From 7a2d7c0c398b5294524fff4d437b34e5cd6fcf31 Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Thu, 27 Oct 2016 17:14:13 +0200
Subject: It seems that `and` has a precedence over `or`, unsurprisingly
---
php-malware-finder/common.yar | 6 +++---
php-malware-finder/php.yar | 8 ++++----
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar
index c4dac97..b47fb69 100644
--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -72,7 +72,7 @@ private rule strrev
rule SuspiciousEncoding
{
condition:
- base64 or hex or strrev and not IsWhitelisted
+ (base64 or hex or strrev) and not IsWhitelisted
}
rule DodgyStrings
@@ -141,7 +141,7 @@ rule DodgyStrings
$asp = "scripting.filesystemobject" nocase
condition:
- IRC or 2 of them and not IsWhitelisted
+ (IRC or 2 of them) and not IsWhitelisted
}
rule Websites
@@ -172,6 +172,6 @@ rule Websites
$ = "mumaasp.com" nocase
condition:
- any of them and not IsWhitelisted
+ (any of them) and not IsWhitelisted
}
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 37a8dcf..e80dae9 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -39,7 +39,7 @@ rule PasswordProtection
$md5 = /md5\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{32}['"]/ nocase
$sha1 = /sha1\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{40}['"]/ nocase
condition:
- any of them and not IsWhitelisted
+ (any of them) and not IsWhitelisted
}
rule ObfuscatedPhp
@@ -56,7 +56,7 @@ rule ObfuscatedPhp
$var_as_func = /\$_(GET|POST|COOKIE|REQUEST)\s*\[[^\]]+\]\s*\(/
$comment = /\/\*([^*]|\*[^\/])*\*\/\s*\(/ // eval /* comment */ (php_code)
condition:
- any of them and not IsWhitelisted
+ (any of them) and not IsWhitelisted
}
rule DodgyPhp
@@ -80,7 +80,7 @@ rule DodgyPhp $various = "
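Review bot: The parenthesised condition in `SuspiciousEncoding` (common.yar, hunk at line 72) carries no comment explaining why the grouping is required, so a later edit that adds another `or` alternative outside the parentheses would once more leave that alternative outside the whitelist check. I would add `// 'and' binds tighter than 'or': keep every alternative inside the parentheses so the whitelist applies to all of them` above the condition, and the same above the condition of `DodgyStrings` (hunk at line 141), where `IRC` was the alternative that escaped the check. Because the whitelist now suppresses every alternative instead of only the last one, it is worth confirming that `IsWhitelisted`, which is defined outside this diff, matches on whole-file hashes rather than on a property a modified file could still satisfy. Both rule bodies start outside their hunks.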
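Review bot: The parentheses added around `any of them` in `Websites` (common.yar, hunk at line 172) look purely stylistic, because that condition has no `or` and `any of them and not IsWhitelisted` should already evaluate as `(any of them) and (not IsWhitelisted)`. The same holds for `PasswordProtection` and `ObfuscatedPhp` in php.yar. Keeping them for consistency is reasonable, but the commit message should say that only `SuspiciousEncoding` and `DodgyStrings` change which files are reported, so that anyone comparing scan results before and after this commit knows where to expect differences.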