From b5a5f1efe855f8d0878bfb7e74e5578cd42d38b7 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Mon, 13 Jul 2015 10:47:41 +0200
Subject: Add a whitelist generator

---
 generate_whitelist.py | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 generate_whitelist.py

diff --git a/generate_whitelist.py b/generate_whitelist.py
new file mode 100644
index 0000000..2671fc7
--- /dev/null
+++ b/generate_whitelist.py
@@ -0,0 +1,33 @@
+import fnmatch
+import hashlib
+import os
+import sys
+
+try:
+    import yara
+except ImportError:
+    print 'Please install python-yara'
+    sys.exit(0)
+
+if len(sys.argv) != 3:
+    print 'Usage: %s name_of_the_rule_and_version folder_to_scan' % sys.argv[0]
+
+rules = yara.compile('./malwares.yara', includes=True, error_on_warning=True)
+
+output_list = list()
+
+for cpt, (root, dirnames, filenames) in enumerate(os.walk(sys.argv[2])):
+    for filename in fnmatch.filter(filenames, '*.ph*'):
+        fname = os.path.join(root, filename)
+        if os.stat(fname).st_size:
+            matches = rules.match(os.path.join(root, filename), fast=True)
+            if matches:
+                matches = matches.pop() # only one match, since we're scaning files
+                output_list.append('hash.sha1(0, filename) == %s or // %s' % (hashlib.sha1(fname).hexdigest(), fname))
+
+
+output_rule = 'private rule %s\n{\n\tcondition:\n\t\t/* %s */\n\t\t' % (sys.argv[1].split(' ')[0], sys.argv[1])
+output_list.append(output_list.pop().replace(' or ', ' '))
+output_rule += '\n\t\t'.join(output_list)
+output_rule +='\n}'
+print output_rule
--
cgit v1.3
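Review bot: `hashlib.sha1(fname)` in the `output_list.append(...)` line digests the path string, not the file, so every emitted `hash.sha1(...) == ...` clause carries a value that can never equal the scanned file's content hash and the resulting whitelist silently matches nothing; read the bytes instead, `with open(fname, 'rb') as fh:` / `digest = hashlib.sha1(fh.read()).hexdigest()`, and format `digest`. The generated condition also needs the digest quoted and YARA's `filesize` rather than `filename`, i.e. `'hash.sha1(0, filesize) == "%s" or // %s'`, since `hash.sha1` takes an offset and a size and compares against a string. The usage check prints but does not exit, so a wrong argument count falls through to an IndexError on `sys.argv[2]`; add `sys.exit(1)` after the print, and the ImportError path should exit non-zero as well rather than `sys.exit(0)`. Finally `output_list.pop()` raises IndexError when no file matched, so guard that line with `if output_list:`.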