Fix up tests

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

Author: egibs

pkg/programkind/programkind_test.go

@@ -49,7 +49,7 @@ func TestPath(t *testing.T) {
 		{"/etc/systemd/system/launcher.service", &FileType{MIME: "text/x-systemd", Ext: "service"}},
 		{"yarn-package.json", &FileType{MIME: "application/json", Ext: "json"}},
 		{"/home/yeti/.hidden/package.json", &FileType{MIME: "application/json", Ext: "json"}},
-		{"unknown.json", nil},
+		{"unknown.json", &FileType{MIME: "application/json", Ext: "json"}},
 	}
 	for _, tt := range tests {
 		t.Run(tt.in, func(t *testing.T) {

pkg/report/report.go

@@ -365,7 +365,7 @@ func TrimPrefixes(path string, prefixes []string) string {
 	return path
 }
 
-// fileMatchesRules checks the scanned file's type against a rule's defined filetypes
+// fileMatchesRules checks the scanned file's type against a rule's defined filetypes.
 func fileMatchesRule(meta []yarax.Metadata, mime string) bool {
 	for _, m := range meta {
 		if m.Identifier() == "filetypes" {

rules/c2/tool_transfer/download.yara

@@ -26,6 +26,7 @@ rule download_sites: high {
     $not_manual      = "manually upload"
     $not_paste_go    = "paste.go"
     $not_netlify     = "netlify.app"
+    $not_misp_galaxy = "misp-galaxy:"
 
   condition:
     any of ($d_*) and none of ($not*)
@@ -56,8 +57,10 @@ rule pastebin: medium {
   strings:
     $d_pastebin = /[\w\.]{1,128}astebin[\w\.\/]{1,128}/
 
+    $not_misp_galaxy = "misp-galaxy:"
+
   condition:
-    any of ($d_*)
+    any of ($d_*) and none of ($not*)
 }
 
 rule program_dropper_url: medium {

rules/c2/tool_transfer/exe_url.yara

@@ -5,6 +5,7 @@ rule http_url_with_exe: high {
   strings:
     $exe_url         = /https*:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.exe/
     $not_mongodb_404 = "https://docs.mongodb.com/manual/reference/method/Bulk.exe"
+    $not_elastic     = "\"license\": \"Elastic License v2\""
 
   condition:
     any of ($exe*) and none of ($not*)
@@ -17,8 +18,10 @@ rule http_ip_url_with_exe: critical {
   strings:
     $exe_url = /https*:\/\/[\d\.\:\[\]]{8,64}[:\/\w\_\-\?\@=]{6,160}\.exe/
 
+    $not_elastic = "\"license\": \"Elastic License v2\""
+
   condition:
-    any of ($exe*)
+    any of ($exe*) and none of ($not*)
 }
 
 rule http_url_with_msi: high {
@@ -28,8 +31,10 @@ rule http_url_with_msi: high {
   strings:
     $exe_url = /https*:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.msi/
 
+    $not_elastic = "\"license\": \"Elastic License v2\""
+
   condition:
-    any of ($exe*)
+    any of ($exe*) and none of ($not*)
 }
 
 rule http_ip_url_with_msi: critical {
@@ -39,8 +44,10 @@ rule http_ip_url_with_msi: critical {
   strings:
     $exe_url = /https*:\/\/[\d\.\:\[\]]{8,64}[:\/\w\_\-\?\@=]{6,160}\.msi/
 
+    $not_elastic = "\"license\": \"Elastic License v2\""
+
   condition:
-    any of ($exe*)
+    any of ($exe*) and none of ($not*)
 }
 
 rule http_url_with_powershell: high {
@@ -50,8 +57,10 @@ rule http_url_with_powershell: high {
   strings:
     $exe_url = /https*:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.ps1/
 
+    $not_elastic = "\"license\": \"Elastic License v2\""
+
   condition:
-    any of ($exe*)
+    any of ($exe*) and none of ($not*)
 }
 
 rule http_ip_url_with_powershell: critical {
@@ -61,6 +70,8 @@ rule http_ip_url_with_powershell: critical {
   strings:
     $exe_url = /https*:\/\/[\d\.\:\[\]]{8,64}[:\/\w\_\-\?\@=]{6,160}\.ps1/
 
