diff --git a/rules/exec/install_additional/pip_install.yara b/rules/exec/install_additional/pip_install.yara
index 9e1019881..e58f63edd 100644
--- a/rules/exec/install_additional/pip_install.yara
+++ b/rules/exec/install_additional/pip_install.yara
@@ -61,6 +61,7 @@ rule pip_installer_url: critical {
     $not_langchain_comment1 = "Please install the exllamav2 library with (cuda 12.1 is required)"
     $not_langchain_comment2 = "example : "
     $not_langchain_comment3 = "\"!python -m pip install https://github.com/turboderp/exllamav2/releases/download/v0.0.12/exllamav2-0.0.12+cu121-cp311-cp311-linux_x86_64.whl\""
+    $not_mlflow_docker = "from mlflow.environment_variables import MLFLOW_DOCKER_OPENJDK_VERSION"
 
   condition:
     filesize < 8192 and $ref and none of ($not*) and (hash.sha256(0, filesize) != "f6a373322759ccc2736fb25d25d8c402dfe16b5d9a57cfccb1ca8cb136e09663")
diff --git a/rules/false_positives/ansible.yara b/rules/false_positives/ansible.yara
index 64f12a192..1ca13fcb4 100644
--- a/rules/false_positives/ansible.yara
+++ b/rules/false_positives/ansible.yara
@@ -14,3 +14,16 @@ rule ansible_override: override {
   condition:
     $ansible and ($async or $become)
 }
+
+rule ansible_report_coverage: override {
+  meta:
+    description = "report-coverage.sh from Ansible collections CI scripts"
+    pip_installer_url = "low"
+
+  strings:
+    $coverage = "ansible-test coverage xml"
+    $pipelines = "Generate code coverage reports for uploading to Azure Pipelines"
+
+  condition:
+    filesize < 2048 and all of them
+}
diff --git a/rules/false_positives/bento.yara b/rules/false_positives/bento.yara
index 55333203c..98eb2fe5d 100644
--- a/rules/false_positives/bento.yara
+++ b/rules/false_positives/bento.yara
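Review bot: The new `$not_mlflow_docker` exclusion is a single plain import line, and because the condition is `none of ($not*)`, that one line anywhere in a file under 8 KiB suppresses this critical rule entirely, with nothing else tying the exclusion to MLflow's Docker tooling. The same commit handles the comparable Ansible case differently, with a scoped `ansible_report_coverage` override that requires two anchors and lowers the finding to `low` rather than removing it; the MLflow case could follow that pattern, or at minimum pair the import with a second string from the same file. The enclosing `pip_installer_url` rule starts outside the hunk, so the full `$not*` list and `$ref` definition cannot be checked here.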
@@ -4,9 +4,9 @@ rule bento_bin: override {
     CAPE_Nitrogenloader = "harmless"
 
   strings:
-    $golang = /(google.){0,1}golang.org/
-    $repo = "github.com/warpstreamlabs/bento"
+    $go_module = "github.com/warpstreamlabs/bento/cmd/bento"
+    $go_pkg = "github.com/warpstreamlabs/bento/public/service"
 
   condition:
-    filesize < 250MB and #golang > 38000 and #repo > 21000
+    filesize > 200MB and filesize < 300MB and all of them
 }
diff --git a/rules/false_positives/couchdb.yara b/rules/false_positives/couchdb.yara
new file mode 100644
index 000000000..28a53b27d
--- /dev/null
+++ b/rules/false_positives/couchdb.yara
@@ -0,0 +1,15 @@
+rule couchdb_doc: override {
+  meta:
+    description = "/usr/share/couchdb/share/docs/couchdb.1"
+    exotic_tld = "low"
+    download_sites = "low"
+    selinux_disable_val = "low"
+    chmod_group_writeable = "low"
+
+  strings:
+    $apache_couchdb = "Apache CouchDB"
+    $man_header = "APACHECOUCHDB"
+
+  condition:
+    filesize > 500000 and filesize < 3000000 and all of them
+}
diff --git a/rules/false_positives/fastfetch.yara b/rules/false_positives/fastfetch.yara
index 2327da126..c44f58b46 100644
--- a/rules/false_positives/fastfetch.yara
+++ b/rules/false_positives/fastfetch.yara
@@ -1,13 +1,15 @@
 rule fastfetch_override: override {
   meta:
-    description = "/usr/bin/fastfetch"
-    proc_d_cmdline = "medium"
-    proc_d_exe_high = "medium"
+    description = "/usr/bin/fastfetch, /usr/bin/flashfetch"
+    proc_d_cmdline = "medium"
+    proc_d_exe_high = "medium"
+    multiple_gcc = "harmless"
+    multiple_gcc_high = "medium"
 
   strings:
     $fastfetch = "fastfetch/packages/%s.txt"
     $repo = "https://github.com/fastfetch-cli/fastfetch"
 
   condition:
-    any of them
+    filesize < 5MB and any of them
 }
diff --git a/rules/false_positives/gemini_cli.yara b/rules/false_positives/gemini_cli.yara
index 37eeda761..5ec619acc 100644
--- a/rules/false_positives/gemini_cli.yara
+++ b/rules/false_positives/gemini_cli.yara
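Review bot: The new `bento_bin` condition drops the `#repo > 21000` occurrence threshold and accepts any 200–300 MB file that contains the two Bento import paths once, so the override now also covers any Go binary that vendors `bento/public/service` within that size window, not only the Bento binary the rule is named for. Keeping a count on one of the new strings (the old rule used `#repo > 21000`; the threshold would have to be measured against a current Bento build) would retain the earlier specificity. The same two-plain-strings-plus-size-window shape appears in the `keep_ui_tweetnacl`, `knative_eventing_ingress`, `mise` and `openfga` rules added later in this commit; `mise` deserves the first look, since it marks `hacktool_chisel` and `polkit_pkexec_exploit` harmless on that basis, and `keep_ui_tweetnacl` carries no keep-specific string at all (two tweetnacl symbols plus `_sentryDebugIds`).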
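Review bot: `filesize < 5MB and any of them` still lets either string alone satisfy `fastfetch_override`, and `$repo` is just the project's public GitHub URL, so any small file that mentions fastfetch gets `multiple_gcc` set to harmless, which is broader than the description `/usr/bin/fastfetch, /usr/bin/flashfetch` states. Assuming both strings are present in the shipped binary, which the `fastfetch/packages/%s.txt` format string suggests but the old `any of them` condition does not confirm, `filesize < 5MB and all of them` would keep the override for the binary while requiring the binary-specific `$fastfetch` string as well.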
@@ -3,14 +3,16 @@ rule gemini_cli_third_party: override {
     description = "gemini-cli bundled third-party npm dependencies"
     exotic_tld = "low"
     iplookup_website = "low"
+    geoip_website_value = "low"
     browser_extension_installer = "low"
     obfuscated_payload = "low"
+    load_agent_with_payload = "low"
     bash_persist = "low"
     bash_persist_persistent = "low"
 
   strings:
-    $gemini_module = "@google/gemini-cli"
-    $gemini_core = "gemini-cli-core"
+    $lighthouse = "lighthouse-devtools-mcp-bundle.js"
+    $entities = "entities-nostats.json"
 
   condition:
     filesize < 100MB and all of them
diff --git a/rules/false_positives/grub.yara b/rules/false_positives/grub.yara
index 2df56b1fa..e2587193f 100644
--- a/rules/false_positives/grub.yara
+++ b/rules/false_positives/grub.yara
@@ -1,6 +1,6 @@
 rule grub_boot_images: override {
   meta:
-    description = "GRUB i386-pc boot images"
+    description = "GRUB i386-pc boot images (boot.image, boot_hybrid.image)"
     single_load_rwe = "medium"
 
   strings:
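Review bot: Replacing `$gemini_module`/`$gemini_core` with `lighthouse-devtools-mcp-bundle.js` and `entities-nostats.json` removes the only gemini-cli-specific anchor from `gemini_cli_third_party`, so `all of them` now matches any Node bundle that ships those two third-party files, and the override, which lowers `obfuscated_payload`, `load_agent_with_payload`, `browser_extension_installer` and the `bash_persist*` findings to low, applies to those bundles as well. If the old strings were dropped because the bundled chunks no longer contain them, keeping one gemini-cli identifier that does occur in those chunks alongside the two new strings would restore the scoping. The condition line `filesize < 100MB and all of them` is the hunk's last context line; the rule closes outside it.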
@@ -9,3 +9,55 @@ rule grub_boot_images: override {
   condition:
     filesize < 64KB and $grub
 }
+
+rule grub_cdboot_image: override {
+  meta:
+    description = "GRUB i386-pc CD boot image"
+    single_load_rwe = "medium"
+
+  strings:
+    $cdrom_fail = "cdrom read fails"
+    $no_boot = "no boot info"
+
+  condition:
+    filesize < 8KB and all of them
+}
+
+rule grub_diskboot_image: override {
+  meta:
+    description = "GRUB i386-pc disk boot image"
+    single_load_rwe = "medium"
+
+  strings:
+    $blocklist = "blocklist_default_start"
+    $notification = "notification_string"
+
+  condition:
+    filesize < 8KB and all of them
+}
+
+rule grub_lnxboot_image: override {
+  meta:
+    description = "GRUB i386-pc Linux boot image"
+    single_load_rwe = "medium"
+
+  strings:
+    $move_mem = "move memory fails"
+    $setup = "setup_sects"
+
+  condition:
+    filesize < 8KB and all of them
+}
+
+rule grub_pxeboot_image: override {
+  meta:
+    description = "GRUB i386-pc PXE boot image"
+    single_load_rwe = "medium"
+
+  strings:
+    // PXE boot stub: mov dl,0x7f followed by far jump to 0x0000:0x8200
+    $pxe_entry = { b2 7f ea 00 82 00 00 }
+
+  condition:
+    filesize < 4096 and $pxe_entry
+}
diff --git a/rules/false_positives/keep.yara b/rules/false_positives/keep.yara
new file mode 100644
index 000000000..dd73f2019
--- /dev/null
+++ b/rules/false_positives/keep.yara
@@ -0,0 +1,14 @@
+rule keep_ui_tweetnacl: override {
+  meta:
+    description = "keep-ui Next.js server chunk containing bundled tweetnacl crypto library"
+    from_secret_key = "low"
+    unsigned_bitwise_math_excess = "low"
+
+  strings:
+    $nacl_box_keypair = "crypto_box_keypair"
+    $nacl_secretbox = "nacl.secretbox"
+    $sentry = "_sentryDebugIds"
+
+  condition:
+    filesize < 1048576 and all of them
+}
diff --git a/rules/false_positives/kibana.yara b/rules/false_positives/kibana.yara
index 56a30396f..a4e878cf6 100644
--- a/rules/false_positives/kibana.yara
+++ b/rules/false_positives/kibana.yara
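Review bot: Only `grub_pxeboot_image` documents where its anchor comes from (`// PXE boot stub: mov dl,0x7f followed by far jump to 0x0000:0x8200`); the three string-based rules `grub_cdboot_image`, `grub_diskboot_image` and `grub_lnxboot_image` give no hint of where `cdrom read fails`, `blocklist_default_start` or `setup_sects` are taken from, and `setup_sects` in particular is a generic Linux boot-protocol field name rather than a GRUB-only string. A one-line comment above each `strings:` block naming the GRUB source file the messages originate from, in the style of the PXE comment, would let a maintainer re-verify the anchors when GRUB changes them. The `filesize < 8KB and all of them` conditions rely on size alone to keep these two-string rules tight, which is worth stating in the same comment.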
@@ -34,6 +34,21 @@ rule security_solution_plugin: override {
     filesize < 5MB and all of ($license*) and $security_solution and ($jsonp or $xpac)
 }
 
+rule security_solution_prepackaged_rules_index: override {
+  meta:
+    description = "prepackaged_rules/index.js"
+    backdoor_likely = "low"
+    reverse_shell = "low"
+    ssh_backdoor = "low"
+
+  strings:
+    $elastic_copyright = "Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V."
+    $raw_rules = "exports.rawRules"
+
+  condition:
+    filesize < 200KB and all of them
+}
+
 rule security_detection_engine: override {
   meta:
     casing_obfuscation = "low"
diff --git a/rules/false_positives/knative.yara b/rules/false_positives/knative.yara
index 811d82c36..b6f1f1810 100644
--- a/rules/false_positives/knative.yara
+++ b/rules/false_positives/knative.yara
@@ -9,3 +9,17 @@ rule kobalos_override: override {
   condition:
     (hash.sha256(0, filesize) == "572235f7943a8bab5377ed94c9dbdd8c2471e08e19ff6bc1edd0f1f3680ab25d")
 }
+
+rule knative_eventing_ingress: override {
+  meta:
+    description = "knative-eventing ingress binary"
+    ESET_Kobalos = "harmless"
+    SIGNATURE_BASE_APT_MAL_LNX_Kobalos = "harmless"
+
+  strings:
+    $knative_eventing = "knative.dev/eventing"
+    $ingress_module = "knative.dev/eventing/cmd/broker/ingress"
+
+  condition:
+    filesize < 100MB and all of them
+}
diff --git a/rules/false_positives/kuma.yara b/rules/false_positives/kuma.yara
index 0147e3c9c..66ecf2eed 100644
--- a/rules/false_positives/kuma.yara
+++ b/rules/false_positives/kuma.yara
@@ -1,7 +1,8 @@
 rule kuma_cp: override {
   meta:
-    description = "kuma-cp - Kuma service mesh control plane"
-    ESET_Kobalos = "harmless"
+    description = "kuma-cp - Kuma service mesh control plane"
+    ESET_Kobalos = "harmless"
+    SIGNATURE_BASE_APT_MAL_LNX_Kobalos = "harmless"
 
   strings:
     $kuma_module = "github.com/kumahq/kuma"
diff --git a/rules/false_positives/librechat.yara b/rules/false_positives/librechat.yara
new file mode 100644
index 000000000..0aad87b33
--- /dev/null
+++ b/rules/false_positives/librechat.yara
@@ -0,0 +1,14 @@
+rule librechat_anthropic_thinking: override {
+  meta:
+    description = "@librechat/agents Anthropic Claude thinking tests and scripts"
+    SIGNATURE_BASE_SUSP_Claude_Redacted_Thinking_Magic_String_Jan26_1 = "harmless"
+    SIGNATURE_BASE_SUSP_Claude_Redacted_Thinking_Magic_String_Jan26_2 = "harmless"
+
+  strings:
+    $anchor1 = "createContentAggregator"
+    $anchor2 = "_convertMessagesToAnthropicPayload"
+    $thinking = "ANTHROPIC_MAGIC_STRING_TRIGGER_REDACTED_THINKING_"
+
+  condition:
+    filesize < 200KB and $thinking and 1 of ($anchor*)
+}
diff --git a/rules/false_positives/ltp.yara b/rules/false_positives/ltp.yara
index 000dfbfc4..cd58aca91 100644
--- a/rules/false_positives/ltp.yara
+++ b/rules/false_positives/ltp.yara
@@ -4,7 +4,7 @@ rule ltp_dirtypipe_override: override {
     Linux_Exploit_CVE_2022_0847_e831c285 = "high"
 
   strings:
-    $dirtypipe = "@dirtypipe.c"
+    $dirtypipe = "dirtypipe.c"
     $ltp = "LTPROOT Prefix for installed LTP (default: /opt/ltp)"
 
   condition:
diff --git a/rules/false_positives/lustre.yara b/rules/false_positives/lustre.yara
index df8835cb1..ef2ffef01 100644
--- a/rules/false_positives/lustre.yara
+++ b/rules/false_positives/lustre.yara
@@ -30,3 +30,17 @@ rule sanity_test: override {
   condition:
     filesize < 2MB and #lustre > 200 and all of them
 }
+
+rule monitor_lustrefs: override {
+  meta:
+    description = "monitor_lustrefs"
+    proc_d_cmdline = "medium"
+    multiple_gcc_high = "medium"
+
+  strings:
+    $monitor = "Monitor some file operations on a lustre fs"
+    $usage = "LUSTRE_MOUNT_DIR"
+
+  condition:
+    filesize < 100KB and all of them
+}
diff --git a/rules/false_positives/mise.yara b/rules/false_positives/mise.yara
new file mode 100644
index 000000000..08a3e41e4
--- /dev/null
+++ b/rules/false_positives/mise.yara
@@ -0,0 +1,13 @@
+rule mise: override {
+  meta:
+    description = "/usr/bin/mise"
+    hacktool_chisel = "harmless"
+    polkit_pkexec_exploit = "harmless"
+
+  strings:
+    $jdx_mise = "jdx/mise"
+    $mise_jdx_dev = "mise.jdx.dev"
+
+  condition:
+    filesize > 50MB and filesize < 150MB and all of them
+}
diff --git a/rules/false_positives/netty_boringssl.yara b/rules/false_positives/netty_boringssl.yara
new file mode 100644
index 000000000..59434e4be
--- /dev/null
+++ b/rules/false_positives/netty_boringssl.yara
@@ -0,0 +1,13 @@
+rule netty_boringssl_dll: override {
+  meta:
+    description = "Netty native BoringSSL Windows DLLs (tcnative, quiche)"
+    CAPE_Nitrogenloaderconfig = "harmless"
+
+  strings:
+    $jni_tcnative = "JNI_OnLoad_netty_tcnative"
+    $jni_quiche = "JNI_OnLoad_netty_quiche"
+    $boringssl = "boringssl"
+
+  condition:
+    filesize < 10MB and $boringssl and ($jni_tcnative or $jni_quiche)
+}
diff --git a/rules/false_positives/nltk.yara b/rules/false_positives/nltk.yara
index 1e9e9a810..39a3d739a 100644
--- a/rules/false_positives/nltk.yara
+++ b/rules/false_positives/nltk.yara
@@ -4,7 +4,7 @@ rule nltk_test_pathsec: override {
     ELCEEF_Obfuscated_IP_Address_In_URL = "harmless"
 
   strings:
-    $test_pathsec = "test_pathsec"
+    $ssrf_test = "test_ssrf_ip_obfuscation"
     $nltk_pathsec = "nltk.pathsec"
     $nltk_downloader = "nltk.downloader"
 
diff --git a/rules/false_positives/openfga.yara b/rules/false_positives/openfga.yara
new file mode 100644
index 000000000..589da2f65
--- /dev/null
+++ b/rules/false_positives/openfga.yara
@@ -0,0 +1,13 @@
+rule openfga: override {
+  meta:
+    description = "/usr/bin/openfga - OpenFGA authorization server"
+    ESET_Kobalos = "harmless"
+    SIGNATURE_BASE_APT_MAL_LNX_Kobalos = "harmless"
+
+  strings:
+    $openfga_module = "github.com/openfga/openfga"
+    $openfga_api = "github.com/openfga/api/proto"
+
+  condition:
+    filesize < 100MB and all of them
+}
diff --git a/rules/false_positives/qemu.yara b/rules/false_positives/qemu.yara
index 6268ea83a..12aa721ad 100644
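Review bot: In the nltk hunk the anchor is now `test_ssrf_ip_obfuscation`, but the rule is still named `nltk_test_pathsec`, and its `description` in the meta block (outside the hunk) presumably still points at the old `test_pathsec` string; if so, the description should be updated to name `test_ssrf_ip_obfuscation` so the rule stays self-explanatory. The condition that combines `$ssrf_test` with `$nltk_pathsec` and `$nltk_downloader` is also outside the hunk, so whether all three are still required cannot be confirmed from here.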
--- a/rules/false_positives/qemu.yara
+++ b/rules/false_positives/qemu.yara
@@ -2,6 +2,7 @@ rule qemu: override {
   meta:
     description = "QEMU"
     proc_d_cmdline = "medium"
+    ESET_Moose_2 = "harmless"
 
   strings:
     $module = "QEMU_MODULE"
diff --git a/rules/false_positives/scap_security_guide.yara b/rules/false_positives/scap_security_guide.yara
new file mode 100644
index 000000000..b4f4adc2b
--- /dev/null
+++ b/rules/false_positives/scap_security_guide.yara
@@ -0,0 +1,20 @@
+rule scap_security_guide_content: override {
+  meta:
+    description = "SCAP Security Guide compliance content XML files"
+    password_finder_mimipenguin = "low"
+    password_prompt_high = "low"
+    rename_system_binary = "low"
+    kmem = "low"
+    multiple_sys_commands = "low"
+    linux_multi_persist = "low"
+    ssh_backdoor = "low"
+    bash_history_high = "low"
+    linux_server_stealer = "low"
+
+  strings:
+    $scap_sg = "from SCAP Security Guide"
+    $ssg_id = ":ssg-"
+
+  condition:
+    filesize < 30MB and all of them
+}
diff --git a/rules/false_positives/sqlmap.yara b/rules/false_positives/sqlmap.yara
index 8346903a8..3d2b01c59 100644
--- a/rules/false_positives/sqlmap.yara
+++ b/rules/false_positives/sqlmap.yara
@@ -8,7 +8,7 @@ rule sqlmap_override: override {
     backdoor_caps = "medium"
 
   strings:
-    $c_sqlmap1 = "Copyright (c) 2006-2025 sqlmap developers (https://sqlmap.org/)"
+    $c_sqlmap1 = "sqlmap developers (https://sqlmap.org)"
     $c_sqlmap2 = "Visit 'https://github.com/sqlmapproject/sqlmap/#installation' for further details"
     $f_sqlmap3 = /SqlmapBaseException|SqlmapDataException|SqlmapFilePathException|SqlmapShellQuitException|SqlmapSilentQuitException|SqlmapUserQuitException/
     $f_sqlmap4 = "if \"sqlmap.sqlmap\" in sys.modules"
diff --git a/rules/false_positives/stress_ng.yara b/rules/false_positives/stress_ng.yara
index b0e8e084a..9b1ac4d0a 100644
--- a/rules/false_positives/stress_ng.yara
+++ b/rules/false_positives/stress_ng.yara
@@ -6,6 +6,7 @@ rule stress_ng: override {
     kmem = "medium"
     multiple_gcc = "harmless"
     multiple_gcc_high = "medium"
+    proc_s_cmdline = "medium"
 
   strings:
     $stress_version = "stress-ng-version"
diff --git a/rules/false_positives/tigera_operator.yara b/rules/false_positives/tigera_operator.yara
index 8a4d19085..5e84f99f6 100644
--- a/rules/false_positives/tigera_operator.yara
+++ b/rules/false_positives/tigera_operator.yara
@@ -2,6 +2,7 @@ rule tigera_operator: override {
   meta:
     description = "tigera-operator (Calico networking) Go binary"
     SIGNATURE_BASE_WEBSHELL_H4Ntu_Shell_Powered_Tsoi = "harmless"
+    SIGNATURE_BASE_H4Ntu_Shell__Powered_By_Tsoi_ = "harmless"
     SIGNATURE_BASE_Ironshell_Php = "harmless"
     SIGNATURE_BASE_Lamashell_Php = "harmless"
     SIGNATURE_BASE_Safe0Ver_Shell__Safe_Mod_Bypass_By_Evilc0Der_Php = "harmless"
diff --git a/rules/false_positives/torch_C.yara b/rules/false_positives/torch_C.yara
index 3ce89477b..d9202166a 100644
--- a/rules/false_positives/torch_C.yara
+++ b/rules/false_positives/torch_C.yara
@@ -1,11 +1,12 @@
 rule torch_C_cpython: override {
   meta:
-    description = "torch/_C.cpython-*-linux-gnu.so"
-    upx_elf_tampered = "medium"
+    description = "torch/_C.cpython-*-linux-gnu.so"
+    upx_elf_tampered = "medium"
+    upx_antiunpack_elf64 = "harmless"
 
   strings:
-    $pytorch = "PyTorch"
-    $torch_c = "torch._C"
+    $torch_stub = "torch/csrc/stub.c"
+    $libtorch_dep = "libtorch_python.so"
 
   condition:
     filesize < 500MB and all of them
diff --git a/rules/false_positives/torchvision_libs.yara b/rules/false_positives/torchvision_libs.yara
index b2ad62b1f..1c07a7e52 100644
--- a/rules/false_positives/torchvision_libs.yara
+++ b/rules/false_positives/torchvision_libs.yara
@@ -1,13 +1,13 @@
 rule libpng_override: override {
   meta:
-    description = "libpng16.ca116d9f.so.16"
+    description = "libpng16.*.so.16"
     upx_antiunpack_elf64 = "harmless"
 
   strings:
     $libpng1 = "Application built with libpng-"
     $libpng2 = "libpng version"
-    $libpng3 = "0123456789ABCDEFlibpng warning: %s"
-    $libpng4 = "libpng16.so.16"
+    $libpng3 = "libpng warning: %s"
+    $libpng4 = "libpng error: %s"
 
   condition:
     all of them
diff --git a/rules/false_positives/vmtools.yara b/rules/false_positives/vmtools.yara
index bfb65105e..a7bd72104 100644
--- a/rules/false_positives/vmtools.yara
+++ b/rules/false_positives/vmtools.yara
@@ -1,11 +1,12 @@
 rule vmtools: override {
   meta:
-    description = "vmtools"
-    backdoor = "medium"
-    proc_net_route_high = "medium"
-    proc_s_exe = "medium"
-    sys_net_recon_exfil = "medium"
-    proc_s_cmdline = "medium"
+    description = "vmtools"
+    backdoor = "medium"
+    proc_net_route_high = "medium"
+    proc_s_exe = "medium"
+    sys_net_recon_exfil = "medium"
+    proc_s_cmdline = "medium"
+    readdir_dlsym_interceptor = "medium"
 
   strings:
     $vmtools = "VMTools" fullword
diff --git a/rules/false_positives/wazuh.yara b/rules/false_positives/wazuh.yara
index 1ad8cfd04..bc3c9ce7b 100644
--- a/rules/false_positives/wazuh.yara
+++ b/rules/false_positives/wazuh.yara
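Review bot: The new `$libpng3 = "libpng warning: %s"` and `$libpng4 = "libpng error: %s"` in `libpng_override` are libpng's stock format strings, and together with the equally generic `$libpng1`/`$libpng2` the unchanged condition `all of them`, which carries no filesize bound in the visible context, now sets `upx_antiunpack_elf64` to harmless for any ELF that statically links libpng, not just the torchvision-bundled `libpng16.*.so.16` the description names. The removed `libpng16.so.16` was the only string tying the rule to the shared-object build; restoring a soname anchor (the `so.16` fragment would survive the hash in the filename) and adding a `filesize <` bound measured against the shipped library, as the rule's siblings do, would narrow it again.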
@@ -12,3 +12,24 @@ rule wazuh_policy_monitoring: override {
   condition:
     filesize < 5MB and all of them
 }
+
+rule wazuh_mitre_db: override {
+  meta:
+    description = "MITRE ATT&CK database shipped with Wazuh Manager"
+    SIGNATURE_BASE_Hacktool_Strings_P0Wnedshell = "harmless"
+    SIGNATURE_BASE_Mimikatz_Memory_Rule_1 = "harmless"
+    SIGNATURE_BASE_APT_UA_Hermetic_Wiper_Artefacts_Feb22_1 = "harmless"
+    KPortScan = "harmless"
+    RDPWrap = "harmless"
+    security_dump_keychain = "low"
+    fake_kworker = "low"
+    hacktool_mimikatz = "low"
+
+  strings:
+    $mitre_attack_pattern = "attack-pattern--"
+    $mitre_detection = "mitre_detection"
+    $create_technique = "CREATE TABLE technique"
+
+  condition:
+    filesize > 10MB and filesize < 20MB and all of them
+}