From 8323907c8bc84ebea669610be8c523d3931dd5e9 Mon Sep 17 00:00:00 2001
From: Evan Gibler <20933572+egibs@users.noreply.github.com>
Date: Mon, 1 Jul 2024 11:16:36 -0500
Subject: [PATCH] Resolve datadog-agent DDOS false positive (#299)

* Avoid datadog-agent DDOS false positive

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Make ignore more generic

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Revert to exact DataDog reference

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 rules/net/ddos.yara | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/net/ddos.yara b/rules/net/ddos.yara
index 4c59a0fe6..85545c9c4 100644
--- a/rules/net/ddos.yara
+++ b/rules/net/ddos.yara
@@ -1,4 +1,3 @@
-
 rule ddos_refs : critical {
 meta:
 description = "Performs DDoS (distributed denial of service) attacks"
@@ -9,6 +8,8 @@ rule ddos_refs : critical {
 $ref = "TSource Engine Query"
 $ref2 = "ackflood" fullword
 $ref3 = "synflood" fullword
+ // datadog-agent tracer-fentry-debug.o
+ $ignore_ref = "defer_accept.synflood_warned.you"
 condition:
- any of them
+ any of ($ref*) and not $ignore_ref
 }
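Review bot: The exclusion in the new condition line `any of ($ref*) and not $ignore_ref` is global, so one occurrence of `defer_accept.synflood_warned.you` silences the whole rule even when `$ref` or `$ref2` also match, which is wider than the false positive being fixed: only `$ref3` is triggered by that string, because `fullword` treats `_` as a word delimiter. Scoping the exclusion to the indicator it disambiguates keeps the other two indicators effective, e.g. `($ref or $ref2) or ($ref3 and not $ignore_ref)`. The switch from `any of them` to `any of ($ref*)` is correct, since `them` would otherwise have let `$ignore_ref` itself satisfy the condition. The `tracer-fentry-debug.o` comment is helpful; recording why the string collides would save the next reader a lookup, e.g. `// datadog-agent tracer-fentry-debug.o: "synflood_warned" satisfies $ref3 fullword because "_" is a delimiter`.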