Diffstat (limited to 'utils/generate_whitelist.py')
-rwxr-xr-xutils/generate_whitelist.py46
1 files changed, 46 insertions, 0 deletions
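diff --git a/utils/generate_whitelist.py b/utils/generate_whitelist.py
new file mode 100755
index 0000000..dabaa21
--- /dev/null
+++ b/utils/generate_whitelist.py
@@ -0,0 +1,46 @@
+#!/usr/bin/env python
+#coding=UTF-8
+
+import fnmatch
+import hashlib
+import os
+import sys
+
+try:
+    import yara
+except ImportError:
+    print('Please install python-yara')
+    sys.exit(1)
+
+if len(sys.argv) != 3:
+    print('Usage: %s name_of_the_rule_and_version folder_to_scan' % sys.argv[0])
+    sys.exit(1)
+
+if not os.path.isdir(sys.argv[2]):
+    print('%s is not a folder !' % sys.argv[2])
+    sys.exit(1)
+
+try:
+    rules = yara.compile(sys.path[0]+'/../php.yar', includes=True, error_on_warning=False)
+except yara.SyntaxError as e:
+    print("Can't compile rules: %s" % e)
+    sys.exit(1)
+
+output_list = list()
+
+for curdir, dirnames, filenames in os.walk(sys.argv[2]):
+    for filename in filenames:
+        fname = os.path.join(curdir, filename)
+        if 0 < os.stat(fname).st_size < 5 * 1024 * 1024:
+            matches = rules.match(fname, fast=True)
+            if matches:
+                with open(fname, 'rb') as f:
+                    digest = hashlib.sha1(f.read()).hexdigest()
+                    output_list.append('hash.sha1(0, filesize) == "%s" or // %s' % (digest, fname))
+
+
+if output_list:
+    output_rule = 'import "hash"\n\nrule %s\n{\n\tcondition:\n\t\t/* %s */\n\t\t' % (sys.argv[1].split(' ')[0], sys.argv[1])
+    output_rule += '\n\t\t'.join(output_list)
+    output_rule += '\n\t\tfalse\n}'
+    print(output_rule)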
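Review bot: The whitelist identifies files by SHA-1 (the hashlib.sha1 call inside the walk loop and the hash.sha1 comparison in the emitted condition), and SHA-1 collisions are practical today, so a crafted file could carry a whitelisted digest and be excluded from detection; YARA's hash module also exposes sha256, so the two lines can become `digest = hashlib.sha256(f.read()).hexdigest()` and `output_list.append('hash.sha256(0, filesize) == "%s" or // %s' % (digest, fname))`. The script also assumes every file under the scanned folder is benign, since anything there that matches php.yar is whitelisted for good, which deserves a comment next to the usage message such as `# Run only against a pristine, trusted copy of the application: every match found here is excluded from future scans.`. The size check calls os.stat on each entry and then opens it separately, and os.stat raises on a dangling symlink, which aborts the whole walk instead of skipping that entry; catching `OSError` around the stat/open pair and continuing would be more robust. The rule name and each file path are interpolated unescaped into YARA comments (`/* %s */` and `// %s`), so a `*/` or a newline in either silently produces a rule that will not compile. `import fnmatch` is unused.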