Rule improvements based on temporal analysis

rules/kernel/acct.yara

@@ -5,6 +5,9 @@ rule acct {
 		description = "switch process accounting on or off"
 	strings:
 		$ref = "acct" fullword
+
+		// from /etc/services
+		$not_radius = "radius-acct" fullword
 	condition:
 		any of them
 }

rules/net/socks5.yara

@@ -5,13 +5,15 @@ rule socks5 : notable {
 	strings:
 		$ref = ".Socks5"
 		$ref2 = "SOCKS5"
-	    $p_connect = "CONNECT %s"
-		$p_socksproxy = "socksproxy"
-		$p_socks_proxy = "socks proxy"
-		$p_socksv5 = "SOCKSv5"
-		$p_socks_percent = "SOCKS %"
-		$p_socks5 = "socks5" fullword
-		$go_socks5 = "go-socks5"
+	    $rp_connect = "CONNECT %s"
+		$rp_socksproxy = "socksproxy"
+		$rp_socks_proxy = "socks proxy"
+		$rp_socksv5 = "SOCKSv5"
+		$rp_socks_percent = "SOCKS %"
+		$rp_socks5 = "socks5" fullword
+		$rgo_socks5 = "go-socks5"
+
+		$not_etc_services = "Registered Ports are not controlled by the IANA"
 	condition:
-		any of them
+		any of ($r*) and none of ($not*)
 }

rules/procfs/self-cgroup.yara

@@ -3,7 +3,7 @@ rule pid_self_cgroup : notable {
 	meta:
 		description = "accesses /proc files within own cgroup"
 	strings:
-		$val = /\/proc\/self\/cgroup[\w\/\-]{0,32}/
+		$val = /\/proc\/self\/cgroup[a-z\/\-]{0,32}/
 	condition:
 		any of them
 }

rules/ref/path/dev-shm.yara

@@ -1,8 +1,18 @@
-rule dev_shm : suspiciuos {
+rule dev_shm {
 	meta:
-		description = "path reference within /dev/shm (world writeable)"
+		description = "references /dev/shm (world writeable)"
+	strings:
+		$ref = /\/dev\/shm\/[\%\w\-\/\.]{0,64}/
+	condition:
+		any of them
+}
+
+rule dev_shm_file : suspicious {
+	meta:
+		description = "reference file within /dev/shm (world writeable)"
 	strings:
-		$ref = /\/dev\/shm\/[%\w\.\-\/]{0,64}/ 
+		// at least two characters to decrease false-positive rate
+		$ref = /\/dev\/shm\/[\%\w\.]{2,64}/
 	condition:
 		any of them
 }
@@ -11,17 +21,16 @@ rule dev_shm_sh : critical {
 	meta:
 		description = "References shell script within /dev/shm (world writeable)"
 	strings:
-		$ref = /\/dev\/shm\/[%\w\.\-\/]{0,64}\.sh/ 
+		$ref = /\/dev\/shm\/[%\w\.\-\/]{0,64}\.sh/
 	condition:
 		any of them
 }
 
-
 rule dev_shm_hidden : critical {
 	meta:
 		description = "path reference within /dev/shm (world writeable)"
 	strings:
-		$dev_shm = /\/dev\/shm\/\.[%\w\.\-\/]{0,64}/ 
+		$dev_shm = /\/dev\/shm\/\.[%\w\.\-\/]{0,64}/
 	condition:
 		any of them
 }

rules/ref/program/nmap.yara

@@ -1,6 +1,9 @@
 rule nmap : notable {
   strings:
 	$ref = "nmap" fullword
+	// referenced by some /etc/protocols files
+	// example: https://github.com/SerenityOS/serenity/blob/416eb74fa5269d69eefc6baddfb1966c4da2a1e8/Base/etc/protocols#L7
+	$not_please = "please install the nmap package"
   condition:
-	$ref
+	$ref and none of ($not*)
 }

rules/ref/words/locked-files.yara

@@ -1,9 +1,17 @@
-rule lockedFiles : suspicious {
+rule lockedFiles : notable {
 	meta:
 		description = "References 'locked files'"
 	strings:
-		$ref = "lockedFiles"
-		$ref2 = "lockedFileNames"
+		$ref = /[\w\/\.]{0,24}lockedFiles/
+	condition:
+		any of them
+}
+
+rule lockedFileNames : notable {
+	meta:
+		description = "References 'locked file names'"
+	strings:
+		$ref2 = /[\w\/\.]{0,24}lockedFileNames/
 	condition:
 		any of them
 }