remove hashes from rules (#625)

* remove hashes from rules * remove hashes from rules * run fmt * remove remaining hashes * fix 3rd party rules * add descriptions * update testdata
chainguard-dev · Nov 15, 2024 · 3aa2507 · 3aa2507
1 parent 56458e1
commit 3aa2507
Show file tree

Hide file tree

Showing 502 changed files with 1,074 additions and 2,809 deletions.
diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive
@@ -645,7 +645,7 @@
                     "RuleName": "whoami"
                 },
                 {
-                    "Description": "selinux",
+                    "Description": "alters the SELinux enforcement level",
                     "MatchStrings": [
                         "setenforce"
                     ],

diff --git a/rules/anti-behavior/LD_DEBUG.yara b/rules/anti-behavior/LD_DEBUG.yara
@@ -1,9 +1,6 @@
 rule env_LD_DEBUG: medium {
   meta:
-    description              = "may check if dynamic linker debugging is enabled"
-    hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796"
-    hash_2024_Downloads_0ca7 = "0ca7e0eddd11dfaefe0a0721673427dd441e29cf98064dd0f7b295eae416fe1b"
-    hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151"
+    description = "may check if dynamic linker debugging is enabled"
 
   strings:
     $val = "LD_DEBUG" fullword

diff --git a/rules/anti-behavior/LD_PROFILE.yara b/rules/anti-behavior/LD_PROFILE.yara
@@ -1,9 +1,6 @@
 rule env_LD_PROFILE: medium {
   meta:
-    description              = "may check if dynamic linker profiling is enabled"
-    hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796"
-    hash_2024_Downloads_0ca7 = "0ca7e0eddd11dfaefe0a0721673427dd441e29cf98064dd0f7b295eae416fe1b"
-    hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151"
+    description = "may check if dynamic linker profiling is enabled"
 
   strings:
     $val = "LD_PROFILE" fullword

diff --git a/rules/anti-behavior/process-check.yara b/rules/anti-behavior/process-check.yara
@@ -1,8 +1,6 @@
 rule activity_monitor_checker: high macos {
   meta:
-    hash_2020_BirdMiner_tonsillith = "9f8dba1cea7c8a4d7701a6a3e2d826202ba7e00e30e9c836c734ad6842b8cb5e"
-    hash_2020_BirdMiner_tormina    = "4179cdef4de0eef44039e9d03d42b3aeca06df533be74fc65f5235b21c9f0fb1"
-    description                    = "checks if 'Activity Monitor' is running"
+    description = "checks if 'Activity Monitor' is running"
 
   strings:
     $ps             = "ps" fullword

diff --git a/rules/anti-behavior/vm-check.yara b/rules/anti-behavior/vm-check.yara
@@ -1,9 +1,6 @@
 rule vm_checker: medium {
   meta:
-    description                       = "Checks to see if it is running with a VM"
-    hash_2024_Downloads_3105          = "31054fb826b57c362cc0f0dbc8af15b22c029c6b9abeeee9ba8d752f3ee17d7d"
-    hash_2023_Downloads_589d          = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0"
-    hash_2023_Downloads_Chrome_Update = "eed1859b90b8832281786b74dc428a01dbf226ad24b182d09650c6e7895007ea"
+    description = "Checks to see if it is running with a VM"
 
   strings:
     $a_vmware         = "VMware"

diff --git a/rules/anti-static/base64/eval.yara b/rules/anti-static/base64/eval.yara
@@ -2,9 +2,7 @@ import "math"
 
 rule eval_base64: high {
   meta:
-    hash_2023_0xShell       = "acf556b26bb0eb193e68a3863662d9707cbf827d84c34fbc8c19d09b8ea811a1"
-    hash_2023_0xShell_0xObs = "6391e05c8afc30de1e7980dda872547620754ce55c36da15d4aefae2648a36e5"
-    hash_2023_0xShell       = "a6f1f9c9180cb77952398e719e4ef083ccac1e54c5242ea2bc6fe63e6ab4bb29"
+    description = "Evaluates base64 content"
 
   strings:
     $eval = /eval\(.{0,256}base64/
@@ -15,9 +13,7 @@ rule eval_base64: high {
 
