Use the include directive to centralize common private rules

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

Author: egibs

rules/anti-behavior/random_behavior.yara

@@ -1,21 +1,6 @@
-import "math"
-
-private rule random_behavior_pythonSetup {
-  strings:
-    $if_distutils  = /from distutils.core import .{0,32}setup/
-    $if_setuptools = /from setuptools import .{0,32}setup/
-    $i_setuptools  = "import setuptools"
-    $setup         = "setup("
-
-    $not_setup_example = ">>> setup("
-    $not_setup_todict  = "setup(**config.todict()"
-    $not_import_quoted = "\"from setuptools import setup"
-    $not_setup_quoted  = "\"setup(name="
-    $not_distutils     = "from distutils.errors import"
+include "rules/global/global.yara"
 
-  condition:
-    filesize < 128KB and $setup and any of ($i*) and none of ($not*)
-}
+import "math"
 
 rule setuptools_random: critical {
   meta:
@@ -27,7 +12,7 @@ rule setuptools_random: critical {
     $not_easy_install = "pid = random.randint(0, sys.maxsize)"
 
   condition:
-    random_behavior_pythonSetup and $ref and none of ($not*)
+    python_setup and $ref and none of ($not*)
 }
 
 rule java_random: low {

rules/anti-static/elf/entropy.yara

@@ -1,14 +1,6 @@
-import "math"
-
-private rule normal_elf {
-  condition:
-    filesize < 64MB and uint32(0) == 1179403647
-}
+include "rules/global/global.yara"
 
-private rule small_elf {
-  condition:
-    filesize < 400KB and uint32(0) == 1179403647
-}
+import "math"
 
 rule higher_elf_entropy_68: medium {
   meta:

rules/anti-static/macho/entropy.yara

@@ -1,17 +1,14 @@
-import "math"
+include "rules/global/global.yara"
 
-private rule smaller_macho {
-  condition:
-    filesize < 64MB and (uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962)
-}
+import "math"
 
 rule higher_entropy_6_9: medium {
   meta:
     description = "higher entropy binary (>6.9)"
     filetypes   = "macho"
 
   condition:
-    smaller_macho and math.entropy(1, filesize) >= 6.9
+    small_macho and math.entropy(1, filesize) >= 6.9
 }
 
 rule high_entropy_7_2: high {
@@ -24,5 +21,5 @@ rule high_entropy_7_2: high {
     $bin_java = "bin/java"
 
   condition:
-    smaller_macho and math.entropy(1, filesize) >= 7.2 and not $bin_java
+    small_macho and math.entropy(1, filesize) >= 7.2 and not $bin_java
 }

rules/anti-static/macho/footer.yara

@@ -1,9 +1,6 @@
-import "math"
+include "rules/global/global.yara"
 
-private rule anti_static_macho {
-  condition:
-    (uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962 or uint32(0) == 3405691583 or uint32(0) == 3216703178)
-}
+import "math"
 
 rule high_entropy_trailer: high {
   meta:
@@ -15,5 +12,5 @@ rule high_entropy_trailer: high {
     $page_zero = "_PAGEZERO"
 
   condition:
-    filesize < 10MB and anti_static_macho and $page_zero and math.entropy(filesize - 1024, filesize - 1) >= 4
+    filesize < 10MB and macho and $page_zero and math.entropy(filesize - 1024, filesize - 1) >= 4
 }

rules/anti-static/packer/aes.yara

@@ -1,10 +1,6 @@
-import "math"
+include "rules/global/global.yara"
 
-private rule smallBinary {
-  condition:
-    // matches ELF or machO binary
-    filesize > 1MB and filesize < 8MB and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962)
-}
+import "math"
 
 rule go_aes: high {
   meta:
@@ -17,5 +13,5 @@ rule go_aes: high {
     $decrypt = "NewCFBDecrypter"
 
   condition:
-    smallBinary and math.entropy(1, filesize) >= 7 and all of them
+    small_binary and math.entropy(1, filesize) >= 7 and all of them
 }

rules/anti-static/unmarshal/marshal.yara

@@ -1,15 +1,6 @@
-import "math"
-
-private rule pySetup {
-  strings:
-    $i_distutils    = "from distutils.core import setup"
-    $i_setuptools   = "setuptools"
-    $setup          = "setup("
-    $not_setuptools = "setuptools.command"
+include "rules/global/global.yara"
 
