Renaming .yara files to .yar (#24)

author: xarkes 2016-04-21 11:37:43 +0200
committer: jvoisin 2016-04-21 11:37:43 +0200
commit: b2fc542557d08570faa0dd077d07277c626ddc1b (patch)
tree: 5cc3fc94c16bc04c8127257f3109e41680af8b86
parent: d3008b7639c24cf71a2b07b29b58b48533fdfa49 (diff)
11 files changed, 25 insertions, 25 deletions
diff --git a/Makefile b/Makefile
index ddf79b7..b66e1db 100644
--- a/Makefile
+++ b/Makefile
@@ -10,16 +10,16 @@ clean:
 extract:
        cp -r debian php-malware-finder
-        git checkout php-malware-finder/common.yara
+        git checkout php-malware-finder/common.yar
-        git checkout php-malware-finder/php.yara
+        git checkout php-malware-finder/php.yar
-        git checkout php-malware-finder/asp.yara
+        git checkout php-malware-finder/asp.yar
 set_distribution:
        sed -e "s/##version/${DEBVER}/" -i php-malware-finder/debian/control php-malware-finder/debian/changelog
 check_distribution:
 ifeq ($(DEBVER),6)
-                sed -e '/too_many_chr/d'  -e '/b64_concat/d' -e 's/^import.*//g' -e 's/^include.*//g' -e 's/and\ not\ IsWhitelisted//g' -i php-malware-finder/common.yara
+                sed -e '/too_many_chr/d'  -e '/b64_concat/d' -e 's/^import.*//g' -e 's/^include.*//g' -e 's/and\ not\ IsWhitelisted//g' -i php-malware-finder/common.yar
 endif
 package: clean extract set_distribution check_distribution
diff --git a/README.md b/README.md
index 7ed97d3..0cb901a 100644
--- a/README.md
+++ b/README.md
@@ -47,7 +47,7 @@ both) category, and should re-read the previous sentence.
 ## How does it work?
 Detection is performed by crawling the filesystem and testing files against a
-[set]( https://github.com/nbs-system/php-malware-finder/blob/master/php.yara )
+[set]( https://github.com/nbs-system/php-malware-finder/blob/master/php.yar )
 of [YARA](https://plusvic.github.io/yara/) rules. Yes, it's that simple!
@@ -67,8 +67,8 @@ Usage phpmalwarefinder [-cfhtv] [-l (php|asp)] <file|folder> ...
 Or if you prefer to use `yara`:
 ```
-$ yara -r ./php.yara /var/www
+$ yara -r ./php.yar /var/www
-$ yara -r ./asp.yara /var/www
+$ yara -r ./asp.yar /var/www
 ```
 Please keep in mind that you should use at least YARA 3.4 because we're using
@@ -79,7 +79,7 @@ Ho, and by the way, you can run the comprehensive testsuite with `make test`.
 ## Whitelisting
-Check the [whitelist.yara]( https://github.com/nbs-system/php-malware-finder/blob/master/whitelist.yara ) file.
+Check the [whitelist.yar]( https://github.com/nbs-system/php-malware-finder/blob/master/whitelist.yar ) file.
 If you're lazy, you can generate whitelists for entire folders with the
 [generate_whitelist.py]( https://github.com/nbs-system/php-malware-finder/blob/master/generate_whitelist.py ) script.
diff --git a/debian/nbs-phpmalwarefinder.install b/debian/nbs-phpmalwarefinder.install
index 676b4aa..fb5e89a 100644
--- a/debian/nbs-phpmalwarefinder.install
+++ b/debian/nbs-phpmalwarefinder.install
@@ -1,6 +1,6 @@
-common.yara etc/phpmalwarefinder
+common.yar etc/phpmalwarefinder
-php.yara etc/phpmalwarefinder
+php.yar etc/phpmalwarefinder
-asp.yara etc/phpmalwarefinder
+asp.yar etc/phpmalwarefinder
-whitelist.yara etc/phpmalwarefinder
+whitelist.yar etc/phpmalwarefinder
 phpmalwarefinder usr/bin/
 docroot-check.sh usr/bin/
diff --git a/php-malware-finder/asp.yara b/php-malware-finder/asp.yar
index 26483a1..6af74fb 100644
--- a/php-malware-finder/asp.yara
+++ b/php-malware-finder/asp.yar
@@ -1,6 +1,6 @@
 import "hash"
-include "whitelist.yara"
+include "whitelist.yar"
-include "common.yara"
+include "common.yar"
 global private rule IsAsp
 {
