Update to latest YARA Forge release (2024-04-07) #106
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
One of the most common sources of diffs we are seeing comparing the filesystems of APKs is when there is an ABI change, but not an actual capability change. This shows up as a potentially noisy Deleted / Added with the full capability listing. This change adds a post-pass to the reporting computation that walks the Added/Deleted file lists, and if two paths are a >90% match, then we treat them as a "move" and combine their reports in a similar fashion to modifications. This also incorporates the notion of moves into the report and adjusts some of the rendering to surface these as moves with the similarity score (so we can tune this). Signed-off-by: Matt Moore <[email protected]>
I think the test was wrong, because I see the combo/backdoor/py_setuptools when I run this: ``` ➜ bincapz git:(fix-tests) ✗ go run . third_party/yara-rules-full.yar testdata/Python/valyrian_debug_setup.py | grep combo/backdoor 3/HIGH combo/backdoor/py_setuptools python library installer that executes external commands: "os.system( setup( setuptools" ``` And the other one seems like it does indeed just print `.` instead of the full path: ``` ➜ bincapz git:(fix-tests) ✗ go run . -diff testdata/macOS/libffmpeg.dirty.dylib testdata/macOS/libffmpeg.dylib Changed: . Previous Risk: 🚨 4/CRITICAL New Risk: ✅ 2/MEDIUM ``` Signed-off-by: Ville Aikas <[email protected]>
Signed-off-by: Ville Aikas <[email protected]>
…v#97. Signed-off-by: Ville Aikas <[email protected]>
* add boilerplates and ci jobs for lint * install deps * install deps * fix lints
Bumps [golang.org/x/term](https://github.com/golang/term) from 0.18.0 to 0.19.0. - [Commits](golang/term@v0.18.0...v0.19.0) --- updated-dependencies: - dependency-name: golang.org/x/term dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Move to clog, plumb context through as necessary. Signed-off-by: Ville Aikas <[email protected]> * fix lint. Signed-off-by: Ville Aikas <[email protected]> --------- Signed-off-by: Ville Aikas <[email protected]>
|
there is some lint errors, can you take a look @tstromberg ? |
|
It seems to be part of some This linter won't work well with third party code. I'll see if there is a way to turn it off for the third-party directory. |
|
I think we can add the |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As per the new makefile rule in #105
Contrary to the huge diff, there are only a few new rule additions:
+BINARYALERT_Hacktool_Windows_Cobaltstrike_Artifact_Exe
+ELASTIC_Linux_Exploit_Log4J_7Fc4D480
+ELASTIC_Linux_Trojan_Merlin_55Beddd3
+ELASTIC_Linux_Trojan_Xzbackdoor_74E87A9D
+RUSSIANPANDA_Win_Mal_Koi_Loader
+RUSSIANPANDA_Win_Mal_Koi_Loader_Decrypted
+RUSSIANPANDA_Win_Mal_Koistealer_PS