From 489173c40b84d36910cc53a835ae950ff716aa35 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Fri, 6 Jun 2025 08:18:11 -0500
Subject: [PATCH] Clean up false positives for EOL Go and Linux Test Project

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 rules/false_positives/go_1.17.yara | 11 +++++++++++
 rules/false_positives/ltp.yara | 24 ++++++++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 rules/false_positives/go_1.17.yara
 create mode 100644 rules/false_positives/ltp.yara

diff --git a/rules/false_positives/go_1.17.yara b/rules/false_positives/go_1.17.yara
new file mode 100644
index 000000000..206e6133a
--- /dev/null
+++ b/rules/false_positives/go_1.17.yara
@@ -0,0 +1,11 @@
+rule go_1_17_override: override {
+ meta:
+ description = "linux_amd64/link"
+ ARKBIRD_SOLG_APT_APT34_RDAT_Feb_2021_1 = "low"
+
+ strings:
+ $build_id = "OZ4MIHRt5yYNzPxU6QuH/qAeXWMvY1RJrUXB6xka1/4fdCwddvzTvjJBZrCo2S/DCU7CoUCdrRvbKi6ROH6"
+
+ condition:
+ all of them
+}
diff --git a/rules/false_positives/ltp.yara b/rules/false_positives/ltp.yara
new file mode 100644
index 000000000..000dfbfc4
--- /dev/null
+++ b/rules/false_positives/ltp.yara
@@ -0,0 +1,24 @@
+rule ltp_dirtypipe_override: override {
+ meta:
+ description = "testcases/bin/dirtypipe"
+ Linux_Exploit_CVE_2022_0847_e831c285 = "high"
+
+ strings:
+ $dirtypipe = "@dirtypipe.c"
+ $ltp = "LTPROOT Prefix for installed LTP (default: /opt/ltp)"
+
+ condition:
+ all of them
+}
+
+rule ltp_runsched_override: override {
+ meta:
+ description = "testcases/bin/run_sched_cliserv.sh"
+ SIGNATURE_BASE_WEBSHELL_ASPX_Proxyshell_Aug15 = "harmless"
+
+ strings:
+ $cmd = "pthcli 127.0.0.1 $LTPROOT/testcases/bin/data"
+
+ condition:
+ all of them
+}
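Review bot: The `$build_id` line is the only anchor for downgrading ARKBIRD_SOLG_APT_APT34_RDAT_Feb_2021_1 to "low", and a plain literal like this is trivially copyable, so any sample that embeds the same build-ID string inherits the reduced severity. If the binary this was taken from carries a Go-specific marker as well (a `go1.17` version string or a buildinfo header, for example), requiring it alongside `$build_id` would make the override harder to borrow; I cannot confirm from the hunk which markers are present. The meta also records only `description = "linux_amd64/link"`, which presumably names the Go 1.17 linker tool but not why it trips the RDAT rule, so a comment above the rule such as `// Go 1.17 (EOL) pkg/tool/linux_amd64/link matches the APT34 RDAT rule; pinned to this one build ID rather than disabling the rule` would let the next maintainer judge whether the override is still needed when either side changes.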
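Review bot: `ltp_dirtypipe_override` sets Linux_Exploit_CVE_2022_0847_e831c285 to "high" rather than to "harmless" as the sibling `ltp_runsched_override` does, and nothing in the file records why, so a later false-positive sweep could easily lower it further. If the intent is that LTP's dirtypipe testcase is a working CVE-2022-0847 reproducer that merely ships inside a test suite, a comment above the rule should say so, e.g. `// LTP's dirtypipe testcase is a functional Dirty Pipe exploit; keep it at high, not harmless, so it still surfaces in scans`. For `ltp_runsched_override`, the single `$cmd` literal fully suppresses the ProxyShell webshell rule for any file containing that line; a comment naming which part of run_sched_cliserv.sh triggered the webshell match would make the override checkable against future revisions of that signature.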