+    $not_elastic = "\"license\": \"Elastic License v2\""
+
   condition:
-    any of ($exe*)
+    any of ($exe*) and none of ($not*)
 }

rules/exfil/discord.yara

@@ -3,23 +3,23 @@ rule discord_bot: high {
     description = "Uses the Discord webhooks API"
 
   strings:
-    $webhook_endpoint = /discordapp.com\/api\/webhooks[\/\d]{0,32}/
+    $webhook_endpoint  = /discordapp.com\/api\/webhooks[\/\d]{0,32}/
     $webhook_endpoint2 = /discord.com\/api\/webhooks[\/\d]{0,32}/
-    $l_discordjs = "discord.js"
-    $l_discord4j = "discord4j"
-    $l_discordgo = "discordgo"
-    $l_discord = "import discord"
-    $l_disnake = "import disnake"
-    $l_hikari = "import hikari"
-    $l_interactions = "import interactions"
-    $l_nextcord = "import nextcord"
-    $l_jda = "net.dv8tion:JDA"
-    $l_discordia = "discordia"
-    $l_eris = /require\(("|')eris("|')\);/
-    $l_oceanic = /require\(("|')oceanic.js("|')\);/
-    $l_discordphp = "use Discord\\Discord;"
+    $l_discordjs       = "discord.js"
+    $l_discord4j       = "discord4j"
+    $l_discordgo       = "discordgo"
+    $l_discord         = "import discord"
+    $l_disnake         = "import disnake"
+    $l_hikari          = "import hikari"
+    $l_interactions    = "import interactions"
+    $l_nextcord        = "import nextcord"
+    $l_jda             = "net.dv8tion:JDA"
+    $l_discordia       = "discordia"
+    $l_eris            = /require\(("|')eris("|')\);/
+    $l_oceanic         = /require\(("|')oceanic.js("|')\);/
+    $l_discordphp      = "use Discord\\Discord;"
 
-    $not_pypi_index = /\"index_date\":\"\d{4}-\d{2}\d{2}\"/
+    $not_pypi_index  = /\"index_date\":\"\d{4}-\d{2}\d{2}\"/
     $not_pypi_index2 = "\"package_names\""
 
   condition:

rules/impact/remote_access/botnet.yara

@@ -28,10 +28,11 @@ rule botnet_high: high {
     description = "References a 'botnet'"
 
   strings:
-    $bot_deployed  = "bot deployed"
-    $botnet        = "Botnet"
-    $not_phishing  = "phishing"
-    $not_keylogger = "keylogger"
+    $bot_deployed                = "bot deployed"
+    $botnet                      = "Botnet"
+    $not_phishing                = "phishing"
+    $not_keylogger               = "keylogger"
+    $not_wikiticker_contribution = "Undid revision 680586363 by"
 
   condition:
     filesize < 20MB and any of ($bot*) and none of ($not*)

rules/impact/remote_access/reverse_shell.yara

@@ -9,6 +9,7 @@ rule reverse_shell: high {
     $r_reverse_space_shell  = "reverse shell" nocase fullword
     $r_revshell             = "revshell"
     $r_stdin_redir          = "0>&1" fullword
+    $not_elastic    = "\"license\": \"Elastic License v2\""
     $not_ref_1              = "reverse shellConf"
     $not_ref_2              = "reverse shellshare"
     $not_pypi_index         = "testpack-id-lb001"
@@ -27,6 +28,7 @@ rule possible_reverse_shell: medium {
     $sh_bash   = "/bin/bash"
     $sh        = "/bin/sh"
 
+    $not_elastic    = "\"license\": \"Elastic License v2\""
     $not_uc2        = "ucs2reverse"
     $not_pypi_index = "testpack-id-lb001"
 

tests/linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json.simple

@@ -1,6 +1,5 @@
-# linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json: high
+# linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json: medium
 3P/sig_base/hacktool_strings_p0wnedshell: low
-c2/tool_transfer/exe_url: high
 c2/tool_transfer/os: low
 exec/shell/power: medium
 impact/infection/infected: medium

tests/linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json.simple

@@ -1,6 +1,5 @@
-# linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json: high
+# linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json: medium
 3P/sig_base/p0wnedpotato: low
-c2/tool_transfer/exe_url: high
 c2/tool_transfer/os: low
 exec/shell/power: medium
 net/download: medium

tests/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json.simple

@@ -1,7 +1,6 @@
-# linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json: high
+# linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json: medium
 3P/sig_base/hacktool_strings_p0wnedshell: low
 c2/addr/url: medium
-c2/tool_transfer/exe_url: high
 c2/tool_transfer/os: low
 credential/password: low
 exec/shell/power: medium