Remove some useless and buggy rules

author: jvoisin 2016-12-08 11:32:44 +0100
committer: jvoisin 2016-12-08 11:32:55 +0100
commit: 98b1d99081414b3ad882aea30f1869608eb20757 (patch)
tree: 6ca5e4ade0588b18803f0e33f63fda0150547e8b
parent: a390eb0413ea6f879c1d945d58618f8961e02281 (diff)
2 files changed, 1 insertions, 50 deletions
diff --git a/php-malware-finder/bad_php.yar b/php-malware-finder/bad_php.yar
deleted file mode 100644
index 1fb185f..0000000
--- a/php-malware-finder/bad_php.yar
+++ /dev/null
@@ -1,49 +0,0 @@
-rule Sqli
-{
-    strings:
-        $mysql = /mysqli?_.*[[:space:]]*\(.*\$.*\)/
-        $pg = /pg_.*[[:space:]]*\(.*\$.*\)/
-        $sqlite = /sqlite_.*[[:space:]]*\(.*\$.*\)/
-    condition:
-        any of them
-}
-rule Xss
-{
-    strings:
-        $xss1 = /(echo|print(_r)?)([[:space:]]|\()+.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*/
-    condition:
-        any of them
-}
-rule CodeExec
-{
-    strings:
-        $eval = /eval\s*\(\s*.\$.*\s*\)/
-        $file = /(readfile|fopen|file(_get_contents)?)\s*\(.\$.*\)/
-        $include = /(include|require)(_once)?\s*\(.*\$.*\)/
-        $system = /(system|shell_exec)([[:space:]]*\(|[[:space:]]+).*\)?/
-    condition:
-        any of them
-}
-rule Misc
-{
-    strings:
-        $header_splitting = /header\s*\(.*\$_(GET|POST|REQUEST|COOKIE).*\)/
-        $serialize = /unserialize\s*\(.*\)|unserialize_callback_func/
-        $chmod = /chmod\s*(.*777/
-    condition:
-        any of them
-}
-rule Infoleak
-{
-    strings:
-        $php = /php(info|credits|version|_logo_guid|_uname)\s*\(.*\)/
-        $zend = /zend(_logo_guid|_version)\s*\(.*\)/
-        $extensions = /get_loaded_extensions\s*\(.*\)/
-    condition:
-        any of them
-}
diff --git a/php-malware-finder/phpmalwarefinder b/php-malware-finder/phpmalwarefinder
index de25a36..716f6e8 100755
--- a/php-malware-finder/phpmalwarefinder
+++ b/php-malware-finder/phpmalwarefinder
@@ -42,7 +42,7 @@ fi
 update_rules() {
  SITE="https://raw.githubusercontent.com/nbs-system/php-malware-finder/master/php-malware-finder/"
-  RULES_FILES=('asp.yar' 'common.yar' 'bad_php.yar' 'php.yar'
+  RULES_FILES=('asp.yar' 'common.yar' 'php.yar'
  'whitelist.yar' 'whitelists/drupal.yar' 'whitelists/magento2.yar'
  'whitelists/phpmyadmin.yar' 'whitelists/prestashop.yar'
  'whitelists/symfony.yar' 'whitelists/wordpress.yar' )
author	jvoisin	2016-12-08 11:32:44 +0100
committer	jvoisin	2016-12-08 11:32:55 +0100
commit	98b1d99081414b3ad882aea30f1869608eb20757 (patch)
tree	6ca5e4ade0588b18803f0e33f63fda0150547e8b
parent	a390eb0413ea6f879c1d945d58618f8961e02281 (diff)

diff --git a/php-malware-finder/bad_php.yar b/php-malware-finder/bad_php.yar deleted file mode 100644 index 1fb185f..0000000 --- a/php-malware-finder/bad_php.yar +++ /dev/null
@@ -1,49 +0,0 @@
1	rule Sqli
2	{
3	strings:
4	$mysql = /mysqli?_.[[:space:]]\(.\$.\)/
5	$pg = /pg_.[[:space:]]\(.\$.\)/
6	$sqlite = /sqlite_.[[:space:]]\(.\$.\)/
7	condition:
8	any of them
9	}
10
11	rule Xss
12	{
13	strings:
14	$xss1 = /(echo\|print(_r)?)([[:space:]]\|\()+.\$(_ENV\|_GET\|_POST\|_COOKIE\|_REQUEST\|_SERVER\|HTTP\|http)./
15	condition:
16	any of them
17	}
18
19	rule CodeExec
20	{
21	strings:
22	$eval = /eval\s\(\s.\$.\s\)/
23	$file = /(readfile\|fopen\|file(_get_contents)?)\s\(.\$.\)/
24	$include = /(include\|require)(_once)?\s\(.\$.*\)/
25	$system = /(system\|shell_exec)([[:space:]]\(\|[[:space:]]+).\)?/
26	condition:
27	any of them
28	}
29
30
31	rule Misc
32	{
33	strings:
34	$header_splitting = /header\s\(.\$_(GET\|POST\|REQUEST\|COOKIE).*\)/
35	$serialize = /unserialize\s\(.\)\|unserialize_callback_func/
36	$chmod = /chmod\s(.777/
37	condition:
38	any of them
39	}
40
41	rule Infoleak
42	{
43	strings:
44	$php = /php(info\|credits\|version\|_logo_guid\|_uname)\s\(.\)/
45	$zend = /zend(_logo_guid\|_version)\s\(.\)/
46	$extensions = /get_loaded_extensions\s\(.\)/
47	condition:
48	any of them
49	}


diff --git a/php-malware-finder/phpmalwarefinder b/php-malware-finder/phpmalwarefinder index de25a36..716f6e8 100755 --- a/php-malware-finder/phpmalwarefinder +++ b/php-malware-finder/phpmalwarefinder
@@ -42,7 +42,7 @@ fi
42		42
43	update_rules() {	43	update_rules() {
44	SITE="https://raw.githubusercontent.com/nbs-system/php-malware-finder/master/php-malware-finder/"	44	SITE="https://raw.githubusercontent.com/nbs-system/php-malware-finder/master/php-malware-finder/"
45	RULES_FILES=('asp.yar' 'common.yar' 'bad_php.yar' 'php.yar'	45	RULES_FILES=('asp.yar' 'common.yar' 'php.yar'
46	'whitelist.yar' 'whitelists/drupal.yar' 'whitelists/magento2.yar'	46	'whitelist.yar' 'whitelists/drupal.yar' 'whitelists/magento2.yar'
47	'whitelists/phpmyadmin.yar' 'whitelists/prestashop.yar'	47	'whitelists/phpmyadmin.yar' 'whitelists/prestashop.yar'
48	'whitelists/symfony.yar' 'whitelists/wordpress.yar' )	48	'whitelists/symfony.yar' 'whitelists/wordpress.yar' )