New false positive rules (#502)

chainguard-dev · Oct 8, 2024 · aba2f82 · aba2f82
1 parent 4b04854
commit aba2f82
Show file tree

Hide file tree

Showing 54 changed files with 1,653 additions and 226 deletions.
diff --git a/pkg/action/scan.go b/pkg/action/scan.go
@@ -211,7 +211,7 @@ func cachedRules(ctx context.Context, fss []fs.FS) (*yara.Rules, error) {
 
 // recursiveScan recursively YARA scans the configured paths - handling archives and OCI images.
 //
-//nolint:gocognit // ignoring complexity of 101 > 98
+//nolint:gocognit,cyclop // ignoring complexity of 101,38
 func recursiveScan(ctx context.Context, c malcontent.Config) (*malcontent.Report, error) {
 	logger := clog.FromContext(ctx)
 	logger.Debug("recursive scan", slog.Any("config", c))
@@ -225,7 +225,9 @@ func recursiveScan(ctx context.Context, c malcontent.Config) (*malcontent.Report
 	var scanPathFindings sync.Map
 
 	for _, scanPath := range c.ScanPaths {
-		c.Renderer.Scanning(ctx, scanPath)
+		if c.Renderer != nil {
+			c.Renderer.Scanning(ctx, scanPath)
+		}
 		logger.Debug("recursive scan", slog.Any("scanPath", scanPath))
 		imageURI := ""
 		ociExtractPath := ""

diff --git a/pkg/compile/compile.go b/pkg/compile/compile.go
@@ -59,6 +59,9 @@ var badRules = map[string]bool{
 	"Windows_API_Function": true,
 	// TTC-CERT
 	"cve_202230190_html_payload": true,
+	// JPCERT
+	"malware_PlugX_config":   true,
+	"malware_shellcode_hash": true,
 }
 
 // rulesWithWarnings determines what to do with rules that have known warnings: true=keep, false=disable.

diff --git a/pkg/report/report.go b/pkg/report/report.go
@@ -652,6 +652,9 @@ func handleOverrides(original, override []*malcontent.Behavior) []*malcontent.Be
 		if b, exists := behaviorMap[o.Override]; exists {
 			b.RiskLevel = o.RiskLevel
 			b.RiskScore = o.RiskScore
+
+			// Delete the override rule from the behavior map
+			delete(behaviorMap, o.RuleName)
 		}
 	}
 

diff --git a/rules/combo/dropper/shell.yara b/rules/combo/dropper/shell.yara
@@ -40,7 +40,7 @@ rule curl_chmod_relative_run_tiny : critical {
     filesize < 6KB and all of them
 }
 
-rule curl_tor_chmod_relative_run : critical {
+rule curl_tor_chmod_relative_run : high {
   meta:
     description = "change dir, fetch file via tor, make it executable, and run it"
     hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588"
@@ -55,8 +55,10 @@ rule curl_tor_chmod_relative_run : critical {
     $curl = /curl [\-\w \$\@\{\w\/\.\:]{0,96}/
     $chmod = /chmod [\+\-\w \$\@\{\w\/\.]{0,64}/
     $dot_slash = /\.\/[a-z]{1,2}[a-z\.\/\- ]{0,32}/ fullword
+
+  $not_go = "listen.onionndots"
   condition:
-     any of ($tor*) and $cd and $curl and $chmod and $dot_slash
+     any of ($tor*) and $cd and $curl and $chmod and $dot_slash and filesize < 1MB and none of ($not*)
 }
 