 rule ruby_eval_base64_decode: critical {
   meta:
-    description             = "Evaluates base64 content"
-    hash_2023_1_1_6_payload = "cbe882505708c72bc468264af4ef5ae5de1b75de1f83bba4073f91568d9d20a1"
-    hash_2023_0_0_7_payload = "bb6ca6bfd157c39f4ec27589499d3baaa9d1b570e622722cb9bddfff25127ac9"
+    description = "Evaluates base64 content"
 
   strings:
     $eval_base64_decode = "eval(Base64."
@@ -28,10 +24,7 @@ rule ruby_eval_base64_decode: critical {
 
 rule ruby_eval_near_enough: critical {
   meta:
-    description                            = "Evaluates base64 content"
-    hash_2019_active_controller_middleware = "9a85e7aee672b1258b3d4606f700497d351dd1e1117ceb0e818bfea7922b9a96"
-    hash_2023_1_1_6_payload                = "cbe882505708c72bc468264af4ef5ae5de1b75de1f83bba4073f91568d9d20a1"
-    hash_2023_0_0_7_payload                = "bb6ca6bfd157c39f4ec27589499d3baaa9d1b570e622722cb9bddfff25127ac9"
+    description = "Evaluates base64 content"
 
   strings:
     $eval   = "eval("
@@ -43,8 +36,7 @@ rule ruby_eval_near_enough: critical {
 
 rule ruby_eval2_near_enough: critical {
   meta:
-    description          = "Evaluates base64 content"
-    hash_2023_siamttview = "7a19eb7e34f500af708eeccbf990ce623f58293e693a86bc1a99cc3bf18d1529"
+    description = "Evaluates base64 content"
 
   strings:
     $eval   = "eval("
@@ -56,10 +48,7 @@ rule ruby_eval2_near_enough: critical {
 
 rule python_exec_near_enough: high {
   meta:
-    description                                                                               = "Evaluates base64 content"
-    hash_2023_UPX_7f5fd8c7cad4873993468c0c0a4cabdd8540fd6c2679351f58580524c1bfd0af_elf_x86_64 = "3b9f8c159df5d342213ed7bd5bc6e07bb103a055f4ac90ddb4b981957cd0ab53"
-    hash_2019_CookieMiner_OAZG                                                                = "27ccebdda20264b93a37103f3076f6678c3446a2c2bfd8a73111dbc8c7eeeb71"
-    hash_2018_EvilOSX_89e5                                                                    = "89e5b8208daf85f549d9b7df8e2a062e47f15a5b08462a4224f73c0a6223972a"
+    description = "Evaluates base64 content"
 
   strings:
     $exec   = "exec("
@@ -71,10 +60,7 @@ rule python_exec_near_enough: high {
 
 rule echo_decode_bash_probable: high {
   meta:
-    description                          = "likely pipes base64 into a shell"
-    hash_2023_OrBit_f161                 = "f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8"
-    hash_2023_Unix_Coinminer_Xanthe_7ea1 = "7ea112aadebb46399a05b2f7cc258fea02f55cf2ae5257b331031448f15beb8f"
-    hash_2023_Unix_Trojan_Coinminer_3a6b = "3a6b3552ffac13aa70e24fef72b69f683ac221105415efb294fb9a2fc81c260a"
+    description = "likely pipes base64 into a shell"
 
   strings:
     $echo          = "echo" fullword

diff --git a/rules/anti-static/base64/exec.yara b/rules/anti-static/base64/exec.yara
@@ -1,9 +1,6 @@
 rule base64_commands: high {
   meta:
-    description                          = "commands in base64 form"
-    hash_2023_OrBit_f161                 = "f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8"
-    hash_2023_Sysrv_Hello_sys_x86_64     = "cd784dc1f7bd95cac84dc696d63d8c807129ef47b3ce08cd08afb7b7456a8cd3"
-    hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97"
+    description = "commands in base64 form"
 
   strings:
     $b_chmod        = "chmod" base64

diff --git a/rules/anti-static/base64/function_names.yara b/rules/anti-static/base64/function_names.yara
@@ -1,9 +1,6 @@
 rule base64_php_functions: medium {
   meta:
-    description                  = "References PHP functions in base64 form"
-    hash_2023_0xShell_0xObs      = "6391e05c8afc30de1e7980dda872547620754ce55c36da15d4aefae2648a36e5"
-    hash_2023_0xShell_0xShellObs = "64771788a20856c7b2a29067f41be9cb7138c11a2cf2a8d17ab4afe73516f1ed"
-    hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e"
+    description = "References PHP functions in base64 form"
 
