Fedora: Address remaining false-positives within /usr (chainguard-dev…
…#603)

* less Fedora false-positives

* add overrides

* format rules

* refresh testdata

* update testdata
tstromberg authored Nov 8, 2024
1 parent db63e0d commit f6769a8
Showing 96 changed files with 1,132 additions and 1,057 deletions.
2 changes: 1 addition & 1 deletion pkg/action/testdata/scan_archive
@@ -1,5 +1,5 @@
# testdata/apko_nested.tar.gz ∴ /apko_0.13.2_linux_arm64/apko: medium
c2/addr/ip_port: medium
c2/addr/ip: medium
c2/server_address: medium
collect/archives/zip: medium
credential/keychain: medium
2 changes: 2 additions & 0 deletions pkg/compile/compile.go
Expand Up @@ -64,6 +64,8 @@ var badRules = map[string]bool{
// JPCERT
"malware_PlugX_config": true,
"malware_shellcode_hash": true,
// bartblaze
"Rclone": true,
}

// rulesWithWarnings determines what to do with rules that have known warnings: true=keep, false=disable.
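Review bot: `"Rclone": true` disables the bartblaze Rclone rule for every scan rather than only for the Fedora packaging that presumably triggered it; an `override` rule keyed on the distro's legitimate rclone artifacts (the approach this commit takes elsewhere with `known_tmp_pid_file`) would keep rclone-as-exfiltration-tool hits for other inputs. Unlike the JPCERT entries, the line records no reason, so the next maintainer cannot tell whether it is safe to re-enable; suggest `"Rclone": true, // disabled for false positives, see #603`. badRules starts and ends outside the hunk.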
19 changes: 0 additions & 19 deletions rules/c2/addr/http-ip.yara

This file was deleted.

81 changes: 79 additions & 2 deletions rules/c2/addr/ip.yara
Expand Up @@ -29,8 +29,8 @@ rule elf_hardcoded_ip: high {
hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151"

strings:
// stricter version of what's above: excludes 255.* and *.0.* *.1.*
$sus_ipv4 = /((25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])\.){3}(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])/ fullword
// stricter version of what's above: excludes 255.* and *.0.* *.1.*, and 8.* (likely Google)
$sus_ipv4 = /((25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2345679])\.){3}(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])/ fullword

Check warning on line 33 in rules/c2/addr/ip.yara


VirusTotal YARA-CI / Rules Analysis

rules/c2/addr/ip.yara#L33

rule "elf_hardcoded_ip": string "$sus_ipv4" may slow down scanning
$not_version = /((25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])\.){3}(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])[\.\-]/

Check warning on line 34 in rules/c2/addr/ip.yara


VirusTotal YARA-CI / Rules Analysis

rules/c2/addr/ip.yara#L34

rule "elf_hardcoded_ip": string "$not_version" may slow down scanning
$not_incr = "10.11.12.13"
$not_169 = "169.254.169.254"
Expand All @@ -43,3 +43,80 @@ rule elf_hardcoded_ip: high {
condition:
filesize < 12MB and uint32(0) == 1179403647 and 1 of ($sus_ip*) and none of ($not*)
}

rule http_hardcoded_ip: high exfil {
meta:
description = "hardcoded IP address within a URL"
hash_2023_Merlin_48a7 = "48a70bd18a23fce3208195f4ad2e92fce78d37eeaa672f83af782656a4b2d07f"
hash_2023_Multios_Trojan_WellMess_bce8 = "bce8ba5b7e6598c15c5ec258199e148272087fde2cd0690ed9b42ba89f2aacea"
hash_2023_OK_ad69 = "ad69e198905a8d4a4e5c31ca8a3298a0a5d761740a5392d2abb5d6d2e966822f"

strings:
$ipv4 = /https*:\/\/([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}[:\/\w\-\?\.\=]{0,64}/
$not_metadata = "http://169.254.169.254"
$not_100 = "http://100.100.100"
$not_11 = "http://11.11.11"
$not_192 = "http://192.168"
$not_169 = "http://169.254"
$not_aria = "http://210.104.33.10/ARIA/"
condition:
$ipv4 and none of ($not*)
}

rule hardcoded_ip_port: high {
meta:
description = "hardcoded IP:port destination"
hash_2023_Merlin_48a7 = "48a70bd18a23fce3208195f4ad2e92fce78d37eeaa672f83af782656a4b2d07f"
hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500"
hash_2023_Sysrv_Hello_sys_x86_64 = "cd784dc1f7bd95cac84dc696d63d8c807129ef47b3ce08cd08afb7b7456a8cd3"

strings:
$ipv4 = /([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}:\d{2,5}/ fullword

Check warning on line 75 in rules/c2/addr/ip.yara


VirusTotal YARA-CI / Rules Analysis

rules/c2/addr/ip.yara#L75

rule "hardcoded_ip_port": string "$ipv4" may slow down scanning
$not_ssdp = "239.255.255.250:1900"
$not_2181 = "10.101.203.230:2181"
$not_meta = "169.254.169.254:80"
$not_vnc = "10.10.10.10:5900"
$not_azure_pgsql = "20.66.25.58:5432"
$not_wireguard = "127.212.121.99:999"
$not_minio = "172.16.34.31:9000"
$not_test = "def test_" fullword
condition:
any of ($ip*) and none of ($not*)
}

rule ip_port_mention: medium {
meta:
description = "mentions an IP and port"
hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e"
hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad"
hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74"

strings:
$camelPort = /[a-z]{0,8}Port/ fullword
$camelIP = /[a-z]{0,8}Ip/ fullword
$underPort = /[a-z]{0,8}_port/ fullword
$underIP = /[a-z]{0,8}_ip/ fullword
$wordPort = "Port" fullword
$wordIP = "IP" fullword
condition:
all of ($camel*) or all of ($under*) or all of ($word*)
}

rule logfile: override {
meta:
description = "logfile"
ip_and_port = "medium"
http_hardcoded_ip = "medium"
exploiter = "medium"
http_ip_url_with_exe = "medium"
filetypes = "txt,log,json"

strings:
$timestamp = "@timestamp"
condition:
any of them
}
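Review bot: The `logfile` override at the end of the second hunk sets `ip_and_port = "medium"`, but no rule by that name exists in this file — the rules here are `hardcoded_ip_port` and `ip_port_mention` — so unless `ip_and_port` is defined elsewhere the override does nothing for them and the log-file false positives it targets stay at their original severity; the same check applies to `http_ip_url_with_exe`. In the first hunk the new comment on `$sus_ipv4` says `8.*` is excluded, but `[2345679]` sits inside the `{3}`-repeated group, so 8 is rejected in any of the first three octets (203.8.2.2 no longer matches), not only the leading one; limiting it to the first octet would be `$sus_ipv4 = /(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2345679])\.((25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])\.){2}(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])/ fullword`. Also worth noting that `$not_test = "def test_"` in `hardcoded_ip_port` vetoes the whole file on a single occurrence of that token, which is a much broader exclusion than the address-specific `$not_*` entries around it. `elf_hardcoded_ip` starts outside the first hunk.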
56 changes: 0 additions & 56 deletions rules/c2/addr/ip_port.yara

This file was deleted.

23 changes: 0 additions & 23 deletions rules/c2/addr/php.yara

This file was deleted.

26 changes: 0 additions & 26 deletions rules/c2/addr/url-unusual.yara

This file was deleted.

61 changes: 61 additions & 0 deletions rules/c2/addr/url.yara
@@ -0,0 +1,61 @@
private rule elf_or_macho {
condition:
uint32(0) == 1179403647 or (uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962 or uint32(0) == 3405691583 or uint32(0) == 3216703178)
}

rule unusual_nodename: medium {
meta:
description = "Contains HTTP hostname with a long node name"

strings:
$ref = /https*:\/\/\w{16,}\//
condition:
filesize < 5MB and $ref
}

rule exotic_tld: high {
meta:
description = "Contains HTTP hostname with unusual top-level domain"

strings:
$http_exotic_tld = /https*:\/\/[\w\-\.]{1,128}\.(vip|red|cc|wtf|top|pw|ke|space|zw|bd|ke|am|sbs|date|pw|quest|cd|bid|xyz|cm|xxx|casino|online|poker)\//
$not_electron = "ELECTRON_RUN_AS_NODE"
$not_nips = "nips.cc"
$not_gov_bd = ".gov.bd"
$not_eol = "endoflife.date"
$not_whois = "bdia.btcl.com.bd"
condition:
filesize < 10MB and any of ($http*) and none of ($not_*)
}

rule binary_http_url_with_question: high {
meta:
description = "contains hardcoded endpoint with a question mark"

strings:
$ref = /https*:\/\/[\w\.\/]{8,160}\.[a-zA-Z]{2,3}\?[\w\=\&]{0,32}/
condition:
filesize < 150MB and elf_or_macho and any of them
}

rule script_with_binary_http_url_with_question: high {
meta:
description = "contains hardcoded endpoint with a question mark"

strings:
$f_import = "import" fullword
$f_require = "require" fullword
$f_curl = "curl" fullword
$f_wget = "wget" fullword
$f_requests = "requests.get" fullword
$f_requests_post = "requests.post" fullword
$f_urllib = "urllib.request" fullword
$f_urlopen = "urlopen" fullword
$ref = /https*:\/\/[\w\.\/]{8,160}\.[a-zA-Z]{2,3}\?[\w\=\&]{0,32}/
condition:
filesize < 256KB and any of ($f*) and $ref
}
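Review bot: `elf_or_macho` also matches Java class files: their magic bytes `CA FE BA BE` are the same as a Mach-O fat header and read as `uint32(0) == 3199925962`, which is in the list, so `binary_http_url_with_question` will fire on any .class file that carries a query-string URL. If that is accepted, record it with a comment such as `// NOTE: CA FE BA BE (3199925962) is also the Java class-file magic, so .class files match too`; distinguishing the two would need an additional check on the following header word and should come with testdata. Minor: the `exotic_tld` alternation lists `ke` and `pw` twice, and `script_with_binary_http_url_with_question` reuses the description of the binary rule verbatim, so the two cannot be told apart in a report.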
5 changes: 3 additions & 2 deletions rules/c2/tool_transfer/binary.yara
Expand Up @@ -6,9 +6,10 @@ rule chmod_executable_shell_binary: high {
strings:
$chmod = /chmod [\-\w ]{0,4}\+[rw]{0,2}x[ \$\@\w\/\.]{0,64}/
$chmod2 = /chmod [\-\w ]{0,4}\+[rw]{0,2}[75][ \$\@\w\/\.]{0,64}/
$http = "http:"
$https = "https:"
$http = "http://"
$https = "https://"
$not_example = "try 'chmod +x'"
$not_make = "chmod a+x $@"
condition:
filesize < 10MB and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) and any of ($chmod*) and any of ($http*) and none of ($not*)
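Review bot: Narrowing `$http`/`$https` from `http:` to `http://` drops matches on URLs stored with escaped slashes (`http:\/\/`, as JSON encoders and some scripts emit) even when a chmod pattern is present; if the tighter form is only meant to stop `http:` matching unrelated text, a second pair such as `$http_esc = "http:\\/\\/"` would keep that coverage under the existing `any of ($http*)`. chmod_executable_shell_binary starts outside the hunk.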
2 changes: 1 addition & 1 deletion rules/c2/tool_transfer/download.yara
Expand Up @@ -13,7 +13,7 @@ rule download_sites: high {
$d_pastebinger = "paste.bingner.com"
$d_transfer_sh = "transfer.sh"
$d_rentry = "rentry.co" fullword
$d_pastebin = /pastebin.[\w]{2,3}/ fullword
$d_pastebin = /pastebin\.[\w]{2,3}/ fullword
$d_penyacom = "penyacom"
$d_controlc = "controlc.com"
$d_anotepad = "anotepad.com"
1 change: 1 addition & 0 deletions rules/discover/system/platform.yara
Expand Up @@ -82,6 +82,7 @@ rule npm_uname: medium {
$ = "os.platform()"
$ = "os.arch()"
$ = "os.release()"
$ = "os.type()"
condition:
any of them
50 changes: 40 additions & 10 deletions rules/evasion/hidden_paths/odd_pidfile.yara
@@ -1,16 +1,46 @@
rule exotic_pid_file: high {
rule users_pid_file: high {
meta:
description = "unusual pid (process id) file location"
hash_2023_Unix_Coinminer_Xanthe_7ea1 = "7ea112aadebb46399a05b2f7cc258fea02f55cf2ae5257b331031448f15beb8f"
hash_2023_UPX_0a07c056fec72668d3f05863f103987cc1aaec92e72148bf16db6cfd58308617_elf_x86_64 = "94f4de1bd8c85b8f820bab936ec16cdb7f7bc19fa60d46ea8106cada4acc79a2"
hash_2024_Downloads_4b97 = "4b973335755bd8d48f34081b6d1bea9ed18ac1f68879d4b0a9211bbab8fa5ff4"
description = "unusual pid (process id) file location"

strings:
$p_users = /\/Users\/[%\w\.\-\/]{0,64}\.pid/
$p_tmp = /\/tmp\/[%\w\.\-\/]{0,64}\.pid/
$p_hidden = /[\w\/]{0,32}\/\.[\%\w\.\-\/]{0.16}\.pid/
$not_nginx = "/tmp/nginx/nginx.pid"
$p_users = /\/Users\/[%\w\.\-\/]{0,64}\.pid/
condition:
any of ($p*) and none of ($not*)
filesize < 100MB and any of ($p*)
}

rule hidden_pid_file: high {
meta:
description = "unusual pid (process id) file location"

strings:
$p_hidden = /[\w\/]{0,32}\/\.[\%\w\.\-\/]{0.16}\.pid/
condition:
filesize < 100MB and any of ($p*)
}

rule tmp_pid_file: high {
meta:
description = "unusual pid (process id) file location"

strings:
$p_tmp = /\/tmp\/[%\w\.\-\/]{0,64}\.pid/
condition:
filesize < 100MB and any of ($p*)
}

rule known_tmp_pid_file: override {
meta:
description = "well-known pid file locations"
tmp_pid_file = "medium"

strings:
$not_nginx = "/tmp/nginx/nginx.pid"
$not_intel_speed = "/tmp/hfi-events.pid"
$not_podman = "/tmp/pause.pid"
condition:
any of them
}
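Review bot: `$p_hidden` in `hidden_pid_file` has a malformed quantifier, `{0.16}` (period instead of comma); depending on how the regex compiler treats it, that is either a compile error or a literal `{0.16}`, and in neither case does the string match the intended dot-file pid paths, so the new rule is effectively dead — it should read `$p_hidden = /[\w\/]{0,32}\/\.[\%\w\.\-\/]{0,16}\.pid/`. The typo is carried over from the old `$p_hidden`, but since this commit moves it into a rule of its own this is the natural place to fix it. Separately, the three new rules share the identical description "unusual pid (process id) file location", so a report cannot tell a /Users, /tmp or dot-file hit apart; and `known_tmp_pid_file` downgrades the known-good paths to medium whereas the removed `none of ($not*)` clause suppressed them entirely, which may be intended but is worth stating in its description.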
2 changes: 1 addition & 1 deletion rules/false_positives/flatpak.yara
@@ -1,7 +1,7 @@
rule flatpak: override {
meta:
description = "flatpak"
lvt_locker = "medium"
hidden_x11 = "medium"

strings:
$flatpak = "FLATPAK_BINARY" fullword

0 comments on commit f6769a8
