Remove a slow-and-false-positives-generating rule

author: jvoisin 2015-05-21 11:31:28 +0200
committer: jvoisin 2015-05-21 11:31:28 +0200
commit: f9e7357cdc5e006f528235a12f9cd72973aa0dbe (patch)
tree: 96655dd0abd5b53e6291b050368164e9ba4647f1
parent: ff6e3ef0259f933a7c61c3816035b9ae42d66d42 (diff)
1 files changed, 0 insertions, 1 deletions
diff --git a/malwares.yara b/malwares.yara
index 792c0d2..deb5f5f 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -110,7 +110,6 @@ rule DodgyPhp
        $htaccess = "SetHandler application/x-httpd-php"
        $obvious_preg = /['"]\/\.\*\/e["']/ fullword  // "/.*/e" <- this is suspicious
        $udp_dos = /sockopen\s*\(['"]udp:\/\//
-        $stored_func = /\$[A-Za-z0-9_-]+\[([0-9]+|['"][^'"]+['"])\]\s*\(/  // things like $myArray['varname'](parameters, ...)
    condition:
        IsPhp and (any of them or CloudFlareBypass)
author	jvoisin	2015-05-21 11:31:28 +0200
committer	jvoisin	2015-05-21 11:31:28 +0200
commit	f9e7357cdc5e006f528235a12f9cd72973aa0dbe (patch)
tree	96655dd0abd5b53e6291b050368164e9ba4647f1
parent	ff6e3ef0259f933a7c61c3816035b9ae42d66d42 (diff)

diff --git a/malwares.yara b/malwares.yara index 792c0d2..deb5f5f 100644 --- a/malwares.yara +++ b/malwares.yara
@@ -110,7 +110,6 @@ rule DodgyPhp
110	$htaccess = "SetHandler application/x-httpd-php"	110	$htaccess = "SetHandler application/x-httpd-php"
111	$obvious_preg = /['"]\/\.\\/e["']/ fullword // "/./e" <- this is suspicious	111	$obvious_preg = /['"]\/\.\\/e["']/ fullword // "/./e" <- this is suspicious
112	$udp_dos = /sockopen\s*\(['"]udp:\/\//	112	$udp_dos = /sockopen\s*\(['"]udp:\/\//
113	$stored_func = /\$[A-Za-z0-9_-]+\[([0-9]+\|['"][^'"]+['"])\]\s*\(/ // things like $myArray['varname'](parameters, ...)
114		113
115	condition:	114	condition:
116	IsPhp and (any of them or CloudFlareBypass)	115	IsPhp and (any of them or CloudFlareBypass)