   strings:
     $php           = "<?php"
@@ -69,10 +66,7 @@ rule base64_php_functions: medium {
 
 rule base64_php_functions_multiple: critical {
   meta:
-    description                  = "References multiple PHP functions in base64 form"
-    hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e"
-    hash_2023_0xShell_0xencbase  = "50057362c139184abb74a6c4ec10700477dcefc8530cf356607737539845ca54"
-    hash_2023_0xShell_wesobase   = "17a1219bf38d953ed22bbddd5aaf1811b9380ad0535089e6721d755a00bddbd0"
+    description = "References multiple PHP functions in base64 form"
 
   strings:
     $php           = "<?php"
@@ -137,10 +131,7 @@ rule base64_php_functions_multiple: critical {
 
 rule base64_python_functions: critical {
   meta:
-    description                            = "contains base64 Python code"
-    hash_2023_0xShell_0xencbase            = "50057362c139184abb74a6c4ec10700477dcefc8530cf356607737539845ca54"
-    hash_2023_0xShell_wesobase             = "17a1219bf38d953ed22bbddd5aaf1811b9380ad0535089e6721d755a00bddbd0"
-    hash_2024_static_demonizedshell_static = "b4e65c01ab90442cb5deda26660a3f81bd400c205e12605536483f979023aa15"
+    description = "contains base64 Python code"
 
   strings:
     $f_exec          = "exec(" base64

diff --git a/rules/anti-static/base64/http_agent.yara b/rules/anti-static/base64/http_agent.yara
@@ -1,9 +1,6 @@
 rule base64_http_val: high {
   meta:
-    description                      = "base64 HTTP protocol references"
-    hash_2023_Sysrv_Hello_sys_x86_64 = "cd784dc1f7bd95cac84dc696d63d8c807129ef47b3ce08cd08afb7b7456a8cd3"
-    hash_2023_pan_chan_6896          = "6896b02503c15ffa68e17404f1c97fd53ea7b53c336a7b8b34e7767f156a9cf2"
-    hash_2023_pan_chan_73ed          = "73ed0b692fda696efd5f8e33dc05210e54b17e4e4a39183c8462bcc5a3ba06cc"
+    description = "base64 HTTP protocol references"
 
   strings:
     $user_agent  = "User-Agent" base64

diff --git a/rules/anti-static/base64/obfuscated_caller.yara b/rules/anti-static/base64/obfuscated_caller.yara
@@ -1,9 +1,6 @@
 rule base64_str_replace: critical {
   meta:
-    description                                     = "creatively hidden forms of the term 'base64'"
-    hash_2024_2024_Inull_Studio_err                 = "5dbab6891fefb2ba4e3983ddb0d95989cf5611ab85ae643afbcc5ca47c304a4a"
-    hash_2024_2024_Inull_Studio_err                 = "5dbab6891fefb2ba4e3983ddb0d95989cf5611ab85ae643afbcc5ca47c304a4a"
-    hash_2024_2024_Inull_Studio_godzilla_xor_base64 = "699c7bbf08d2ee86594242f487860221def3f898d893071426eb05bec430968e"
+    description = "creatively hidden forms of the term 'base64'"
 
   strings:
     $a = /\wba\ws\we64/

diff --git a/rules/anti-static/binary/opaque.yara b/rules/anti-static/binary/opaque.yara
@@ -1,9 +1,6 @@
 rule opaque_binary: medium {
   meta:
-    description              = "binary contains little text content"
-    hash_2024_Downloads_309f = "309f399788b63f66cfa7b37ae1db5dced55a9e73b768a7f05ea4de553192eeb1"
-    hash_2024_Downloads_52d3 = "52d3f9458cfc31b2b8b6a5abd2ad743e7a2bb2999442ee2a3de5e17805cfbacc"
-    hash_2024_Downloads_690f = "690f29dd425f7415ecb50986aa26750960c39a0ca8a02ddfd37ec4196993bd9e"
+    description = "binary contains little text content"
 
