From e942313785031c344e1ded69323492dfdaa9ee27 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Mon, 2 Jun 2025 18:06:24 -0500
Subject: [PATCH 1/3] Hide noisy error logs; final rule tweaks

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 pkg/action/path.go | 6 +++---
 rules/false_positives/nextcloud.yara | 13 +++++++++++++
 rules/false_positives/sqlmap.yara | 11 +++++------
 3 files changed, 21 insertions(+), 9 deletions(-)
 create mode 100644 rules/false_positives/nextcloud.yara

diff --git a/pkg/action/path.go b/pkg/action/path.go
index abece665f..ec1dcafbd 100644
--- a/pkg/action/path.go
+++ b/pkg/action/path.go
@@ -40,7 +40,7 @@ func findFilesRecursively(ctx context.Context, rootPath string) ([]string, error
 	err = filepath.WalkDir(root, func(path string, info os.DirEntry, err error) error {
 		if err != nil {
-			logger.Errorf("error: %s: %s", path, err)
+			logger.Debugf("error: %s: %s", path, err)
 			return nil
 		}
 		if info.IsDir() || strings.Contains(path, "/.git/") {
@@ -52,12 +52,12 @@ func findFilesRecursively(ctx context.Context, rootPath string) ([]string, error
 			logger.Debugf("attempting to resolve symlink: %s", path)
 			eval, err := filepath.EvalSymlinks(path)
 			if err != nil {
-				logger.Errorf("eval: %s: %s", path, err)
+				logger.Debugf("eval: %s: %s", path, err)
 				return nil
 			}
 			fi, err := os.Stat(eval)
 			if err != nil {
-				logger.Errorf("stat: %s: %s", path, err)
+				logger.Debugf("stat: %s: %s", path, err)
 				return nil
 			}
 			if fi.IsDir() {
diff --git a/rules/false_positives/nextcloud.yara b/rules/false_positives/nextcloud.yara
new file mode 100644
index 000000000..2a59235ab
--- /dev/null
+++ b/rules/false_positives/nextcloud.yara
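Review bot: Downgrading the WalkDir callback error to Debugf on the `+` line means a path the scanner could not enter (permission denied, unreadable mount) is now skipped with no signal at the default log level, which for a malware scanner is a silent coverage gap rather than just noise. Consider keeping the per-path message at debug but counting the failures and emitting one summary after the walk, e.g. `logger.Warnf("%d paths skipped due to read errors (enable debug logging for details)", skipped)` or whatever warning level the logger offers, so an operator can tell a clean scan from one that could not read half the tree. Note also that `return nil` here covers the case where err is for `root` itself, in which case WalkDir returns nil and the caller gets an empty result with no error; if that should still fail the scan, check `path == root` before swallowing. findFilesRecursively's body starts and ends outside this hunk.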
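Review bot: The stat failure on the second `+` line is logged against `path` (the symlink) although the call that failed was `os.Stat(eval)`, so even at debug level the reader sees the link name but not the resolved target that could not be stat'ed; `logger.Debugf("stat: %s -> %s: %s", path, eval, err)` makes dangling-target cases diagnosable. Separately, nothing in this hunk checks whether `eval` is still under `rootPath` before the `fi.IsDir()` branch continues; if the rest of the callback (outside the hunk) does not check either, a planted symlink can pull arbitrary host files into the scan, which is worth a `filepath.Rel` containment check or a comment stating that following links out of the root is intentional. findFilesRecursively's body continues outside the hunk.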
@@ -0,0 +1,13 @@
+rule vimeo_psalm_md_php_override: override {
+  meta:
+    description = "Psalm MD files with PHP code excerpts"
+    SIGNATURE_BASE_WEBSHELL_PHP_Dynamic = "harmless"
+  strings:
+    $ = "Emitted when calling a function on a non-callable variable"
+    $ = "Emitted when calling a function on a value whose type Psalm cannot infer."
+    $ = "Emitted when trying to use `null` as a `callable`"
+    $ = "Emitted when trying to call a function on a value that may not be callable"
+    $ = "Emitted when trying to call a function on a value that may be null"
+  condition:
+    any of them
+}
diff --git a/rules/false_positives/sqlmap.yara b/rules/false_positives/sqlmap.yara
index 269c7866b..b2a527421 100644
--- a/rules/false_positives/sqlmap.yara
+++ b/rules/false_positives/sqlmap.yara
@@ -5,11 +5,10 @@ rule sqlmap_override: override {
     SIGNATURE_BASE_Hacktool_Strings_P0Wnedshell = "high"

   strings:
-    $sqlmap1 = "Copyright (c) 2006-2025 sqlmap developers (https://sqlmap.org/)"
-    $sqlmap2 = "Visit 'https://github.com/sqlmapproject/sqlmap/#installation' for further details"
-    $sqlmap3 = /SqlmapBaseException|SqlmapDataException|SqlmapFilePathException|SqlmapShellQuitException|SqlmapSilentQuitException|SqlmapUserQuitException/
-    $sqlmap4 = "if \"sqlmap.sqlmap\" in sys.modules"
+    $c_sqlmap1 = "Copyright (c) 2006-2025 sqlmap developers (https://sqlmap.org/)"
+    $c_sqlmap2 = "Visit 'https://github.com/sqlmapproject/sqlmap/#installation' for further details"
+    $f_sqlmap3 = /SqlmapBaseException|SqlmapDataException|SqlmapFilePathException|SqlmapShellQuitException|SqlmapSilentQuitException|SqlmapUserQuitException/
+    $f_sqlmap4 = "if \"sqlmap.sqlmap\" in sys.modules"

   condition:
-    all of them
-}
+    any of ($c*) and all of ($f*)

From d03def6348ba6217f286c5eec2b218f6f78b2d2d Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Mon, 2 Jun 2025 18:09:51 -0500
Subject: [PATCH 2/3] Run make yara-x-fmt
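Review bot: This override flips SIGNATURE_BASE_WEBSHELL_PHP_Dynamic to "harmless" on `any of them`, and the five anchors are plain English sentences, so a PHP file that would otherwise trip the webshell signature is exempted by a single copied sentence in a comment; an allowlist keyed on free text is a bypass path and the rule should say so in its meta, e.g. `description = "Psalm issue docs (.md) with PHP excerpts; presumably one sentence per doc file, so any-of is required and a copied sentence in a PHP file defeats this override"`. If the override mechanism can be scoped by file extension, restricting this rule to `.md` files would close most of that gap, but I cannot tell from the hunk whether it can. The rule is named `vimeo_psalm_md_php_override` yet lives in `nextcloud.yara`, so a reader hunting for the Psalm override will not find it by filename; either rename the file or note in the description that this is the copy vendored under Nextcloud.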
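Review bot: `$c_sqlmap1` on the first `+` line pins the copyright range to `2006-2025`, so the override silently stops matching once sqlmap bumps the year and the suppressed false positive returns with no rule change to explain it; a regex such as `$c_sqlmap1 = /Copyright \(c\) 2006-20\d\d sqlmap developers \(https:\/\/sqlmap\.org\/\)/` keeps it stable. The hunk also removes the rule's closing `}` without replacing it, leaving the file unparseable until the next commit in this series adds it back; squashing that one-line fix into this commit would keep every commit in the series buildable. sqlmap_override begins outside the hunk.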
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 rules/false_positives/nextcloud.yara | 4 +++-
 rules/false_positives/sqlmap.yara | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/false_positives/nextcloud.yara b/rules/false_positives/nextcloud.yara
index 2a59235ab..c41b5d833 100644
--- a/rules/false_positives/nextcloud.yara
+++ b/rules/false_positives/nextcloud.yara
@@ -1,13 +1,15 @@
 rule vimeo_psalm_md_php_override: override {
   meta:
-      description = "Psalm MD files with PHP code excerpts"
+    description = "Psalm MD files with PHP code excerpts"
     SIGNATURE_BASE_WEBSHELL_PHP_Dynamic = "harmless"
+
   strings:
     $ = "Emitted when calling a function on a non-callable variable"
     $ = "Emitted when calling a function on a value whose type Psalm cannot infer."
     $ = "Emitted when trying to use `null` as a `callable`"
     $ = "Emitted when trying to call a function on a value that may not be callable"
     $ = "Emitted when trying to call a function on a value that may be null"
+
   condition:
     any of them
 }
diff --git a/rules/false_positives/sqlmap.yara b/rules/false_positives/sqlmap.yara
index b2a527421..4cbb1305a 100644
--- a/rules/false_positives/sqlmap.yara
+++ b/rules/false_positives/sqlmap.yara
@@ -12,3 +12,4 @@ rule sqlmap_override: override {

   condition:
     any of ($c*) and all of ($f*)
+}

From f587b9e231017c82bf176599f3dd7f27f2db9074 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Mon, 2 Jun 2025 18:10:46 -0500
Subject: [PATCH 3/3] Final tweak

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 rules/false_positives/sqlmap.yara | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/false_positives/sqlmap.yara b/rules/false_positives/sqlmap.yara
index 4cbb1305a..8ad89584e 100644
--- a/rules/false_positives/sqlmap.yara
+++ b/rules/false_positives/sqlmap.yara
@@ -11,5 +11,5 @@ rule sqlmap_override: override {
     $f_sqlmap4 = "if \"sqlmap.sqlmap\" in sys.modules"

   condition:
-    any of ($c*) and all of ($f*)
+    any of ($c*) and any of ($f*)
 }
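Review bot: Relaxing `all of ($f*)` to `any of ($f*)` on the `+` line means the override is now satisfied by one copyright/install line plus either the exception-class regex or the single line `if "sqlmap.sqlmap" in sys.modules`, and nothing in the rule records why two independent `$f` anchors are no longer required, so the next maintainer is likely to tighten it back. A meta entry capturing the observation that drove the change would prevent that, e.g. `description = "sqlmap source files; every file carries a $c line, only some carry the exception classes or the sys.modules check"` — adjust to the files you actually saw, since I am inferring the reason. Naming the specific sqlmap file that motivated the loosening, in the meta or the commit message, is also the cheapest way to make this override testable later. sqlmap_override begins outside the hunk.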