From 413cd33d58d3ad4f0546298b289a4b2a53ff9e73 Mon Sep 17 00:00:00 2001
From: Evan Gibler <20933572+egibs@users.noreply.github.com>
Date: Fri, 19 Jul 2024 13:31:04 -0500
Subject: [PATCH] More /dev/tcp rule tweaks for GitLab healthcheck script (#372)

* More /dev/tcp rule tweaks for GitLab healthcheck script

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Refresh test data

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 rules/shell/bash_dev_tcp.yara | 9 ++++++---
 samples/Linux/clean/healthcheck.simple | 1 -
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/rules/shell/bash_dev_tcp.yara b/rules/shell/bash_dev_tcp.yara
index 4aa023bf8..31f0b6368 100644
--- a/rules/shell/bash_dev_tcp.yara
+++ b/rules/shell/bash_dev_tcp.yara
@@ -8,8 +8,11 @@ rule bash_dev_tcp : high exfil {
 strings:
 $ref = "/dev/tcp"
 $posixly_correct = "POSIXLY_CORRECT"
+ $not_comment = "# Check that both our processes are running on their tcp port"
+ $not_get = /GET \/ HTTP\/1.1\n{1,2} >/
+ $not_localhost_8080 = "/dev/tcp/127.0.0.1/8080"
 condition:
- $ref and not $posixly_correct
+ $ref and not $posixly_correct and none of ($not*)
 }
 
 
@@ -19,8 +22,8 @@ rule bash_dev_tcp_hardcoded_ip : critical {
 strings:
 $dev_tcp = /\/dev\/tcp\/[\w\.]{8,16}\/\d{1,6}/
 $not_comment = "# Check that both our processes are running on their tcp port"
- $not_get = "GET / HTTP/1.1 >"
+ $not_get = /GET \/ HTTP\/1.1\n{1,2} >/
 $not_localhost_8080 = "/dev/tcp/127.0.0.1/8080"
 condition:
- $dev_tcp and none of ($not_*)
+ $dev_tcp and none of ($not*)
 }
diff --git a/samples/Linux/clean/healthcheck.simple b/samples/Linux/clean/healthcheck.simple
index bbf5018c0..82d988630 100644
--- a/samples/Linux/clean/healthcheck.simple
+++ b/samples/Linux/clean/healthcheck.simple
@@ -1,5 +1,4 @@
 # Linux/clean/healthcheck
 net/http/request
 ref/path/dev
-shell/bash_dev_tcp
 shell/exec
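Review bot: The three `$not*` strings added to `bash_dev_tcp` duplicate the allowlist already carried by `bash_dev_tcp_hardcoded_ip` in the second hunk, and the same `$not_get` fix is applied in both places, so the two copies will drift the next time the healthcheck sample changes; a `private rule` referenced from both conditions keeps a single definition (sketch below). Two details of the new `$not_get` regex: the `.` in `HTTP\/1.1` is unescaped and matches any byte, and `\n{1,2}` matches real newline bytes — if the healthcheck script emits the request via `printf` or `echo -e`, its source holds the two-character sequence backslash-n, which this pattern would not match, so the exclusion would then rest only on `$not_comment` and `$not_localhost_8080` (I cannot see the sample, so this is inferred). Independently of the refactor, each of these literals exempts any file containing it from both rules, so the allowlist should stay as narrow as the one sample requires rather than grow with further tweaks. The `rule bash_dev_tcp` header and its meta section lie above the hunk.
```yara
private rule gitlab_healthcheck_allowlist {
  strings:
    $not_comment = "# Check that both our processes are running on their tcp port"
    $not_get = /GET \/ HTTP\/1\.1\n{1,2} >/
    $not_localhost_8080 = "/dev/tcp/127.0.0.1/8080"
  condition:
    any of ($not*)
}

rule bash_dev_tcp : high exfil {
  // … unchanged: meta section …
  strings:
    $ref = "/dev/tcp"
    $posixly_correct = "POSIXLY_CORRECT"
  condition:
    $ref and not $posixly_correct and not gitlab_healthcheck_allowlist
}
```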