Address false positives for mlflow and pytorch (chainguard-dev#387)
* Address false positives for mlflow and pytorch

Signed-off-by: egibs <[email protected]>

* Add samples

Signed-off-by: egibs <[email protected]>

---------

Signed-off-by: egibs <[email protected]>
egibs authored Jul 30, 2024
1 parent 305e3b5 commit 0ad9320
Showing 7 changed files with 217 additions and 1 deletion.
2 changes: 2 additions & 0 deletions rules/combo/backdoor/php.yara
Expand Up @@ -87,6 +87,7 @@ rule php_urlvar_recon_exec : critical {
$x_POST = "_POST"
$not_php = "PHP_VERSION_ID"
$not_mongosh = "$ mongosh [options] [db address] [file names (ending in .js or .mongodb)]"
$not_mongosh_php = { 3C 3F 70 68 70 00 00 00 01 0C 51 61 03 00 00 00 02 00 00 00 3F 3E }
$not_php_group = "Copyright (c) The PHP Group"
$not_workaround = "/* workaround for chrome bug "
Expand Down Expand Up @@ -170,6 +171,7 @@ rule php_post_system : medium {
$method_get = "_GET"
$system = "system("
$not_mongosh = "$ mongosh [options] [db address] [file names (ending in .js or .mongodb)]"
$not_mongosh_php = { 3C 3F 70 68 70 00 00 00 01 0C 51 61 03 00 00 00 02 00 00 00 3F 3E }
$not_php_group = "Copyright (c) The PHP Group"
$not_workaround = "/* workaround for chrome bug "
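Review bot: The added `$not_mongosh_php = { 3C 3F 70 68 70 00 00 00 01 0C 51 61 03 00 00 00 02 00 00 00 3F 3E }` hex pattern is undocumented, and the identical blob is repeated in php_post_system below and in rules/evasion/base64-php_functions.yara, so a reader cannot tell what it matches or why it is safe to treat as a negative indicator. A one-line comment above each occurrence such as `// "<?php" + NUL padding + "?>" as embedded in the mongosh binary (samples/Linux/clean/mongosh), not a PHP script` would make the exclusion reviewable, and hoisting the bytes into one shared private rule would keep the three copies from drifting. The rules' condition lines are outside these hunks, so I am assuming the `$not*` strings feed a `none of ($not*)` clause as they do in base64_php_functions.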
5 changes: 4 additions & 1 deletion rules/combo/dropper/python.yara
Expand Up @@ -42,8 +42,11 @@ rule py_dropper_chmod : critical {
$val_x = "+x"
$val_exec = "755"
$val_rwx = "777"
$not_magic_trace = "print(f\"Downloading magic_trace to: {magic_trace_cache}\")"
$not_magic_trace_chmod = "subprocess.run([\"chmod\", \"+x\", magic_trace_cache])"
$not_facebook = "# Copyright (c) Facebook, Inc. and its affiliates."
condition:
filesize < 16384 and py_fetcher and py_runner and $chmod and any of ($val*)
filesize < 16384 and py_fetcher and py_runner and $chmod and any of ($val*) and none of ($not*)
}

private rule pythonSetup {
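Review bot: The added `$not_facebook = "# Copyright (c) Facebook, Inc. and its affiliates."` turns a generic license banner into a blanket exemption: combined with the new `none of ($not*)` in the condition, any script carrying that header is no longer evaluated by py_dropper_chmod, which is much broader than the single magic_trace false positive this commit targets. The two `$not_magic_trace*` strings already identify that sample on their own, so the narrower fix is to drop `$not_facebook` or scope the clause to `none of ($not_magic_trace*)`. Copyright-banner exclusions do appear elsewhere in the repo (`$not_php_group` in php.yara), so if this is deliberate policy a short comment above the `$not_*` block saying so would help the next reader.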
1 change: 1 addition & 0 deletions rules/evasion/base64-php_functions.yara
Expand Up @@ -60,6 +60,7 @@ rule base64_php_functions : medium {
$f_wp_verify_nonce = "wp_verify_nonce" base64
$not_comment = "// processing instruction, e.g. <?php ?>"
$not_mongosh = "$ mongosh [options] [db address] [file names (ending in .js or .mongodb)]"
$not_mongosh_php = { 3C 3F 70 68 70 00 00 00 01 0C 51 61 03 00 00 00 02 00 00 00 3F 3E }
condition:
$php and $base64_decode and any of ($f_*) and none of ($not*)
Binary file added samples/Linux/clean/mongosh
Binary file not shown.
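--- a/samples/Linux/clean/mongosh.simple
+++ b/samples/Linux/clean/mongosh.simple
@@ -0,0 +1,161 @@
+# Linux/clean/mongosh
+archives/unarchive
+cloud/aws/metadata
+cloud/google/metadata
+combo/backdoor/kill_rm
+combo/critical_paths
+combo/dropper/shell
+combo/net/scan_tool
+combo/net/tunnel_proxy
+compression/bzip2
+compression/gzip
+compression/zstd
+crypto/aes
+crypto/ed25519
+crypto/file/encrypter
+crypto/tls
+data/embedded/base64/gzip
+data/embedded/base64/terms
+data/embedded/base64/url
+data/embedded/html
+data/embedded/pem/certificate
+data/embedded/pem/private_key
+databases/postgresql
+databases/sqlite
+dylib/address/check
+dylib/iterate
+dylib/symbol/address
+encoding/base64
+encoding/json/decode
+encoding/json/encode
+env/HOME
+env/LANG
+env/SHELL
+env/TEMP
+env/TERM
+env/TMPDIR
+env/USER
+env/get
+evasion/base64/decode
+evasion/base64/php_functions
+evasion/hex
+exec/cmd
+exec/program
+exec/program/background
+exec/shell_echo
+fd/read
+fd/write
+fs/directory/create
+fs/directory/list
+fs/directory/remove
+fs/file/capabilities/set
+fs/file/delete
+fs/file/delete/forcibly
+fs/file/read
+fs/file/stat
+fs/file/times/set
+fs/file/truncate
+fs/file/write
+fs/link/read
+fs/lock/update
+fs/mount
+fs/permission/chown
+fs/permission/modify
+fs/symlink/resolve
+fs/tempdir
+fs/tempdir/create
+fs/watch
+group/lookup
+hash/sha256
+kernel/acct
+kernel/hostname/get
+kernel/platform
+kernel/sysinfo
+mem/anonymous/file
+net/bpf
+net/dns/over/https
+net/dns/reverse
+net/dns/txt
+net/download
+net/fetch
+net/ftp
+net/hostname/resolve
+net/hostport/parse
+net/http/accept/encoding
+net/http/auth
+net/http/cookies
+net/http/form/upload
+net/http/post
+net/http/request
+net/http2
+net/http_proxy
+net/icmp
+net/interface/get
+net/interface/list
+net/ip/multicast/send
+net/ip/parse
+net/ip/resolve
+net/ip/send/unicast
+net/ip/string
+net/mac/address
+net/oauth2
+net/sendfile
+net/socket/connect
+net/socket/listen
+net/socket/local/address
+net/socket/peer/address
+net/socket/receive
+net/socket/send
+net/socks5
+net/ssh
+net/upload
+net/url
+net/url/encode
+net/url/request
+net/websocket
+net/wireless
+process/chdir
+process/chroot
+process/groupid/set
+process/groups/set
+process/multithreaded
+process/name/get
+process/namespace/set
+process/parent_pid/get
+process/userid/set
+process/username/get
+procfs/cpuinfo
+procfs/meminfo
+procfs/self/cgroup
+procfs/self/exe
+procfs/stat
+random/insecure
+ref/extensions/office
+ref/ip/dns_resolver
+ref/ip_port
+ref/path/etc
+ref/path/file/url
+ref/path/hidden
+ref/path/home_library
+ref/path/tmp
+ref/path/usr/bin
+ref/program/ancient_gcc
+ref/program/nmap
+ref/program/osascript
+ref/program/powershell
+ref/site/http/dynamic
+ref/site/url
+ref/words/exclamation
+ref/words/heartbeat
+ref/words/intercept
+ref/words/leetspeak
+ref/words/obfuscate
+ref/words/password
+ref/words/plugin
+ref/words/server_address
+ref/words/spoof
+secrets/aws
+secrets/private_key
+shell/exec
+shell/pipe_sh
+tty/pathname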
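--- a/samples/Python/clean/magic_trace/magic_trace.py
+++ b/samples/Python/clean/magic_trace/magic_trace.py
@@ -0,0 +1,42 @@
+# Copyright (c) Facebook, Inc. and its affiliates.
+# All rights reserved.
+#
+# This source code is licensed under the BSD-style license found in the
+# LICENSE file in the root directory of this source tree.
+import os
+import signal
+import subprocess
+from contextlib import contextmanager
+
+
+@contextmanager
+def magic_trace(output="trace.fxt", magic_trace_cache="/tmp/magic-trace"):
+pid = os.getpid()
+if not os.path.exists(magic_trace_cache):
+print(f"Downloading magic_trace to: {magic_trace_cache}")
+subprocess.run(
+[
+"wget",
+"-O",
+magic_trace_cache,
+"-q",
+"https://github.com/janestreet/magic-trace/releases/download/v1.0.2/magic-trace",
+]
+)
+subprocess.run(["chmod", "+x", magic_trace_cache])
+args = [magic_trace_cache, "attach", "-pid", str(pid), "-o", output]
+p = subprocess.Popen(args, stderr=subprocess.PIPE, encoding="utf-8")
+while True:
+x = p.stderr.readline()
+print(x)
+if "Attached" in x:
+break
+try:
+yield
+finally:
+p.send_signal(signal.SIGINT)
+r = p.wait()
+print(p.stderr.read())
+p.stderr.close()
+if r != 0:
+raise ValueError(f"magic_trace exited abnormally: {r}")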
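--- a/samples/Python/clean/magic_trace/magic_trace.py.simple
+++ b/samples/Python/clean/magic_trace/magic_trace.py.simple
@@ -0,0 +1,7 @@
+# Python/clean/magic_trace/magic_trace.py
+exec/program
+fd/read
+fs/permission/modify
+net/download
+ref/path/tmp
+ref/site/url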
