1 files changed, 46 insertions, 0 deletions
diff --git a/utils/generate_whitelist.py b/utils/generate_whitelist.py
new file mode 100755
index 0000000..dabaa21
--- /dev/null
+++ b/utils/generate_whitelist.py
@@ -0,0 +1,46 @@
+#!/usr/bin/env python
+#coding=UTF-8
+import fnmatch
+import hashlib
+import os
+import sys
+try:
+    import yara
+except ImportError:
+    print('Please install python-yara')
+    sys.exit(1)
+if len(sys.argv) != 3:
+    print('Usage: %s name_of_the_rule_and_version folder_to_scan' % sys.argv[0])
+    sys.exit(1)
+if not os.path.isdir(sys.argv[2]):
+    print('%s is not a folder !' % sys.argv[2])
+    sys.exit(1)
+try:
+    rules = yara.compile(sys.path[0]+'/../php.yar', includes=True, error_on_warning=False)
+except yara.SyntaxError as e:
+    print("Can't compile rules: %s" % e)
+    sys.exit(1)
+output_list = list()
+for curdir, dirnames, filenames in os.walk(sys.argv[2]):
+    for filename in filenames:
+        fname = os.path.join(curdir, filename)
+        if 0 < os.stat(fname).st_size < 5 * 1024 * 1024:
+            matches = rules.match(fname, fast=True)
+            if matches:
+                with open(fname, 'rb') as f:
+                    digest = hashlib.sha1(f.read()).hexdigest()
+                output_list.append('hash.sha1(0, filesize) == "%s" or // %s' % (digest, fname))
+if output_list:
+    output_rule = 'import "hash"\n\nrule %s\n{\n\tcondition:\n\t\t/* %s */\n\t\t' % (sys.argv[1].split(' ')[0], sys.argv[1])
+    output_rule += '\n\t\t'.join(output_list)
+    output_rule += '\n\t\tfalse\n}'
+    print(output_rule)

diff --git a/utils/generate_whitelist.py b/utils/generate_whitelist.py new file mode 100755 index 0000000..dabaa21 --- /dev/null +++ b/utils/generate_whitelist.py
@@ -0,0 +1,46 @@
	1	#!/usr/bin/env python
	2	#coding=UTF-8
	3
	4	import fnmatch
	5	import hashlib
	6	import os
	7	import sys
	8
	9	try:
	10	import yara
	11	except ImportError:
	12	print('Please install python-yara')
	13	sys.exit(1)
	14
	15	if len(sys.argv) != 3:
	16	print('Usage: %s name_of_the_rule_and_version folder_to_scan' % sys.argv[0])
	17	sys.exit(1)
	18
	19	if not os.path.isdir(sys.argv[2]):
	20	print('%s is not a folder !' % sys.argv[2])
	21	sys.exit(1)
	22
	23	try:
	24	rules = yara.compile(sys.path[0]+'/../php.yar', includes=True, error_on_warning=False)
	25	except yara.SyntaxError as e:
	26	print("Can't compile rules: %s" % e)
	27	sys.exit(1)
	28
	29	output_list = list()
	30
	31	for curdir, dirnames, filenames in os.walk(sys.argv[2]):
	32	for filename in filenames:
	33	fname = os.path.join(curdir, filename)
	34	if 0 < os.stat(fname).st_size < 5 * 1024 * 1024:
	35	matches = rules.match(fname, fast=True)
	36	if matches:
	37	with open(fname, 'rb') as f:
	38	digest = hashlib.sha1(f.read()).hexdigest()
	39	output_list.append('hash.sha1(0, filesize) == "%s" or // %s' % (digest, fname))
	40
	41
	42	if output_list:
	43	output_rule = 'import "hash"\n\nrule %s\n{\n\tcondition:\n\t\t/* %s */\n\t\t' % (sys.argv[1].split(' ')[0], sys.argv[1])
	44	output_rule += '\n\t\t'.join(output_list)
	45	output_rule += '\n\t\tfalse\n}'
	46	print(output_rule)