我已经通过按照说明成功地安装Yara:https://yara.readthedocs.io/en/v3.8.1/gettingstarted.html#compiling-compiling-and-installing-ing-installing-installing-yara-yara包括执行./configure -with-crypto,并且没有看到任何错误消息。
当我进入" Make Check"步骤时,我会得到以下两个失败。
PASS: test-alignment
PASS: test-atoms
PASS: test-api
FAIL: test-rules
FAIL: test-pe
PASS: test-elf
PASS: test-version
PASS: test-bitmask
PASS: test-math
PASS: test-exception
打开SSL版本:OpenSSL 1.0.2k-fips 26 Jan 2017
如果我运行phpmalwarefinder,我得到
[ec2-user@ip-internal-ip php-malware-finder]$ ./phpmalwarefinder -v /var/www/html/mysite.org
./php.yar(1): error: unknown module "hash"
./whitelists/drupal.yar(10): error: invalid field name "sha1"
./whitelists/drupal.yar(8): error: can't open include file: whitelists/wordpress.yar
./whitelists/drupal.yar(9): error: can't open include file: whitelists/symfony.yar
./whitelists/drupal.yar(10): error: can't open include file: whitelists/phpmyadmin.yar
./whitelists/drupal.yar(11): error: can't open include file: whitelists/magento1ce.yar
./whitelists/drupal.yar(12): error: can't open include file: whitelists/magento2.yar
./whitelists/drupal.yar(13): error: can't open include file: whitelists/prestashop.yar
./whitelists/drupal.yar(14): error: can't open include file: whitelists/custom.yar
./whitelists/drupal.yar(21): error: invalid field name "sha1"
./whitelists/drupal.yar(63): error: invalid field name "sha1"
./whitelists/drupal.yar(76): error: invalid field name "sha1"
./whitelists/drupal.yar(85): error: invalid field name "sha1"
./whitelists/drupal.yar(99): error: invalid field name "sha1"
./whitelists/drupal.yar(110): error: invalid field name "sha1"
./whitelists/drupal.yar(116): error: undefined identifier "Symfony"
./whitelists/drupal.yar(95): warning: $pr contains .* or .+, consider using .{N} or .{1,N} with a reasonable value for N
我在这里发布了我的说明https://github.com/nbs-system/php-malware-finder/issues/94
这是我如何运行它,和一个小补丁
git clone git@github.com:VirusTotal/yara.git
cd yara/
sudo yum install autoconf automake libtool openssl-devel.x86_64 flex bison
YACC=bison ./configure
make
设置查找器
cd ..
git clone git@github.com:nbs-system/php-malware-finder.git
cd php-malware-finder/
~/GitHub/devops/yara/yara -r ./php-malware-finder/php.yar ~/GitHub/sourcetoscan/
必须修补这个(Nocase重复)
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 6a93fe1..029aaf9 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -159,7 +159,7 @@ rule DangerousPhp
$ = "suhosin.executor.func.blacklist" nocase
$ = "unregister_tick_function" fullword nocase
$ = "win32_create_service" fullword nocase
- $ = "xmlrpc_decode" fullword nocase nocase
+ $ = "xmlrpc_decode" fullword nocase
$ = /ob_starts*(s*[^)]/ //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();