2025/06/02 false positive reduction (#976)

* 2025/06/02 false positive reduction

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

Author: egibs

rules/anti-behavior/blocklist/user.yara

@@ -37,6 +37,9 @@ rule common_username_block_list: critical {
     $ = "test" fullword
     $ = "w0fjuOVmCcP5A" fullword
 
+    $not_grafana1  = "self.webpackChunkgrafana=self.webpackChunkgrafana||[]"
+    $not_grafana2  = "The Grafana LLM plugin is not installed."
+    $not_grafana3  = "grafana.debug.scenes"
     $not_jitsu     = "jitsu.com"
     $not_redpanda  = "redpanda"
     $not_wireshark = "wireshark.org"

rules/anti-static/obfuscation/bitwise.yara

@@ -173,7 +173,7 @@ rule bidirectional_bitwise_math_php: high {
     filesize < 192KB and all of them
 }
 
-rule bitwise_obfuscation: critical {
+rule bitwise_obfuscation: high {
   meta:
     description = "uses bitwise math to obfuscate code"
     ref         = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection"

rules/anti-static/obfuscation/padding.yara

@@ -5,8 +5,11 @@ rule msxml2_http: critical {
   strings:
     $a = /M.{0,48}S.{0,48}X.{0,48}M.{0,48}L.{0,48}2.{0,48}\.X.{0,48}M.{0,48}L.{0,48}H.{0,48}T.{0,48}T.{0,48}P.{0,48}/
 
+    $not_i18next1 = "i18nextHttpBackend"
+    $not_i18next2 = "u[\"User-Agent\"]=\"i18next-http-backend (node/\".concat(S.process.version,\"; \")"
+
   condition:
-    filesize < 128KB and $a and !a > 32
+    filesize < 128KB and $a and !a > 32 and none of ($not*)
 }
 
 rule obfuscation_base64_str_replace: medium {

rules/anti-static/obfuscation/url.yara

@@ -1,6 +1,6 @@
 import "math"
 
-rule decode_url_component_char_code: critical {
+rule decode_url_component_char_code: high {
   meta:
     description = "decodes obfuscated URL components"
     filetypes   = "js,ts"

rules/exec/remote_commands/code_eval.yara

@@ -46,8 +46,10 @@ rule js_eval_response: critical {
   strings:
     $val = /eval\(\w{0,16}\.responseText\)/
 
+    $not_ejs = /EJS\.|EJS=/
+
   condition:
-    filesize < 1MB and any of ($val*)
+    filesize < 1MB and any of ($val*) and not #not_ejs > 0
 }
 
 rule js_eval_near_enough_fromChar: medium {

rules/false_positives/socat.yara

@@ -0,0 +1,14 @@
+rule socat_override: override {
+  meta:
+    description                   = "usr/bin/socat1"
+    SEKOIA_Hacktool_Socat_Strings = "high"
+
+  strings:
+    $socat1 = "socat by Gerhard Rieger and contributors - see www.dest-unreach.org"
+    $socat2 = "/tmp/socat-bind.XXXXXX"
+    $socat3 = "copyright_socat"
+    $socat4 = "socat_"
+
+  condition:
+    all of them
+}

rules/false_positives/sonarqube.yara

@@ -15,8 +15,9 @@ rule sonarqube_tutorial_app: override {
 
 rule sonar_analyzer_override: override {
   meta:
-    description                = "SonarQube SonarAnalyzer.CSharp.dll"
-    COD3NYM_Reactor_Indicators = "medium"
+    description                                   = "SonarQube SonarAnalyzer.CSharp.dll"
+    COD3NYM_Reactor_Indicators                    = "medium"
+    COD3NYM_SUSP_OBF_NET_Reactor_Indicators_Jan24 = "medium"
 
   strings:
     $ = "SonarAnalyzer" fullword

rules/false_positives/sqlmap.yara

@@ -0,0 +1,15 @@
+rule sqlmap_override: override {
+  meta:
+    description                                 = "metasploit.py"
+    SIGNATURE_BASE_HKTL_Sqlmap                  = "high"
+    SIGNATURE_BASE_Hacktool_Strings_P0Wnedshell = "high"
+
+  strings:
+    $sqlmap1 = "Copyright (c) 2006-2025 sqlmap developers (https://sqlmap.org/)"
+    $sqlmap2 = "Visit 'https://github.com/sqlmapproject/sqlmap/#installation' for further details"
+    $sqlmap3 = /SqlmapBaseException|SqlmapDataException|SqlmapFilePathException|SqlmapShellQuitException|SqlmapSilentQuitException|SqlmapUserQuitException/
+    $sqlmap4 = "if \"sqlmap.sqlmap\" in sys.modules"
+
+  condition:
+    all of them
+}

rules/persist/ssh_authorized_keys.yara

@@ -24,8 +24,9 @@ rule ssh_authorized_key_append: critical {
     $append  = "appendFile"
     $ssh_rsa = /ssh-[dr]sa [\w\+\/\=]{0,1024} [\w\-\.]{0,32}\@[\w\.\-]{1,64}/
 
-    $not_ssh_client = "SSH_AUTH_SOCK"
-    $not_example    = "/home/user/.ssh/authorized_keys"
+    $not_ssh_client  = "SSH_AUTH_SOCK"
+    $not_example     = "/home/user/.ssh/authorized_keys"
+    $not_example_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCsTcryUl51Q2VSEHqDRNmceUFo55ZtcIwxl2QITbN1RREti5ml/VTytC0yeBOvnZA4x4CFpdw/lCDPk0yrH9Ei5vVkXmOrExdTlT3qI7YaAzj1tUVlBd4S6LX1F7y6VLActvdHuDDuXZXzCDd/97420jrDfWZqJMlUK/EmCE5ParCeHIRIvmBxcEnGfFIsw8xQZl0HphxWOtJil8qsUWSdMyCiJYYQpMoMliO99X40AUc4/AlsyPyT5ddbKk08YrZ+rKDVHF7o29rh4vi5MmHkVgVQHKiKybWlHq+b71gIAUQk9wrJxD+dqt4igrmDSpIjfjwnd+l5UIn5fJSO5DYV4YT/4hwK7OKmuo7OFHD0WyY5YnkYEMtFgzemnRBdE8ulcT60DQpVgRMXFWHvhyCWy0L6sgj1QWDZlLpvsIvNfHsyhKFMG1frLnMt/nP0+YCcfg+v1JYeCKjeoJxB8DWcRBsjzItY0CGmzP8UYZiYKl/2u+2TgFS5r7NWH11bxoUzjKdaa1NLw+ieA8GlBFfCbfWe6YVB9ggUte4VtYFMZGxOjS2bAiYtfgTKFJv+XqORAwExG6+G2eDxIDyo80/OA9IG7Xv/jwQr7D6KDjDuULFcN/iTxuttoKrHeYz1hf5ZQlBdllwJHYx6fK2g8kha6r2JIQKocvsAXiiONqSfw== hello@world.com"
 
   condition:
     all of ($ssh*) and $append and none of ($not*)

tests/npm/2024.testerrrrrrrrrr/init.js.simple

@@ -2,7 +2,7 @@
 anti-static/obfuscation/bool: medium
 anti-static/obfuscation/hex: medium
 anti-static/obfuscation/js: high
-anti-static/obfuscation/url: critical
+anti-static/obfuscation/url: high
 c2/addr/server: medium
 data/encoding/int: medium
 data/encoding/url: medium