chore(yara): Log rule loading and check view section size

Log the loading of the YARA rule and check the size of the view of section. Small sections should not be candidates for scanning.
rabbitstack · Nov 22, 2024 · e7f02ca · e7f02ca
1 parent b69ade4
commit e7f02ca
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/pkg/yara/scanner.go b/pkg/yara/scanner.go
@@ -103,6 +103,7 @@ func NewScanner(psnap ps.Snapshotter, config config.Config) (Scanner, error) {
 				return nil
 			}
 			rulesInCompiler.Add(1)
+			log.Infof("loading yara rule(s) from %s", filepath.Join(path, fi.Name()))
 
 			return nil
 		})
@@ -277,7 +278,8 @@ func (s scanner) Scan(e *kevent.Kevent) (bool, error) {
 		// scan process mapping a suspicious RX/RWX section view
 		pid := e.Kparams.MustGetPid()
 		prot := e.Kparams.MustGetUint32(kparams.MemProtect)
-		if e.PID != 4 && ((prot&kevent.SectionRX) != 0 && (prot&kevent.SectionRWX) != 0) {
+		size := e.Kparams.MustGetUint64(kparams.FileViewSize)
+		if e.PID != 4 && size >= 4096 && ((prot&kevent.SectionRX) != 0 && (prot&kevent.SectionRWX) != 0) {
 			filename := e.GetParamAsString(kparams.FileName)
 			// skip mappings of signed images
 			addr := e.Kparams.MustGetUint64(kparams.FileViewBase)

diff --git a/pkg/yara/scanner_test.go b/pkg/yara/scanner_test.go
@@ -725,6 +725,7 @@ func TestScan(t *testing.T) {
 					Kparams: kevent.Kparams{
 						kparams.ProcessID:    {Name: kparams.ProcessID, Type: kparams.PID, Value: pid},
 						kparams.FileViewBase: {Name: kparams.FileViewBase, Type: kparams.Address, Value: uint64(0x7ffe0000)},
+						kparams.FileViewSize: {Name: kparams.FileViewSize, Type: kparams.Uint64, Value: uint64(12333)},
 						kparams.MemProtect:   {Name: kparams.MemProtect, Type: kparams.Flags, Value: uint32(kevent.SectionRX), Flags: kevent.ViewProtectionFlags},
 					},
 					Metadata: make(map[kevent.MetadataKey]any),
@@ -780,6 +781,7 @@ func TestScan(t *testing.T) {
 					Kparams: kevent.Kparams{
 						kparams.ProcessID:    {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(1123)},
 						kparams.FileViewBase: {Name: kparams.FileViewBase, Type: kparams.Address, Value: uint64(0x7f3e1000)},
+						kparams.FileViewSize: {Name: kparams.FileViewSize, Type: kparams.Uint64, Value: uint64(12333)},
 						kparams.MemProtect:   {Name: kparams.MemProtect, Type: kparams.Flags, Value: uint32(kevent.SectionRX), Flags: kevent.ViewProtectionFlags},
 					},
 					Metadata: make(map[kevent.MetadataKey]any),
@@ -828,6 +830,7 @@ func TestScan(t *testing.T) {
 					Kparams: kevent.Kparams{
 						kparams.ProcessID:    {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(321321)},
 						kparams.FileViewBase: {Name: kparams.FileViewBase, Type: kparams.Address, Value: uint64(0x7ffe0000)},
+						kparams.FileViewSize: {Name: kparams.FileViewSize, Type: kparams.Uint64, Value: uint64(12333)},
 						kparams.MemProtect:   {Name: kparams.MemProtect, Type: kparams.Flags, Value: uint32(0x10000), Flags: kevent.ViewProtectionFlags},
 					},
 					Metadata: make(map[kevent.MetadataKey]any),
@@ -877,6 +880,7 @@ func TestScan(t *testing.T) {
 						kparams.ProcessID:    {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(1123)},
 						kparams.FileName:     {Name: kparams.FileName, Type: kparams.UnicodeString, Value: filepath.Join(os.Getenv("windir"), "regedit.exe")},
 						kparams.FileViewBase: {Name: kparams.FileViewBase, Type: kparams.Address, Value: uint64(0x7ffe0000)},
+						kparams.FileViewSize: {Name: kparams.FileViewSize, Type: kparams.Uint64, Value: uint64(12333)},
 						kparams.MemProtect:   {Name: kparams.MemProtect, Type: kparams.Flags, Value: uint32(kevent.SectionRWX), Flags: kevent.ViewProtectionFlags},
 					},
 					Metadata: make(map[kevent.MetadataKey]any),