Skip to content

fix(js): Reducing severity of javascript issues to reduce false posit… #907

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
antitree wants to merge 1 commit into from
Closed

fix(js): Reducing severity of javascript issues to reduce false posit… #907

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 10 additions & 10 deletions rules/anti-static/obfuscation/js.yara
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@ rule character_obfuscation: medium {
obfs_probably_js and filesize < 4MB and all of them
}

rule js_char_code_at_substitution: high {
rule js_char_code_at_substitution: low {
meta:
description = "converts integers into strings and contains a substitution map"
filetypes = "javascript"
Expand All @@ -83,7 +83,7 @@ rule js_char_code_at_substitution: high {
obfs_probably_js and filesize < 256KB and all of them
}

rule child_process: critical {
rule child_process: medium {
meta:
description = "obfuscated javascript that calls external programs"

Expand All @@ -101,7 +101,7 @@ rule child_process: critical {
obfs_probably_js and filesize < 1MB and all of them and math.entropy(1, filesize) >= 6
}

rule ebe: critical {
rule ebe: medium {
meta:
description = "highly obfuscated javascript (eBe)"
filetypes = "javascript"
Expand All @@ -116,7 +116,7 @@ rule ebe: critical {
obfs_probably_js and filesize < 5MB and $function and $charCodeAt and #ref > 10
}

rule ebe_generic: high {
rule ebe_generic: low {
meta:
description = "highly obfuscated javascript"
filetypes = "javascript"
Expand Down Expand Up @@ -168,7 +168,7 @@ rule js_hex_eval_obfuscation: critical {
obfs_probably_js and filesize < 128KB and any of them
}

rule js_hex_obfuscation: critical {
rule js_hex_obfuscation: medium {
meta:
description = "javascript function obfuscation (hex)"

Expand All @@ -180,15 +180,15 @@ rule js_hex_obfuscation: critical {
obfs_probably_js and filesize < 1MB and any of them
}

rule high_entropy: medium {
rule high_entropy: low {
meta:
description = "high entropy javascript (>6)"

condition:
obfs_probably_js and math.entropy(1, filesize) >= 6
}

rule very_high_entropy: critical {
rule very_high_entropy: medium {
meta:
description = "very high entropy javascript (>7)"

Expand All @@ -209,7 +209,7 @@ rule charCodeAtIncrement: medium {
obfs_probably_js and filesize < 4MB and $function and #increment > 1
}

rule js_many_parseInt: high {
rule js_many_parseInt: medium {
meta:
description = "javascript obfuscation (integer parsing)"
filetypes = "javascript"
Expand Down Expand Up @@ -261,7 +261,7 @@ rule unicode_prototype: critical {
obfs_probably_js and any of them
}

rule var_filler: high {
rule var_filler: medium {
meta:
description = "header is filled with excessive variable declarations"

Expand Down Expand Up @@ -327,7 +327,7 @@ rule obfuscated_map_to_array_conversions: high {
obfs_probably_js and #ref > 32
}

rule large_obfuscated_array: high {
rule large_obfuscated_array: medium {
meta:
description = "contains large obfuscated arrays"

Expand Down
2 changes: 1 addition & 1 deletion rules/anti-static/obfuscation/reverse.yara
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ rule string_reversal: medium {
any of them
}

rule function_reversal: high {
rule function_reversal: medium {
meta:
description = "reversed function definition"

Expand Down
Loading