
Address false positives for Chromium, KOTS, and Nuclei #368

Merged
merged 5 commits into from
Jul 17, 2024

Conversation

@egibs egibs commented Jul 17, 2024

This PR addresses critical false positives seen here:

Notes:

I used slightly more specific strings when ignoring the Nuclei false positives since they were originating from JSON content and I wanted to match the exact fields rather than doing something like $not_description = "\"description\": \"".
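The exclusion pattern the PR description is working with, as an added Python emulation rather than malcontent's own YARA: the wallet strings and the `$not_cats` regex are taken from the hunk on this page, while the `2 of` threshold, the `$not_description` alternative the author rejected, and the three input samples are assumptions constructed for the example.

```python
import re

# Added example, not malcontent code: emulates the YARA shape the PR relies on,
# "wallet strings present AND NOT a JSON-schema marker", so the false positive
# and its fix can be exercised offline. Wallet strings and $not_cats come from
# the hunk on the page; the "2 of" threshold is an assumption.
WALLET_STRINGS = ("Trezor", "Exodus", "Coinomi")
NOT_CATS = re.compile(r'"cats": \[[^\]]{0,64}')   # $not_cats: Wappalyzer "cats" array
NOT_DESCRIPTION = re.compile(r'"description": "')  # the broader form the author avoided


def matches(data: bytes, exclusions=(NOT_CATS,)) -> bool:
    """True when at least two wallet strings appear and no exclusion string does."""
    text = data.decode("utf-8", errors="replace")
    wallet_hits = sum(1 for s in WALLET_STRINGS if s in text)
    return wallet_hits >= 2 and not any(p.search(text) for p in exclusions)


# Constructed sample: a Wappalyzer-style technology file. Wallet names are
# legitimate here, and the "cats" array is what marks it as schema data.
WAPPALYZER_JSON = b"""{
  "Trezor Suite": {"cats": [41], "description": "Trezor wallet UI", "js": {"trezor": ""}},
  "Exodus": {"cats": [41], "description": "Exodus wallet", "website": "exodus.com"}
}"""

# Constructed sample: strings as a stripped binary might carry them.
BINARY_STRINGS = b"\x00Exodus\x00%APPDATA%\\\\Coinomi\x00Trezor\x00"

# Constructed sample: a manifest that names wallets and has a "description"
# key but no "cats" array. The narrow exclusion keeps flagging it; the broad
# one would silently drop it, which is the trade-off the PR description notes.
MANIFEST_JSON = b'{"name": "wallet-helper", "description": "sync", "targets": ["Exodus", "Trezor"]}'


def demo() -> dict:
    """Evaluate each sample under the narrow exclusion, plus the manifest under the broad one."""
    return {
        "wappalyzer": matches(WAPPALYZER_JSON),                        # False: excluded
        "binary": matches(BINARY_STRINGS),                             # True
        "manifest_narrow": matches(MANIFEST_JSON),                     # True
        "manifest_broad": matches(MANIFEST_JSON, (NOT_DESCRIPTION,)),  # False: lost
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:16s} crypto_stealer={'match' if hit else 'no match'}")
```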

@egibs egibs requested a review from hectorj2f July 17, 2024 17:40
@egibs egibs changed the title Address false positives for Chromium, Nuclei, and KOTS Address false positives for Chromium, KOTS, and Nuclei Jul 17, 2024
@@ -24,6 +24,13 @@ rule crypto_stealer : critical {
$w_trezor = "Trezor"
$w_exodus = "Exodus"
$w_coinomi = "Coinomi"
$not_cats = /\"cats\": \[[^]]{0,64}/
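Review bot: `$not_cats` is declared here, but the rule's `condition:` lies outside this excerpt; confirm it is referenced there as a negation (for example `... and not $not_cats`), since YARA refuses to compile a rule whose declared string is never used in its condition, and a string that is referenced without `not` would widen the match instead of narrowing it. A short comment beside `$not_cats` saying that it targets the `"cats": [...]` array of Wappalyzer technology JSON would also spare the next maintainer a trip back to this PR.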
@egibs egibs Jul 17, 2024


This isn't an exhaustive representation of the Wappalyzer schema, but these strings should be broad enough to match content from those technology files.

egibs added 3 commits July 17, 2024 12:45
Signed-off-by: egibs <[email protected]>

@hectorj2f hectorj2f left a comment


LGTM, thanks

@egibs egibs merged commit cc7791f into chainguard-dev:main Jul 17, 2024
6 checks passed
@egibs egibs deleted the 20240717-false-positives branch July 19, 2024 13:21
egibs added a commit to egibs/malcontent that referenced this pull request Aug 5, 2024
…v#368)

* Address false positives for Chromium, KOTS, and Nuclei

* Add additional Chromium string

Signed-off-by: egibs <[email protected]>

* Sort

Signed-off-by: egibs <[email protected]>

* More specific string for kots

Signed-off-by: egibs <[email protected]>

* Chromium rule parity

Signed-off-by: egibs <[email protected]>

---------

Signed-off-by: egibs <[email protected]>
egibs added a commit to egibs/malcontent that referenced this pull request Sep 25, 2024