getting running with yara
jdnrg opened this issue · 5 comments
jdnrg commented
Here is how I got it running, and a small patch.

git clone git@github.com:VirusTotal/yara.git
cd yara/
sudo yum install autoconf automake libtool openssl-devel.x86_64 flex bison
./bootstrap.sh   # generates ./configure from configure.ac; a git checkout does not ship it
YACC=bison ./configure
make

Set up finder:
cd ..
git clone git@github.com:nbs-system/php-malware-finder.git
cd php-malware-finder/
~/GitHub/devops/yara/yara -r ./php-malware-finder/php.yar ~/GitHub/sourcetoscan/

Had to patch this (nocase was duplicated):
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 6a93fe1..029aaf9 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -159,7 +159,7 @@ rule DangerousPhp
$ = "suhosin.executor.func.blacklist" nocase
$ = "unregister_tick_function" fullword nocase
$ = "win32_create_service" fullword nocase
- $ = "xmlrpc_decode" fullword nocase nocase
+ $ = "xmlrpc_decode" fullword nocase
$ = /ob_start\s*\(\s*[^\)]/ //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
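Review bot: Dropping the second `nocase` on the `xmlrpc_decode` string is the right fix; the repeated modifier is what stopped the reporter from loading the rule (see "Had to patch this" above), and the line now matches the `fullword nocase` form used by the sibling strings in this hunk. While here, the `/ob_start\s*\(\s*[^\)]/` regex in the trailing context carries no `nocase` even though PHP resolves function names case-insensitively, so `OB_START(` or `Ob_Start(` would slip past it; consider `$ = /ob_start\s*\(\s*[^\)]/ nocase` for consistency with the rest of the rule.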
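The patch above fixes one repeated modifier found by hand. A practitioner maintaining a rule set wants the check automated, so here is an added example (not code from php-malware-finder or YARA) that lints YARA string definitions for duplicated or misspelled modifiers and can apply the same fix the patch makes. It works on the rule text with a line-oriented regex, so it needs neither the yara binary nor yara-python. The sample fragment reproduces the hunk's context lines and adds two constructed lines (`$u`, a literal containing slashes, and `$x`, a hex string with a misspelled modifier) to exercise the comment handling; `MODIFIERS`, `STRING_DEF` and the function names are this example's own.

```python
"""Lint YARA string definitions for duplicated or unknown string modifiers.

Added example for the php-malware-finder issue; not part of either project.
"""
import re
from typing import List, Tuple

# String modifiers YARA accepts after a text, regex or hex string definition.
MODIFIERS = {"nocase", "wide", "ascii", "fullword", "private", "xor", "base64", "base64wide"}

# One string definition on one line: $name = "text" | /regex/ | { hex },
# then modifiers, then an optional // comment. The literal is consumed first so
# slashes or quotes inside it (URLs, regex escapes) are not taken for a comment.
STRING_DEF = re.compile(
    r'^\s*\$\w*\s*=\s*'
    r'(?:"(?:[^"\\]|\\.)*"|/(?:[^/\\]|\\.)*/|\{[^}]*\})'
    r'\s*(?P<mods>[^/]*?)\s*(?://.*)?$'
)

# A modifier token with any argument list kept attached, e.g. xor(0x01-0xff).
MOD_TOKEN = re.compile(r'\w+(?:\([^)]*\))?')

# Constructed sample: the hunk's context lines plus two extra strings ($u, $x).
SAMPLE_RULE = r'''rule DangerousPhp
{
    strings:
        $ = "suhosin.executor.func.blacklist" nocase
        $ = "unregister_tick_function" fullword nocase
        $ = "win32_create_service" fullword nocase
        $ = "xmlrpc_decode" fullword nocase nocase
        $ = /ob_start\s*\(\s*[^\)]/ //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
        $u = "http://example.test//path" nocase // constructed: slashes inside the literal
        $x = { 6A 40 68 00 30 00 00 } xor(0x01-0xff) nocsae // constructed: misspelled modifier
    condition:
        any of them
}
'''


def _modifier_tokens(mods: str) -> List[str]:
    return MOD_TOKEN.findall(mods)


def lint_string_modifiers(rule_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, problem, token) for each repeated or unknown modifier."""
    issues = []
    for lineno, line in enumerate(rule_text.splitlines(), 1):
        m = STRING_DEF.match(line)
        if not m:
            continue
        seen = set()
        for tok in _modifier_tokens(m.group("mods")):
            name = tok.split("(", 1)[0]
            if name not in MODIFIERS:
                issues.append((lineno, "unknown modifier", tok))
            elif name in seen:
                issues.append((lineno, "duplicate modifier", tok))
            seen.add(name)
    return issues


def dedupe_string_modifiers(rule_text: str) -> str:
    """Keep the first occurrence of each known modifier on every string line
    (the change the patch makes by hand). Unknown tokens are left untouched so
    a typo is reported by the lint rather than silently dropped."""
    out = []
    for line in rule_text.splitlines(keepends=True):
        stripped = line.rstrip("\r\n")
        m = STRING_DEF.match(stripped)
        if m:
            kept, seen = [], set()
            for tok in _modifier_tokens(m.group("mods")):
                name = tok.split("(", 1)[0]
                if name in MODIFIERS and name in seen:
                    continue
                seen.add(name)
                kept.append(tok)
            line = (stripped[:m.start("mods")] + " ".join(kept)
                    + stripped[m.end("mods"):] + line[len(stripped):])
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for lineno, problem, tok in lint_string_modifiers(SAMPLE_RULE):
        print(f"line {lineno}: {problem}: {tok}")
```

On the sample it reports the duplicated `nocase` on the `xmlrpc_decode` line and the misspelled `nocsae`, and `dedupe_string_modifiers` rewrites only the former. It is a line-oriented lint, not a YARA parser: a definition split across lines or a `/* */` comment on the same line is not handled, so the compiled rule file should still be checked with the yara binary before use.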
shaddai commented
Thanks for submitting this typo; I fixed it and it will be merged soon :)
jvoisin commented
Thanks!
jdnrg commented
You might want to add my notes to the readme for the build instructions for AWS Amazon Linux 2.