398b5294524fff4d437b34e5cd6fcf31 (patch)
tree: ac203a96af725c9d35e250f480a47e1febcf2eb7
parent: e889f9d6f551ded842910584c855e8f16f7d67cd (diff)
2 files changed, 7 insertions, 7 deletions
diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar
index c4dac97..b47fb69 100644
--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -72,7 +72,7 @@ private rule strrev
 rule SuspiciousEncoding
 {
    condition:
-        base64 or hex or strrev and not IsWhitelisted
+        (base64 or hex or strrev) and not IsWhitelisted
 }
 rule DodgyStrings
@@ -141,7 +141,7 @@ rule DodgyStrings
        $asp = "scripting.filesystemobject" nocase
    condition:
-        IRC or 2 of them and not IsWhitelisted
+        (IRC or 2 of them) and not IsWhitelisted
 }
 rule Websites
@@ -172,6 +172,6 @@ rule Websites
        $ = "mumaasp.com" nocase
    condition:
-        any of them and not IsWhitelisted
+        (any of them) and not IsWhitelisted
 }
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 37a8dcf..e80dae9 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -39,7 +39,7 @@ rule PasswordProtection
        $md5 = /md5\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{32}['"]/ nocase
        $sha1 = /sha1\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{40}['"]/ nocase
    condition:
-        any of them and not IsWhitelisted
+        (any of them) and not IsWhitelisted
 }
 rule ObfuscatedPhp
@@ -56,7 +56,7 @@ rule ObfuscatedPhp
        $var_as_func = /\$_(GET|POST|COOKIE|REQUEST)\s*\[[^\]]+\]\s*\(/
        $comment = /\/\*([^*]|\*[^\/])*\*\/\s*\(/  // eval /* comment */ (php_code)
 condition:
-        any of them and not IsWhitelisted
+        (any of them) and not IsWhitelisted
 }
 rule DodgyPhp
@@ -80,7 +80,7 @@ rule DodgyPhp
        $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
    condition:
-        any of them and not IsWhitelisted
+        (any of them) and not IsWhitelisted
 }
 rule DangerousPhp
@@ -138,7 +138,7 @@ rule DangerousPhp
        $whitelist = /escapeshellcmd|escapeshellarg/ nocase
    condition:
-        not $whitelist and (5 of them or #system > 250) and not IsWhitelisted
+        (not $whitelist and (5 of them or #system > 250)) and not IsWhitelisted
 }
 rule HiddenInAFile
author	Julien (jvoisin) Voisin	2016-10-27 17:14:13 +0200
committer	Julien (jvoisin) Voisin	2016-10-27 17:14:13 +0200
commit	7a2d7c0c398b5294524fff4d437b34e5cd6fcf31 (patch)
tree	ac203a96af725c9d35e250f480a47e1febcf2eb7
parent	e889f9d6f551ded842910584c855e8f16f7d67cd (diff)

diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar index c4dac97..b47fb69 100644 --- a/php-malware-finder/common.yar +++ b/php-malware-finder/common.yar
@@ -72,7 +72,7 @@ private rule strrev
72	rule SuspiciousEncoding	72	rule SuspiciousEncoding
73	{	73	{
74	condition:	74	condition:
75	base64 or hex or strrev and not IsWhitelisted	75	(base64 or hex or strrev) and not IsWhitelisted
76	}	76	}
77		77
78	rule DodgyStrings	78	rule DodgyStrings
@@ -141,7 +141,7 @@ rule DodgyStrings
141	$asp = "scripting.filesystemobject" nocase	141	$asp = "scripting.filesystemobject" nocase
142		142
143	condition:	143	condition:
144	IRC or 2 of them and not IsWhitelisted	144	(IRC or 2 of them) and not IsWhitelisted
145	}	145	}
146		146
147	rule Websites	147	rule Websites
@@ -172,6 +172,6 @@ rule Websites
172	$ = "mumaasp.com" nocase	172	$ = "mumaasp.com" nocase
173		173
174	condition:	174	condition:
175	any of them and not IsWhitelisted	175	(any of them) and not IsWhitelisted
176	}	176	}
177		177


diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar index 37a8dcf..e80dae9 100644 --- a/php-malware-finder/php.yar +++ b/php-malware-finder/php.yar
@@ -39,7 +39,7 @@ rule PasswordProtection
39	$md5 = /md5\s\(\s\$_(GET\|REQUEST\|POST\|COOKIE)[^)]+\)\s===?\s['"][0-9a-f]{32}['"]/ nocase	39	$md5 = /md5\s\(\s\$_(GET\|REQUEST\|POST\|COOKIE)[^)]+\)\s===?\s['"][0-9a-f]{32}['"]/ nocase
40	$sha1 = /sha1\s\(\s\$_(GET\|REQUEST\|POST\|COOKIE)[^)]+\)\s===?\s['"][0-9a-f]{40}['"]/ nocase	40	$sha1 = /sha1\s\(\s\$_(GET\|REQUEST\|POST\|COOKIE)[^)]+\)\s===?\s['"][0-9a-f]{40}['"]/ nocase
41	condition:	41	condition:
42	any of them and not IsWhitelisted	42	(any of them) and not IsWhitelisted
43	}	43	}
44		44
45	rule ObfuscatedPhp	45	rule ObfuscatedPhp
@@ -56,7 +56,7 @@ rule ObfuscatedPhp
56	$var_as_func = /\$_(GET\|POST\|COOKIE\|REQUEST)\s\[[^\]]+\]\s\(/	56	$var_as_func = /\$_(GET\|POST\|COOKIE\|REQUEST)\s\[[^\]]+\]\s\(/
57	$comment = /\/\([^]\|\[^\/])\\/\s\(/ // eval /* comment */ (php_code)	57	$comment = /\/\([^]\|\[^\/])\\/\s\(/ // eval /* comment */ (php_code)
58	condition:	58	condition:
59	any of them and not IsWhitelisted	59	(any of them) and not IsWhitelisted
60	}	60	}
61		61
62	rule DodgyPhp	62	rule DodgyPhp
@@ -80,7 +80,7 @@ rule DodgyPhp
80	$various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec	80	$various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
81		81
82	condition:	82	condition:
83	any of them and not IsWhitelisted	83	(any of them) and not IsWhitelisted
84	}	84	}
85		85
86	rule DangerousPhp	86	rule DangerousPhp
@@ -138,7 +138,7 @@ rule DangerousPhp
138	$whitelist = /escapeshellcmd\|escapeshellarg/ nocase	138	$whitelist = /escapeshellcmd\|escapeshellarg/ nocase
139		139
140	condition:	140	condition:
141	not $whitelist and (5 of them or #system > 250) and not IsWhitelisted	141	(not $whitelist and (5 of them or #system > 250)) and not IsWhitelisted
142	}	142	}
143		143
144	rule HiddenInAFile	144	rule HiddenInAFile