 
@@ -167,4 +169,4 @@ rule obsessive_dropper : critical {
 		$cmd_chmod = "chmod" fullword
 	condition:
 		filesize < 768 and any of ($http*) and 2 of ($tool*) and any of ($cmd*)
-}
+}
diff --git a/rules/false_positives/datadog.yara b/rules/false_positives/datadog.yara
@@ -0,0 +1,11 @@
+rule ddtrace_rules_json : override {
+  meta:
+    description = "appsec/rules.json"
+    linux_multi_persist = "medium"
+  strings:
+    $datadog = /[Dd]atadog/
+    $datadog_generic = /[Dd]atadog \w{0,32}/
+    $datadog_test_scanner = "Datadog test scanner"
+  condition:
+    all of them
+}
diff --git a/rules/false_positives/k8s_dashboard.yara b/rules/false_positives/k8s_dashboard.yara
@@ -0,0 +1,15 @@
+rule mode_php_js : override {
+  meta:
+    description = "mode-php.js, mode-php_laravel_blade.js"
+    php_executor = "high"
+  strings:
+    $ace_define = "ace.define"
+    $ace_lib = "ace/lib"
+    $ace_mode = "ace/mode"
+    $ace_require = "ace.require"
+    $mode_php_laravel_blade = "ace/mode/php_laravel_blade"
+    $php_worker = "ace/mode/php_worker"
+    $php_worker2 = "PhpWorker"
+  condition:
+    6 of them
+}
diff --git a/rules/false_positives/nvim.yara b/rules/false_positives/nvim.yara
@@ -0,0 +1,10 @@
+rule nvim_binary : override {
+  meta:
+    description = "nvim"
+    linux_multi_persist = "medium"
+  strings:
+    $nvim_generic = /nvim_\w{0,32}/
+    $nvim_path = "/home/build/src/nvim"
+  condition:
+    all of them
+}
diff --git a/rules/false_positives/rancher.yara b/rules/false_positives/rancher.yara
@@ -0,0 +1,13 @@
+rule pull_scripts : override {
+  meta:
+    curl_chmod_relative_run_tiny = "medium"
+    description = "pull-scripts"
+  strings:
+    $binary = "BINARY_NAME=\"charts-build-scripts_${OS}_${ARCH}.exe\""
+    $chmod = "chmod +x ./bin/charts-build-scripts"
+    $echo1 = "echo \"Downloading charts-build-scripts version ${CHARTS_BUILD_SCRIPTS_REPO}@${CHARTS_BUILD_SCRIPT_VERSION}\""
+    $echo2 = "echo \"${BINARY_NAME} => ./bin/charts-build-scripts\""
+    $version_cmd = "./bin/charts-build-scripts --version"
+  condition:
+    all of them
+}
diff --git a/rules/false_positives/tensorflow_model_analysis.yara b/rules/false_positives/tensorflow_model_analysis.yara
@@ -0,0 +1,13 @@
+rule tfjs_predict_extractor_util : override {
+  meta:
+    description = "tfjs_predict_extractor_util.py"
+    py_dropper_chmod = "medium"
+  strings:
+    $copyright_google = "# Copyright 2019 Google LLC"
+    $subprocess_chmod = "subprocess.check_call(['chmod', '+x', path])"
+    $tfjs_predict_extractor = "Utilities for tfjs_predict_extractor."
+    $tfjs_url_linux = "http://storage.googleapis.com/tfjs-inference/tfjs-inference-linux"
+    $tfjs_url_macos = "http://storage.googleapis.com/tfjs-inference/tfjs-inference-macos"
+  condition:
+    all of them
+}
diff --git a/rules/false_positives/trivy.yara b/rules/false_positives/trivy.yara
@@ -0,0 +1,11 @@
+rule trivy_binary : override {
+  meta:
+    curl_tor_chmod_relative_run = "medium"
+    description = "trivy"
+  strings:
+    $aqua_security_trivy = "aquasecurity:trivy"
+    $trivy_install = "# curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh"
+    $trivy_repo = "github.com/aquasecurity/trivy"
+  condition:
+    all of them
+}
diff --git a/rules/false_positives/vitess.yara b/rules/false_positives/vitess.yara
@@ -0,0 +1,12 @@
+rule vitess : override {
+  meta:
+    linux_multi_persist = "medium"
+    description = "vitess"
+  strings:
+    $issue = "This error should not happen and is a bug. Please file an issue on GitHub: https://github.com/vitessio/vitess/issues/new/choose"
+    $vitess = "vitess"
+    $vitess_io = "vitess.io"
+    $vitess_repo = "https://github.com/vitessio"
+  condition:
+    all of them
+}
diff --git a/test_data/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple b/test_data/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple
@@ -20,12 +20,12 @@ env/LANG
 env/TEMP
 env/USER
 evasion/base64/decode
-evasion/int_to_char
 evasion/unusual_include
 exec/cmd
 exec/program
 exec/program/background
 exec/shell_command
+false_positives/k8s_dashboard
 fd/read
 fs/directory/create
 fs/directory/remove

diff --git a/test_data/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple b/test_data/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple
@@ -19,7 +19,6 @@ env/HOME
 env/TEMP
 env/USER
 evasion/base64/decode
-evasion/int_to_char
 evasion/unusual_include
 exec/cmd
 exec/program

