Make application go-install-able and create a docker image

author: Mathieu Deous 2022-05-02 20:18:23 +0200
committer: GitHub 2022-05-02 20:18:23 +0200
commit: 48936efa96ae17295be4e0a71be3294f0ec6aef8 (patch)
tree: f4e69551f1368aa048edf46b7b061600f3668329 /README.md
parent: bbc738e16f8b637afde58d65196374af98a5e0e2 (diff)
1 files changed, 23 insertions, 6 deletions
diff --git a/README.md b/README.md
index 6ae0b07..2ee0606 100644
--- a/README.md
+++ b/README.md
@@ -60,22 +60,28 @@ PMF tries as much as possible to use semantic patterns, to detect things like
 and then passed to some dangerous function like `system`".
 ## Installation
+### From source
 - Install Go (using your package manager, or [manually](https://go.dev/doc/install))
 - Install libyara >= 4.2 (using your package manager, or [from source](https://yara.readthedocs.io/en/stable/gettingstarted.html))
 - Download php-malware-finder: `git clone https://github.com/jvoisin/php-malware-finder.git`
 - Build php-malware-finder: `cd php-malware-finder && make`
+or replace the last 2 steps with `go install github.com/jvoisin/php-malware-finder`,
+which will directly compile and install PMF in your `${GOROOT}/bin` folder.
 ## How to use it?
 ```
-$ ./phpmalwarefinder -h
+$ ./php-malware-finder -h
 Usage:
-  phpmalwarefinder [OPTIONS] [Target]
+  php-malware-finder [OPTIONS] [Target]
 Application Options:
-  -r, --rules-dir=      Rules location (default: /etc/phpmalwarefinder or .)
+  -r, --rules-dir=      Alternative rules location (default: embedded rules)
  -a, --show-all        Display all matched rules
-  -f, --fast            Enable YARA's fast mode'
+  -f, --fast            Enable YARA's fast mode
  -R, --rate-limit=     Max. filesystem ops per second, 0 for no limit (default: 0)
  -v, --verbose         Verbose mode
  -w, --workers=        Number of workers to spawn for scanning (default: 32)
@@ -84,6 +90,7 @@ Application Options:
  -i, --exclude-imgs    Do not scan image files
  -x, --exclude-ext=    Additional file extensions to exclude
  -u, --update          Update rules
+  -V, --version         Show version number and exit
 Help Options:
  -h, --help            Show this help message
@@ -92,7 +99,7 @@ Help Options:
 Or if you prefer to use `yara`:
 ```
-$ yara -r ./php.yar /var/www
+$ yara -r ./data/php.yar /var/www
 ```
 Please keep in mind that you should use at least YARA 3.4 because we're using
@@ -103,6 +110,16 @@ have support for hashes.
 Oh, and by the way, you can run the *comprehensive* testsuite with `make tests`.
+### Docker
+If you want to avoid having to install Go and libyara, you can also use our
+docker image and simply mount the folder you want to scan to the container's
+`/data` directory:
+```
+$ docker run --rm -v /folder/to/scan:/data ghcr.io/jvoisin/php-malware-finder
+```
 ## Whitelisting
 Check the [whitelist.yar](https://github.com/jvoisin/php-malware-finder/blob/master/php-malware-finder/whitelist.yar) file.
@@ -115,7 +132,7 @@ Because:
 - It doesn't use [a single rule per sample](
  https://github.com/Neo23x0/signature-base/blob/e264d66a8ea3be93db8482ab3d639a2ed3e9c949/yara/thor-webshells.yar
  ), since it only cares about finding malicious patterns, not specific webshells
- It has a [complete testsuite](https://travis-ci.org/jvoisin/php-malware-finder), to avoid regressions
+- It has a [complete testsuite](https://github.com/jvoisin/php-malware-finder/actions), to avoid regressions
 - Its whitelist system doesn't rely on filenames
 - It doesn't rely on (slow) [entropy computation]( https://en.wikipedia.org/wiki/Entropy_(information_theory) )
 - It uses a ghetto-style static analysis, instead of relying on file hashes
author	Mathieu Deous	2022-05-02 20:18:23 +0200
committer	GitHub	2022-05-02 20:18:23 +0200
commit	48936efa96ae17295be4e0a71be3294f0ec6aef8 (patch)
tree	f4e69551f1368aa048edf46b7b061600f3668329 /README.md
parent	bbc738e16f8b637afde58d65196374af98a5e0e2 (diff)