   strings:
     $word_with_spaces = /[a-z]{2,} [a-z]{2,}/

diff --git a/rules/anti-static/elf/content.yara b/rules/anti-static/elf/content.yara
@@ -2,10 +2,7 @@ import "elf"
 
 rule obfuscated_elf: high linux {
   meta:
-    description              = "Obfuscated ELF binary (missing symbols)"
-    hash_2023_APT31_1d60     = "1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2"
-    hash_2023_UPX_0c25       = "0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d"
-    hash_2023_Earthwrom_1ae6 = "1ae62dbec330695d2eddc7cb9a65d47bad5f45af95e6c8a803f0780e0749a3ad"
+    description = "Obfuscated ELF binary (missing symbols)"
 
   strings:
     $dlsym             = "dlsym" fullword

diff --git a/rules/anti-static/elf/header.yara b/rules/anti-static/elf/header.yara
@@ -3,27 +3,23 @@ import "math"
 
 rule single_load_rwe: critical {
   meta:
-    description                          = "Binary with a single LOAD segment marked RWE"
-    family                               = "Stager"
-    filetype                             = "ELF"
-    hash_2024_Downloads_690f             = "690f29dd425f7415ecb50986aa26750960c39a0ca8a02ddfd37ec4196993bd9e"
-    hash_2023_Downloads_cd54             = "cd54a34dbd7d345a7fd7fd8744feb5c956825317e9225edb002c3258683947f1"
-    hash_2023_Linux_Malware_Samples_16e0 = "16e09592a9e85cd67530ec365ac2c50e48e873335c1ad0f984e3daaefc8a57b5"
-    author                               = "Tenable"
+    description = "Binary with a single LOAD segment marked RWE"
+    family      = "Stager"
+    filetype    = "ELF"
+
+    author = "Tenable"
 
   condition:
     elf.number_of_segments == 1 and elf.segments[0].type == elf.PT_LOAD and elf.segments[0].flags == elf.PF_R | elf.PF_W | elf.PF_X
 }
 
 rule fake_section_headers_conflicting_entry_point_address: critical {
   meta:
-    description                          = "binary with fake sections header"
-    family                               = "Obfuscation"
-    filetype                             = "ELF"
-    hash_2024_Downloads_e241             = "e241a3808e1f8c4811759e1761e2fb31ce46ad1e412d65bb1ad9e697432bd4bd"
-    hash_2023_Linux_Malware_Samples_0ad6 = "0ad6c635d583de499148b1ec46d8b39ae2785303e8b81996d3e9e47934644e73"
-    hash_2023_Linux_Malware_Samples_19f7 = "19f76bf2be3ea11732f2c5c562afbd6f363b062c25fba3a143c3c6ef4712774b"
-    author                               = "Tenable"
+    description = "binary with fake sections header"
+    family      = "Obfuscation"
+    filetype    = "ELF"
+
+    author = "Tenable"
 
   condition:
     elf.type == elf.ET_EXEC and elf.entry_point < filesize and elf.number_of_segments > 0 and elf.number_of_sections > 0 and not (for any i in (0..elf.number_of_segments): ((elf.segments[i].offset <= elf.entry_point) and ((elf.segments[i].offset + elf.segments[i].file_size) >= elf.entry_point) and for any j in (0..elf.number_of_sections): (elf.sections[j].offset <= elf.entry_point and ((elf.sections[j].offset + elf.sections[j].size) >= elf.entry_point) and (elf.segments[i].virtual_address + (elf.entry_point - elf.segments[i].offset)) == (elf.sections[j].address + (elf.entry_point - elf.sections[j].offset)))))
@@ -42,10 +38,7 @@ rule fake_dynamic_symbols: critical {
 
 rule high_entropy_header: high {
   meta:
-    description                                                       = "high entropy ELF header (>7)"
-    hash_2023_UPX_0c25                                                = "0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d"
-    hash_2023_UPX_5a59                                                = "5a5960ccd31bba5d47d46599e4f10e455b74f45dad6bc291ae448cef8d1b0a59"
-    hash_2023_FontOnLake_38B09D690FAFE81E964CBD45EC7CF20DCB296B4D_elf = "f155fafa36d1094433045633741df98bbbc1153997b3577c3fa337cc525713c0"
+    description = "high entropy ELF header (>7)"
 
