Closed EMSeek closed 3 years ago
@jvoisin
I don't understand the issue: there is no trace of your username in the rules.
Me neither.
Sorry, I opened the issue with the wrong account. Your current rule will flag on all of my projects, including secure coding libraries, but not flag other people's .htaccess based web shells.
I think it is handled by the YARA rules.
No, I mean the things to detect PHP stuff, like shells etc., are in the YARA rules.
My only complaint is for the rule that detects my handle. Which I linked above.
Oh, yeah, we've got your handle in the rules, because people are stupid. But it's not the only way we're using to detect htaccess-based shells.
I agree. There are plenty of rules that detect webshells and other stuff in pmf.
Thank you for reporting this, but I'm going to mark it as invalid.
Using my handle for detection isn't smart in my opinion, and if you're insisting on making me play the bypass-your-rules game to prove my point, I will.
What we meant is that script kiddies often use your scripts as they are. But there are also other signatures to detect malicious files.
I understood your comment, but for unmodified scripts there are other things you can match on that are equally effective, or even hashes, so your argument again doesn't really hold up.
If you want to help improve the rules, please make a PR; I will be more than happy to merge it.
Given how many .htaccess based web shell blog posts and clones of my project there are, I seriously don't think my handle is a great rule. You could match on the .htaccess syntax instead and catch others. If not, I guess I'll just alter my repo and invalidate your rule.