Fix a yara warning

This shouldn't impact detection much, while fixing a scary warning
author: jvoisin 2020-07-01 14:35:17 +0200
committer: jvoisin 2020-07-01 14:35:17 +0200
commit: 72b929d82e76286cf9d90629e544c7472bb6974f (patch)
tree: b5046779d7812d7f576ba3ec7780a6e9c3dc67d1
parent: d3c62c55584e04fcc4b5f54497d378a6db911686 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index de5b1f7..dab8cbf 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -92,7 +92,7 @@ rule DodgyPhp
        $iis_com = /IIS:\/\/localhost\/w3svc/
        $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
        $ini_get = /ini_(get|set|restore)\s*\(\s*['"](safe_mode|open_basedir|disable_(function|classe)s|safe_mode_exec_dir|safe_mode_include_dir|register_globals|allow_url_include)/ nocase
-        $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(.+(\/|\\x2f)(e|\\x65)['"]/  nocase // http://php.net/manual/en/function.preg-replace.php
+        $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\([^)]*(\/|\\x2f)(e|\\x65)['"]/  nocase // http://php.net/manual/en/function.preg-replace.php
        $register_function = /register_[a-z]+_function\s*\(\s*['"]\s*(eval|assert|passthru|exec|include|system|shell_exec|`)/  // https://github.com/nbs-system/php-malware-finder/issues/41
        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
        $shellshock = /\(\)\s*{\s*[a-z:]\s*;\s*}\s*;/
author	jvoisin	2020-07-01 14:35:17 +0200
committer	jvoisin	2020-07-01 14:35:17 +0200
commit	72b929d82e76286cf9d90629e544c7472bb6974f (patch)
tree	b5046779d7812d7f576ba3ec7780a6e9c3dc67d1
parent	d3c62c55584e04fcc4b5f54497d378a6db911686 (diff)

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar index de5b1f7..dab8cbf 100644 --- a/php-malware-finder/php.yar +++ b/php-malware-finder/php.yar
@@ -92,7 +92,7 @@ rule DodgyPhp
92	$iis_com = /IIS:\/\/localhost\/w3svc/	92	$iis_com = /IIS:\/\/localhost\/w3svc/
93	$include = /include\s\(\s[^\.]+\.(png\|jpg\|gif\|bmp)/ // Clever includes	93	$include = /include\s\(\s[^\.]+\.(png\|jpg\|gif\|bmp)/ // Clever includes
94	$ini_get = /ini_(get\|set\|restore)\s\(\s['"](safe_mode\|open_basedir\|disable_(function\|classe)s\|safe_mode_exec_dir\|safe_mode_include_dir\|register_globals\|allow_url_include)/ nocase	94	$ini_get = /ini_(get\|set\|restore)\s\(\s['"](safe_mode\|open_basedir\|disable_(function\|classe)s\|safe_mode_exec_dir\|safe_mode_include_dir\|register_globals\|allow_url_include)/ nocase
95	$pr = /(preg_replace(_callback)?\|mb_ereg_replace\|preg_filter)\s*\(.+(\/\|\\x2f)(e\|\\x65)['"]/ nocase // http://php.net/manual/en/function.preg-replace.php	95	$pr = /(preg_replace(_callback)?\|mb_ereg_replace\|preg_filter)\s\([^)](\/\|\\x2f)(e\|\\x65)['"]/ nocase // http://php.net/manual/en/function.preg-replace.php
96	$register_function = /register_[a-z]+_function\s\(\s['"]\s*(eval\|assert\|passthru\|exec\|include\|system\|shell_exec\|`)/ // https://github.com/nbs-system/php-malware-finder/issues/41	96	$register_function = /register_[a-z]+_function\s\(\s['"]\s*(eval\|assert\|passthru\|exec\|include\|system\|shell_exec\|`)/ // https://github.com/nbs-system/php-malware-finder/issues/41
97	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/	97	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/
98	$shellshock = /\(\)\s{\s[a-z:]\s;\s}\s*;/	98	$shellshock = /\(\)\s{\s[a-z:]\s;\s}\s*;/