-  condition:
-    filesize < 2097152 and $setup and any of ($i*) and none of ($not*)
-}
+import "math"
 
 rule unmarshal_py_marshal: medium {
   meta:
@@ -29,5 +20,5 @@ rule setuptools_py_marshal: suspicious {
     filetypes   = "py"
 
   condition:
-    pySetup and unmarshal_py_marshal
+    python_setup and unmarshal_py_marshal
 }

rules/c2/addr/ip.yara

@@ -1,3 +1,5 @@
+include "rules/global/global.yara"
+
 rule hardcoded_ip: medium {
   meta:
     description = "hardcoded IP address"
@@ -19,11 +21,6 @@ rule hardcoded_ip: medium {
     filesize < 200MB and 1 of ($sus_ip*) and none of ($not*)
 }
 
-private rule ip_elf_or_macho {
-  condition:
-    uint32(0) == 1179403647 or (uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962 or uint32(0) == 3405691583 or uint32(0) == 3216703178)
-}
-
 rule bin_hardcoded_ip: high {
   meta:
     description = "ELF with hardcoded IP address"
@@ -48,7 +45,7 @@ rule bin_hardcoded_ip: high {
     $not_2345              = "23.45.67.89"
 
   condition:
-    filesize < 12MB and ip_elf_or_macho and 1 of ($sus_ip*) and none of ($not*)
+    filesize < 12MB and elf_or_macho and 1 of ($sus_ip*) and none of ($not*)
 }
 
 rule http_hardcoded_ip: high exfil {

rules/c2/addr/url.yara

@@ -1,9 +1,6 @@
-import "math"
+include "rules/global/global.yara"
 
-private rule elf_or_macho {
-  condition:
-    uint32(0) == 1179403647 or (uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962 or uint32(0) == 3405691583 or uint32(0) == 3216703178)
-}
+import "math"
 
 rule unusual_nodename: medium {
   meta:

rules/c2/tool_transfer/download.yara

@@ -1,3 +1,5 @@
+include "rules/global/global.yara"
+
 rule download_sites: high {
   meta:
     ref         = "https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001"
@@ -113,12 +115,6 @@ rule http_archive_url: medium {
     any of ($ref*) and none of ($not*)
 }
 
-private rule smallerBinary {
-  condition:
-    // matches ELF or machO binary
-    filesize < 10MB and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962)
-}
-
 rule http_archive_url_higher: high {
   meta:
     description = "accesses hardcoded archive file endpoint"
@@ -129,5 +125,5 @@ rule http_archive_url_higher: high {
     $not_foo_bar = "http://foo/bar.tar"
 
   condition:
-    smallerBinary and any of ($ref*) and none of ($not*)
+    small_binary and any of ($ref*) and none of ($not*)
 }

rules/c2/tool_transfer/macos.yara

@@ -1,12 +1,4 @@
-private rule tool_transfer_macho {
-  strings:
-    $not_jar   = "META-INF/"
-    $not_dwarf = "_DWARF"
-    $not_kext  = "_.SYMDEF SORTED"
-
-  condition:
-    (uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962 or uint32(0) == 3405691583 or uint32(0) == 3216703178) and none of ($not*)
-}
+include "rules/global/global.yara"
 
 rule macos_chflags_hidden: critical {
   meta:
@@ -38,5 +30,5 @@ rule cocoa_bundle_dropper: critical {
     $platform = "isPlatformOrVariantPlatformVersionAtLeast" fullword
 
   condition:
-    tool_transfer_macho and $shared and 5 of them
+    specific_macho and $shared and 5 of them
 }