diff --git a/rules/false_positives/altinity_clickhouse.yara b/rules/false_positives/altinity_clickhouse.yara
new file mode 100644
index 000000000..2f2659c8e
--- /dev/null
+++ b/rules/false_positives/altinity_clickhouse.yara
@@ -0,0 +1,12 @@
+rule altinity_clickhouse_keeper_debug: override {
+ meta:
+ description = "clickhouse-keeper.debug detached debug symbols file"
+ fake_section_headers_conflicting_entry_point_address = "harmless"
+
+ strings:
+ $keeper_dispatcher = "_GLOBAL__sub_I_KeeperDispatcher.cpp"
+ $keeper_resource = "gkeeper_resource_embedded_xmlData"
+
+ condition:
+ filesize < 15728640 and all of them
+}
diff --git a/rules/false_positives/ansible.yara b/rules/false_positives/ansible.yara
index 1ca13fcb4..3749b99fd 100644
--- a/rules/false_positives/ansible.yara
+++ b/rules/false_positives/ansible.yara
@@ -27,3 +27,29 @@ rule ansible_report_coverage: override {
 condition:
 filesize < 2048 and all of them
 }
+
+rule ansible_shippable_ci: override {
+ meta:
+ description = "shippable.sh CI test runners from Ansible collections"
+ pip_installer_url = "low"
+
+ strings:
+ $shippable = "SHIPPABLE_BUILD_ID"
+ $ansible_test = "ansible-test env --dump"
+
+ condition:
+ filesize < 8192 and all of them
+}
+
+rule ansible_collection_ci_workflow: override {
+ meta:
+ description = "Ansible collection CI workflow installing ansible-core for testing"
+ pip_installer_url = "low"
+
+ strings:
+ $ansible_core = "Install ansible-core"
+ $test_deps = "ansible-lint docker flake8 molecule"
+
+ condition:
+ filesize < 4096 and all of them
+}
diff --git a/rules/false_positives/cg.yara b/rules/false_positives/cg.yara
new file mode 100644
index 000000000..a3992a383
--- /dev/null
+++ b/rules/false_positives/cg.yara
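Review bot: The override marks `fake_section_headers_conflicting_entry_point_address` harmless for any file under 15 MiB that carries two printable strings, with nothing in the condition tying the match to the ELF debug-symbol object the description names. Plain strings are weak discriminators for an override that silences a header-tampering finding, so anchoring on the file type would narrow it, e.g. `uint32(0) == 0x464c457f and filesize < 15MB and all of them`. The `15MB` suffix form also matches how the mise rule in the same directory writes its bounds (`50MB`, `150MB`) instead of the raw `15728640`. A one-line `//` comment recording what in the detached .debug file produced the original hit would let a later maintainer judge whether the override is still needed.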
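Review bot: `ansible_collection_ci_workflow` downgrades `pip_installer_url` on any sub-4 KiB file that names an "Install ansible-core" step and a package list, with no string that ties the match to a CI workflow or to an Ansible collection as the description claims. Adding one workflow-specific anchor, such as `$runs_on = "runs-on:"`, to the `strings:` section and the `all of them` condition would keep the override from applying to arbitrary small shell or Python files that happen to quote those two phrases. The 4096-byte cap is also tight for a workflow that installs ansible-core plus molecule and docker; real workflow files may well exceed it, so it is worth confirming against the file that produced the finding. The same anchor question applies to `ansible_shippable_ci`, although `SHIPPABLE_BUILD_ID` is a reasonably specific marker on its own.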
@@ -0,0 +1,17 @@
+rule cg: override {
+ meta:
+ description = "/usr/bin/cg"
+ rename_system_binary = "low"
+ powershell_encoded_command_val = "low"
+ slack_leveldb = "low"
+ curl_python_pipe = "low"
+ hidden_short_path_temp = "low"
+ ssh_backdoor = "low"
+
+ strings:
+ $go_mod = "chainguard.dev/cg"
+ $mono = "mono"
+
+ condition:
+ filesize < 250000000 and all of them
+}
diff --git a/rules/false_positives/electric.yara b/rules/false_positives/electric.yara
new file mode 100644
index 000000000..b2e52a081
--- /dev/null
+++ b/rules/false_positives/electric.yara
@@ -0,0 +1,13 @@
+rule electric_phoenix_eex: override {
+ meta:
+ description = "app/lib/phoenix-*/priv/templates/phx.gen.release/rel/migrate.sh.eex"
+ SIGNATURE_BASE_WEBSHELL_ASP_Nano = "harmless"
+
+ strings:
+ $otp_app = "otp_app"
+ $app_namespace = "app_namespace"
+ $release_migrate = "Release.migrate"
+
+ condition:
+ filesize < 500 and all of them
+}
diff --git a/rules/false_positives/mise.yara b/rules/false_positives/mise.yara
index 08a3e41e4..7e58ff3ac 100644
--- a/rules/false_positives/mise.yara
+++ b/rules/false_positives/mise.yara
@@ -5,8 +5,8 @@ rule mise: override {
 polkit_pkexec_exploit = "harmless"
 strings:
- $jdx_mise = "jdx/mise"
- $mise_jdx_dev = "mise.jdx.dev"
+ $jdx_mise = "jdx/mise"
+ $mise_config = "~/.config/mise/config.toml"
 condition:
 filesize > 50MB and filesize < 150MB and all of them
diff --git a/rules/false_positives/renovate.yara b/rules/false_positives/renovate.yara
new file mode 100644
index 000000000..d3f89e2e8
--- /dev/null
+++ b/rules/false_positives/renovate.yara
@@ -0,0 +1,12 @@
+rule renovate_mise_registry: override {
+ meta:
+ description = "/usr/lib/renovate/dist/data/mise-registry.js"
+ hacktool_chisel = "harmless"
+
+ strings:
+ $mise_plugins = "mise-plugins/vfox-1password"
+ $zprint = "kkinnear/zprint"
+
+ condition:
+ filesize < 300KB and all of them
+}
diff --git a/rules/false_positives/wazuh.yara b/rules/false_positives/wazuh.yara
index f972847c2..433c3d712 100644
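Review bot: `$mono = "mono"` is a four-byte string that occurs inside common words such as "monotonic" in most large binaries, so it adds almost no discrimination and the rule effectively keys on the single string `chainguard.dev/cg` for any file under 250 MB while lowering six findings at once, including `ssh_backdoor` and `curl_python_pipe`. That module path is present in every Go binary that depends on the module, not only in `/usr/bin/cg`, so the override would be tighter with a file-type anchor and a string specific to this program: `uint32(0) == 0x464c457f and filesize < 250MB and all of them`, with `$mono` replaced by the binary's own main-package path (`<CG_MAIN_PACKAGE_PATH>`, to be taken from the actual binary). The `250MB` form also matches the suffix style the mise rule in this directory already uses. A lower filesize bound, as the mise rule has, would further keep the override from matching small unrelated files that merely mention the module.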
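Review bot: In the mise hunk the `$jdx_mise = "jdx/mise"` line is removed and re-added with content that is identical as shown here, which looks like a whitespace-only realignment folded into a semantic change; limiting the hunk to the `$mise_jdx_dev` to `$mise_config` swap would make the intent easier to read in history. The reason `mise.jdx.dev` stopped being a usable anchor is not recorded anywhere in the rule, and a later maintainer will not know whether the URL can safely come back. A comment above the new string would preserve that, e.g. `// "mise.jdx.dev" no longer appears in mise <VERSION> builds; anchor on the default config path instead` with the version filled in from the binary that motivated the change. The rest of the `mise` rule, including its `meta` overrides, lies outside the hunk.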
--- a/rules/false_positives/wazuh.yara
+++ b/rules/false_positives/wazuh.yara
@@ -60,6 +60,7 @@ rule wazuh_syscheckd: override {
 rootkit_high = "medium"
 cmd_dev_null_quoted = "medium"
 proc_s_exe = "medium"
+ curl_easy_exfil = "low"
 strings:
 $libwazuhext = "libwazuhext.so"
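Review bot: The new `curl_easy_exfil = "low"` line sits next to three overrides in the same `meta` block that all stop at `"medium"`, and nothing explains why an exfiltration-shaped libcurl finding is reduced further than `rootkit_high` or `proc_s_exe` for the same binary. Either align it to `"medium"` for consistency or keep `"low"` and record the justification beside it, e.g. `// curl_easy_* usage is <what syscheckd uses libcurl for — confirm from source>`. The `wazuh_syscheckd` rule's strings and condition continue outside the hunk, so whether `$libwazuhext` alone is enough of an anchor for this broader set of overrides cannot be judged from here.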