@aldoyh
Last active November 30, 2024 10:28
PHP Yara Scanner

With the ability to update the rules via a cron job.

<?php
/**
 * Simple Yara Scanner v1.0
 *
 * Written by: Hasan AlDoy
 */

// 1. Install the `yara` CLI and clone a rule collection that has a malware/
//    subdirectory of .yar files. Note that https://github.com/virustotal/yara
//    is the engine itself and does not ship such a directory, so point
//    $mainYaraDir at a checkout that has that layout.
$mainYaraDir = 'YOUR_CLONED_REPO_PATH';

// Paths to your YARA rule files
$yaraRules = glob($mainYaraDir . '/malware/*.yar');
if ($yaraRules === false || $yaraRules === []) {
    echo "No .yar rule files found under $mainYaraDir/malware. Exiting...\n";
    exit(1);
}

echo "YARA Rules:\n";
echo "Total Rules: " . count($yaraRules) . "\n";

// Optionally keep only rules that mention PHP (e.g. webshell rules) by
// uncommenting the condition below; by default every rule file is selected.
$selectedRules = [];
foreach ($yaraRules as $rule) {
    // if (stripos(file_get_contents($rule), 'php') === false) { continue; }
    echo "Rule: " . basename($rule) . "\n";
    $selectedRules[] = $rule;
}

// confirm to continue
$stdin = fopen('php://stdin', 'r');
echo "Do you want to continue? (y/n) ";
$answer = trim((string) fgets($stdin));
if (strtolower($answer) !== 'y') {
    echo "Exiting...\n";
    exit(0);
}

// ask for the directory to scan; an invalid path must abort, not fall
// through to a scan of the current working directory
echo "Current working directory: " . getcwd() . "\n";
echo "Enter the path to scan: ";
$scanDirectory = trim((string) fgets($stdin));
fclose($stdin);
if ($scanDirectory === '' || !is_dir($scanDirectory)) {
    echo "Invalid path. Exiting...\n";
    exit(1);
}

// Build the command: yara -r <rule files...> <directory>
// Every argument goes through escapeshellarg() so neither a rule path nor the
// user-supplied directory can inject extra shell commands.
$command = 'yara -r';
foreach ($selectedRules as $rule) {
    $command .= ' ' . escapeshellarg($rule);
}
$command .= ' ' . escapeshellarg($scanDirectory);

// Execute the command. exec() returns the exit status, which distinguishes
// "no matches" (exit 0, empty output) from a failed run (non-zero exit, e.g. a
// rule that does not compile or a missing yara binary); stderr is merged so
// the reason for a failure is shown.
echo PHP_EOL . $command . PHP_EOL . PHP_EOL;
exec($command . ' 2>&1', $outputLines, $exitCode);
$output = implode(PHP_EOL, $outputLines);

// Display the results of the YARA scan
if ($exitCode !== 0) {
    echo "YARA failed (exit code $exitCode):\n" . $output . "\n";
    exit(1);
}
if ($output !== '') {
    echo "YARA Scan Results:\n" . $output . "\n";
} else {
    echo "No suspicious files found.\n";
}
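The gist describes updating the rules from a cron job but contains no code for it. The following is an added example, not the gist author's code, of a non-interactive companion script that a cron entry could run: it fast-forwards the rule checkout, compiles the rule files with yarac so that a broken update is rejected before it ever reaches the scanner, scans with the compiled set, and parses yara's default `rule_name /path/to/file` output lines into a structured result instead of dumping raw text. The paths `$rulesRepo`, `$compiled` and `$scanDir` and all function names are assumptions; the script also assumes `git`, `yara` and `yarac` are on PATH and that the rule checkout has the `malware/*.yar` layout the gist's glob expects.

```php
<?php
/**
 * update_and_scan.php - hypothetical cron companion to the scanner above.
 * Added example, not the gist author's code. Assumes git, yara and yarac are
 * on PATH and that $rulesRepo is a git checkout of a rule collection with a
 * malware/ subdirectory of .yar files. All three paths below are placeholders.
 */
declare(strict_types=1);

$rulesRepo = '/opt/yara-rules';          // assumed: git checkout of the rule collection
$compiled  = '/var/lib/yara/rules.yarc'; // assumed: where the compiled rule set lives
$scanDir   = '/var/www';                 // assumed: tree to scan on every run

/** Run a shell command; returns [exit code, output lines]. stderr is merged so cron mail shows errors. */
function run(string $cmd): array
{
    exec($cmd . ' 2>&1', $lines, $code);
    return [$code, $lines];
}

/** Fast-forward the checkout; --ff-only makes a diverged or rewritten upstream fail instead of auto-merging. */
function updateRules(string $repo): bool
{
    [$code, $out] = run('git -C ' . escapeshellarg($repo) . ' pull --ff-only');
    if ($code !== 0) {
        fwrite(STDERR, "git pull failed:\n" . implode("\n", $out) . "\n");
    }
    return $code === 0;
}

/**
 * Compile every .yar file into one compiled rule set. yarac exits non-zero if
 * any rule fails to parse, so a bad update never replaces the last good set;
 * writing to a temp file and rename()-ing swaps it in atomically.
 */
function compileRules(string $repo, string $compiled): bool
{
    $files = glob($repo . '/malware/*.yar') ?: [];
    if ($files === []) {
        fwrite(STDERR, "no .yar files under $repo/malware\n");
        return false;
    }
    $tmp = $compiled . '.tmp';
    $cmd = 'yarac ' . implode(' ', array_map('escapeshellarg', $files)) . ' ' . escapeshellarg($tmp);
    [$code, $out] = run($cmd);
    if ($code !== 0) {
        fwrite(STDERR, "yarac failed:\n" . implode("\n", $out) . "\n");
        @unlink($tmp);
        return false;
    }
    return rename($tmp, $compiled);
}

/**
 * Parse yara's default output (one "rule_name /path/to/file" line per match)
 * into [rule => [files]]. Rule identifiers are [A-Za-z_][A-Za-z0-9_]*, so
 * "warning: ..." / "error: ..." lines that came from stderr never match.
 */
function parseMatches(array $lines): array
{
    $matches = [];
    foreach ($lines as $line) {
        if (preg_match('/^([A-Za-z_][A-Za-z0-9_]*) (.+)$/', $line, $m)) {
            $matches[$m[1]][] = $m[2];
        }
    }
    return $matches;
}

/** Scan $dir with the compiled rules (-C); returns parsed matches, or null if yara itself failed. */
function scan(string $compiled, string $dir): ?array
{
    [$code, $out] = run('yara -C -r ' . escapeshellarg($compiled) . ' ' . escapeshellarg($dir));
    if ($code !== 0) {
        fwrite(STDERR, "yara failed (exit $code):\n" . implode("\n", $out) . "\n");
        return null;
    }
    return parseMatches($out);
}

// Refresh the rules first. If the pull fails, fall back to the previous
// compiled set rather than skipping the scan; if the new rules do not
// compile, stop so the failure is reported and the old set stays in place.
if (updateRules($rulesRepo) && !compileRules($rulesRepo, $compiled)) {
    exit(1);
}
if (!is_file($compiled)) {
    fwrite(STDERR, "no compiled rule set at $compiled\n");
    exit(1);
}
$result = scan($compiled, $scanDir);
if ($result === null) {
    exit(1);
}
foreach ($result as $rule => $files) {
    echo $rule . ': ' . count($files) . " file(s)\n";
    foreach ($files as $file) {
        echo "  $file\n";
    }
}
```

A crontab line such as `0 3 * * * php /opt/update_and_scan.php` (path assumed) runs it nightly; cron mails anything written to stderr, which is where every failure above lands. Compiling once with yarac and scanning with `yara -C` also avoids re-parsing every rule file on each run, which matters once the collection grows to hundreds of files.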