Fedora: Address remaining false-positives within /usr (chainguard-dev…
…#603) * fewer Fedora false-positives * add overrides * format rules * refresh testdata * update testdata
1 parent
db63e0d
commit f6769a8
Showing
96 changed files
with
1,132 additions
and
1,057 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
private rule elf_or_macho { | ||
condition: | ||
uint32(0) == 1179403647 or (uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962 or uint32(0) == 3405691583 or uint32(0) == 3216703178) | ||
} | ||
|
||
rule unusual_nodename: medium { | ||
meta: | ||
description = "Contains HTTP hostname with a long node name" | ||
|
||
strings: | ||
$ref = /https*:\/\/\w{16,}\// | ||
condition: | ||
filesize < 5MB and $ref | ||
} | ||
|
||
rule exotic_tld: high { | ||
meta: | ||
description = "Contains HTTP hostname with unusual top-level domain" | ||
|
||
strings: | ||
$http_exotic_tld = /https*:\/\/[\w\-\.]{1,128}\.(vip|red|cc|wtf|top|pw|ke|space|zw|bd|ke|am|sbs|date|pw|quest|cd|bid|xyz|cm|xxx|casino|online|poker)\// | ||
$not_electron = "ELECTRON_RUN_AS_NODE" | ||
$not_nips = "nips.cc" | ||
$not_gov_bd = ".gov.bd" | ||
$not_eol = "endoflife.date" | ||
$not_whois = "bdia.btcl.com.bd" | ||
condition: | ||
filesize < 10MB and any of ($http*) and none of ($not_*) | ||
} | ||
|
||
rule binary_http_url_with_question: high { | ||
meta: | ||
description = "contains hardcoded endpoint with a question mark" | ||
|
||
strings: | ||
$ref = /https*:\/\/[\w\.\/]{8,160}\.[a-zA-Z]{2,3}\?[\w\=\&]{0,32}/ | ||
condition: | ||
filesize < 150MB and elf_or_macho and any of them | ||
} | ||
|
||
rule script_with_binary_http_url_with_question: high { | ||
meta: | ||
description = "contains hardcoded endpoint with a question mark" | ||
|
||
strings: | ||
$f_import = "import" fullword | ||
$f_require = "require" fullword | ||
$f_curl = "curl" fullword | ||
$f_wget = "wget" fullword | ||
$f_requests = "requests.get" fullword | ||
$f_requests_post = "requests.post" fullword | ||
$f_urllib = "urllib.request" fullword | ||
$f_urlopen = "urlopen" fullword | ||
$ref = /https*:\/\/[\w\.\/]{8,160}\.[a-zA-Z]{2,3}\?[\w\=\&]{0,32}/ | ||
condition: | ||
filesize < 256KB and any of ($f*) and $ref | ||
} |
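Review bot: The `none of ($not_*)` clause in exotic_tld makes every exclusion a file-wide kill switch: a sample that embeds the bare string `nips.cc` or `ELECTRON_RUN_AS_NODE` anywhere in the file silences the rule for every exotic TLD it also contains. This same commit already handles that problem for tmp_pid_file by moving the exclusions into a `known_tmp_pid_file: override` rule that only lowers severity, and exotic_tld would benefit from the same split, assuming override rules apply per target rule as that example suggests. While editing the alternation, `ke` and `pw` each appear twice in `$http_exotic_tld` and can be dropped. The rewritten rule pair is below.
```yara
rule exotic_tld: high {
  meta:
    description = "Contains HTTP hostname with unusual top-level domain"

  strings:
    $http_exotic_tld = /https*:\/\/[\w\-\.]{1,128}\.(vip|red|cc|wtf|top|pw|ke|space|zw|bd|am|sbs|date|quest|cd|bid|xyz|cm|xxx|casino|online|poker)\//
  condition:
    filesize < 10MB and any of ($http*)
}

rule known_exotic_tld: override {
  meta:
    description = "well-known hosts under otherwise unusual top-level domains"
    exotic_tld = "medium"

  strings:
    $not_electron = "ELECTRON_RUN_AS_NODE"
    $not_nips = "nips.cc"
    $not_gov_bd = ".gov.bd"
    $not_eol = "endoflife.date"
    $not_whois = "bdia.btcl.com.bd"
  condition:
    any of them
}
```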
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,16 +1,46 @@ | ||
rule exotic_pid_file: high { | ||
rule users_pid_file: high { | ||
meta: | ||
description = "unusual pid (process id) file location" | ||
hash_2023_Unix_Coinminer_Xanthe_7ea1 = "7ea112aadebb46399a05b2f7cc258fea02f55cf2ae5257b331031448f15beb8f" | ||
hash_2023_UPX_0a07c056fec72668d3f05863f103987cc1aaec92e72148bf16db6cfd58308617_elf_x86_64 = "94f4de1bd8c85b8f820bab936ec16cdb7f7bc19fa60d46ea8106cada4acc79a2" | ||
hash_2024_Downloads_4b97 = "4b973335755bd8d48f34081b6d1bea9ed18ac1f68879d4b0a9211bbab8fa5ff4" | ||
description = "unusual pid (process id) file location" | ||
|
||
strings: | ||
$p_users = /\/Users\/[%\w\.\-\/]{0,64}\.pid/ | ||
$p_tmp = /\/tmp\/[%\w\.\-\/]{0,64}\.pid/ | ||
$p_hidden = /[\w\/]{0,32}\/\.[\%\w\.\-\/]{0.16}\.pid/ | ||
$not_nginx = "/tmp/nginx/nginx.pid" | ||
$p_users = /\/Users\/[%\w\.\-\/]{0,64}\.pid/ | ||
condition: | ||
any of ($p*) and none of ($not*) | ||
filesize < 100MB and any of ($p*) | ||
} | ||
|
||
rule hidden_pid_file: high { | ||
meta: | ||
description = "unusual pid (process id) file location" | ||
|
||
strings: | ||
$p_hidden = /[\w\/]{0,32}\/\.[\%\w\.\-\/]{0.16}\.pid/ | ||
condition: | ||
filesize < 100MB and any of ($p*) | ||
} | ||
|
||
rule tmp_pid_file: high { | ||
meta: | ||
description = "unusual pid (process id) file location" | ||
|
||
strings: | ||
$p_tmp = /\/tmp\/[%\w\.\-\/]{0,64}\.pid/ | ||
condition: | ||
filesize < 100MB and any of ($p*) | ||
} | ||
|
||
rule known_tmp_pid_file: override { | ||
meta: | ||
description = "well-known pid file locations" | ||
tmp_pid_file = "medium" | ||
|
||
strings: | ||
$not_nginx = "/tmp/nginx/nginx.pid" | ||
$not_intel_speed = "/tmp/hfi-events.pid" | ||
$not_podman = "/tmp/pause.pid" | ||
condition: | ||
any of them | ||
} |
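Review bot: The `$p_hidden` pattern in hidden_pid_file carries over a malformed quantifier from the old `$p_hidden` string: `{0.16}` uses a period where a comma is needed, so depending on the YARA version this is either a compile error or a literal `{0.16}` that no real path contains, and the rule never fires on an actual hidden pid path. It should read `$p_hidden = /[\w\/]{0,32}\/\.[\%\w\.\-\/]{0,16}\.pid/`. Separately, users_pid_file, hidden_pid_file and tmp_pid_file now share the identical description "unusual pid (process id) file location", which makes their reports indistinguishable; `description = "pid file under /Users"`, `description = "pid file in a hidden path"` and `description = "pid file under /tmp"` would say which one matched.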