-
Notifications
You must be signed in to change notification settings - Fork 34
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Improve results scanning for Linux malware (#608)
* Improve coverage for timb-machine * address more Ubuntu high false-positive * further rule tuning * further rule tuning * Renamed rules * rule tuning
- Loading branch information
1 parent
0f7f75f
commit 297b82e
Showing
244 changed files
with
1,728 additions
and
983 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
import "math" | ||
|
||
private rule normal_elf { | ||
condition: | ||
filesize < 64MB and uint32(0) == 1179403647 | ||
} | ||
|
||
private rule small_elf { | ||
condition: | ||
filesize < 400KB and uint32(0) == 1179403647 | ||
} | ||
|
||
rule normal_elf_high_entropy_7: medium { | ||
meta: | ||
description = "higher entropy ELF binary (>7.1)" | ||
|
||
condition: | ||
normal_elf and math.entropy(1, filesize) >= 7.1 | ||
} | ||
|
||
rule normal_elf_high_entropy_7_4: high { | ||
meta: | ||
description = "high entropy ELF binary (>7.4)" | ||
|
||
strings: | ||
$not_whirlpool = "libgcrypt-grub/cipher/whirlpool.c" | ||
condition: | ||
normal_elf and math.entropy(1, filesize) >= 7.4 and none of ($not*) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
import "elf" | ||
|
||
rule impossibly_small_elf_program: high { | ||
meta: | ||
description = "ELF binary is unusually small" | ||
|
||
strings: | ||
$not_hello_c = "hello.c" | ||
condition: | ||
filesize < 8192 and filesize > 900 and uint32(0) == 1179403647 and elf.type == elf.ET_EXEC and none of ($not*) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
import "math" | ||
|
||
private rule smaller_macho { | ||
condition: | ||
filesize < 64MB and (uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) | ||
} | ||
|
||
rule high_entropy_7_2: medium { | ||
meta: | ||
description = "higher entropy binary (>7.2)" | ||
|
||
condition: | ||
smaller_macho and math.entropy(1, filesize) >= 7.2 | ||
} | ||
|
||
rule high_entropy_7_9: high { | ||
meta: | ||
description = "high entropy binary (>7.9)" | ||
|
||
strings: | ||
// prevent bazel false positive | ||
$bin_java = "bin/java" | ||
condition: | ||
smaller_macho and math.entropy(1, filesize) >= 7.9 and not $bin_java | ||
} |
10 changes: 0 additions & 10 deletions
10
rules/anti-static/binary/tiny.yara → rules/anti-static/macho/tiny.yara
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.