Address Kibana false positives (chainguard-dev#391)

Signed-off-by: egibs <[email protected]>

pkg/compile/compile.go

@@ -29,6 +29,7 @@ var badRules = map[string]bool{
 	"DELIVRTO_SUSP_HTML_WASM_Smuggling":                   true,
 	"SIGNATURE_BASE_FVEY_Shadowbroker_Auct_Dez16_Strings": true,
 	"ELASTIC_Macos_Creddump_Keychainaccess_535C1511":      true,
+	"SIGNATURE_BASE_Reconcommands_In_File":                true,
 	// ThreatHunting Keywords (some duplicates)
 	"Adobe_XMP_Identifier":                       true,
 	"Antivirus_Signature_signature_keyword":      true,

rules/combo/backdoor/php.yara

@@ -116,8 +116,13 @@ rule php_eval_gzinflate_base64_backdoor : critical {
     $f_gzinflate = "gzinflate("
     $f_base64_decode = "base64_decode"
 
-    $not_php = "PHP_FLOAT_DIG" fullword
+    $not_js = " ?? "
+    $not_js2 = " === "
+    $not_js3 = "const"
+    $not_js4 = "this."
+    $not_js5 = "throw"
     $not_mongosh_php = { 3C 3F 70 68 70 00 00 00 01 0C 51 61 03 00 00 00 02 00 00 00 3F 3E }
+    $not_php = "PHP_FLOAT_DIG" fullword
     $not_workaround = "/* workaround for chrome bug "
   condition:
     all of ($f*) and none of ($not*)

rules/secrets/keychain-dump.yara

@@ -4,7 +4,9 @@ rule security_dump_keychain : critical {
     hash_2011_bin_kd = "8eb5ab5d71c84c9927b420948abedcf510369c8d566ee94c0cb5bc276d0d0a72"
   strings:
     $dump = "dump-keychain"
-    $ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard"
+    $not_ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard"
+    $not_elastic_author = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
+    $not_elastic_license = "\"license\": \"Elastic License v2\""
   condition:
-    $dump and not $ctkcard
+    $dump and none of ($not*)
 }

rules/secrets/keychain.yara

@@ -8,8 +8,10 @@ rule keychain : medium macos {
   strings:
     $ref = "Keychain"
     $ref2 = "keychain"
+    $not_elastic_author = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
+    $not_elastic_license = "\"license\": \"Elastic License v2\""
   condition:
-    any of them
+    any of ($ref*) and none of ($not*)
 }
 
 rule macos_library_keychains : medium {
@@ -20,26 +22,32 @@ rule macos_library_keychains : medium {
     hash_2023_Downloads_Brawl_Earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2"
   strings:
     $ref = "/Library/Keychains"
+    $not_elastic_author = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
+    $not_elastic_license = "\"license\": \"Elastic License v2\""
   condition:
-    any of them
+    $ref and none of ($not*)
 }
 
 rule find_generic_password : high {
   meta:
     description = "Looks up a password from the Keychain"
   strings:
     $ref = /find-generic-passsword[ \-\w\']{0,32}/
-    $ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard"
+    $not_ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard"
+    $not_elastic_author = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
+    $not_elastic_license = "\"license\": \"Elastic License v2\""
   condition:
-    $ref and not $ctkcard
+    $ref and none of ($not*)
 }
 
 rule find_internet_password : high {
   meta:
     description = "Looks up an internet password from the Keychain"
   strings:
     $ref = /find-internet-passsword[ \-\w\']{0,32}/
-    $ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard"
+    $not_ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard"
+    $not_elastic_author = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
+    $not_elastic_license = "\"license\": \"Elastic License v2\""
   condition:
-    $ref and not $ctkcard
+    $ref and none of ($not*)
 }