2025/06/02 false positive reduction

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

Author: egibs

rules/anti-behavior/blocklist/user.yara

@@ -37,6 +37,9 @@ rule common_username_block_list: critical {
     $ = "test" fullword
     $ = "w0fjuOVmCcP5A" fullword
 
+    $not_grafana1 = "self.webpackChunkgrafana=self.webpackChunkgrafana||[]"
+    $not_grafana2 = "The Grafana LLM plugin is not installed."
+    $not_grafana3 = "grafana.debug.scenes"
     $not_jitsu     = "jitsu.com"
     $not_redpanda  = "redpanda"
     $not_wireshark = "wireshark.org"

rules/anti-static/obfuscation/bitwise.yara

@@ -188,6 +188,17 @@ rule bitwise_obfuscation: critical {
     $f_substr  = "substr("
     $f_ord     = "ord("
 
+    $not_phpseclib1 = "http://phpseclib.sourceforge.net"
+    $not_phpseclib2 = "Pure-PHP PKCS#1 (v2.1) compliant implementation of RSA."
+    $not_phpseclib3 = "Pure-PHP ASN.1 Parser"
+    $not_phpseclib4 = "Pure-PHP arbitrary precision integer arithmetic library."
+    $not_phpseclib5 = "Pure-PHP implementation of SFTP."
+    $not_phpseclib6 = "Pure-PHP implementation of SSHv2."
+    $not_symfony1 = "This file is part of the Symfony package."
+    $not_symfony2 = "(c) Fabien Potencier <fabien@symfony.com>"
+    $not_voku1 = "namespace voku\\helper;"
+    $not_voku2 = "final class ASCII"
+
   condition:
-    filesize < 192KB and $php and any of ($bit*) and 3 of ($f*)
+    filesize < 192KB and $php and any of ($bit*) and 3 of ($f*) and none of ($not*)
 }

rules/anti-static/obfuscation/padding.yara

@@ -5,8 +5,11 @@ rule msxml2_http: critical {
   strings:
     $a = /M.{0,48}S.{0,48}X.{0,48}M.{0,48}L.{0,48}2.{0,48}\.X.{0,48}M.{0,48}L.{0,48}H.{0,48}T.{0,48}T.{0,48}P.{0,48}/
 
+    $not_i18next1 = "i18nextHttpBackend"
+    $not_i18next2 = "u[\"User-Agent\"]=\"i18next-http-backend (node/\".concat(S.process.version,\"; \")"
+
   condition:
-    filesize < 128KB and $a and !a > 32
+    filesize < 128KB and $a and !a > 32 and none of ($not*)
 }
 
 rule obfuscation_base64_str_replace: medium {

rules/anti-static/obfuscation/url.yara

@@ -1,6 +1,6 @@
 import "math"
 
-rule decode_url_component_char_code: critical {
+rule decode_url_component_char_code: high {
   meta:
     description = "decodes obfuscated URL components"
     filetypes   = "js,ts"

rules/exec/remote_commands/code_eval.yara

@@ -46,8 +46,10 @@ rule js_eval_response: critical {
   strings:
     $val = /eval\(\w{0,16}\.responseText\)/
 
+    $not_ejs = /EJS\.|EJS=/
+
   condition:
-    filesize < 1MB and any of ($val*)
+    filesize < 1MB and any of ($val*) and not #not_ejs > 0
 }
 
 rule js_eval_near_enough_fromChar: medium {

rules/false_positives/socat.yara

@@ -0,0 +1,12 @@
+rule socat_override: override {
+  meta:
+    description = "usr/bin/socat1"
+    SEKOIA_Hacktool_Socat_Strings = "high"
+  strings:
+    $socat1 = "socat by Gerhard Rieger and contributors - see www.dest-unreach.org"
+    $socat2 = "/tmp/socat-bind.XXXXXX"
+    $socat3 = "copyright_socat"
+    $socat4 = "socat_"
+  condition:
+    all of them
+}

rules/false_positives/sonarqube.yara

@@ -17,6 +17,7 @@ rule sonar_analyzer_override: override {
   meta:
     description                = "SonarQube SonarAnalyzer.CSharp.dll"
     COD3NYM_Reactor_Indicators = "medium"
+    COD3NYM_SUSP_OBF_NET_Reactor_Indicators_Jan24 = "medium"
 
   strings:
     $ = "SonarAnalyzer" fullword

rules/false_positives/sqlmap.yara

@@ -0,0 +1,13 @@
+rule sqlmap_override: override {
+  meta:
+    description = "metasploit.py"
+    SIGNATURE_BASE_HKTL_Sqlmap = "high"
+    SIGNATURE_BASE_Hacktool_Strings_P0Wnedshell = "high"
+  strings:
+    $sqlmap1 = "Copyright (c) 2006-2025 sqlmap developers (https://sqlmap.org/)"
+    $sqlmap2 = "Visit 'https://github.com/sqlmapproject/sqlmap/#installation' for further details"
+    $sqlmap3 = /SqlmapBaseException|SqlmapDataException|SqlmapFilePathException|SqlmapShellQuitException|SqlmapSilentQuitException|SqlmapUserQuitException/
+    $sqlmap4 = "if \"sqlmap.sqlmap\" in sys.modules"
+  condition:
+    all of them
+}

rules/persist/ssh_authorized_keys.yara

@@ -26,6 +26,7 @@ rule ssh_authorized_key_append: critical {
 
     $not_ssh_client = "SSH_AUTH_SOCK"
     $not_example    = "/home/user/.ssh/authorized_keys"
+    $not_example_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCsTcryUl51Q2VSEHqDRNmceUFo55ZtcIwxl2QITbN1RREti5ml/VTytC0yeBOvnZA4x4CFpdw/lCDPk0yrH9Ei5vVkXmOrExdTlT3qI7YaAzj1tUVlBd4S6LX1F7y6VLActvdHuDDuXZXzCDd/97420jrDfWZqJMlUK/EmCE5ParCeHIRIvmBxcEnGfFIsw8xQZl0HphxWOtJil8qsUWSdMyCiJYYQpMoMliO99X40AUc4/AlsyPyT5ddbKk08YrZ+rKDVHF7o29rh4vi5MmHkVgVQHKiKybWlHq+b71gIAUQk9wrJxD+dqt4igrmDSpIjfjwnd+l5UIn5fJSO5DYV4YT/4hwK7OKmuo7OFHD0WyY5YnkYEMtFgzemnRBdE8ulcT60DQpVgRMXFWHvhyCWy0L6sgj1QWDZlLpvsIvNfHsyhKFMG1frLnMt/nP0+YCcfg+v1JYeCKjeoJxB8DWcRBsjzItY0CGmzP8UYZiYKl/2u+2TgFS5r7NWH11bxoUzjKdaa1NLw+ieA8GlBFfCbfWe6YVB9ggUte4VtYFMZGxOjS2bAiYtfgTKFJv+XqORAwExG6+G2eDxIDyo80/OA9IG7Xv/jwQr7D6KDjDuULFcN/iTxuttoKrHeYz1hf5ZQlBdllwJHYx6fK2g8kha6r2JIQKocvsAXiiONqSfw== hello@world.com"
 
   condition:
     all of ($ssh*) and $append and none of ($not*)

tests/npm/2024.testerrrrrrrrrr/init.js.simple

@@ -2,7 +2,7 @@
 anti-static/obfuscation/bool: medium
 anti-static/obfuscation/hex: medium
 anti-static/obfuscation/js: high
-anti-static/obfuscation/url: critical
+anti-static/obfuscation/url: high
 c2/addr/server: medium
 data/encoding/int: medium
 data/encoding/url: medium