Resolve datadog-agent kworker false positives (#300)

* Resolve datadog-agent kworker false positives

Signed-off-by: egibs <[email protected]>

* Better handling of ignore_ref

Signed-off-by: egibs <[email protected]>

* Update rules/evasion/fake-process-name.yara

Signed-off-by: Evan Gibler <[email protected]>

* Update rules/evasion/fake-process-name.yara

Signed-off-by: Evan Gibler <[email protected]>

* Add more precise DataDog process-agent kworker references

Signed-off-by: egibs <[email protected]>

* More specificity

Signed-off-by: egibs <[email protected]>

* Consolidate ignores

Signed-off-by: egibs <[email protected]>

* Ignore DataDog strings

Signed-off-by: egibs <[email protected]>

---------

Signed-off-by: egibs <[email protected]>
Signed-off-by: Evan Gibler <[email protected]>
Co-authored-by: Thomas Strömberg <[email protected]>

rules/evasion/fake-process-name.yara

@@ -1,4 +1,3 @@
-
 rule fake_kworker_val : critical {
   meta:
     description = "Pretends to be a kworker kernel thread"
@@ -9,8 +8,10 @@ rule fake_kworker_val : critical {
     $kworker = /\[{0,1}kworker\/[\d:\]]{1,5}/
     $kworker2 = "kworker" fullword
     $kworker3 = "[kworker"
+    // datadog process-agent
+    $ignore_datadog = /[Dd]ata[Dd]og/
   condition:
-    any of them
+    any of ($kworker*) and not $ignore_datadog
 }
 
 rule fake_syslogd : critical {