php-malware-finder
Spip whitelist support
Hello
It could be nice to add SPIP (or GitHub mirror) support. I have a PR, but maybe some questions to get it correct. I use the generate_whitelist script to generate and have some questions:
- Rules are not private at https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/utils/generate_whitelist.py#L38
- A `false` condition is added in https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/utils/generate_whitelist.py#L40 but in https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/whitelist.yar this condition is missing. Must it be kept?
- generate_whitelist.py doesn't look like it supports multiple versions. Then one file manages all included versions. I'm not sure about this way of using it.
Thanks a lot
- I guess we can mark them as private, but it doesn't change much. Be my guest if you want to modify this.
- The trailing `false` looks like a bug to me. @mdeous can you explain, since you're the one that wrote this.
- I don't understand this point, sorry :/
I would prefer if you could commit a script to generate the whitelists, instead of dumping them in the repo :)
Hello
- I've just read the yara documentation about using the private keyword. If I've understood correctly, it should be more logical to use it. I can propose the PR if needed.
- No problem, I'll wait for your answer about this behavior.
- Actually the whitelists directory proposes one file per CMS. And each file has all CMS versions concatenated. But the generate_whitelist.py script generates a different file for each CMS/version couple. It's more invasive. (as we can see in #90)
As explained in #90, all files are generated from https://git.spip.net/outils/yara-spip . One yar file per version, taken from the official SPIP source. They're reproducible rules generated from generate_whitelist.
It looks complicated to provide only a script without globbing support in the yara file. We must hardcode some inclusions/rules at least:
- https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/whitelist.yar#L14
- https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/whitelist.yar#L128
Of course no problem to improve this PR, I just don't see how.
I guess we should indeed use a single file per CMS, instead of one per cms per version.
As for shipping the scripts, just assume that the other files will be present in the current folder?
About the false, I have no idea what it's for, this was actually added in #76, I guess it can be removed.
Yay, let's remove it then!
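As an added example (not the project's own generate_whitelist.py), here is a generator that produces the single-file-per-CMS layout agreed above: one private rule per CMS version, a public rule named after the CMS that ORs them, and no trailing `false`. It assumes whitelist.yar matches files with `hash.sha1(0, filesize)` from YARA's hash module; the function and rule names are made up for the example.

```python
import hashlib
import os
import re

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def ident(text: str) -> str:
    # YARA identifiers are [A-Za-z0-9_], so "spip_4.2.0" -> "spip_4_2_0".
    return re.sub(r"[^A-Za-z0-9_]", "_", text)

def version_rule(cms: str, version: str, files: dict) -> str:
    """Private rule matching any file of this version by SHA-1 (assumed
    to be the hash.sha1(0, filesize) form used by whitelist.yar)."""
    hashes = sorted({sha1_hex(data) for data in files.values()})
    conds = [f'hash.sha1(0, filesize) == "{h}"' for h in hashes]
    # An empty version yields a rule that never matches; no "or false"
    # is ever appended after the last hash.
    body = " or\n        ".join(conds) if conds else "false"
    return (f"private rule {ident(cms + '_' + version)}\n{{\n"
            f"    condition:\n        {body}\n}}\n")

def generate_whitelist(cms: str, versions: dict) -> str:
    """versions is {version: {relative_path: bytes}}; returns the text of
    a single <cms>.yar: private rules per version, then one public rule
    named after the CMS that ORs them so other rules can say `not spip`."""
    parts = ['import "hash"\n']
    names = []
    for ver in sorted(versions):  # string sort: fine for listing, not semver
        parts.append(version_rule(cms, ver, versions[ver]))
        names.append(ident(cms + "_" + ver))
    top = " or ".join(names) if names else "false"
    parts.append(f"rule {ident(cms)}\n{{\n    condition:\n        {top}\n}}\n")
    return "\n".join(parts)

def load_tree(root: str, exts: tuple = (".php",)) -> dict:
    """Read the source tree of one CMS version into {relative_path: bytes}."""
    out = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    out[os.path.relpath(path, root)] = fh.read()
    return out
```

Running `generate_whitelist("spip", {"4.2.0": load_tree("/path/to/spip-4.2.0"), ...})` over each unpacked release tarball writes one reproducible `spip.yar` that other rules can reference as `not spip`.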