diff --git a/rules/kernel/acct.yara b/rules/kernel/acct.yara
index af59a5b5f..a4deac70e 100644
--- a/rules/kernel/acct.yara
+++ b/rules/kernel/acct.yara
@@ -5,6 +5,9 @@ rule acct {
 description = "switch process accounting on or off"
 strings:
 $ref = "acct" fullword
+
+ // from /etc/services
+ $not_radius = "radius-acct" fullword
 condition:
 any of them
 }
\ No newline at end of file
diff --git a/rules/net/socks5.yara b/rules/net/socks5.yara
index 87cf2267c..2fccf890d 100644
--- a/rules/net/socks5.yara
+++ b/rules/net/socks5.yara
@@ -5,13 +5,15 @@ rule socks5 : notable {
 strings:
 $ref = ".Socks5"
 $ref2 = "SOCKS5"
- $p_connect = "CONNECT %s"
- $p_socksproxy = "socksproxy"
- $p_socks_proxy = "socks proxy"
- $p_socksv5 = "SOCKSv5"
- $p_socks_percent = "SOCKS %"
- $p_socks5 = "socks5" fullword
- $go_socks5 = "go-socks5"
+ $rp_connect = "CONNECT %s"
+ $rp_socksproxy = "socksproxy"
+ $rp_socks_proxy = "socks proxy"
+ $rp_socksv5 = "SOCKSv5"
+ $rp_socks_percent = "SOCKS %"
+ $rp_socks5 = "socks5" fullword
+ $rgo_socks5 = "go-socks5"
+
+ $not_etc_services = "Registered Ports are not controlled by the IANA"
 condition:
- any of them
+ any of ($r*) and none of ($not*)
 }
\ No newline at end of file
diff --git a/rules/procfs/self-cgroup.yara b/rules/procfs/self-cgroup.yara
index 372a96a94..08ccd3e72 100644
--- a/rules/procfs/self-cgroup.yara
+++ b/rules/procfs/self-cgroup.yara
@@ -3,7 +3,7 @@ rule pid_self_cgroup : notable {
 meta:
 description = "accesses /proc files within own cgroup"
 strings:
- $val = /\/proc\/self\/cgroup[\w\/\-]{0,32}/
+ $val = /\/proc\/self\/cgroup[a-z\/\-]{0,32}/
 condition:
 any of them
 }
diff --git a/rules/ref/path/dev-shm.yara b/rules/ref/path/dev-shm.yara
index 37bcad6fa..c037b2e1e 100644
--- a/rules/ref/path/dev-shm.yara
+++ b/rules/ref/path/dev-shm.yara
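Review bot: The new `$not_radius` string is written as an exclusion (the comment says it comes from /etc/services), but the condition is left at `any of them`, so it becomes a second positive indicator: a file that contains only `radius-acct` now matches this rule, the opposite of what was intended. The socks5 and nmap hunks in this same commit use the negated form; the condition here should read `$ref and none of ($not*)`. The rule header and `meta:` section lie outside the hunk.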
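Review bot: `$not_etc_services` is a verbatim sentence from one /etc/services header but, unlike the `$not_*` strings in the acct and nmap hunks, carries no comment saying where it came from or why that phrase was chosen; a line such as `// header comment found in /etc/services; suppresses the whole rule` would record that. Because `none of ($not*)` gates every positive indicator, any file that embeds that sentence (a program that bundles a services table, for instance) is fully suppressed no matter how many `$r*` strings hit, which is a trade-off worth stating in the rule; the same applies to `$not_please` in the nmap hunk. Renaming `$p_*` and `$go_*` to `$rp_*` and `$rgo_*` solely so they fit the `$r*` wildcard also means every future positive string must keep that prefix, and `$ref`/`$ref2` already satisfy it by accident of name. The rule header and `meta:` section are outside the hunk.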
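Review bot: Narrowing the trailing class from `[\w\/\-]` to `[a-z\/\-]` does not change which files this rule fires on, because `{0,32}` allows an empty suffix and the bare `/proc/self/cgroup` still matches; it only shortens the reported match when the path continues with digits, uppercase letters or underscores. If the intent was to reject such continuations, the pattern would need to require at least one character or use a separate negated string; if it was cosmetic, a comment like `// trailing class only affects the reported match, not detection` would stop the next reader from taking it as a tightening. The same observation holds for the `[\w\/\.]{0,24}` prefixes introduced in the locked-files hunk, which match exactly the files the former plain strings did while paying for a regex instead of a literal string. The rule header is outside the hunk.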
@@ -1,8 +1,18 @@
-rule dev_shm : suspiciuos {
+rule dev_shm {
 meta:
- description = "path reference within /dev/shm (world writeable)"
+ description = "references /dev/shm (world writeable)"
+ strings:
+ $ref = /\/dev\/shm\/[\%\w\-\/\.]{0,64}/
+ condition:
+ any of them
+}
+
+rule dev_shm_file : suspicious {
+ meta:
+ description = "reference file within /dev/shm (world writeable)"
 strings:
- $ref = /\/dev\/shm\/[%\w\.\-\/]{0,64}/
+ // at least two characters to decrease false-positive rate
+ $ref = /\/dev\/shm\/[\%\w\.]{2,64}/
 condition:
 any of them
 }
@@ -11,17 +21,16 @@ rule dev_shm_sh : critical {
 meta:
 description = "References shell script within /dev/shm (world writeable)"
 strings:
- $ref = /\/dev\/shm\/[%\w\.\-\/]{0,64}\.sh/
+ $ref = /\/dev\/shm\/[%\w\.\-\/]{0,64}\.sh/
 condition:
 any of them
 }
-
 
 rule dev_shm_hidden : critical {
 meta:
 description = "path reference within /dev/shm (world writeable)"
 strings:
- $dev_shm = /\/dev\/shm\/\.[%\w\.\-\/]{0,64}/
+ $dev_shm = /\/dev\/shm\/\.[%\w\.\-\/]{0,64}/
 condition:
 any of them
 }
\ No newline at end of file
diff --git a/rules/ref/program/nmap.yara b/rules/ref/program/nmap.yara
index d996105f2..0b7d91100 100644
--- a/rules/ref/program/nmap.yara
+++ b/rules/ref/program/nmap.yara
@@ -1,6 +1,9 @@
 rule nmap : notable {
 strings:
 $ref = "nmap" fullword
+ // referenced by some /etc/protocols files
+ // example: https://github.com/SerenityOS/serenity/blob/416eb74fa5269d69eefc6baddfb1966c4da2a1e8/Base/etc/protocols#L7
+ $not_please = "please install the nmap package"
 condition:
- $ref
+ $ref and none of ($not*)
 }
\ No newline at end of file
diff --git a/rules/ref/words/locked-files.yara b/rules/ref/words/locked-files.yara
index ac4eb0b77..9b3827b4c 100644
--- a/rules/ref/words/locked-files.yara
+++ b/rules/ref/words/locked-files.yara
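Review bot: The new `dev_shm_file` class `[\%\w\.]{2,64}` drops `-` and `/`, so a name whose first character is followed by a hyphen (`/dev/shm/a-b` yields only `a` before the class stops) falls short of the two-character minimum and is left to the untagged `dev_shm` rule, while a nested path like `/dev/shm/dir/file` only contributes `dir`; the comment above the string should say so, e.g. `// names containing '-' or '/' are covered by dev_shm and dev_shm_sh`. The two new patterns escape the percent sign as `\%`, whereas `dev_shm_sh` and `dev_shm_hidden` in the same file keep the old unescaped `%`; one form should be used throughout, and the unescaped one is already known to compile. Dropping the misspelled `suspiciuos` tag from `dev_shm` and introducing `suspicious` on `dev_shm_file` changes which rule carries the severity, which is worth a line in the commit description.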
@@ -1,9 +1,17 @@
-rule lockedFiles : suspicious {
+rule lockedFiles : notable {
 meta:
 description = "References 'locked files'"
 strings:
- $ref = "lockedFiles"
- $ref2 = "lockedFileNames"
+ $ref = /[\w\/\.]{0,24}lockedFiles/
+ condition:
+ any of them
+}
+
+rule lockedFileNames : notable {
+ meta:
+ description = "References 'locked file names'"
+ strings:
+ $ref2 = /[\w\/\.]{0,24}lockedFileNames/
 condition:
 any of them
 }
\ No newline at end of file