-
Notifications
You must be signed in to change notification settings - Fork 157
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move build artefacts out of repo #149
Comments
@timmuller @thomasbrockmeier did I forget anything? BTW I think you would only have to rebuild a new deb package, the Hypernode mwscan cron looks like it can stay the same. |
To warn users of the old rules URL, I could update the Github rules file to add a single signature with name "UPDATE YOUR MWSCAN PACKAGE" which would trigger on all files. What to do.. Fail fast and hard? Or let unsuspecting sysadmins silently use the deprecated rules files for years? |
@jeroenvermeulen what do you think? |
I vote for "fail fast and hard", because I hate false security. To build the rules, we use One other thing: at this moment we are maintaining our rules in the |
Indeed :) However,
Absolutely! You would still be able to use Does that answer your question? The main objective this issue tries to solve, is to deduplicate the rules in this repo and to streamline merging of PRs. |
@gwillem Is it the plan we send a PR every time we update |
If you want to maintain an independent set of sigs/whitelists, then no need
for PRs as your URLs are already included in the mwscan package!
I made the external uploader to keep compiled
yar diffs out of the commit history. If you want to do the same for your
fork, by all means go ahead ;) but it’s not strictly necessary.
…On Sat, 3 Mar 2018 at 20:54, Jeroen Vermeulen ***@***.***> wrote:
@gwillem <https://github.com/gwillem> Is it the plan we send a PR every
time we update rules/magehost.yar or rules/magehost_whitelist.json? Will
you configure your travis to deploy to S3, or is it better we use an own S3
bucket?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#149 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABF6h9Rt2Xx6_PQh90iYt2JCZbsY3A72ks5tavTmgaJpZM4PjLk8>
.
|
Wildcard rules were added for the (now deprecated) all-confirmed.txt & .yar. Hopefully they don't cause too much inconvenience. On the upside: mwscan maintenance has been much simplified with this change! |
https://github.com/nbs-system/php-malware-finder I tested the magento scanner and this one. |
@albertobraschi Thanks, will give it a try. If it works well I will add it to the list of scanners we run every night at MageHost. |
@albertobraschi These projects have different design goals: NBS's PMF optimizes for coverage while mwscan optimizes for accuracy. So PMF tends to have more hits, while MWscan has fewer false positives. But perhaps you want to share which malware was missed by mwscan so we can include it? |
@jeroenvermeulen FYI the NBS ruleset is supported by mwscan ( |
@albertobraschi Tested NBS on our customers' Magento installs. Lots of false positives as @gwillem predicted. I did some work to whitelist vanilla Magento installs, but the guys don't accept my PR, they don't trust me. |
I have used both. mwscan and nbs. |
What did nbs find that mwscan hasn't?
…On Fri, 13 Jul 2018, 15:10 Alberto Braschi, ***@***.***> wrote:
I have used both. *mwscan* and *nbs*.
mwscan had few false positives, on the other hand, it did not cover all
malware.
nbs had a few false positives, but it covered all the malwares.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#149 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AWjyNAbVjp3b075p64CdY_JGV87EN6Ovks5uGKpJgaJpZM4PjLk8>
.
|
this is the log from nbs |
I am no longer with the files to test again and do a comparison. |
@albertobraschi obfuscated PHP isn't necessarily malware.. unfortunately, many legitimate extension vendors use obfuscation techniques to "protect" their code. |
Note to mwscan users: update your install, or you will not get new rules anymore!
grep
URL has changed fromgit.io/mwscan.txt
tomwscan.s3.amazonaws.com/mwscan.txt
mwscan
package, trysudo pip3 install --upgrade mwscan
(orsudo pip install --upgrade mwscan
).See the updated docs for sample crons.
What is this change about?
Let the CI pipeline build the signatures, instead of including them in the repo (redundantly).
Pro: This will unclutter many PRs
Con: Installation instructions need to change, people need to update their mwscan code as the URL is hardcoded and currently points to github.
Plan:
mwscan.txt
andmwscan.yar
(fromall-confirmed
).grep
usageDEFAULT_RULES_FILE
mwscan
ruleset the default onebuild/*
to .gitignore so PRs will not clutter any further.mwscan
without arguments still does a sane thing (ie download the latest default ruleset and use that)Mwscan users (e.g. Byte) should:
The text was updated successfully, but these errors were encountered: