From e889f9d6f551ded842910584c855e8f16f7d67cd Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Thu, 27 Oct 2016 11:57:59 +0200
Subject: Extend whitelisting support

Some detection modules weren't aware of whiteliting
---
 php-malware-finder/common.yar | 2 +-
 php-malware-finder/php.yar | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar
index 2b0cd7d..c4dac97 100644
--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -72,7 +72,7 @@ private rule strrev
 rule SuspiciousEncoding
 {
     condition:
-    base64 or hex or strrev
+    base64 or hex or strrev and not IsWhitelisted
 }
 
 rule DodgyStrings
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index cdb91c2..37a8dcf 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -39,7 +39,7 @@ rule PasswordProtection
     $md5 = /md5\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{32}['"]/ nocase
     $sha1 = /sha1\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{40}['"]/ nocase
     condition:
-    any of them
+    any of them and not IsWhitelisted
 }
 
 rule ObfuscatedPhp
@@ -149,5 +149,5 @@ rule HiddenInAFile
     $jpeg = {FF D8 FF E0 ?? ?? 4A 46 49 46 } // https://raw.githubusercontent.com/corkami/pics/master/JPG.png
     condition:
-    ($gif at 0 or $png at 0 or $jpeg at 0) and (PasswordProtection or ObfuscatedPhp or DodgyPhp or DangerousPhp)
+    ($gif at 0 or $png at 0 or $jpeg at 0) and (PasswordProtection or ObfuscatedPhp or DodgyPhp or DangerousPhp) and not IsWhitelisted
 }
 
-- 
cgit v1.3
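Review bot: The whitelist check in SuspiciousEncoding (common.yar hunk) is only applied to the `strrev` branch, because YARA gives `and` higher precedence than `or`, so the new condition parses as `base64 or hex or (strrev and not IsWhitelisted)` and a whitelisted file still fires on `base64` or `hex`. Parenthesise the disjunction so the exclusion covers all three: `(base64 or hex or strrev) and not IsWhitelisted`. The two php.yar hunks are not affected, since `any of them` and the already-parenthesised HiddenInAFile condition bind as intended. The whole rule body is visible in the hunk, but the definition of `IsWhitelisted` is not; it is presumably a rule defined in a file included before these, which is worth confirming since an undefined identifier makes the whole ruleset fail to compile.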