From 84102414fc295c9a37f15985e93fc2cc02ebb446 Mon Sep 17 00:00:00 2001
From: shaddai
Date: Fri, 12 Feb 2016 15:04:12 +0100
Subject: symfony added, new versions of wordpress and drupal
---
 php-malware-finder/whitelist.yara | 41 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 39 insertions(+), 2 deletions(-)
diff --git a/php-malware-finder/whitelist.yara b/php-malware-finder/whitelist.yara
index 107c638..e9bb883 100644
--- a/php-malware-finder/whitelist.yara
+++ b/php-malware-finder/whitelist.yara
@@ -3,6 +3,23 @@ since the sha1sum my be recomputed for every since test; please make sure that you're calling them after every other ones. */
+
+private rule Symfony : Blog
+{
+ condition:
+ hash.sha1(0, filesize) == "3006ce2ddce200e1c66185b95065dc7f9d224465" or // vendor/twig/twig/lib/Twig/Node/Macro.php
+ hash.sha1(0, filesize) == "39bae7f6aa0f4affe06a0d7b7d8306e1e27e441e" or // vendor/doctrine/common/lib/Doctrine/Common/Proxy/ProxyGenerator.php
+ hash.sha1(0, filesize) == "4848d9582a2205c1b037a542faa5ed1b755d6620" or // vendor/phpoffice/phpword/src/PhpWord/Shared/PCLZip/pclzip.lib.php
+ hash.sha1(0, filesize) == "85a49736e0df50f8aaad652c517f4f230726f73c" or // vendor/mouf/mouf/vendor/twig/twig/test/Twig/Tests/Node/MacroTest.php
+ hash.sha1(0, filesize) == "8954260cbb93f46da59cff358c824679395664c2" or // vendor/twig/twig/lib/Twig/Node/CheckSecurity.php
+ hash.sha1(0, filesize) == "9b2834dabbb7331a02a158b91fdb48f73e8bc0ea" or // vendor/dompdf/dompdf/include/page_cache.cls.php
+ hash.sha1(0, filesize) == "a3e936e90a73ece5637a10cd7c26f047d0d5a820" or // vendor/dompdf/dompdf/include/attribute_translator.cls.php
+ hash.sha1(0, filesize) == "b4cbea1458132e156327f20810cf2a2d1f961869" or // vendor/doctrine/inflector/lib/Doctrine/Common/Inflector/Inflector.php
+ hash.sha1(0, filesize) == "beea13bcbd977cb7ee29fdf4bca36c9c19e5a562" or // vendor/dompdf/dompdf/include/cellmap.cls.php
+ hash.sha1(0, filesize) == "da96d532cc2f930449a4e19a0e280d759366a8de" or // vendor/dompdf/dompdf/include/style.cls.php
+ hash.sha1(0, filesize) == "e4b9be9277626f5377ecb3306fd4f2fb7a99508f" // vendor/swiftmailer/swiftmailer/lib/classes/Swift/Transport/SimpleMailInvoker.php
+}
+
 private rule Wordpress : Blog
 {
 condition:
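Review bot: The new `Symfony` rule records neither a version nor a source for its eleven hashes, unlike the `/* Wordpress 3.9 */`-style labels in the neighbouring rules. Most of the commented paths (`vendor/dompdf/...`, `vendor/phpoffice/phpword/...`, `vendor/mouf/mouf/vendor/twig/...`) are third-party packages from an application's `vendor/` tree rather than Symfony itself. A match here presumably suppresses the scanner's other findings for that file, so each hash should be traceable to an upstream release archive, not to a deployed site; I would add a comment per package group above the hashes, e.g. `/* <PACKAGE> <VERSION>, sha1 taken from <UPSTREAM_ARCHIVE> */`. The `: Blog` tag also looks copied from the `Wordpress` rule and does not describe a framework, so a tag such as `: Framework` would read better, provided nothing outside this hunk selects rules by tag.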
@@ -15,7 +32,16 @@ private rule Wordpress : Blog
 hash.sha1(0, filesize) == "e7caf1f66c38bb119fe709ade012a989d8610f07" or // wp-admin/includes/class-pclzip.php
 hash.sha1(0, filesize) == "8ddb9eff06105b9699c6b03db54472291abcb823" or // wp-includes/taxonomy.php
 hash.sha1(0, filesize) == "9dd666651f57ef6e704310fe37ffce7dfd2322e4" or // wp-includes/comment.php
-
+
+ /* Wordpress 3.9 */
+ hash.sha1(0, filesize) == "b20e3d401b0ab935ed6401392233b36966523e20" or // wp-includes/class-pop3.php
+ hash.sha1(0, filesize) == "3748c7a2150a9da2d2dda10062b00d34982b3d87" or // wp-includes/taxonomy.php
+ hash.sha1(0, filesize) == "1a4e6932523c34d95f050960e7c3d082adb28156" or // wp-includes/ID3/getid3.php
+ hash.sha1(0, filesize) == "48a3dab94dc548169700bb411148c6fbf30274c3" or // wp-includes/ID3/getid3.lib.php
+ hash.sha1(0, filesize) == "c605d1224cf4b24ad2457dd87885de9030e20731" or // wp-includes/SimplePie/File.php
+ hash.sha1(0, filesize) == "005f02927a6904c4e7f3b88ebdd9feaa6221790b" or // wp-includes/class-phpmailer.php
+ hash.sha1(0, filesize) == "12b433cc24cca9747b1fcb1132ffb6b1e6ab75b0" or // wp-includes/comment.php
+
 /* Wordpress 3.5.1 */
 hash.sha1(0, filesize) == "833281b4d1113180e4d1ca026f5e85a680d52662" or // wp-includes/class-phpmailer.php
 hash.sha1(0, filesize) == "b4e4b88f2be38ed9c3147b77c2f3a7f929caba2c" or // wp-admin/includes/menu.php
@@ -65,7 +91,17 @@ private rule Drupal : Blog
 /* Drupal 7.38 */
 hash.sha1(0, filesize) == "ad7587ce735352b6a55526005c05c280e9d41822" or // modules/system/system.admin.inc
 hash.sha1(0, filesize) == "dfa67a40daeb9c1dd28f3fab00097852243258ed" or // modules/system/system.module
-
+
+ /* Drupal 7.33 */
+
+ hash.sha1(0, filesize) == "19c45985dfee7dc27a3a275542dee7c8fc7ebd6d" or // modules/simpletest/drupal_web_test_case.php
+ hash.sha1(0, filesize) == "e53ae29f02d7bd8667ce701b6d13ca71249e6598" or // modules/contrib/simplenews/tests/d6_simplenews_61.php
+ hash.sha1(0, filesize) == "5e1093b4d8bcb438b07e8a428957bd3f79c1042c" or // modules/contrib/simplenews/tests/d6_simplenews_62.php
+ hash.sha1(0, filesize) == "1335f535e2b20634fa8be3e95411921dfe47041d" or // modules/socials/og/og_migrate/tests/drupal-6.og.database.php
+ hash.sha1(0, filesize) == "c748f376cccb982448e99dee184dfec3a1979f44" or // modules/socials/og/tests/drupal-7.og.update_7001.database.php
+ hash.sha1(0, filesize) == "1335f535e2b20634fa8be3e95411921dfe47041d" or // modules/socials/og/tests/drupal-6.og.database.php
+ hash.sha1(0, filesize) == "10aa23f49747970a204c5df98d4c36e64e354760" or // modules/socials/og/og_ui/tests/drupal-6.og-ui.database.php
+
 /* Drupal 7.15 */
 hash.sha1(0, filesize) == "23cc0e2c6eebe94fe189e258a3658b40b0005891" or // modules/simpletest/tests/upgrade/drupal-6.bare.database.php
 hash.sha1(0, filesize) == "8cb36d865b951378c3266dca7d5173a303e8dcff" or // modules/simpletest/tests/upgrade/drupal-6.filled.database.php
@@ -131,6 +167,7 @@ private rule Phpmyadmin
 private rule IsWhitelisted
 {
 condition:
+ Symfony or
 Wordpress or
 Prestashop or
 Magento or
-- cgit v1.3
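Review bot: In the `/* Drupal 7.33 */` block of the `Drupal` hunk, the hash `1335f535e2b20634fa8be3e95411921dfe47041d` is listed twice, once for `og_migrate/tests/drupal-6.og.database.php` and once for `og/tests/drupal-6.og.database.php`, so the second comparison can never change the result. Keep one line and name both paths in its comment, e.g. `hash.sha1(0, filesize) == "1335f535e2b20634fa8be3e95411921dfe47041d" or // modules/socials/og/tests/ and og_migrate/tests/ drupal-6.og.database.php`. Six of the seven entries sit under `modules/contrib/simplenews` and `modules/socials/og`, which look like contributed modules versioned independently of Drupal core, so the `7.33` label does not identify them. A separate comment such as `/* contrib: simplenews <VERSION>, og <VERSION> */` would let a later auditor re-derive these hashes from upstream. The `Drupal` rule starts and ends outside this hunk.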