   strings:
     $not_pyinst = "pyi-bootloader-ignore-signals"

diff --git a/rules/anti-static/obfuscation/bitwise.yara b/rules/anti-static/obfuscation/bitwise.yara
@@ -2,10 +2,7 @@ import "math"
 
 rule large_bitwise_math: medium {
   meta:
-    description                   = "large amounts of bitwise math"
-    hash_2023_yfinancce_0_1_setup = "3bde1e9207dd331806bf58926d842e2d0f6a82424abd38a8b708e9f4e3e12049"
-    hash_2023_yvper_0_1_setup     = "b765244c1f8a11ee73d1e74927b8ad61718a65949e0b8d8cbc04e5d84dccaf96"
-    hash_2023_aiohttpp_0_1_setup  = "cfa4137756f7e8243e7c7edc7cb0b431a2f4c9fa401f2570f1b960dbc86ca7c6"
+    description = "large amounts of bitwise math"
 
   strings:
     $x = /\-{0,1}\d{1,8} \<\< \-{0,1}\d{1,8}/
@@ -16,10 +13,7 @@ rule large_bitwise_math: medium {
 
 rule excessive_bitwise_math: high {
   meta:
-    description                   = "excessive use of bitwise math (>64 ops)"
-    hash_2023_yfinancce_0_1_setup = "3bde1e9207dd331806bf58926d842e2d0f6a82424abd38a8b708e9f4e3e12049"
-    hash_2023_yvper_0_1_setup     = "b765244c1f8a11ee73d1e74927b8ad61718a65949e0b8d8cbc04e5d84dccaf96"
-    hash_2023_aiohttpp_0_1_setup  = "cfa4137756f7e8243e7c7edc7cb0b431a2f4c9fa401f2570f1b960dbc86ca7c6"
+    description = "excessive use of bitwise math (>64 ops)"
 
   strings:
     $x                  = /\-{0,1}[\da-z]{1,8} \<\< \-{0,1}\d{1,8}/
@@ -57,11 +51,8 @@ rule bitwise_math: low {
 
 rule bidirectional_bitwise_math: medium {
   meta:
-    description                   = "uses bitwise math in both directions"
-    ref                           = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection"
-    hash_2023_gmgeoip_IP2Location = "fd6123325a4b77c55ae30c641b00e28bc6c0187d6ce3d624440d70dc5376a7a4"
-    hash_2023_openssl_libcrypto   = "868ab5c1d1f0afa6547141f01877800d51f944a0e1f275a7bdbc38edd90ea74e"
-    hash_2023_openssl_libcrypto   = "868ab5c1d1f0afa6547141f01877800d51f944a0e1f275a7bdbc38edd90ea74e"
+    description = "uses bitwise math in both directions"
+    ref         = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection"
 
   strings:
     $x = /\-{0,1}[\da-z]{1,8} \<\< \-{0,1}\d{1,8}/
@@ -73,10 +64,8 @@ rule bidirectional_bitwise_math: medium {
 
 rule bitwise_python_string: medium {
   meta:
-    description                          = "creates string using bitwise math"
-    ref                                  = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection"
-    hash_2024_xFileSyncerx_xfilesyncerx  = "c68e907642a8462c6b82a50bf4fde82bbf71245ab4edace246dd341dc72e5867"
-    hash_2024_2024_d3duct1v_xfilesyncerx = "b87023e546bcbde77dae065ad3634e7a6bd4cc6056167a6ed348eee6f2a168ae"
+    description = "creates string using bitwise math"
+    ref         = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection"
 
   strings:
     $ref = /"".join\(chr\(\w{1,4} >> \w{1,3}\) for \w{1,16} in \w{1,16}/
@@ -87,10 +76,8 @@ rule bitwise_python_string: medium {
 
 rule bitwise_python_string_exec_eval: high {
   meta:
-    description                          = "creates and evaluates string using bitwise math"
-    ref                                  = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection"
-    hash_2024_xFileSyncerx_xfilesyncerx  = "c68e907642a8462c6b82a50bf4fde82bbf71245ab4edace246dd341dc72e5867"
-    hash_2024_2024_d3duct1v_xfilesyncerx = "b87023e546bcbde77dae065ad3634e7a6bd4cc6056167a6ed348eee6f2a168ae"
+    description = "creates and evaluates string using bitwise math"
+    ref         = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection"
 
