chore(rules): 2026/04/16 FPR

rules/exec/install_additional/pip_install.yara

@@ -61,6 +61,7 @@ rule pip_installer_url: critical {
     $not_langchain_comment1 = "Please install the exllamav2 library with (cuda 12.1 is required)"
     $not_langchain_comment2 = "example : "
     $not_langchain_comment3 = "\"!python -m pip install https://github.com/turboderp/exllamav2/releases/download/v0.0.12/exllamav2-0.0.12+cu121-cp311-cp311-linux_x86_64.whl\""
+    $not_mlflow_docker      = "from mlflow.environment_variables import MLFLOW_DOCKER_OPENJDK_VERSION"
 
   condition:
     filesize < 8192 and $ref and none of ($not*) and (hash.sha256(0, filesize) != "f6a373322759ccc2736fb25d25d8c402dfe16b5d9a57cfccb1ca8cb136e09663")

rules/false_positives/ansible.yara

@@ -14,3 +14,16 @@ rule ansible_override: override {
   condition:
     $ansible and ($async or $become)
 }
+
+rule ansible_report_coverage: override {
+  meta:
+    description       = "report-coverage.sh from Ansible collections CI scripts"
+    pip_installer_url = "low"
+
+  strings:
+    $coverage  = "ansible-test coverage xml"
+    $pipelines = "Generate code coverage reports for uploading to Azure Pipelines"
+
+  condition:
+    filesize < 2048 and all of them
+}

rules/false_positives/bento.yara

@@ -4,9 +4,9 @@ rule bento_bin: override {
     CAPE_Nitrogenloader = "harmless"
 
   strings:
-    $golang = /(google.){0,1}golang.org/
-    $repo   = "github.com/warpstreamlabs/bento"
+    $go_module = "github.com/warpstreamlabs/bento/cmd/bento"
+    $go_pkg    = "github.com/warpstreamlabs/bento/public/service"
 
   condition:
-    filesize < 250MB and #golang > 38000 and #repo > 21000
+    filesize > 200MB and filesize < 300MB and all of them
 }

rules/false_positives/couchdb.yara

@@ -0,0 +1,15 @@
+rule couchdb_doc: override {
+  meta:
+    description           = "/usr/share/couchdb/share/docs/couchdb.1"
+    exotic_tld            = "low"
+    download_sites        = "low"
+    selinux_disable_val   = "low"
+    chmod_group_writeable = "low"
+
+  strings:
+    $apache_couchdb = "Apache CouchDB"
+    $man_header     = "APACHECOUCHDB"
+
+  condition:
+    filesize > 500000 and filesize < 3000000 and all of them
+}

rules/false_positives/fastfetch.yara

@@ -1,13 +1,15 @@
 rule fastfetch_override: override {
   meta:
-    description     = "/usr/bin/fastfetch"
-    proc_d_cmdline  = "medium"
-    proc_d_exe_high = "medium"
+    description       = "/usr/bin/fastfetch, /usr/bin/flashfetch"
+    proc_d_cmdline    = "medium"
+    proc_d_exe_high   = "medium"
+    multiple_gcc      = "harmless"
+    multiple_gcc_high = "medium"
 
   strings:
     $fastfetch = "fastfetch/packages/%s.txt"
     $repo      = "https://github.com/fastfetch-cli/fastfetch"
 
   condition:
-    any of them
+    filesize < 5MB and any of them
 }

rules/false_positives/gemini_cli.yara

@@ -3,14 +3,16 @@ rule gemini_cli_third_party: override {
     description                 = "gemini-cli bundled third-party npm dependencies"
     exotic_tld                  = "low"
     iplookup_website            = "low"
+    geoip_website_value         = "low"
     browser_extension_installer = "low"
     obfuscated_payload          = "low"
+    load_agent_with_payload     = "low"
     bash_persist                = "low"
     bash_persist_persistent     = "low"
 
   strings:
-    $gemini_module = "@google/gemini-cli"
-    $gemini_core   = "gemini-cli-core"
+    $lighthouse = "lighthouse-devtools-mcp-bundle.js"
+    $entities   = "entities-nostats.json"
 