diff --git a/test_data/javascript/clean/mode-php.js.simple b/test_data/javascript/clean/mode-php.js.simple
@@ -0,0 +1,65 @@
+# javascript/clean/mode-php.js
+combo/backdoor/php
+combo/net/tunnel_proxy
+compression/bzip2
+compression/gzip
+databases/mysql
+databases/sqlite
+encoding/base64
+encoding/reverse
+env/USER
+evasion/base64/decode
+exec/program
+exec/program/background
+exec/shell_command
+fs/directory/create
+fs/directory/remove
+fs/fifo/create
+fs/file/delete
+fs/file/delete/forcibly
+fs/file/truncate
+fs/link/read
+fs/lock/update
+fs/node/create
+fs/permission/modify
+fs/symlink/resolve
+fs/watch
+hash/md5
+kernel/acct
+kernel/hostname/get
+kernel/platform
+net/fetch
+net/hostname/resolve
+net/hostport/parse
+net/http/cookies
+net/http/form/upload
+net/http/post
+net/ip/parse
+net/ip/resolve
+net/ip/string
+net/socket/connect
+net/socket/listen
+net/socket/local/address
+net/socket/peer/address
+net/socket/receive
+net/socket/send
+net/upload
+net/url/encode
+process/chroot
+process/effective/groupid/get
+process/groupid/set
+process/parent_pid/get
+process/userid/set
+process/username/get
+random/insecure
+ref/daemon
+ref/ip_port
+ref/path/etc
+ref/path/hidden
+ref/site/url
+ref/words/agent
+ref/words/password
+ref/words/plugin
+ref/words/spoof
+secrets/private_key
+tty/pathname
diff --git a/test_data/javascript/clean/mode-php_laravel_blade.js.simple b/test_data/javascript/clean/mode-php_laravel_blade.js.simple
@@ -0,0 +1,65 @@
+# javascript/clean/mode-php_laravel_blade.js
+combo/backdoor/php
+combo/net/tunnel_proxy
+compression/bzip2
+compression/gzip
+databases/mysql
+databases/sqlite
+encoding/base64
+encoding/reverse
+env/USER
+evasion/base64/decode
+exec/program
+exec/program/background
+exec/shell_command
+fs/directory/create
+fs/directory/remove
+fs/fifo/create
+fs/file/delete
+fs/file/delete/forcibly
+fs/file/truncate
+fs/link/read
+fs/lock/update
+fs/node/create
+fs/permission/modify
+fs/symlink/resolve
+fs/watch
+hash/md5
+kernel/acct
+kernel/hostname/get
+kernel/platform
+net/fetch
+net/hostname/resolve
+net/hostport/parse
+net/http/cookies
+net/http/form/upload
+net/http/post
+net/ip/parse
+net/ip/resolve
+net/ip/string
+net/socket/connect
+net/socket/listen
+net/socket/local/address
+net/socket/peer/address
+net/socket/receive
+net/socket/send
+net/upload
+net/url/encode
+process/chroot
+process/effective/groupid/get
+process/groupid/set
+process/parent_pid/get
+process/userid/set
+process/username/get
+random/insecure
+ref/daemon
+ref/ip_port
+ref/path/etc
+ref/path/hidden
+ref/site/url
+ref/words/agent
+ref/words/password
+ref/words/plugin
+ref/words/spoof
+secrets/private_key
+tty/pathname
diff --git a/test_data/javascript/clean/napi_rs_runtime.js.simple b/test_data/javascript/clean/napi_rs_runtime.js.simple
@@ -4,7 +4,6 @@ data/embedded/base64/url
 encoding/base64
 encoding/json/decode
 encoding/json/encode
-evasion/int_to_char
 fd/write
 fs/directory/create
 fs/directory/list

diff --git a/test_data/javascript/clean/securityDashboards.plugin.js.simple b/test_data/javascript/clean/securityDashboards.plugin.js.simple
@@ -10,7 +10,6 @@ databases/mysql
 encoding/base64
 encoding/json/decode
 encoding/json/encode
-evasion/int_to_char
 evasion/xor/commands
 fs/link/create
 fs/lock/update

diff --git a/test_data/linux/2022.Symbiote/kerneldev.so.bkp.simple b/test_data/linux/2022.Symbiote/kerneldev.so.bkp.simple
@@ -1,6 +1,5 @@
 # linux/2022.Symbiote/kerneldev.so.bkp
 3P/threat_hunting/keylogger
-combo/stealer/pam
 dylib/symbol/address
 evasion/process/hide
 fs/link/read

diff --git a/test_data/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple b/test_data/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
@@ -2,7 +2,6 @@
 3P/elastic/threat
 combo/backdoor/kill_rm
 combo/botnet/systemctl
-combo/dropper/binary
 combo/dropper/shell
 combo/stealer/linux_server
 combo/stealer/ssh

diff --git a/...024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple b/...024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
@@ -1,7 +1,6 @@
 # linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72
 3P/elastic/threat
 3P/threat_hunting/xmrig
-combo/stealer/pam
 compression/gzip
 crypto/aes
 crypto/ecdsa

diff --git a/test_data/linux/clean/appsec-rules.json.simple b/test_data/linux/clean/appsec-rules.json.simple
@@ -15,7 +15,6 @@ databases/sqlite
 device/hardware/enumeration
 encoding/base64
 evasion/base64/decode
-evasion/int_to_char
 exec/shell_command
 fs/fifo/create
 fs/file/times/set

diff --git a/test_data/linux/clean/chezmoi.simple b/test_data/linux/clean/chezmoi.simple
@@ -41,7 +41,6 @@ env/TMPDIR
 env/USER
 env/get
 evasion/content/length/0
-evasion/int_to_char
 evasion/xor/commands
 exec/cmd
 exec/program