   strings:
     $ref  = /"".join\(chr\(\w{1,4} >> \w{1,3}\) for \w{1,16} in \w{1,16}/
@@ -103,10 +90,8 @@ rule bitwise_python_string_exec_eval: high {
 
 rule bitwise_python_string_exec_eval_nearby: critical {
   meta:
-    description                          = "creates and executes string using bitwise math"
-    ref                                  = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection"
-    hash_2024_xFileSyncerx_xfilesyncerx  = "c68e907642a8462c6b82a50bf4fde82bbf71245ab4edace246dd341dc72e5867"
-    hash_2024_2024_d3duct1v_xfilesyncerx = "b87023e546bcbde77dae065ad3634e7a6bd4cc6056167a6ed348eee6f2a168ae"
+    description = "creates and executes string using bitwise math"
+    ref         = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection"
 
   strings:
     $ref  = /"".join\(chr\(\w{1,4} >> \w{1,3}\) for \w{1,16} in \w{1,16}/

diff --git a/rules/anti-static/obfuscation/hex.yara b/rules/anti-static/obfuscation/hex.yara
@@ -12,10 +12,7 @@ rule excessive_hex_refs: medium {
 
 rule hex_parse: medium {
   meta:
-    description                  = "converts hex data to ASCII"
-    hash_2023_package_bgService  = "36831e715a152658bab9efbd4c2c75be50ee501b3dffdb5798d846a2259154a2"
-    hash_2023_getcookies_harness = "99b1563adea48f05ff6dfffa17f320f12f0d0026c6b94769537a1b0b1d286c13"
-    hash_1985_package_index      = "8d4daa082c46bfdef3d85a6b5e29a53ae4f45197028452de38b729d76d3714d1"
+    description = "converts hex data to ASCII"
 
   strings:
     $node   = /Buffer\.from\(\w{0,16}, {0,2}'hex'\)/
@@ -28,10 +25,7 @@ rule hex_parse: medium {
 
 rule hex_parse_base64: medium {
   meta:
-    description                  = "converts base64 hex data to ASCII"
-    hash_2023_package_bgService  = "36831e715a152658bab9efbd4c2c75be50ee501b3dffdb5798d846a2259154a2"
-    hash_2023_getcookies_harness = "99b1563adea48f05ff6dfffa17f320f12f0d0026c6b94769537a1b0b1d286c13"
-    hash_1985_package_index      = "8d4daa082c46bfdef3d85a6b5e29a53ae4f45197028452de38b729d76d3714d1"
+    description = "converts base64 hex data to ASCII"
 
   strings:
     $lang_node   = /Buffer\.from\(\w{0,16}, {0,2}'hex'\)/
@@ -45,10 +39,7 @@ rule hex_parse_base64: medium {
 
 rule hex_parse_base64_high: high {
   meta:
-    description                  = "converts base64 hex data to ASCII"
-    hash_2023_package_bgService  = "36831e715a152658bab9efbd4c2c75be50ee501b3dffdb5798d846a2259154a2"
-    hash_2023_getcookies_harness = "99b1563adea48f05ff6dfffa17f320f12f0d0026c6b94769537a1b0b1d286c13"
-    hash_1985_package_index      = "8d4daa082c46bfdef3d85a6b5e29a53ae4f45197028452de38b729d76d3714d1"
+    description = "converts base64 hex data to ASCII"
 
   strings:
     $lang_node         = /Buffer\.from\(\w{0,16}, {0,2}'hex'\)/

diff --git a/rules/anti-static/obfuscation/js.yara b/rules/anti-static/obfuscation/js.yara
@@ -101,8 +101,7 @@ rule ebe_generic: high {
 
 rule exec_console_log: critical {
   meta:
-    description            = "evaluates the return of console.log()"
-    hash_2017_package_post = "7664e04586d294092c86b7203f0651d071a993c5d62875988c2c5474e554c0e8"
+    description = "evaluates the return of console.log()"
 
   strings:
     $ref = ".exec(console.log("