1

我已按照此处的说明成功安装了 Yara:https ://yara.readthedocs.io/en/v3.8.1/gettingstarted.html#compiling-and-installing-yara包括执行 ./configure --with-crypto 和没有看到任何错误信息。

当我进入“make check”步骤时,我遇到了以下两个失败。

PASS: test-alignment
PASS: test-atoms
PASS: test-api
FAIL: test-rules
FAIL: test-pe
PASS: test-elf
PASS: test-version
PASS: test-bitmask
PASS: test-math
PASS: test-exception

打开 SSL 版本:OpenSSL 1.0.2k-fips 26 Jan 2017

如果我运行 phpmalwarefinder,我会得到

[ec2-user@ip-internal-ip php-malware-finder]$ ./phpmalwarefinder -v /var/www/html/mysite.org
./php.yar(1): error: unknown module "hash"
./whitelists/drupal.yar(10): error: invalid field name "sha1"
./whitelists/drupal.yar(8): error: can't open include file: whitelists/wordpress.yar
./whitelists/drupal.yar(9): error: can't open include file: whitelists/symfony.yar
./whitelists/drupal.yar(10): error: can't open include file: whitelists/phpmyadmin.yar
./whitelists/drupal.yar(11): error: can't open include file: whitelists/magento1ce.yar
./whitelists/drupal.yar(12): error: can't open include file: whitelists/magento2.yar
./whitelists/drupal.yar(13): error: can't open include file: whitelists/prestashop.yar
./whitelists/drupal.yar(14): error: can't open include file: whitelists/custom.yar
./whitelists/drupal.yar(21): error: invalid field name "sha1"
./whitelists/drupal.yar(63): error: invalid field name "sha1"
./whitelists/drupal.yar(76): error: invalid field name "sha1"
./whitelists/drupal.yar(85): error: invalid field name "sha1"
./whitelists/drupal.yar(99): error: invalid field name "sha1"
./whitelists/drupal.yar(110): error: invalid field name "sha1"
./whitelists/drupal.yar(116): error: undefined identifier "Symfony"
./whitelists/drupal.yar(95): warning: $pr contains .* or .+, consider using .{N} or .{1,N} with a reasonable value for N
4

1 回答 1

0

我在这里发布了我的说明 https://github.com/nbs-system/php-malware-finder/issues/94

这是我如何让它运行的,还有一个小补丁

git clone git@github.com:VirusTotal/yara.git
cd yara/
sudo yum install autoconf automake libtool  openssl-devel.x86_64  flex bison
YACC=bison ./configure
make

设置查找器

cd ..
git clone git@github.com:nbs-system/php-malware-finder.git
cd php-malware-finder/
~/GitHub/devops/yara/yara  -r ./php-malware-finder/php.yar  ~/GitHub/sourcetoscan/

必须修补这个(nocase 是重复的)

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 6a93fe1..029aaf9 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -159,7 +159,7 @@ rule DangerousPhp
         $ = "suhosin.executor.func.blacklist" nocase
         $ = "unregister_tick_function" fullword nocase
         $ = "win32_create_service" fullword nocase
-        $ = "xmlrpc_decode" fullword nocase nocase
+        $ = "xmlrpc_decode" fullword nocase
         $ = /ob_start\s*\(\s*[^\)]/  //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
于 2019-10-21T20:35:50.753 回答