From 82aa5ca8080b3787dfb5d5e3944a8cdfc0c9dc6c Mon Sep 17 00:00:00 2001 From: jvoisin Date: Thu, 9 Jul 2015 13:33:07 +0200 Subject: make IsPhp a global rule --- malwares.yara | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/malwares.yara b/malwares.yara index b3f5e78..d438854 100644 --- a/malwares.yara +++ b/malwares.yara @@ -24,7 +24,7 @@ private rule IsWhitelisted hash.sha1(0, filesize) == "15da986fccdc7104f9d4e8c344f332db5ae9a32b" // classes/Tools.php } -private rule IsPhp +global private rule IsPhp { strings: $php = " 250) and not IsWhitelisted + not $whitelist and (5 of them or #system > 250) and not IsWhitelisted } rule DodgyStrings @@ -194,7 +194,7 @@ rule DodgyStrings $asp = "scripting.filesystemobject" nocase condition: - IsPhp and (IRC or 2 of them) + IRC or 2 of them } rule Websites @@ -222,5 +222,5 @@ rule Websites $locus = "locus7s.com" condition: - IsPhp and any of them + any of them } -- cgit v1.3
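Review bot: Declaring `IsPhp` as `global private` in the first hunk makes it a gate for every rule compiled into the same namespace, not only for the three rules whose conditions are edited here. Any other rule in malwares.yara that was meant to fire without the PHP check will silently stop matching on non-PHP content. The `$asp = "scripting.filesystemobject"` string kept in `DodgyStrings` suggests non-PHP artefacts are of interest, yet that rule still only fires on files that satisfy `IsPhp`; if that is not intended it is a detection gap worth covering with a test sample. I would add a comment above the rule, e.g. `// global: no rule in this namespace matches unless IsPhp matches`, and confirm that no rule outside this diff relied on running ungated. The body of `IsPhp` and the rule changed in the second hunk are only partly visible on this page, so the exact match condition could not be checked.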