diff --git a/php-malware-finder/bad_php.yara b/php-malware-finder/bad_php.yar
index 1fb185f..1fb185f 100644
--- a/php-malware-finder/bad_php.yara
+++ b/php-malware-finder/bad_php.yar
diff --git a/php-malware-finder/common.yara b/php-malware-finder/common.yar
index 38b6726..38b6726 100644
--- a/php-malware-finder/common.yara
+++ b/php-malware-finder/common.yar
diff --git a/php-malware-finder/docroot-check.sh b/php-malware-finder/docroot-check.sh
index fa67a11..11aa4f9 100644
--- a/php-malware-finder/docroot-check.sh
+++ b/php-malware-finder/docroot-check.sh
@@ -2,7 +2,7 @@
 PATH=/usr/bin:/bin:/sbin:/usr/sbin
 apache_confdir="/etc/apache2/sites-available"
-pmf_conf="/etc/phpmalwarefinder/php.yara"
+pmf_conf="/etc/phpmalwarefinder/php.yar"
 pmf_cachedir="/tmp"
 # grab the different document roots to scan each and everyone of them
diff --git a/php-malware-finder/generate_whitelist.py b/php-malware-finder/generate_whitelist.py
index ca9fa2d..4a8a6c5 100644
--- a/php-malware-finder/generate_whitelist.py
+++ b/php-malware-finder/generate_whitelist.py
@@ -19,7 +19,7 @@ if not os.path.isdir(sys.argv[2]):
    print '%s is not a folder !' % sys.argv[2]
    sys.exit(1)
-rules = yara.compile('./php.yara', includes=True, error_on_warning=True)
+rules = yara.compile('./php.yar', includes=True, error_on_warning=True)
 output_list = list()
diff --git a/php-malware-finder/php.yara b/php-malware-finder/php.yar
index 1370543..06e1827 100644
--- a/php-malware-finder/php.yara
+++ b/php-malware-finder/php.yar
@@ -1,6 +1,6 @@
 import "hash"
-include "whitelist.yara"
+include "whitelist.yar"
-include "common.yara"
+include "common.yar"
 /*
    Detect:
diff --git a/php-malware-finder/phpmalwarefinder b/php-malware-finder/phpmalwarefinder
index db87349..1f8073f 100755
--- a/php-malware-finder/phpmalwarefinder
+++ b/php-malware-finder/phpmalwarefinder
@@ -2,7 +2,7 @@
 YARA=$(type -P yara)
-CONFIG_PATH='/etc/phpmalwarefinder/common.yara'
+CONFIG_PATH='/etc/phpmalwarefinder/common.yar'
 IONICE_BIN=$(type -P ionice)
 NICE_BIN=$(type -P nice)
 FORMAT="php"
@@ -20,10 +20,10 @@ fi
 if [ ! -f "$CONFIG_PATH" ]
 then
    OLD_PATH=$CONFIG_PATH
-    CONFIG_PATH='./common.yara'
+    CONFIG_PATH='./common.yar'
    if [ ! -f "$CONFIG_PATH" ]
    then
-        echo "Unable to find 'common.yara' in $OLD_PATH, and in the current directory."
+        echo "Unable to find 'common.yar' in $OLD_PATH, and in the current directory."
        exit 0
    fi
 fi
@@ -42,12 +42,12 @@ fi
 update_rules() {
  SITE="https://raw.githubusercontent.com/nbs-system/php-malware-finder/master/php-malware-finder/"
-  RULES_FILES=('asp.yara' 'common.yara' 'bad_php.yara' 'php.yara'
+  RULES_FILES=('asp.yar' 'common.yar' 'bad_php.yar' 'php.yar'
-  'whitelist.yara')
+  'whitelist.yar')
  CONFIG_DIR="/etc/phpmalwarefinder/"
  if [ ! -d $CONFIG_DIR ]; then
-      if [ ! -f ./common.yara ]; then
+      if [ ! -f ./common.yar ]; then
          echo "no rules in $CONFIG_DIR or ./, exiting"
          exit 1
      else
@@ -182,7 +182,7 @@ one_line_trick "$@"
 # Include correct yara rule
 CONFIG_PATH=${CONFIG_PATH%/*}/
-OPTS="${OPTS} -r ${CONFIG_PATH}${FORMAT}.yara"
+OPTS="${OPTS} -r ${CONFIG_PATH}${FORMAT}.yar"
 # Execute rules
 ${NICE} ${NICE_OPTS} $YARA $OPTS "$@"
diff --git a/php-malware-finder/whitelist.yara b/php-malware-finder/whitelist.yar
index 3aab9c5..3aab9c5 100644
--- a/php-malware-finder/whitelist.yara
+++ b/php-malware-finder/whitelist.yar
author	xarkes	2016-04-21 11:37:43 +0200
committer	jvoisin	2016-04-21 11:37:43 +0200
commit	b2fc542557d08570faa0dd077d07277c626ddc1b (patch)
tree	5cc3fc94c16bc04c8127257f3109e41680af8b86
parent	d3008b7639c24cf71a2b07b29b58b48533fdfa49 (diff)

