
Better information / context in output

Open Kramerican opened this issue 7 years ago • 2 comments

Similar to #39 it would be great if the tool were to output some more context.

E.g. line number (if possible) of hits, or snippets of code from file that matched the rule in question. I am not sure if this is possible, but it would be a helpful addition.

It can be quite the challenge to sort through the noise on a large site with many themes and plugins. I have (through limited trial and error) found that e.g. a hit with subsequent ObfuscatedPhp and also a DodgyPhp on a file is a good hint something is wrong (or just multiple hits on the same file, in general).

Also I've seen SuspiciousEncoding be a good indicator of bad stuff - however this is not one of the flags you pick out for your (in your own words "hacky") "You should take a look at the files listed below" section.

So yeah, some more context, or some more "intelligent" rules for your recommended section would be awesome :+1:

Kramerican avatar Dec 17 '17 17:12 Kramerican

Have you tried the verbose mode via -v ?

jvoisin avatar Dec 18 '17 09:12 jvoisin

Hello

No, I had not. Just did a test and yikes! That's a lot of verbosity :D I think verbose mode comes close though, but when the tool has hits in e.g. image files, tremendous amounts of noise are generated. As in hundreds of lines.

What I am looking for is a way to get concise information which will actually make it faster to identify the needles in the haystack.

Re. #60: Is it possible to specify verbose mode when using find + yara? That way I could at least cut down the noise by excluding images. It might be a nice addition to add a few lines in the readme with example usage.

No wait, never mind - I just noticed phpmalwarefinder is actually a shell script that just invokes yara! Hah, I thought it was something more opaque - I can just read that source and figure out the bits and pieces I need. I'll see what I come up with and maybe do a pull request if it makes sense.

Anyway, thank you for the feedback. However, I think this request still has some merit: it would be great to have reworked output which actually assists you in sorting the bad stuff from the good.

Kramerican avatar Dec 18 '17 09:12 Kramerican
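The two ideas raised in this thread (skip image files before handing paths to yara, and treat a file hit by several distinct rules such as ObfuscatedPhp plus DodgyPhp as the strongest signal) can be combined in a small wrapper. The following is an added example written for this issue; it is not code from the php-malware-finder project. It assumes yara is installed (`-s`/`--print-strings` is yara's own option for printing the offset and bytes of each matched string, which gives the per-hit context asked for above), takes the rules file path as a placeholder argument, and the sample output lines are constructed for illustration rather than taken from a real scan.

```shell
#!/bin/sh
# Added example for this issue, not part of php-malware-finder.

# Run yara over a site directory, skipping common image extensions (a noise
# source named in the thread), and print matched strings for context.
# $1 = path to the rules file (placeholder; use the project's rules file),
# $2 = directory to scan. yara takes a single target, so -exec runs it per file.
scan_with_context() {
  rules="$1"
  dir="$2"
  find "$dir" -type f \
    ! \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.gif' \) \
    -exec yara -s "$rules" {} \;
}

# Read yara's default "RuleName path" lines on stdin and print, worst first,
# every file matched by at least $1 distinct rules as:
#   <distinct rule count> TAB <file> TAB <comma-separated rule names>
# Lines starting with 0x (the string-detail lines produced by -s) are skipped,
# and the file name is taken as everything after the first space so paths
# containing spaces are preserved.
multi_hit_files() {
  min="$1"
  awk -v min="$min" '
    NF >= 2 && $1 !~ /^0x/ {
      rule = $1
      file = substr($0, length($1) + 2)
      if (!((file, rule) in seen)) {
        seen[file, rule] = 1
        count[file]++
        rules[file] = rules[file] (rules[file] ? "," : "") rule
      }
    }
    END {
      for (f in count)
        if (count[f] >= min)
          print count[f] "\t" f "\t" rules[f]
    }
  ' | sort -rn
}

# Constructed sample of yara output (not real scan results) used for the demo.
SAMPLE_OUTPUT='ObfuscatedPhp ./wp-content/plugins/foo/x.php
DodgyPhp ./wp-content/plugins/foo/x.php
SuspiciousEncoding ./wp-content/plugins/foo/x.php
DodgyPhp ./wp-content/themes/bar/functions.php
SuspiciousEncoding ./wp-content/uploads/img.jpg'

# Demo on the constructed sample: only x.php has two or more distinct rule hits.
printf '%s\n' "$SAMPLE_OUTPUT" | multi_hit_files 2

# Real usage (rules path is a placeholder):
#   scan_with_context /path/to/rules.yar /var/www/site | multi_hit_files 2
```

The summary deliberately counts distinct rules per file rather than raw match lines, so a single rule firing many times in one file does not outrank a file that trips several different rules; that matches the heuristic described in the thread.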