New false positive rules #502
Conversation
Signed-off-by: egibs <[email protected]>
Signed-off-by: egibs <[email protected]>
Signed-off-by: egibs <[email protected]>
Signed-off-by: egibs <[email protected]>
| @@ -0,0 +1,15 @@ | |||
| rule clickhouse_binary : override { | |||
| meta: | |||
| malware_PlugX_config = "high" | |||
There was a problem hiding this comment.
This should be ignore or something equivalent, it's a complete false-positive, AFAIK.
There was a problem hiding this comment.
Addressed in e716ba1 (#502).
| meta: | ||
| malware_PlugX_config = "high" | ||
| description = "clickhouse" | ||
| original_severity = "critical" |
There was a problem hiding this comment.
Remove - this is going to go obsolete quickly.
| $clickhouse_site = "https://clickhouse.com" | ||
| $usage = "Usage: ./clickhouse" | ||
| condition: | ||
| all of them |
There was a problem hiding this comment.
That seems fragile - how about: 75% of them
There was a problem hiding this comment.
Addressed in e716ba1 (#502).
| strings: | ||
| $clickhouse_binary = "/usr/bin/clickhouse" | ||
| $clickhouse_client = "clickhouse-client" | ||
| $clickhouse_service = /clickhouse-\w{0,32}/ fullword |
There was a problem hiding this comment.
I'd remove this slower regexp.
There was a problem hiding this comment.
Addressed in e716ba1 (#502).
rules/false_positives/datadog.yara
Outdated
| meta: | ||
| description = "appsec/rules.json" | ||
| linux_multi_persist = "high" | ||
| original_severity = "critical" |
There was a problem hiding this comment.
Addressed in e716ba1 (#502).
rules/false_positives/rancher.yara
Outdated
| @@ -0,0 +1,14 @@ | |||
| rule pull_script : override { | |||
| meta: | |||
| curl_chmod_relative_run_tiny = "high" | |||
There was a problem hiding this comment.
since it's a known-good, let's say medium
There was a problem hiding this comment.
Addressed in e716ba1 (#502).
| meta: | ||
| description = "tfjs_predict_extractor_util.py" | ||
| original_severity = "critical" | ||
| py_dropper_chmod = "high" |
There was a problem hiding this comment.
Addressed in e716ba1 (#502).
rules/false_positives/trivy.yara
Outdated
| @@ -0,0 +1,12 @@ | |||
| rule trivy_binary : override { | |||
| meta: | |||
| curl_tor_chmod_relative_run = "high" | |||
There was a problem hiding this comment.
Addressed in e716ba1 (#502).
rules/false_positives/vitess.yara
Outdated
| @@ -0,0 +1,13 @@ | |||
| rule vitess : override { | |||
| meta: | |||
| linux_multi_persist = "high" | |||
There was a problem hiding this comment.
Addressed in e716ba1 (#502).
rules/false_positives/wolfictl.yara
Outdated
| @@ -0,0 +1,14 @@ | |||
| rule wolfictl_binary : override { | |||
| meta: | |||
| curl_tor_chmod_relative_run = "high" | |||
There was a problem hiding this comment.
I'm starting to see a pattern here: I think curl_tor_chmod_relative_run should be made "high" for now. It's too noisy for critical.
There was a problem hiding this comment.
Addressed in e716ba1 (#502).
rules/false_positives/wolfictl.yara
Outdated
| original_severity = "critical" | ||
| strings: | ||
| $chainguard = "chainguard.dev" | ||
| $false_positive_string = "domaingophertelnetreturn.locallisten.onionndots:sendtoip" |
There was a problem hiding this comment.
Instead of handling the false-positive here: add listen.onionndots as a not_go anti-match string within the curl_tor_chmod_relative_run rule or make .onion a wholeword match. The rule isn't intended to capture it.
Signed-off-by: egibs <[email protected]>
Signed-off-by: egibs <[email protected]>
Signed-off-by: egibs <[email protected]>
This PR utilizes our new override capability to add per-binary override rules for critical false positives.
The final formatting/structure on these rules is TBD.
This PR depends on chainguard-dev/malcontent-samples#10 (I placed its contents in my local
out/samples-directory to generate the report contents).