diff --git a/Makefile b/Makefile index ddf79b7..b66e1db 100644 --- a/Makefile +++ b/Makefile
@@ -10,16 +10,16 @@ clean:
10		10
11	extract:	11	extract:
12	cp -r debian php-malware-finder	12	cp -r debian php-malware-finder
13	git checkout php-malware-finder/common.yara	13	git checkout php-malware-finder/common.yar
14	git checkout php-malware-finder/php.yara	14	git checkout php-malware-finder/php.yar
15	git checkout php-malware-finder/asp.yara	15	git checkout php-malware-finder/asp.yar
16		16
17	set_distribution:	17	set_distribution:
18	sed -e "s/##version/${DEBVER}/" -i php-malware-finder/debian/control php-malware-finder/debian/changelog	18	sed -e "s/##version/${DEBVER}/" -i php-malware-finder/debian/control php-malware-finder/debian/changelog
19		19
20	check_distribution:	20	check_distribution:
21	ifeq ($(DEBVER),6)	21	ifeq ($(DEBVER),6)
22	sed -e '/too_many_chr/d' -e '/b64_concat/d' -e 's/^import.//g' -e 's/^include.//g' -e 's/and\ not\ IsWhitelisted//g' -i php-malware-finder/common.yara	22	sed -e '/too_many_chr/d' -e '/b64_concat/d' -e 's/^import.//g' -e 's/^include.//g' -e 's/and\ not\ IsWhitelisted//g' -i php-malware-finder/common.yar
23	endif	23	endif
24		24
25	package: clean extract set_distribution check_distribution	25	package: clean extract set_distribution check_distribution


diff --git a/README.md b/README.md index 7ed97d3..0cb901a 100644 --- a/README.md +++ b/README.md
@@ -47,7 +47,7 @@ both) category, and should re-read the previous sentence.
47	## How does it work?	47	## How does it work?
48		48
49	Detection is performed by crawling the filesystem and testing files against a	49	Detection is performed by crawling the filesystem and testing files against a
50	[set]( https://github.com/nbs-system/php-malware-finder/blob/master/php.yara )	50	[set]( https://github.com/nbs-system/php-malware-finder/blob/master/php.yar )
51	of [YARA](https://plusvic.github.io/yara/) rules. Yes, it's that simple!	51	of [YARA](https://plusvic.github.io/yara/) rules. Yes, it's that simple!
52		52
53		53
@@ -67,8 +67,8 @@ Usage phpmalwarefinder [-cfhtv] [-l (php\|asp)] <file\|folder> ...
67	Or if you prefer to use `yara`:	67	Or if you prefer to use `yara`:
68		68
69	```	69	```
70	$ yara -r ./php.yara /var/www	70	$ yara -r ./php.yar /var/www
71	$ yara -r ./asp.yara /var/www	71	$ yara -r ./asp.yar /var/www
72	```	72	```
73		73
74	Please keep in mind that you should use at least YARA 3.4 because we're using	74	Please keep in mind that you should use at least YARA 3.4 because we're using
@@ -79,7 +79,7 @@ Ho, and by the way, you can run the comprehensive testsuite with `make test`.
79		79
80	## Whitelisting	80	## Whitelisting
81		81
82	Check the [whitelist.yara]( https://github.com/nbs-system/php-malware-finder/blob/master/whitelist.yara ) file.	82	Check the [whitelist.yar]( https://github.com/nbs-system/php-malware-finder/blob/master/whitelist.yar ) file.
83	If you're lazy, you can generate whitelists for entire folders with the	83	If you're lazy, you can generate whitelists for entire folders with the
84	[generate_whitelist.py]( https://github.com/nbs-system/php-malware-finder/blob/master/generate_whitelist.py ) script.	84	[generate_whitelist.py]( https://github.com/nbs-system/php-malware-finder/blob/master/generate_whitelist.py ) script.
85		85