   condition:
     filesize < 100MB and all of them

rules/false_positives/grub.yara

@@ -1,6 +1,6 @@
 rule grub_boot_images: override {
   meta:
-    description     = "GRUB i386-pc boot images"
+    description     = "GRUB i386-pc boot images (boot.image, boot_hybrid.image)"
     single_load_rwe = "medium"
 
   strings:
@@ -9,3 +9,55 @@ rule grub_boot_images: override {
   condition:
     filesize < 64KB and $grub
 }
+
+rule grub_cdboot_image: override {
+  meta:
+    description     = "GRUB i386-pc CD boot image"
+    single_load_rwe = "medium"
+
+  strings:
+    $cdrom_fail = "cdrom read fails"
+    $no_boot    = "no boot info"
+
+  condition:
+    filesize < 8KB and all of them
+}
+
+rule grub_diskboot_image: override {
+  meta:
+    description     = "GRUB i386-pc disk boot image"
+    single_load_rwe = "medium"
+
+  strings:
+    $blocklist    = "blocklist_default_start"
+    $notification = "notification_string"
+
+  condition:
+    filesize < 8KB and all of them
+}
+
+rule grub_lnxboot_image: override {
+  meta:
+    description     = "GRUB i386-pc Linux boot image"
+    single_load_rwe = "medium"
+
+  strings:
+    $move_mem = "move memory fails"
+    $setup    = "setup_sects"
+
+  condition:
+    filesize < 8KB and all of them
+}
+
+rule grub_pxeboot_image: override {
+  meta:
+    description     = "GRUB i386-pc PXE boot image"
+    single_load_rwe = "medium"
+
+  strings:
+    // PXE boot stub: mov dl,0x7f followed by far jump to 0x0000:0x8200
+    $pxe_entry = { b2 7f ea 00 82 00 00 }
+
+  condition:
+    filesize < 4096 and $pxe_entry
+}

rules/false_positives/keep.yara

@@ -0,0 +1,14 @@
+rule keep_ui_tweetnacl: override {
+  meta:
+    description                  = "keep-ui Next.js server chunk containing bundled tweetnacl crypto library"
+    from_secret_key              = "low"
+    unsigned_bitwise_math_excess = "low"
+
+  strings:
+    $nacl_box_keypair = "crypto_box_keypair"
+    $nacl_secretbox   = "nacl.secretbox"
+    $sentry           = "_sentryDebugIds"
+
+  condition:
+    filesize < 1048576 and all of them
+}

rules/false_positives/kibana.yara

@@ -34,6 +34,21 @@ rule security_solution_plugin: override {
     filesize < 5MB and all of ($license*) and $security_solution and ($jsonp or $xpac)
 }
 
+rule security_solution_prepackaged_rules_index: override {
+  meta:
+    description     = "prepackaged_rules/index.js"
+    backdoor_likely = "low"
+    reverse_shell   = "low"
+    ssh_backdoor    = "low"
+
+  strings:
+    $elastic_copyright = "Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V."
+    $raw_rules         = "exports.rawRules"
+
+  condition:
+    filesize < 200KB and all of them
+}
+
 rule security_detection_engine: override {
   meta:
     casing_obfuscation                          = "low"

rules/false_positives/knative.yara

@@ -9,3 +9,17 @@ rule kobalos_override: override {
   condition:
     (hash.sha256(0, filesize) == "572235f7943a8bab5377ed94c9dbdd8c2471e08e19ff6bc1edd0f1f3680ab25d")
 }
+
+rule knative_eventing_ingress: override {
+  meta:
+    description                        = "knative-eventing ingress binary"
+    ESET_Kobalos                       = "harmless"
+    SIGNATURE_BASE_APT_MAL_LNX_Kobalos = "harmless"
+
+  strings:
+    $knative_eventing = "knative.dev/eventing"
+    $ingress_module   = "knative.dev/eventing/cmd/broker/ingress"
+
+  condition:
+    filesize < 100MB and all of them
+}

