chore(rules): 2026/04/16 FPR (#1473)

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

Author: egibs

rules/exec/install_additional/pip_install.yara

@@ -61,6 +61,7 @@ rule pip_installer_url: critical {
     $not_langchain_comment1 = "Please install the exllamav2 library with (cuda 12.1 is required)"
     $not_langchain_comment2 = "example : "
     $not_langchain_comment3 = "\"!python -m pip install https://github.com/turboderp/exllamav2/releases/download/v0.0.12/exllamav2-0.0.12+cu121-cp311-cp311-linux_x86_64.whl\""
+    $not_mlflow_docker      = "from mlflow.environment_variables import MLFLOW_DOCKER_OPENJDK_VERSION"
 
   condition:
     filesize < 8192 and $ref and none of ($not*) and (hash.sha256(0, filesize) != "f6a373322759ccc2736fb25d25d8c402dfe16b5d9a57cfccb1ca8cb136e09663")

rules/false_positives/ansible.yara

@@ -14,3 +14,16 @@ rule ansible_override: override {
   condition:
     $ansible and ($async or $become)
 }
+
+rule ansible_report_coverage: override {
+  meta:
+    description       = "report-coverage.sh from Ansible collections CI scripts"
+    pip_installer_url = "low"
+
+  strings:
+    $coverage  = "ansible-test coverage xml"
+    $pipelines = "Generate code coverage reports for uploading to Azure Pipelines"
+
+  condition:
+    filesize < 2048 and all of them
+}

rules/false_positives/bento.yara

@@ -4,9 +4,9 @@ rule bento_bin: override {
     CAPE_Nitrogenloader = "harmless"
 
   strings:
-    $golang = /(google.){0,1}golang.org/
-    $repo   = "github.com/warpstreamlabs/bento"
+    $go_module = "github.com/warpstreamlabs/bento/cmd/bento"
+    $go_pkg    = "github.com/warpstreamlabs/bento/public/service"
 
   condition:
-    filesize < 250MB and #golang > 38000 and #repo > 21000
+    filesize > 200MB and filesize < 300MB and all of them
 }

rules/false_positives/couchdb.yara

@@ -0,0 +1,15 @@
+rule couchdb_doc: override {
+  meta:
+    description           = "/usr/share/couchdb/share/docs/couchdb.1"
+    exotic_tld            = "low"
+    download_sites        = "low"
+    selinux_disable_val   = "low"
+    chmod_group_writeable = "low"
+
+  strings:
+    $apache_couchdb = "Apache CouchDB"
+    $man_header     = "APACHECOUCHDB"
+
+  condition:
+    filesize > 500000 and filesize < 3000000 and all of them
+}

rules/false_positives/fastfetch.yara

@@ -1,13 +1,15 @@
 rule fastfetch_override: override {
   meta:
-    description     = "/usr/bin/fastfetch"
-    proc_d_cmdline  = "medium"
-    proc_d_exe_high = "medium"
+    description       = "/usr/bin/fastfetch, /usr/bin/flashfetch"
+    proc_d_cmdline    = "medium"
+    proc_d_exe_high   = "medium"
+    multiple_gcc      = "harmless"
+    multiple_gcc_high = "medium"
 
   strings:
     $fastfetch = "fastfetch/packages/%s.txt"
     $repo      = "https://github.com/fastfetch-cli/fastfetch"
 
   condition:
-    any of them
+    filesize < 5MB and any of them
 }

rules/false_positives/gemini_cli.yara

@@ -3,14 +3,16 @@ rule gemini_cli_third_party: override {
     description                 = "gemini-cli bundled third-party npm dependencies"
     exotic_tld                  = "low"
     iplookup_website            = "low"
+    geoip_website_value         = "low"
     browser_extension_installer = "low"
     obfuscated_payload          = "low"
+    load_agent_with_payload     = "low"
     bash_persist                = "low"
     bash_persist_persistent     = "low"
 
   strings:
-    $gemini_module = "@google/gemini-cli"
-    $gemini_core   = "gemini-cli-core"
+    $lighthouse = "lighthouse-devtools-mcp-bundle.js"
+    $entities   = "entities-nostats.json"
 
