Light

pressidium / pressidium-yara-rules Goto Github PK

View Code? Open in Web Editor NEW

7.0 6.0 0.0 60 KB

Welcome to the Pressidium® Yara Rules repository. This section contains a carefully curated collection of Yara rules specifically designed to detect and prevent WordPress or PHP malware and viruses, ensuring a safer online environment.

Home Page: https://pressidium.com/

License: GNU General Public License v3.0

YARA 100.00%

malware-analysis malware-detection yara yara-rules yara-signatures

pressidium-yara-rules's Introduction

🕵️ Pressidium Yara Rules

Welcome to the Pressidium® Yara Rules repository. This section contains a carefully curated collection of Yara rules specifically designed to detect WordPress or PHP malware and viruses, ensuring a safer online environment.

Pressidium® offers Managed WordPress hosting for web professionals designed to optimize the performance, security, and scalability of WordPress websites. With a strong emphasis on reliability, Pressidium utilizes high-available architecture to ensure your website's uptime.

Table of Contents

Features
Credits
License

Features

🛡️ Specialized Rule Set: Focused on detecting WordPress and PHP malware, our rules are fine-tuned to identify and mitigate digital threats targeting these platforms
🔍 Highly Descriptive: Each rule comes with a set of descriptive comments that unravel the logic behind it, aiding in a deeper understanding and quicker threat analysis.
🤝 Community-Driven: We believe in the power of community. Contributions are welcome to keep the rule set robust, diverse, and in tune with the latest threat landscape.

Credits

A tip of the hat to the Yara Project and its thriving community for the foundational knowledge and continuous sharing.

Contributing

We welcome contributions to the Pressidium Yara Rules repository. If you have a rule to contribute or an improvement to suggest, feel free to create a pull request.

Reporting False Positives

If you come across a false positive detection by the Pressidium Yara Rules, please report it by creating an issue in this repository. Include the file that was incorrectly flagged as malicious. We appreciate your feedback, it will help us improve the rule set.

License

This repository is licensed under GNU GPL v2.0 or later. For more details, see the LICENSE file in this repository.

pressidium-yara-rules's People

Contributors

Stargazers

Watchers

pressidium-yara-rules's Issues

Eliminate false positives

First of all, thank you for sharing your rules. I am pretty new to YARA, so apologies if I just ask stupid questions.

I just tested your rules on a clean WordPress installation, but I notice that it reports a lot of false positives. I created a new, clean WordPress installation via the WP-CLI. A scan on this with Pressidium-commons-init.yar gives a lot of false positives. An installation with many plugins gives even more.

How do you eliminate these false positives? How do you do this for example with your customer base, for example?

Potential feedback is appreciated!

$ wp core download
Downloading WordPress 6.4.3 (en_US)...
md5 hash verified: 8e664626c12cb6daea37c8a90d8080d8
Success: WordPress downloaded.

$ yara --version
4.3.2

$ yara -r pressidium-yara-rules/Pressidium-commons-init.yar . > scan.log
warning: rule "common_encoding_php" in ../pressidium-yara-rules/Commons/Pressidium-common-encodings.yar(23): using literal string ".js" in a boolean operation.
warning: rule "Detect_Eval_Usage" in ../pressidium-yara-rules/Commons/Pressidium-common-eval-usage.yar(21): string "$eval4" may slow down scanning
warning: rule "Detect_Eval_Usage" in ../pressidium-yara-rules/Commons/Pressidium-common-eval-usage.yar(29): $eval_function2 contains .*, .+ or .{x,} consider using .{,N}, .{1,N} or {x,N} with a reasonable value for N

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.