rules/false_positives/kuma.yara

@@ -1,7 +1,8 @@
 rule kuma_cp: override {
   meta:
-    description  = "kuma-cp - Kuma service mesh control plane"
-    ESET_Kobalos = "harmless"
+    description                        = "kuma-cp - Kuma service mesh control plane"
+    ESET_Kobalos                       = "harmless"
+    SIGNATURE_BASE_APT_MAL_LNX_Kobalos = "harmless"
 
   strings:
     $kuma_module = "github.com/kumahq/kuma"

rules/false_positives/librechat.yara

@@ -0,0 +1,14 @@
+rule librechat_anthropic_thinking: override {
+  meta:
+    description                                                       = "@librechat/agents Anthropic Claude thinking tests and scripts"
+    SIGNATURE_BASE_SUSP_Claude_Redacted_Thinking_Magic_String_Jan26_1 = "harmless"
+    SIGNATURE_BASE_SUSP_Claude_Redacted_Thinking_Magic_String_Jan26_2 = "harmless"
+
+  strings:
+    $anchor1  = "createContentAggregator"
+    $anchor2  = "_convertMessagesToAnthropicPayload"
+    $thinking = "ANTHROPIC_MAGIC_STRING_TRIGGER_REDACTED_THINKING_"
+
+  condition:
+    filesize < 200KB and $thinking and 1 of ($anchor*)
+}

rules/false_positives/ltp.yara

@@ -4,7 +4,7 @@ rule ltp_dirtypipe_override: override {
     Linux_Exploit_CVE_2022_0847_e831c285 = "high"
 
   strings:
-    $dirtypipe = "@dirtypipe.c"
+    $dirtypipe = "dirtypipe.c"
     $ltp       = "LTPROOT                  Prefix for installed LTP (default: /opt/ltp)"
 
   condition:

rules/false_positives/lustre.yara

@@ -30,3 +30,17 @@ rule sanity_test: override {
   condition:
     filesize < 2MB and #lustre > 200 and all of them
 }
+
+rule monitor_lustrefs: override {
+  meta:
+    description       = "monitor_lustrefs"
+    proc_d_cmdline    = "medium"
+    multiple_gcc_high = "medium"
+
+  strings:
+    $monitor = "Monitor some file operations on a lustre fs"
+    $usage   = "LUSTRE_MOUNT_DIR"
+
+  condition:
+    filesize < 100KB and all of them
+}

rules/false_positives/mise.yara

@@ -0,0 +1,13 @@
+rule mise: override {
+  meta:
+    description           = "/usr/bin/mise"
+    hacktool_chisel       = "harmless"
+    polkit_pkexec_exploit = "harmless"
+
+  strings:
+    $jdx_mise     = "jdx/mise"
+    $mise_jdx_dev = "mise.jdx.dev"
+
+  condition:
+    filesize > 50MB and filesize < 150MB and all of them
+}

rules/false_positives/netty_boringssl.yara

@@ -0,0 +1,13 @@
+rule netty_boringssl_dll: override {
+  meta:
+    description               = "Netty native BoringSSL Windows DLLs (tcnative, quiche)"
+    CAPE_Nitrogenloaderconfig = "harmless"
+
+  strings:
+    $jni_tcnative = "JNI_OnLoad_netty_tcnative"
+    $jni_quiche   = "JNI_OnLoad_netty_quiche"
+    $boringssl    = "boringssl"
+
+  condition:
+    filesize < 10MB and $boringssl and ($jni_tcnative or $jni_quiche)
+}

rules/false_positives/nltk.yara

@@ -4,7 +4,7 @@ rule nltk_test_pathsec: override {
     ELCEEF_Obfuscated_IP_Address_In_URL = "harmless"
 
   strings:
-    $test_pathsec    = "test_pathsec"
+    $ssrf_test       = "test_ssrf_ip_obfuscation"
     $nltk_pathsec    = "nltk.pathsec"
     $nltk_downloader = "nltk.downloader"
 

