Ignore SIGNATURE_BASE_SUSP_PS1_JAB_Pattern_Jun22_1 rule (#355)
* Ignore SIGNATURE_BASE_SUSP_PS1_JAB_Pattern_Jun22_1 rule

Signed-off-by: egibs <[email protected]>

* make fix

Signed-off-by: egibs <[email protected]>

---------

Signed-off-by: egibs <[email protected]>
egibs authored Jul 11, 2024
1 parent 61eea8b commit 8c46f3d
Showing 1 changed file with 29 additions and 28 deletions.
57 changes: 29 additions & 28 deletions pkg/compile/compile.go
Expand Up @@ -20,55 +20,56 @@ var FS = rules.FS
// badRules are noisy 3rd party rules to silently disable.
var badRules = map[string]bool{
// YARAForge
"GODMODERULES_IDDQD_God_Mode_Rule": true,
"MALPEDIA_Win_Unidentified_107_Auto": true,
"GCTI_Sliver_Implant_32Bit": true,
"GCTI_Sliver_Implant_32Bit": true,
"GODMODERULES_IDDQD_God_Mode_Rule": true,
"MALPEDIA_Win_Unidentified_107_Auto": true,
"SIGNATURE_BASE_SUSP_PS1_JAB_Pattern_Jun22_1": true,
// ThreatHunting Keywords (some duplicates)
"scp_greyware_tool_keyword": true,
"Adobe_XMP_Identifier": true,
"Antivirus_Signature_signature_keyword": true,
"blackcat_ransomware_offensive_tool_keyword": true,
"Dinjector_offensive_tool_keyword": true,
"viperc2_offensive_tool_keyword": true,
"empire_offensive_tool_keyword": true,
"github_greyware_tool_keyword": true,
"wfuzz_offensive_tool_keyword": true,
"nmap_greyware_tool_keyword": true,
"koadic_offensive_tool_keyword": true,
"mythic_offensive_tool_keyword": true,
"netcat_greyware_tool_keyword": true,
"whoami_greyware_tool_keyword": true,
"nmap_greyware_tool_keyword": true,
"portscan_offensive_tool_keyword": true,
"scp_greyware_tool_keyword": true,
"sftp_greyware_tool_keyword": true,
"empire_offensive_tool_keyword": true,
"ssh_greyware_tool_keyword": true,
"wireshark_greyware_tool_keyword": true,
"portscan_offensive_tool_keyword": true,
"usbpcap_offensive_tool_keyword": true,
"koadic_offensive_tool_keyword": true,
"viperc2_offensive_tool_keyword": true,
"vsftpd_greyware_tool_keyword": true,
"blackcat_ransomware_offensive_tool_keyword": true,
"mythic_offensive_tool_keyword": true,
"Adobe_XMP_Identifier": true,
"wfuzz_offensive_tool_keyword": true,
"whoami_greyware_tool_keyword": true,
"wireshark_greyware_tool_keyword": true,
// YARA VT
"Windows_API_Function": true,
"Base64_Encoded_URL": true,
"Windows_API_Function": true,
}

// rulesWithWarnings determines what to do with rules that have known warnings: true=keep, false=disable.
var rulesWithWarnings = map[string]bool{
"opaque_binary": true,
"hardcoded_ip": true,
"str_replace_obfuscation": true,
"rot13_str_replace": true,
"base64_str_replace": true,
"DynastyPersist_offensive_tool_keyword": false,
"gzinflate_str_replace": true,
"php_str_replace_obfuscation": true,
"hardcoded_ip_port": true,
"base64_str_replace": true,
"systemd_no_comments_or_documentation": true,
"sleep_and_background": true,
"hardcoded_ip": true,
"Microsoft_Excel_with_Macrosheet": true,
"nmap_offensive_tool_keyword": false,
"opaque_binary": true,
"PDF_with_Embedded_RTF_OLE_Newlines": true,
"Powershell_Case": true,
"php_short_concat": true,
"php_short_concat_multiple": true,
"php_short_concat": true,
"php_str_replace_obfuscation": true,
"Powershell_Case": true,
"RDPassSpray_offensive_tool_keyword": false,
"nmap_offensive_tool_keyword": false,
"DynastyPersist_offensive_tool_keyword": false,
"rot13_str_replace": true,
"sleep_and_background": true,
"str_replace_obfuscation": true,
"systemd_no_comments_or_documentation": true,
}

func Recursive(ctx context.Context, fss []fs.FS) (*yara.Rules, error) {
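Review bot: The new `"SIGNATURE_BASE_SUSP_PS1_JAB_Pattern_Jun22_1": true,` entry in `badRules` carries no rationale, and because the map's stated effect is to silently disable a rule, nobody reading this later can tell whether the suppression is still justified or what detection coverage it costs. A trailing comment on the line, e.g. `"SIGNATURE_BASE_SUSP_PS1_JAB_Pattern_Jun22_1": true, // disabled: <reason, e.g. false-positive source — PLACEHOLDER>`, would keep that decision auditable, and the same would help the other unexplained entries. The `// ThreatHunting Keywords (some duplicates)` comment is also ambiguous now that the entries are sorted; if "duplicates" means rules that overlap with another rule source, saying so explicitly would be clearer. Since disabling is silent, it may be worth emitting the suppressed rule names at debug level where `badRules` is consulted, which is outside this hunk; the hunk ends at the `Recursive` signature and its body is not shown.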
