Установите и настройте Yara/phpmalwarefinder на AMI (Amazon) Linux

Question

Установите и настройте Yara/phpmalwarefinder на AMI (Amazon) Linux

Я успешно установил Yara, выполнив следующие инструкции: https://yara.readthedocs.io/en/v3.8.1/gettingstarted.html, включая выполнение./configure --with-crypto и не видел сообщений об ошибках.

Когда я добираюсь до шага "сделать проверку", я получаю следующие два сбоя.

PASS: test-alignment
PASS: test-atoms
PASS: test-api
FAIL: test-rules
FAIL: test-pe
PASS: test-elf
PASS: test-version
PASS: test-bitmask
PASS: test-math
PASS: test-exception

Открытая версия SSL: OpenSSL 1.0.2k-fips 26 Jan 2017

Если я запускаю phpmalwarefinder, я получаю

[ec2-user@ip-internal-ip php-malware-finder]$ ./phpmalwarefinder -v /var/www/html/mysite.org
./php.yar(1): error: unknown module "hash"
./whitelists/drupal.yar(10): error: invalid field name "sha1"
./whitelists/drupal.yar(8): error: can't open include file: whitelists/wordpress.yar
./whitelists/drupal.yar(9): error: can't open include file: whitelists/symfony.yar
./whitelists/drupal.yar(10): error: can't open include file: whitelists/phpmyadmin.yar
./whitelists/drupal.yar(11): error: can't open include file: whitelists/magento1ce.yar
./whitelists/drupal.yar(12): error: can't open include file: whitelists/magento2.yar
./whitelists/drupal.yar(13): error: can't open include file: whitelists/prestashop.yar
./whitelists/drupal.yar(14): error: can't open include file: whitelists/custom.yar
./whitelists/drupal.yar(21): error: invalid field name "sha1"
./whitelists/drupal.yar(63): error: invalid field name "sha1"
./whitelists/drupal.yar(76): error: invalid field name "sha1"
./whitelists/drupal.yar(85): error: invalid field name "sha1"
./whitelists/drupal.yar(99): error: invalid field name "sha1"
./whitelists/drupal.yar(110): error: invalid field name "sha1"
./whitelists/drupal.yar(116): error: undefined identifier "Symfony"
./whitelists/drupal.yar(95): warning: $pr contains .* or .+, consider using .{N} or .{1,N} with a reasonable value for N

1

amazon-lightsail amazon-linux yara

Источник

user1327047 20 фев '19 в 17:41

0 ответов

Другие вопросы по тегам amazon-lightsail amazon-linux yara

user10797272 21 окт '19 в 23:35 2019-10-21 23:35 · Answer 1 · 2019-10-21 23:35

Я разместил свои инструкции здесь https://github.com/nbs-system/php-malware-finder/issues/94

Вот как я его запустил, и небольшой патч

git clone git@github.com:VirusTotal/yara.git
cd yara/
sudo yum install autoconf automake libtool  openssl-devel.x86_64  flex bison
YACC=bison ./configure
make

средство поиска настроек

cd ..
git clone git@github.com:nbs-system/php-malware-finder.git
cd php-malware-finder/
~/GitHub/devops/yara/yara  -r ./php-malware-finder/php.yar  ~/GitHub/sourcetoscan/

Пришлось исправить это (случай не повторялся)

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 6a93fe1..029aaf9 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -159,7 +159,7 @@ rule DangerousPhp
         $ = "suhosin.executor.func.blacklist" nocase
         $ = "unregister_tick_function" fullword nocase
         $ = "win32_create_service" fullword nocase
-        $ = "xmlrpc_decode" fullword nocase nocase
+        $ = "xmlrpc_decode" fullword nocase
         $ = /ob_start\s*\(\s*[^\)]/  //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();