diff --git a/debian/nbs-phpmalwarefinder.install b/debian/nbs-phpmalwarefinder.install index 676b4aa..fb5e89a 100644 --- a/debian/nbs-phpmalwarefinder.install +++ b/debian/nbs-phpmalwarefinder.install
@@ -1,6 +1,6 @@
1	common.yara etc/phpmalwarefinder	1	common.yar etc/phpmalwarefinder
2	php.yara etc/phpmalwarefinder	2	php.yar etc/phpmalwarefinder
3	asp.yara etc/phpmalwarefinder	3	asp.yar etc/phpmalwarefinder
4	whitelist.yara etc/phpmalwarefinder	4	whitelist.yar etc/phpmalwarefinder
5	phpmalwarefinder usr/bin/	5	phpmalwarefinder usr/bin/
6	docroot-check.sh usr/bin/	6	docroot-check.sh usr/bin/


diff --git a/php-malware-finder/asp.yara b/php-malware-finder/asp.yar index 26483a1..6af74fb 100644 --- a/php-malware-finder/asp.yara +++ b/php-malware-finder/asp.yar
@@ -1,6 +1,6 @@
1	import "hash"	1	import "hash"
2	include "whitelist.yara"	2	include "whitelist.yar"
3	include "common.yara"	3	include "common.yar"
4		4
5	global private rule IsAsp	5	global private rule IsAsp
6	{	6	{


diff --git a/php-malware-finder/bad_php.yara b/php-malware-finder/bad_php.yar index 1fb185f..1fb185f 100644 --- a/php-malware-finder/bad_php.yara +++ b/php-malware-finder/bad_php.yar


diff --git a/php-malware-finder/common.yara b/php-malware-finder/common.yar index 38b6726..38b6726 100644 --- a/php-malware-finder/common.yara +++ b/php-malware-finder/common.yar


diff --git a/php-malware-finder/docroot-check.sh b/php-malware-finder/docroot-check.sh index fa67a11..11aa4f9 100644 --- a/php-malware-finder/docroot-check.sh +++ b/php-malware-finder/docroot-check.sh
@@ -2,7 +2,7 @@
2		2
3	PATH=/usr/bin:/bin:/sbin:/usr/sbin	3	PATH=/usr/bin:/bin:/sbin:/usr/sbin
4	apache_confdir="/etc/apache2/sites-available"	4	apache_confdir="/etc/apache2/sites-available"
5	pmf_conf="/etc/phpmalwarefinder/php.yara"	5	pmf_conf="/etc/phpmalwarefinder/php.yar"
6	pmf_cachedir="/tmp"	6	pmf_cachedir="/tmp"
7		7
8	# grab the different document roots to scan each and everyone of them	8	# grab the different document roots to scan each and everyone of them


diff --git a/php-malware-finder/generate_whitelist.py b/php-malware-finder/generate_whitelist.py index ca9fa2d..4a8a6c5 100644 --- a/php-malware-finder/generate_whitelist.py +++ b/php-malware-finder/generate_whitelist.py
@@ -19,7 +19,7 @@ if not os.path.isdir(sys.argv[2]):
19	print '%s is not a folder !' % sys.argv[2]	19	print '%s is not a folder !' % sys.argv[2]
20	sys.exit(1)	20	sys.exit(1)
21		21
22	rules = yara.compile('./php.yara', includes=True, error_on_warning=True)	22	rules = yara.compile('./php.yar', includes=True, error_on_warning=True)
23		23
24	output_list = list()	24	output_list = list()
25		25


diff --git a/php-malware-finder/php.yara b/php-malware-finder/php.yar index 1370543..06e1827 100644 --- a/php-malware-finder/php.yara +++ b/php-malware-finder/php.yar
@@ -1,6 +1,6 @@
1	import "hash"	1	import "hash"
2	include "whitelist.yara"	2	include "whitelist.yar"
3	include "common.yara"	3	include "common.yar"
4		4
5	/*	5	/*
6	Detect:	6	Detect:


diff --git a/php-malware-finder/phpmalwarefinder b/php-malware-finder/phpmalwarefinder index db87349..1f8073f 100755 --- a/php-malware-finder/phpmalwarefinder +++ b/php-malware-finder/phpmalwarefinder
@@ -2,7 +2,7 @@
2		2
3		3
4	YARA=$(type -P yara)	4	YARA=$(type -P yara)
5	CONFIG_PATH='/etc/phpmalwarefinder/common.yara'	5	CONFIG_PATH='/etc/phpmalwarefinder/common.yar'
6	IONICE_BIN=$(type -P ionice)	6	IONICE_BIN=$(type -P ionice)
7	NICE_BIN=$(type -P nice)	7	NICE_BIN=$(type -P nice)
8	FORMAT="php"	8	FORMAT="php"
@@ -20,10 +20,10 @@ fi
20	if [ ! -f "$CONFIG_PATH" ]	20	if [ ! -f "$CONFIG_PATH" ]
21	then	21	then
22	OLD_PATH=$CONFIG_PATH	22	OLD_PATH=$CONFIG_PATH
23	CONFIG_PATH='./common.yara'	23	CONFIG_PATH='./common.yar'
24	if [ ! -f "$CONFIG_PATH" ]	24	if [ ! -f "$CONFIG_PATH" ]
25	then	25	then
26	echo "Unable to find 'common.yara' in $OLD_PATH, and in the current directory."	26	echo "Unable to find 'common.yar' in $OLD_PATH, and in the current directory."
27	exit 0	27	exit 0
28	fi	28	fi
29	fi	29	fi
@@ -42,12 +42,12 @@ fi
42		42
43	update_rules() {	43	update_rules() {
44	SITE="https://raw.githubusercontent.com/nbs-system/php-malware-finder/master/php-malware-finder/"	44	SITE="https://raw.githubusercontent.com/nbs-system/php-malware-finder/master/php-malware-finder/"
45	RULES_FILES=('asp.yara' 'common.yara' 'bad_php.yara' 'php.yara'	45	RULES_FILES=('asp.yar' 'common.yar' 'bad_php.yar' 'php.yar'
46	'whitelist.yara')	46	'whitelist.yar')
47	CONFIG_DIR="/etc/phpmalwarefinder/"	47	CONFIG_DIR="/etc/phpmalwarefinder/"
48		48
49	if [ ! -d $CONFIG_DIR ]; then	49	if [ ! -d $CONFIG_DIR ]; then
50	if [ ! -f ./common.yara ]; then	50	if [ ! -f ./common.yar ]; then
51	echo "no rules in $CONFIG_DIR or ./, exiting"	51	echo "no rules in $CONFIG_DIR or ./, exiting"
52	exit 1	52	exit 1
53	else	53	else
@@ -182,7 +182,7 @@ one_line_trick "$@"
182		182
183	# Include correct yara rule	183	# Include correct yara rule
184	CONFIG_PATH=${CONFIG_PATH%/*}/	184	CONFIG_PATH=${CONFIG_PATH%/*}/
185	OPTS="${OPTS} -r ${CONFIG_PATH}${FORMAT}.yara"	185	OPTS="${OPTS} -r ${CONFIG_PATH}${FORMAT}.yar"
186		186
187	# Execute rules	187	# Execute rules
188	${NICE} ${NICE_OPTS} $YARA $OPTS "$@"	188	${NICE} ${NICE_OPTS} $YARA $OPTS "$@"


diff --git a/php-malware-finder/whitelist.yara b/php-malware-finder/whitelist.yar index 3aab9c5..3aab9c5 100644 --- a/php-malware-finder/whitelist.yara +++ b/php-malware-finder/whitelist.yar