Add Florian Roth's rules #304
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: egibs <[email protected]>
|
The |
Signed-off-by: egibs <[email protected]>
egibs
commented
Jun 29, 2024
| @@ -58,6 +58,8 @@ func findFilesRecursively(ctx context.Context, root string, c Config) ([]string, | |||
|
|
|||
| // cleanPath removes the temporary directory prefix from the path. | |||
| func cleanPath(path string, prefix string) string { | |||
| // if the path has "private" prefix, remove it | |||
| path = strings.ReplaceAll(path, "/private", "") | |||
There was a problem hiding this comment.
Not sure why this started happening (on MacOS) but the path had a /private/... prefix which caused the TrimPrefix to return the original path unaltered.
egibs
commented
Jun 29, 2024
| /* $command18 = "/mount " ascii prone to FPs */ | ||
|
|
||
| condition: | ||
| ( filename == "sudoers" or filepath contains "/etc/sudoers.d" ) and |
There was a problem hiding this comment.
The filename and filepath external variables were present in 12 of the copied rule files so I excluded those from the update.sh rsync.
Signed-off-by: egibs <[email protected]>
Signed-off-by: egibs <[email protected]>
Signed-off-by: egibs <[email protected]>
Signed-off-by: egibs <[email protected]>
Signed-off-by: egibs <[email protected]>
egibs
added a commit
to egibs/malcontent
that referenced
this pull request
Jun 30, 2024
Signed-off-by: egibs <[email protected]>
|
Since Florian is also the guy behind YARAForge, I suspect the best of his rules are already part of bincapz. Is there anything you feel like is missing? |
tstromberg
added a commit
that referenced
this pull request
Jul 1, 2024
* Tweak password_finder_mimipenguin rule Signed-off-by: egibs <[email protected]> * Move Finder to extra strings Signed-off-by: egibs <[email protected]> * Remove overlapping strings related to #304 Signed-off-by: egibs <[email protected]> * Update rules/combo/stealer/password.yara Signed-off-by: Evan Gibler <[email protected]> * Add mimipenguin samples Signed-off-by: egibs <[email protected]> * Fix simple results Signed-off-by: egibs <[email protected]> * Tweak rule now that we have samples Signed-off-by: egibs <[email protected]> * Fix tests Signed-off-by: egibs <[email protected]> --------- Signed-off-by: egibs <[email protected]> Signed-off-by: Evan Gibler <[email protected]> Co-authored-by: Thomas Strömberg <[email protected]>
That's a good question. I'll comb through them and see if there's something more targeted we can implement. I'll carry over the path formatting fix into a new PR. |
|
Closing for now. Cherry-picking specific rules and adding samples for them is more useful than adding all of the rules (some of which may cause false positives or need to be turned off). |
egibs
added a commit
to egibs/malcontent
that referenced
this pull request
Aug 5, 2024
* Tweak password_finder_mimipenguin rule Signed-off-by: egibs <[email protected]> * Move Finder to extra strings Signed-off-by: egibs <[email protected]> * Remove overlapping strings related to chainguard-dev#304 Signed-off-by: egibs <[email protected]> * Update rules/combo/stealer/password.yara Signed-off-by: Evan Gibler <[email protected]> * Add mimipenguin samples Signed-off-by: egibs <[email protected]> * Fix simple results Signed-off-by: egibs <[email protected]> * Tweak rule now that we have samples Signed-off-by: egibs <[email protected]> * Fix tests Signed-off-by: egibs <[email protected]> --------- Signed-off-by: egibs <[email protected]> Signed-off-by: Evan Gibler <[email protected]> Co-authored-by: Thomas Strömberg <[email protected]>
egibs
added a commit
to egibs/malcontent
that referenced
this pull request
Sep 25, 2024
* Tweak password_finder_mimipenguin rule Signed-off-by: egibs <[email protected]> * Move Finder to extra strings Signed-off-by: egibs <[email protected]> * Remove overlapping strings related to chainguard-dev#304 Signed-off-by: egibs <[email protected]> * Update rules/combo/stealer/password.yara Signed-off-by: Evan Gibler <[email protected]> * Add mimipenguin samples Signed-off-by: egibs <[email protected]> * Fix simple results Signed-off-by: egibs <[email protected]> * Tweak rule now that we have samples Signed-off-by: egibs <[email protected]> * Fix tests Signed-off-by: egibs <[email protected]> --------- Signed-off-by: egibs <[email protected]> Signed-off-by: Evan Gibler <[email protected]> Co-authored-by: Thomas Strömberg <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Relates to: #267
Florian Roth's signature-base repository contains a lot of interesting rules.
TBD how much overlap there is with what we currently have but I wanted to get a PR going to add them -- we'll also want to ensure that YaraCI doesn't have any false negatives.
The repository is licensed under DRL 1.1 which allows us to integrate these rules so long as we attribute them appropriately (which will happen automatically via Rule metadata).