From 640a4de4dde0b4054830182b920c08083d764fd9 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Thu, 9 Jul 2015 14:08:27 +0200
Subject: Split the whitelist in another file

---
 malwares.yara | 21 ++-------------------
 whitelist.yara | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+), 19 deletions(-)
 create mode 100644 whitelist.yara

diff --git a/malwares.yara b/malwares.yara
index 206acf0..1126efb 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -1,4 +1,6 @@
 import "hash"
+include "whitelist.yara"
+
 /*
 Detect:
 - phpencode.org
@@ -15,25 +17,6 @@ import "hash"
 - https://code.google.com/p/carbylamine/
 */
 
-private rule IsWhitelisted
-{
- condition:
- /* Prestashop 1.6.1.0 */
- hash.sha1(0, filesize) == "544cd822e2195ac162c9f0387031709042a72cfd" or // tools/htmlpurifier/HTMLPurifier.standalone.php
- hash.sha1(0, filesize) == "bb8c0d735809b9412265729906016329f3e681ff" or // classes/webservice/WebserviceOutputJSON.php
- hash.sha1(0, filesize) == "15da986fccdc7104f9d4e8c344f332db5ae9a32b" or // classes/Tools.php
-
- /* Wordpress 3.5.1 */
- hash.sha1(0, filesize) == "833281b4d1113180e4d1ca026f5e85a680d52662" or // wp-includes/class-phpmailer.php
- hash.sha1(0, filesize) == "b4e4b88f2be38ed9c3147b77c2f3a7f929caba2c" or // wp-admin/includes/menu.php
-
- /* Wordpress 3.2.1 */
- hash.sha1(0, filesize) == "b4f53b8c360f9e47cc63047305a0ce2e3ff6a251" or // wp-includes/functions.php
- hash.sha1(0, filesize) == "ac8298df16a560c80fb213ef3f51f90df8ef5292" or // wp-includes/class-phpmailer.php
- hash.sha1(0, filesize) == "232e4705e3aa28269c4d5e4a4a700bb7a2d06f24" // wp-admin/includes/menu.php
-
-}
-
 global private rule IsPhp
 {
 strings:
diff --git a/whitelist.yara b/whitelist.yara
new file mode 100644
index 0000000..06cb59b
--- /dev/null
+++ b/whitelist.yara
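Review bot: The added `include "whitelist.yara"` only compiles because it is placed after `import "hash"`: the included rule (see the whitelist.yara hunk below) calls `hash.sha1` without importing the module itself, so compiling whitelist.yara on its own, or including it from a rule set that has not imported `hash` first, fails on an undefined identifier. Either add `import "hash"` at the top of whitelist.yara, if the YARA version in use tolerates the module being imported again by the including file, or record the ordering dependency here with a comment such as `// whitelist.yara uses hash.sha1; keep this include below import "hash"`. I believe yara resolves a relative include path against the including file's directory rather than the shell's working directory, so the location of whitelist.yara next to malwares.yara is now part of the deployment contract and worth confirming for the version you ship.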
@@ -0,0 +1,18 @@
+private rule IsWhitelisted
+{
+ condition:
+ /* Prestashop 1.6.1.0 */
+ hash.sha1(0, filesize) == "544cd822e2195ac162c9f0387031709042a72cfd" or // tools/htmlpurifier/HTMLPurifier.standalone.php
+ hash.sha1(0, filesize) == "bb8c0d735809b9412265729906016329f3e681ff" or // classes/webservice/WebserviceOutputJSON.php
+ hash.sha1(0, filesize) == "15da986fccdc7104f9d4e8c344f332db5ae9a32b" or // classes/Tools.php
+
+ /* Wordpress 3.5.1 */
+ hash.sha1(0, filesize) == "833281b4d1113180e4d1ca026f5e85a680d52662" or // wp-includes/class-phpmailer.php
+ hash.sha1(0, filesize) == "b4e4b88f2be38ed9c3147b77c2f3a7f929caba2c" or // wp-admin/includes/menu.php
+
+ /* Wordpress 3.2.1 */
+ hash.sha1(0, filesize) == "b4f53b8c360f9e47cc63047305a0ce2e3ff6a251" or // wp-includes/functions.php
+ hash.sha1(0, filesize) == "ac8298df16a560c80fb213ef3f51f90df8ef5292" or // wp-includes/class-phpmailer.php
+ hash.sha1(0, filesize) == "232e4705e3aa28269c4d5e4a4a700bb7a2d06f24" // wp-admin/includes/menu.php
+
+}
-- cgit v1.3
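Review bot: The new file carries no comment explaining what IsWhitelisted is for or how to extend it, which matters now that it lives apart from the rules that depend on it. A short header above `private rule IsWhitelisted` should say that the rule is `private` and so never reports a match on its own, taking effect only through rules in malwares.yara that test it (presumably as `not IsWhitelisted`, which cannot be seen from this hunk); that each entry is the SHA-1 of a whole pristine file, so any modified copy, including a legitimately patched one, drops out of the whitelist; and that `hash.sha1` yields lowercase hex, so a new entry pasted in uppercase would silently never match. Keeping a product/version comment and the file path next to every hash, as the existing entries do, should be stated as the convention for additions.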