rules/false_positives/openfga.yara

@@ -0,0 +1,13 @@
+rule openfga: override {
+  meta:
+    description                        = "/usr/bin/openfga - OpenFGA authorization server"
+    ESET_Kobalos                       = "harmless"
+    SIGNATURE_BASE_APT_MAL_LNX_Kobalos = "harmless"
+
+  strings:
+    $openfga_module = "github.com/openfga/openfga"
+    $openfga_api    = "github.com/openfga/api/proto"
+
+  condition:
+    filesize < 100MB and all of them
+}

rules/false_positives/qemu.yara

@@ -2,6 +2,7 @@ rule qemu: override {
   meta:
     description    = "QEMU"
     proc_d_cmdline = "medium"
+    ESET_Moose_2   = "harmless"
 
   strings:
     $module  = "QEMU_MODULE"

rules/false_positives/scap_security_guide.yara

@@ -0,0 +1,20 @@
+rule scap_security_guide_content: override {
+  meta:
+    description                 = "SCAP Security Guide compliance content XML files"
+    password_finder_mimipenguin = "low"
+    password_prompt_high        = "low"
+    rename_system_binary        = "low"
+    kmem                        = "low"
+    multiple_sys_commands       = "low"
+    linux_multi_persist         = "low"
+    ssh_backdoor                = "low"
+    bash_history_high           = "low"
+    linux_server_stealer        = "low"
+
+  strings:
+    $scap_sg = "from SCAP Security Guide"
+    $ssg_id  = ":ssg-"
+
+  condition:
+    filesize < 30MB and all of them
+}

rules/false_positives/sqlmap.yara

@@ -8,7 +8,7 @@ rule sqlmap_override: override {
     backdoor_caps                               = "medium"
 
   strings:
-    $c_sqlmap1 = "Copyright (c) 2006-2025 sqlmap developers (https://sqlmap.org/)"
+    $c_sqlmap1 = "sqlmap developers (https://sqlmap.org)"
     $c_sqlmap2 = "Visit 'https://github.com/sqlmapproject/sqlmap/#installation' for further details"
     $f_sqlmap3 = /SqlmapBaseException|SqlmapDataException|SqlmapFilePathException|SqlmapShellQuitException|SqlmapSilentQuitException|SqlmapUserQuitException/
     $f_sqlmap4 = "if \"sqlmap.sqlmap\" in sys.modules"

rules/false_positives/stress_ng.yara

@@ -6,6 +6,7 @@ rule stress_ng: override {
     kmem              = "medium"
     multiple_gcc      = "harmless"
     multiple_gcc_high = "medium"
+    proc_s_cmdline    = "medium"
 
   strings:
     $stress_version = "stress-ng-version"

rules/false_positives/tigera_operator.yara

@@ -2,6 +2,7 @@ rule tigera_operator: override {
   meta:
     description                                                     = "tigera-operator (Calico networking) Go binary"
     SIGNATURE_BASE_WEBSHELL_H4Ntu_Shell_Powered_Tsoi                = "harmless"
+    SIGNATURE_BASE_H4Ntu_Shell__Powered_By_Tsoi_                    = "harmless"
     SIGNATURE_BASE_Ironshell_Php                                    = "harmless"
     SIGNATURE_BASE_Lamashell_Php                                    = "harmless"
     SIGNATURE_BASE_Safe0Ver_Shell__Safe_Mod_Bypass_By_Evilc0Der_Php = "harmless"

rules/false_positives/torch_C.yara

@@ -1,11 +1,12 @@
 rule torch_C_cpython: override {
   meta:
-    description      = "torch/_C.cpython-*-linux-gnu.so"
-    upx_elf_tampered = "medium"
+    description          = "torch/_C.cpython-*-linux-gnu.so"
+    upx_elf_tampered     = "medium"
+    upx_antiunpack_elf64 = "harmless"
 
   strings:
-    $pytorch = "PyTorch"
-    $torch_c = "torch._C"
+    $torch_stub   = "torch/csrc/stub.c"
+    $libtorch_dep = "libtorch_python.so"
 
   condition:
     filesize < 500MB and all of them