Resolve datadog-agent DDOS false positive #299
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: egibs <[email protected]>
egibs
changed the title
egibs
commented
Jun 29, 2024
| @@ -9,6 +8,8 @@ rule ddos_refs : critical { | |||
| $ref = "TSource Engine Query" | |||
| $ref2 = "ackflood" fullword | |||
| $ref3 = "synflood" fullword | |||
| // datadog-agent tracer-fentry-debug.o | |||
| $ignore_ref = "defer_accept.synflood_warned.you" | |||
There was a problem hiding this comment.
@tstromberg -- is this good as-is or should it be more generic?
There was a problem hiding this comment.
More generic proposal added in 98a600c (#299).
Signed-off-by: egibs <[email protected]>
tstromberg
reviewed
Jul 1, 2024
rules/net/ddos.yara
Outdated
| @@ -9,6 +8,8 @@ rule ddos_refs : critical { | |||
| $ref = "TSource Engine Query" | |||
| $ref2 = "ackflood" fullword | |||
| $ref3 = "synflood" fullword | |||
| // datadog-agent tracer-fentry-debug.o | |||
| $ignore_ref = /synflood\_\w+/ | |||
There was a problem hiding this comment.
IMHO, this is too generic of an ignore, and will result in missing hits. Can you find something more specific to datadog-agent - maybe the exact phrase used for synflood_xxx?
Also, please use {0,256} instead of +, as unbounded matches have severe performance impacts in YARA.
There was a problem hiding this comment.
Will do -- I'll go back and limit any other unbounded changes in the other open PRs as well.
tstromberg
approved these changes
Jul 1, 2024
9 tasks
egibs
added a commit
to egibs/malcontent
that referenced
this pull request
Aug 5, 2024
* Avoid datadog-agent DDOS false positive Signed-off-by: egibs <[email protected]> * Make ignore more generic Signed-off-by: egibs <[email protected]> * Revert to exact DataDog reference Signed-off-by: egibs <[email protected]> --------- Signed-off-by: egibs <[email protected]>
egibs
added a commit
to egibs/malcontent
that referenced
this pull request
Sep 25, 2024
* Avoid datadog-agent DDOS false positive Signed-off-by: egibs <[email protected]> * Make ignore more generic Signed-off-by: egibs <[email protected]> * Revert to exact DataDog reference Signed-off-by: egibs <[email protected]> --------- Signed-off-by: egibs <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes: #289
The original
net/ddosrule was only matching thesynfloodfullwordwhich results in a false positive when scanning thetracer-fentry-debug.ofile indatadog-agentbecause it's a substring match ofdefer_accept.synflood_warned.youThis PR should resolve the false positive.
How I approached this: