Add exception for php_image_include rule (#1000)

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

Author: egibs

rules/evasion/covert-location/php_image.yara

@@ -7,8 +7,13 @@ rule php_image_include: critical {
     $php     = "<?php"
     $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/
 
+    // https://github.com/symfony/symfony/blob/7.4/src/Symfony/Component/ErrorHandler/Resources/views/exception_full.html.php#L9
+    // https://github.com/symfony/symfony/blob/7.4/src/Symfony/Component/ErrorHandler/Resources/assets/images/favicon.png.base64
+    $not_symfony1 = "include('assets/images/favicon.png.base64')"
+    $not_symfony2 = "<a href=\"https://symfony.com/doc/<?= Symfony\\Component\\HttpKernel\\Kernel::VERSION; ?>/index.html\">"
+
   condition:
-    filesize < 5242880 and all of them
+    filesize < 5242880 and all of them and none of ($not*)
 }
 
 rule php_in_image: critical {