From 892d94a4901b522d3bb614e15722c8c0554a9046 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Str=C3=B6mberg?=
Date: Tue, 17 Dec 2024 19:05:31 -0500
Subject: [PATCH] Fix false-positives in http_parser.rb-0.8.0/ext/ruby_http_parser/vendor/http-parser/test.c (#720)

* improve http false positives
* refresh testdata
* Add test
---
 rules/evasion/net/http_443.yara | 13 ++++++-----
 rules/net/http/content-length.yara | 8 +++++--
 rules/net/ip/host_port.yara | 5 +++++
 tests/c/clean/ruby_http_parser/test.c.simple | 23 ++++++++++++++++++++
 4 files changed, 42 insertions(+), 7 deletions(-)
 create mode 100644 tests/c/clean/ruby_http_parser/test.c.simple

diff --git a/rules/evasion/net/http_443.yara b/rules/evasion/net/http_443.yara
index 7d4913ba9..84db1e0de 100644
--- a/rules/evasion/net/http_443.yara
+++ b/rules/evasion/net/http_443.yara
@@ -3,11 +3,14 @@ rule http_port_443: high {
 description = "hardcoded HTTP site on port 443 (HTTPS)"
 
 strings:
- $http_443 = /http:\/\/[\w\.]{0,32}:443[\/\w\-\?\.]{0,32}/
- $not_test = "assertEqual"
- $not_example = "http://example.com:443"
- $not_localhost = "http://localhost:443"
- $not_foo = "http://foo.com:443/"
+ $http_443 = /http:\/\/[\w\.]{0,32}:443[\/\w\-\?\.]{0,32}/
+ $not_test = "assertEqual"
+ $not_example = "http://example.com:443"
+ $not_localhost = "http://localhost:443"
+ $not_foo = "http://foo.com:443/"
+ $not_empty = "http://:443/"
+ $not_slash_test = "/test" fullword
+ $not_unit_test = "unit test"
 
 condition:
 $http_443 and none of ($not*)
diff --git a/rules/net/http/content-length.yara b/rules/net/http/content-length.yara
index e96d7d7e4..8a5029550 100644
--- a/rules/net/http/content-length.yara
+++ b/rules/net/http/content-length.yara
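Review bot: `$not_empty = "http://:443/"` treats a symptom of the `$http_443` regex rather than the cause: `[\w\.]{0,32}` accepts an empty host, and the new negative then suppresses the whole rule for any file containing that literal, including one that also carries a real hardcoded `http://<host>:443` URL elsewhere. Assuming the test.c false positive is the empty-host form this string names, requiring at least one host character, `$http_443 = /http:\/\/[\w\.]{1,32}:443[\/\w\-\?\.]{0,32}/`, removes it without adding an exclusion. The other two additions, `"/test" fullword` and `"unit test"`, are file-wide negatives that cost a sample nothing to include, so they act as an opt-out rather than a scoped exception; if they stay, a comment such as `// NOTE: file-wide negatives — any sample containing "unit test" or a /test path bypasses this rule` makes that trade-off visible to the next maintainer. The rule header and its `meta:` line precede line 3 and are outside this hunk.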
@@ -14,8 +14,12 @@ rule content_length_hardcoded: high {
 description = "Sets HTTP content length to hard-coded value"
 
 strings:
- $ref = /Content-Length: \d{2,13}/ fullword
+ $ref = /Content-Length: \d{2,13}/ fullword
+ $not_test_parse = "test_parse"
+ $not_slash_test = "/test" fullword
+ $not_test_message = "test_message"
+ $not_unit_test = "unit test"
 
 condition:
- $ref
+ $ref and none of ($not*)
 }
diff --git a/rules/net/ip/host_port.yara b/rules/net/ip/host_port.yara
index 9d9c5a0c9..2bf7707a6 100644
--- a/rules/net/ip/host_port.yara
+++ b/rules/net/ip/host_port.yara
@@ -75,6 +75,11 @@ rule hardcoded_host_port_over_10k: high {
 $not_example_com = "example.com:"
 $not_mygateway = "mygateway.com:"
 $not_mymachine = "mymachine.com:"
+ $not_ruby_http = "http://hypnotoad.org:1234?hail=all"
+ $not_test_parse = "test_parse"
+ $not_slash_test = "/test" fullword
+ $not_test_message = "test_message"
+ $not_unit_test = "unit test"
 
 condition:
 any of ($h*) and none of ($not*)
diff --git a/tests/c/clean/ruby_http_parser/test.c.simple b/tests/c/clean/ruby_http_parser/test.c.simple
new file mode 100644
index 000000000..b57c3d310
--- /dev/null
+++ b/tests/c/clean/ruby_http_parser/test.c.simple
@@ -0,0 +1,23 @@
+# c/clean/ruby_http_parser/test.c: medium
+c2/tool_transfer/os: low
+crypto/openssl: medium
+data/compression/gzip: low
+data/compression/zlib: low
+data/embedded/base64_url: medium
+data/embedded/pem_certificate: low
+data/random/insecure: low
+impact/remote_access/agent: medium
+net/download/fetch: medium
+net/http/accept_encoding: low
+net/http/content_length: medium
+net/http/cookies: medium
+net/http/form_upload: medium
+net/http/post: medium
+net/http/request: low
+net/http/websocket: medium
+net/ip/host_port: medium
+net/socket/send: low
+net/udp/kcp: medium
+net/udp/upnp: medium
+net/url/embedded: low
+net/url/encode: medium
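Review bot: The four new `$not_*` strings (`"test_parse"`, `"/test"`, `"test_message"`, `"unit test"`) match anywhere in the file, so `$ref and none of ($not*)` now lets any sample that embeds one of these generic words suppress a `high` finding; they are identifiers from one vendored test suite, not a property of benign code, and nothing ties them to the `Content-Length:` match they are meant to excuse. A comment naming the target keeps the intent auditable, e.g. `// negatives for http-parser's test.c (vendored by ruby http_parser.rb), which hardcodes Content-Length in fixtures`, and a narrower form keeps the exclusion from being absolute, for example `$ref and (none of ($not*) or #ref > 4)` with the threshold tuned against the test corpus, so a file dense with hardcoded lengths still fires even if it also mentions a test. The rule header and its `meta:` block begin above line 14, outside this hunk.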
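Review bot: `$not_ruby_http = "http://hypnotoad.org:1234?hail=all"` is a single fixture literal from http-parser's test.c used as a file-wide exclusion for `hardcoded_host_port_over_10k`, which is both fragile (if a future vendored copy drops that line the false positive returns) and a free opt-out for anything that includes the exact string; the generic `"test_parse"`/`"/test"`/`"test_message"`/`"unit test"` negatives also repeat the list this commit adds to content-length.yara and http_443.yara. A comment recording the origin, `// http-parser test suite (vendored in ruby http_parser.rb); see tests/c/clean/ruby_http_parser`, documents why these exist, and if the rule set is compiled as one namespace the shared negatives could live in a single private rule referenced from all three conditions instead of being copied — confirm the project's rule-loading setup before relying on cross-file references. The `$h*` positive strings and the rule header are above line 75, outside this hunk.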