From 98b1d99081414b3ad882aea30f1869608eb20757 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Thu, 8 Dec 2016 11:32:44 +0100
Subject: Remove some useless and buggy rules

---
 php-malware-finder/bad_php.yar | 49 -------------------------------------------------
 php-malware-finder/phpmalwarefinder | 2 +-
 2 files changed, 1 insertion(+), 50 deletions(-)
 delete mode 100644 php-malware-finder/bad_php.yar

diff --git a/php-malware-finder/bad_php.yar b/php-malware-finder/bad_php.yar
deleted file mode 100644
index 1fb185f..0000000
--- a/php-malware-finder/bad_php.yar
+++ /dev/null
@@ -1,49 +0,0 @@
-rule Sqli
-{
- strings:
- $mysql = /mysqli?_.*[[:space:]]*\(.*\$.*\)/
- $pg = /pg_.*[[:space:]]*\(.*\$.*\)/
- $sqlite = /sqlite_.*[[:space:]]*\(.*\$.*\)/
- condition:
- any of them
-}
-
-rule Xss
-{
- strings:
- $xss1 = /(echo|print(_r)?)([[:space:]]|\()+.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*/
- condition:
- any of them
-}
-
-rule CodeExec
-{
- strings:
- $eval = /eval\s*\(\s*.\$.*\s*\)/
- $file = /(readfile|fopen|file(_get_contents)?)\s*\(.\$.*\)/
- $include = /(include|require)(_once)?\s*\(.*\$.*\)/
- $system = /(system|shell_exec)([[:space:]]*\(|[[:space:]]+).*\)?/
- condition:
- any of them
-}
-
-
-rule Misc
-{
- strings:
- $header_splitting = /header\s*\(.*\$_(GET|POST|REQUEST|COOKIE).*\)/
- $serialize = /unserialize\s*\(.*\)|unserialize_callback_func/
- $chmod = /chmod\s*(.*777/
- condition:
- any of them
-}
-
-rule Infoleak
-{
- strings:
- $php = /php(info|credits|version|_logo_guid|_uname)\s*\(.*\)/
- $zend = /zend(_logo_guid|_version)\s*\(.*\)/
- $extensions = /get_loaded_extensions\s*\(.*\)/
- condition:
- any of them
-}
diff --git a/php-malware-finder/phpmalwarefinder b/php-malware-finder/phpmalwarefinder
index de25a36..716f6e8 100755
--- a/php-malware-finder/phpmalwarefinder
+++ b/php-malware-finder/phpmalwarefinder
@@ -42,7 +42,7 @@ fi
 update_rules() {
 SITE="https://raw.githubusercontent.com/nbs-system/php-malware-finder/master/php-malware-finder/"
- RULES_FILES=('asp.yar' 'common.yar' 'bad_php.yar' 'php.yar'
+ RULES_FILES=('asp.yar' 'common.yar' 'php.yar'
 'whitelist.yar' 'whitelists/drupal.yar' 'whitelists/magento2.yar' 'whitelists/phpmyadmin.yar' 'whitelists/prestashop.yar' 'whitelists/symfony.yar' 'whitelists/wordpress.yar' )
-- cgit v1.3
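Review bot: Dropping 'bad_php.yar' from RULES_FILES only stops the download; nothing in the visible part of update_rules() removes a copy left behind by an earlier run, so existing installs keep the retired Sqli/Xss/CodeExec/Misc/Infoleak rules on disk until someone deletes the file by hand, and if the scan step loads every .yar in the rules directory rather than this list (not visible here) those rules would keep firing. I would add a purge next to the array, e.g. `rm -f "<rules-dir>/bad_php.yar"  # rule file removed upstream in this commit`, using whatever variable the function already uses for the local rules directory. A one-line comment above the array, `# must be kept in sync with the .yar files published under $SITE`, would also make clear that this is a hand-maintained manifest. The body of update_rules() continues past the end of the hunk.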