From ad56581cc6003cf748352d3d74483226489bdd8e Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Sat, 29 Jun 2024 09:08:20 -0500
Subject: [PATCH 1/3] Avoid datadog-agent DDOS false positive

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 rules/net/ddos.yara | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/net/ddos.yara b/rules/net/ddos.yara
index 4c59a0fe6..85545c9c4 100644
--- a/rules/net/ddos.yara
+++ b/rules/net/ddos.yara
@@ -1,4 +1,3 @@
-
 rule ddos_refs : critical {
 meta:
 description = "Performs DDoS (distributed denial of service) attacks"
@@ -9,6 +8,8 @@ rule ddos_refs : critical {
 $ref = "TSource Engine Query"
 $ref2 = "ackflood" fullword
 $ref3 = "synflood" fullword
+ // datadog-agent tracer-fentry-debug.o
+ $ignore_ref = "defer_accept.synflood_warned.you"
 condition:
- any of them
+ any of ($ref*) and not $ignore_ref
 }

From 98a600cb4c6bf77b7056e06ef1107dbbf03a74d9 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Sat, 29 Jun 2024 14:49:59 -0500
Subject: [PATCH 2/3] Make ignore more generic

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 rules/net/ddos.yara | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/net/ddos.yara b/rules/net/ddos.yara
index 85545c9c4..67a1ffe0b 100644
--- a/rules/net/ddos.yara
+++ b/rules/net/ddos.yara
@@ -9,7 +9,7 @@ rule ddos_refs : critical {
 $ref2 = "ackflood" fullword
 $ref3 = "synflood" fullword
 // datadog-agent tracer-fentry-debug.o
- $ignore_ref = "defer_accept.synflood_warned.you"
+ $ignore_ref = /synflood\_\w+/
 condition:
 any of ($ref*) and not $ignore_ref
 }

From e5488929cbe0b4ebb5e3a1e150f001296da31e32 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Mon, 1 Jul 2024 10:11:27 -0500
Subject: [PATCH 3/3] Revert to exact DataDog reference
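Review bot: The new condition `any of ($ref*) and not $ignore_ref` makes the exclusion file-wide, so any sample containing the literal `defer_accept.synflood_warned.you` is exempted even when `$ref` or `$ref2` also match, although the string only needs to neutralise `$ref3` — presumably the one that fires on the datadog-agent object, since `fullword` treats `.` and `_` as non-alphanumeric delimiters. Narrowing the carve-out keeps the other indicators effective: `any of ($ref, $ref2) or ($ref3 and not $ignore_ref)`. If the false positive is specific to that one object file, pairing the ignore string with a second datadog-specific marker would make the exemption harder to satisfy by accident. The same final condition is reinstated by the hunk in PATCH 3/3 below, so this applies there as well.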
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 rules/net/ddos.yara | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/net/ddos.yara b/rules/net/ddos.yara
index 67a1ffe0b..85545c9c4 100644
--- a/rules/net/ddos.yara
+++ b/rules/net/ddos.yara
@@ -9,7 +9,7 @@ rule ddos_refs : critical {
 $ref2 = "ackflood" fullword
 $ref3 = "synflood" fullword
 // datadog-agent tracer-fentry-debug.o
- $ignore_ref = /synflood\_\w+/
+ $ignore_ref = "defer_accept.synflood_warned.you"
 condition:
 any of ($ref*) and not $ignore_ref
 }
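Review bot: The context comment `// datadog-agent tracer-fentry-debug.o` above the restored `$ignore_ref` names the file but not why the rule fires on it or why an exact literal was preferred over the reverted `/synflood\_\w+/`, so a later reader may treat the string as a generic allowlist entry and widen it again. Spell out the mechanism and the choice, e.g. `// datadog-agent tracer-fentry-debug.o: "synflood" fullword matches inside this symbol ('.' and '_' are word delimiters); keep the exact literal so no other sample is exempted`. Recording that reasoning next to the string is cheaper than rediscovering it across another revert cycle.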