Extend whitelisting support

Some detection modules weren't aware of whiteliting
author: Julien (jvoisin) Voisin 2016-10-27 11:57:59 +0200
committer: Julien (jvoisin) Voisin 2016-10-27 11:57:59 +0200
commit: e889f9d6f551ded842910584c855e8f16f7d67cd (patch)
tree: bfcc1bb0a99eaa3df6f3872127bc2e8878a819a0
parent: 9661c01a9238fbc900821e0d3ec9723c4e7304e0 (diff)
2 files changed, 3 insertions, 3 deletions
diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar
index 2b0cd7d..c4dac97 100644
--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -72,7 +72,7 @@ private rule strrev
 rule SuspiciousEncoding
 {
    condition:
-        base64 or hex or strrev
+        base64 or hex or strrev and not IsWhitelisted
 }
 rule DodgyStrings
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index cdb91c2..37a8dcf 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -39,7 +39,7 @@ rule PasswordProtection
        $md5 = /md5\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{32}['"]/ nocase
        $sha1 = /sha1\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{40}['"]/ nocase
    condition:
-        any of them
+        any of them and not IsWhitelisted
 }
 rule ObfuscatedPhp
@@ -149,5 +149,5 @@ rule HiddenInAFile
        $jpeg = {FF D8 FF E0 ?? ?? 4A 46 49 46 } // https://raw.githubusercontent.com/corkami/pics/master/JPG.png
    condition:
-        ($gif at 0 or $png at 0 or $jpeg at 0) and (PasswordProtection or ObfuscatedPhp or DodgyPhp or DangerousPhp)
+        ($gif at 0 or $png at 0 or $jpeg at 0) and (PasswordProtection or ObfuscatedPhp or DodgyPhp or DangerousPhp) and not IsWhitelisted
 }
author	Julien (jvoisin) Voisin	2016-10-27 11:57:59 +0200
committer	Julien (jvoisin) Voisin	2016-10-27 11:57:59 +0200
commit	e889f9d6f551ded842910584c855e8f16f7d67cd (patch)
tree	bfcc1bb0a99eaa3df6f3872127bc2e8878a819a0
parent	9661c01a9238fbc900821e0d3ec9723c4e7304e0 (diff)

diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar index 2b0cd7d..c4dac97 100644 --- a/php-malware-finder/common.yar +++ b/php-malware-finder/common.yar
@@ -72,7 +72,7 @@ private rule strrev
72	rule SuspiciousEncoding	72	rule SuspiciousEncoding
73	{	73	{
74	condition:	74	condition:
75	base64 or hex or strrev	75	base64 or hex or strrev and not IsWhitelisted
76	}	76	}
77		77
78	rule DodgyStrings	78	rule DodgyStrings


diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar index cdb91c2..37a8dcf 100644 --- a/php-malware-finder/php.yar +++ b/php-malware-finder/php.yar
@@ -39,7 +39,7 @@ rule PasswordProtection
39	$md5 = /md5\s\(\s\$_(GET\|REQUEST\|POST\|COOKIE)[^)]+\)\s===?\s['"][0-9a-f]{32}['"]/ nocase	39	$md5 = /md5\s\(\s\$_(GET\|REQUEST\|POST\|COOKIE)[^)]+\)\s===?\s['"][0-9a-f]{32}['"]/ nocase
40	$sha1 = /sha1\s\(\s\$_(GET\|REQUEST\|POST\|COOKIE)[^)]+\)\s===?\s['"][0-9a-f]{40}['"]/ nocase	40	$sha1 = /sha1\s\(\s\$_(GET\|REQUEST\|POST\|COOKIE)[^)]+\)\s===?\s['"][0-9a-f]{40}['"]/ nocase
41	condition:	41	condition:
42	any of them	42	any of them and not IsWhitelisted
43	}	43	}
44		44
45	rule ObfuscatedPhp	45	rule ObfuscatedPhp
@@ -149,5 +149,5 @@ rule HiddenInAFile
149	$jpeg = {FF D8 FF E0 ?? ?? 4A 46 49 46 } // https://raw.githubusercontent.com/corkami/pics/master/JPG.png	149	$jpeg = {FF D8 FF E0 ?? ?? 4A 46 49 46 } // https://raw.githubusercontent.com/corkami/pics/master/JPG.png
150		150
151	condition:	151	condition:
152	($gif at 0 or $png at 0 or $jpeg at 0) and (PasswordProtection or ObfuscatedPhp or DodgyPhp or DangerousPhp)	152	($gif at 0 or $png at 0 or $jpeg at 0) and (PasswordProtection or ObfuscatedPhp or DodgyPhp or DangerousPhp) and not IsWhitelisted
153	}	153	}