Neo23x0 / signature-base

YARA signature and IOC database for my scanners and tools

False positive for the WEBSHELL_PHP_Dynamic_Big rule #309

Closed vsushkov closed 9 months ago

vsushkov commented 9 months ago

If you run the https://github.com/Neo23x0/signature-base/blob/master/yara/gen_webshells.yar against this file https://github.com/Smile-SA/elasticsuite/blob/2.11.x/src/module-elasticsuite-virtual-category/Plugin/Catalog/Product/ProductPlugin.php, then a false positive will be displayed

yara -L -r gen_webshells.yar src/module-elasticsuite-virtual-category/Plugin/Catalog/Product/ProductPlugin.php
WEBSHELL_PHP_Dynamic_Big vendor/smile/elasticsuite/src/module-elasticsuite-virtual-category/Plugin/Catalog/Product/ProductPlugin.php
0x0:5:$new_php2
0x0:2:$php_short
0x983:10:$dynamic1
0xd00:10:$dynamic1
0x9ac:6:$gen_much_sus93
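To triage a report like the one above, here is an added example (not code from the signature-base project) that parses the `yara -L` output format into structured matches and counts which strings of a rule fired; the sample input is the issue's own output, embedded as a constructed string.

```python
"""Parse `yara -L -r` output into structured matches for false-positive triage."""
import re
from collections import defaultdict

# Constructed sample: the scanner output quoted in the issue above.
SAMPLE_OUTPUT = """\
WEBSHELL_PHP_Dynamic_Big vendor/smile/elasticsuite/src/module-elasticsuite-virtual-category/Plugin/Catalog/Product/ProductPlugin.php
0x0:5:$new_php2
0x0:2:$php_short
0x983:10:$dynamic1
0xd00:10:$dynamic1
0x9ac:6:$gen_much_sus93
"""

# "0xOFFSET:LENGTH:$ID" lines as printed by yara with -L (string lengths)
_MATCH_LINE = re.compile(r"^0x([0-9a-fA-F]+):(\d+):(\$\w*)$")


def parse_yara_output(text):
    """Return {(rule, path): [(offset, length, string_id), ...]}.

    yara prints one "RULE PATH" header line per matching file, followed by
    one line per matched string. Rule names contain no spaces, so the header
    is split at the first space only; paths with spaces survive intact.
    """
    matches = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = _MATCH_LINE.match(line)
        if m and current is not None:
            matches[current].append((int(m.group(1), 16), int(m.group(2)), m.group(3)))
            continue
        rule, _, path = line.partition(" ")
        current = (rule, path)
        matches.setdefault(current, [])
    return matches


def string_hit_counts(matches, rule):
    """Count how often each string id of `rule` fired across all files.

    Strings that fire in many benign files are the first candidates to
    tighten (or to add a condition against) when fixing a false positive.
    """
    counts = defaultdict(int)
    for (r, _path), hits in matches.items():
        if r != rule:
            continue
        for _offset, _length, string_id in hits:
            counts[string_id] += 1
    return dict(counts)
```

Running it over a full `yara -L -r` scan of a vendor tree shows which strings of WEBSHELL_PHP_Dynamic_Big are carrying the hits on legitimate code, which is the information needed to decide between narrowing a string and adding an exclusion.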
ruppde commented 9 months ago

thx, I'll fix it next week

ruppde commented 9 months ago

Cheap fix is in https://github.com/Neo23x0/signature-base/pull/297/commits/8f43991154d559f2b9a71e302a866c40d9859a03