Allow echo_decode_bash* to execute on larger files (#924)

tstromberg · web-flow · commit 46a3dd921a60 · 2025-05-13T21:22:49.000-07:00
diff --git a/rules/anti-static/base64/exec.yara b/rules/anti-static/base64/exec.yara
@@ -67,7 +67,7 @@ rule echo_decode_bash: critical {
     $redir = /base64 {0,2}(-d|--decode) {0,2}\>.{0,16}[\;\&]\s{0,2}(bash|zsh|sh)/ fullword
 
   condition:
-    filesize < 256KB and any of them
+    filesize < 10MB and any of them
 }
 
 import "math"
@@ -81,7 +81,7 @@ rule echo_decode_bash_probable: high {
     $shell  = /(bash|zsh|sh)/ fullword
 
   condition:
-    filesize < 256KB and any of them and (@shell[#shell] - @decode[#decode]) < 32 and (@shell[#shell] - @decode[#decode]) > 0
+    filesize < 3MB and any of them and (@shell[#shell] - @decode[#decode]) < 32 and (@shell[#shell] - @decode[#decode]) > 0
 }
 
 rule ruby_system_near_enough: critical {

Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,7 @@ rule echo_decode_bash: critical {`
`67`	`67`	`$redir = /base64 {0,2}(-d\|--decode) {0,2}\>.{0,16}[\;\&]\s{0,2}(bash\|zsh\|sh)/ fullword`
`68`	`68`
`69`	`69`	`condition:`
`70`		`- filesize < 256KB and any of them`
	`70`	`+ filesize < 10MB and any of them`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`import "math"`
`@@ -81,7 +81,7 @@ rule echo_decode_bash_probable: high {`
`81`	`81`	`$shell = /(bash\|zsh\|sh)/ fullword`
`82`	`82`
`83`	`83`	`condition:`
`84`		`- filesize < 256KB and any of them and (@shell[#shell] - @decode[#decode]) < 32 and (@shell[#shell] - @decode[#decode]) > 0`
	`84`	`+ filesize < 3MB and any of them and (@shell[#shell] - @decode[#decode]) < 32 and (@shell[#shell] - @decode[#decode]) > 0`
`85`	`85`	`}`
`86`	`86`
`87`	`87`	`rule ruby_system_near_enough: critical {`