rule tuning

chainguard-dev · Dec 17, 2024 · 92dee88 · 92dee88
1 parent a1c8fbc
commit 92dee88
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 22 deletions.
diff --git a/rules/false_positives/trino_upx.yara b/rules/false_positives/trino_upx.yara
@@ -1,20 +1,21 @@
 rule trino_upx_override: override {
   meta:
-    description            = "https://trino.io/ - UPX encrypted and crazy"
-	upx = "medium"
-	high_entropy_header = "medium"
-	normal_elf_high_entropy_7_4 = "medium"
-	obfuscated_elf = "medium"
+    description                 = "https://trino.io/ - UPX encrypted and crazy"
+    upx                         = "medium"
+    high_entropy_header         = "medium"
+    normal_elf_high_entropy_7_4 = "medium"
+    obfuscated_elf              = "medium"
 
   strings:
-	$ = "Go buildinf"
-	$ = "p\tgiNub.com/fdih/"
-	$ = "kTixuOsFBOtGYSTLRLWK6G"
-	$ = "wnwmwkwbqc"
-	$ = "zYna%i%qj%"
-	$ = "kUNKNOWN:$"
-	$ = "q\tcCuXMaxlebo"
-	$ = "lmRnTEOIt"
+    $ = "Go buildinf"
+    $ = "p\tgiNub.com/fdih/"
+    $ = "kTixuOsFBOtGYSTLRLWK6G"
+    $ = "wnwmwkwbqc"
+    $ = "zYna%i%qj%"
+    $ = "kUNKNOWN:$"
+    $ = "q\tcCuXMaxlebo"
+    $ = "lmRnTEOIt"
+
   condition:
-    filesize > 1MB and filesize < 3MB and 85% of them
+    filesize > 1MB and filesize < 3MB and 85 % of them
 }
diff --git a/rules/malware/family/beurk.yara b/rules/malware/family/beurk.yara
@@ -23,12 +23,13 @@ rule beurk_xor: critical linux {
     ref       = "https://github.com/unix-thrust/beurk"
 
   strings:
-    $x_BEURK = "BEURK" xor(1-31) fullword
-    $x_BEURK2 = "BEURK" xor(33-255) fullword
-    $x_b3urkR0cks = "b3urkR0cks" xor(1-31)
+    $x_BEURK       = "BEURK" xor(1-31) fullword
+    $x_BEURK2      = "BEURK" xor(33-255) fullword
+    $x_b3urkR0cks  = "b3urkR0cks" xor(1-31)
     $x_b3urkR0cks2 = "b3urkR0cks" xor(33-255)
 
     $dlsym = "dlsym" fullword
+
   condition:
     filesize < 2MB and $dlsym and any of ($x*)
 }

diff --git a/rules/persist/shell/bash.yara b/rules/persist/shell/bash.yara
@@ -26,10 +26,10 @@ rule bash_persist_persistent: high {
     $ref3 = ".profile"
     $ref4 = ".bashrc"
 
-    $not_bash = "POSIXLY_CORRECT"
-    $not_csh  = ".cshrc"
-    $not_tcsh = "tcsh" fullword
-	$not_tcshrc = ".tcshrc"
+    $not_bash   = "POSIXLY_CORRECT"
+    $not_csh    = ".cshrc"
+    $not_tcsh   = "tcsh" fullword
+    $not_tcshrc = ".tcshrc"
 
   condition:
     3 of them and none of ($not*)
@@ -58,7 +58,7 @@ rule bash_logout_persist: high {
     $not_comment = "# ~/.bash_logout"
     $not_clear   = "/usr/bin/clear_console"
     $not_csh     = ".cshrc"
-	$not_tcshrc = ".tcshrc"
+    $not_tcshrc  = ".tcshrc"
 
   condition:
     filesize < 2097152 and any of ($ref*) and none of ($not*)