
False positive for the WEBSHELL_PHP_Dynamic_Big rule

Open vsushkov opened this issue 4 months ago • 1 comments

If you run https://github.com/Neo23x0/signature-base/blob/master/yara/gen_webshells.yar against this file https://github.com/Smile-SA/elasticsuite/blob/2.11.x/src/module-elasticsuite-virtual-category/Plugin/Catalog/Product/ProductPlugin.php, then a false positive will be displayed:

yara -L -r gen_webshells.yar src/module-elasticsuite-virtual-category/Plugin/Catalog/Product/ProductPlugin.php
WEBSHELL_PHP_Dynamic_Big vendor/smile/elasticsuite/src/module-elasticsuite-virtual-category/Plugin/Catalog/Product/ProductPlugin.php
0x0:5:$new_php2
0x0:2:$php_short
0x983:10:$dynamic1
0xd00:10:$dynamic1
0x9ac:6:$gen_much_sus93

vsushkov Feb 13 '24 20:02

thx, I'll fix it next week

ruppde Feb 14 '24 20:02

Cheap fix is in https://github.com/Neo23x0/signature-base/pull/297/commits/8f43991154d559f2b9a71e302a866c40d9859a03

ruppde Feb 23 '24 17:02