From 2417f4477ae56a856a154c056e95b737ad7c28f4 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Fri, 8 Jul 2016 15:37:03 +0200
Subject: Fix the previous commit

It seems that a lot of jpeg files contain some 250) and not IsWhitelisted }
+rule HiddenInAFile
+{
+ strings:
+ $gif = {47 49 46 38 ?? 61} // GIF8[version]a
+ $png = {89 50 4E 47 0D 0a 1a 0a} // \X89png\X0D\X0A\X1A\X0A
+ $jpeg = {FF D8 FF E0 ?? ?? 4A 46 49 46 } // https://raw.githubusercontent.com/corkami/pics/master/JPG.png
+
+ condition:
+ ($gif at 0 or $png at 0 or $jpeg at 0) and (PasswordProtection or ObfuscatedPhp or DodgyPhp or DangerousPhp)
+}
-- 
cgit v1.3
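Review bot: The `$jpeg` pattern in HiddenInAFile only matches JPEGs whose first segment is a JFIF APP0 marker (`FF D8 FF E0 .. .. "JFIF"`); a JPEG that opens with an APP1/Exif segment (`FF D8 FF E1`) or goes straight to another marker never satisfies `$jpeg at 0`, so PHP appended to such a file is not caught by this rule even though the PHP sub-rules fire. If the narrowing from a bare SOI check was deliberate to cut false positives, a one-line comment on the `$jpeg` line stating that (and the trade-off) would keep the next maintainer from "fixing" it back; otherwise `$jpeg = {FF D8 FF}` keeps the SOI check without tying the rule to JFIF. The `$png` comment also misdescribes the bytes: `50 4E 47` is uppercase `PNG`, so it should read `// \x89PNG\r\n\x1a\n`, and the mixed-case hex `0D 0a 1a 0a` would be cleaner as `0D 0A 1A 0A`. The hunk header and the closing of the preceding rule are outside the visible text, so the context above `+rule HiddenInAFile` could not be reviewed.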