Spip whitelist support

[camlafit]

Hello

Could be nice to add spip (or gihub mirror support. I've a PR but maybe some question to be correct. I use generate_whitelist script to generate and have some questions :

• Rule are not private at https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/utils/generate_whitelist.py#L38
• False condition is added in https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/utils/generate_whitelist.py#L40 but on https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/whitelist.yar this condition is missing. Must be conserved ?
• generate_whitelist.py doesn't look to support multi version. Then a file manage all included version. I'm not sure about this use way.

Thanks a lot

[jvoisin]

• I guess we can mark them as private, but it doesn't change much. Be my guest if you want to modify this.
• The trailing false looks like a bug to me. @mdeous can you explain, since you're the one that wrote this.
• I don't understand this point, sorry :/

I would prefer if you could commit a script to generate the whitelists, instead of dumping them in the repo :)

[camlafit]

Hello

• I've juste read yara documentation about use private keyword. If I've understood correctly should be more logical to use it. I can propose the PR if needed.
• No problem, I wait your return about this behavior
• Actually whitelists directory propose one file by CMS. And each file have all CMS version concatened. But generate_whitelist.py script generate different file to each couple CMS/version. It's more invasive. (as we can see in Add whitelist SPIP support #90)

As explained in #90 all files are generated from https://git.spip.net/_outils_/yara-spip . One yar file by version took from official SPIP source. They're reproductible rules generate from generate_whitelist.

Look complicate to provide only a script without globbing support in yara file. We must hardcode some inclusion/rule at least :

• https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/whitelist.yar#L14
• https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/whitelist.yar#L128

Of course no problem to improve thise PR just I don't see how.

[jvoisin]

I guess we should indeed use a single file per CMS, instead of one per cms per version.

As for shipping the scripts, just assume that the other files will be present in the current folder?

[mdeous]

About the false, I have no idea what it's for, this was actually added in #76, I guess it can be removed.

[jvoisin]

Yay, let's remove it then !