   condition:
     filesize < 100MB and all of them

rules/false_positives/grub.yara

@@ -1,6 +1,6 @@
 rule grub_boot_images: override {
   meta:
-    description     = "GRUB i386-pc boot images"
+    description     = "GRUB i386-pc boot images (boot.image, boot_hybrid.image)"
     single_load_rwe = "medium"
 
   strings:
@@ -9,3 +9,55 @@ rule grub_boot_images: override {
   condition:
     filesize < 64KB and $grub
 }
+
+rule grub_cdboot_image: override {
+  meta:
+    description     = "GRUB i386-pc CD boot image"
+    single_load_rwe = "medium"
+
+  strings:
+    $cdrom_fail = "cdrom read fails"
+    $no_boot    = "no boot info"
+
+  condition:
+    filesize < 8KB and all of them
+}
+
+rule grub_diskboot_image: override {
+  meta:
+    description     = "GRUB i386-pc disk boot image"
+    single_load_rwe = "medium"
+
+  strings:
+    $blocklist    = "blocklist_default_start"
+    $notification = "notification_string"
+
+  condition:
+    filesize < 8KB and all of them
+}
+
+rule grub_lnxboot_image: override {
+  meta:
+    description     = "GRUB i386-pc Linux boot image"
+    single_load_rwe = "medium"
+
+  strings:
+    $move_mem = "move memory fails"
+    $setup    = "setup_sects"
+
+  condition:
+    filesize < 8KB and all of them
+}
+
+rule grub_pxeboot_image: override {
+  meta:
+    description     = "GRUB i386-pc PXE boot image"
+    single_load_rwe = "medium"
+
+  strings:
+    // PXE boot stub: mov dl,0x7f followed by far jump to 0x0000:0x8200
+    $pxe_entry = { b2 7f ea 00 82 00 00 }
+
+  condition:
+    filesize < 4096 and $pxe_entry
+}

rules/false_positives/keep.yara

@@ -0,0 +1,14 @@
+rule keep_ui_tweetnacl: override {
+  meta:
+    description                  = "keep-ui Next.js server chunk containing bundled tweetnacl crypto library"
+    from_secret_key              = "low"
+    unsigned_bitwise_math_excess = "low"
+
+  strings:
+    $nacl_box_keypair = "crypto_box_keypair"
+    $nacl_secretbox   = "nacl.secretbox"
+    $sentry           = "_sentryDebugIds"
+
+  condition:
+    filesize < 1048576 and all of them
+}

rules/false_positives/kibana.yara

@@ -34,6 +34,21 @@ rule security_solution_plugin: override {
     filesize < 5MB and all of ($license*) and $security_solution and ($jsonp or $xpac)
 }
 
+rule security_solution_prepackaged_rules_index: override {
+  meta:
+    description     = "prepackaged_rules/index.js"
+    backdoor_likely = "low"
+    reverse_shell   = "low"
+    ssh_backdoor    = "low"
+
+  strings:
+    $elastic_copyright = "Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V."
+    $raw_rules         = "exports.rawRules"
+
+  condition:
+    filesize < 200KB and all of them
+}
+
 rule security_detection_engine: override {
   meta:
     casing_obfuscation                          = "low"

rules/false_positives/knative.yara

@@ -9,3 +9,17 @@ rule kobalos_override: override {
   condition:
     (hash.sha256(0, filesize) == "572235f7943a8bab5377ed94c9dbdd8c2471e08e19ff6bc1edd0f1f3680ab25d")
 }
+
+rule knative_eventing_ingress: override {
+  meta:
+    description                        = "knative-eventing ingress binary"
+    ESET_Kobalos                       = "harmless"
+    SIGNATURE_BASE_APT_MAL_LNX_Kobalos = "harmless"
+
+  strings:
+    $knative_eventing = "knative.dev/eventing"
+    $ingress_module   = "knative.dev/eventing/cmd/broker/ingress"
+
+  condition:
+    filesize < 100MB and all of them
+}