Skip to content

Commit

Permalink
Teach malcontent about more Python maliciousness (#639)
Browse files Browse the repository at this point in the history
* Teach malcontent about more Python maliciousness

* refresh testdata

* rule tuning

* Update third-party rules as of 2024-11-18 (#641)

Co-authored-by: Update third-party rules <41898282+github-actions[bot]@users.noreply.github.com>

* Don't consider .mdiff or .sdiff files in discoverTestData (#637)

Signed-off-by: egibs <[email protected]>

* update sample commit

* update testdata

* rule tuning

---------

Signed-off-by: egibs <[email protected]>
Co-authored-by: octo-sts[bot] <157150467+octo-sts[bot]@users.noreply.github.com>
Co-authored-by: Update third-party rules <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Evan Gibler <[email protected]>
  • Loading branch information
4 people authored Nov 18, 2024
1 parent 16cfd8b commit 24e39d3
Show file tree
Hide file tree
Showing 175 changed files with 1,207 additions and 118 deletions.
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@


SAMPLES_REPO ?= chainguard-dev/malcontent-samples
SAMPLES_COMMIT ?= 8c02e6ef4d3a67e4e45f58e1b1b05a586e8bc24f
SAMPLES_COMMIT ?= 35fa24a7f08b2363b0f4df9b86d6ecee7a0f6ead

# BEGIN: lint-install ../malcontent
# http://github.com/tinkerbell/lint-install
Expand Down
40 changes: 32 additions & 8 deletions pkg/action/testdata/scan_archive
Original file line number Diff line number Diff line change
Expand Up @@ -196,15 +196,15 @@
"RuleName": "crypto_aes"
},
{
"Description": "Uses crypto/cipher",
"Description": "mentions 'ciphertext'",
"MatchStrings": [
"XORKeyStream"
"ciphertext"
],
"RiskScore": 0,
"RiskLevel": "NONE",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#go_cipher",
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext",
"ID": "crypto/cipher",
"RuleName": "go_cipher"
"RuleName": "ciphertext"
},
{
"Description": "Uses the Go crypto/ecdsa library",
Expand Down Expand Up @@ -1740,6 +1740,18 @@
"ID": "fs/symlink_resolve",
"RuleName": "realpath"
},
{
"Description": "temp",
"MatchStrings": [
"getenv",
"temp"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp",
"ID": "fs/tempdir/TEMP",
"RuleName": "temp"
},
{
"Description": "Uses mktemp to create temporary files",
"MatchStrings": [
Expand Down Expand Up @@ -1904,7 +1916,7 @@
"RuleName": "content_type"
},
{
"Description": "makes HTTP requests with basic authentication",
"Description": "makes HTTP requests with Bearer authentication",
"MatchStrings": [
"WWW-Authenticate",
"Www-Authenticate",
Expand Down Expand Up @@ -1945,7 +1957,8 @@
"MatchStrings": [
"POST",
"application/json",
"application/x-www-form-urlencoded"
"application/x-www-form-urlencoded",
"post"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
Expand Down Expand Up @@ -2003,6 +2016,17 @@
"ID": "net/ip",
"RuleName": "packets"
},
{
"Description": "connects to an arbitrary hostname:port",
"MatchStrings": [
"host to transport"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port",
"ID": "net/ip/host_port",
"RuleName": "host_port"
},
{
"Description": "parses IP address (IPv4 or IPv6)",
"MatchStrings": [
Expand Down
19 changes: 19 additions & 0 deletions rules/anti-static/base64/import.yara
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
rule b64_as_int: critical {
meta:
description = "hides term 'base64' within an integer array"

strings:
$f_decode = "decode"
$f_ord = "ord"
$ib = "98,"
$ia = "97,"
$is = "115,"
$ie = "101,"
$i6 = "54,"
$i4 = "52"
condition:
any of ($f*) and all of ($i*) and @ia > @ib and @is > @ia and @ie > @is and @i6 > @ie and @i4 > @i6 and @i6 - @ib <= 48
}
15 changes: 15 additions & 0 deletions rules/anti-static/obfuscation/hex.yara
Original file line number Diff line number Diff line change
Expand Up @@ -55,3 +55,18 @@ rule hex_parse_base64_high: high {
filesize < 32KB and any of ($lang*) and any of ($b*) and none of ($not*)
}

rule mega_string: high {
meta:
description = "python script decodes large hexadecimal string"

strings:
$unhexlify = "unhexlify"
$hex_multiline_single = /= {0,2}'''[\/\da-fA-F]{1024}/
$hex_multiline_double = /= {0,2}"""[\/\da-fA-F]{1024}/
$hex_line_single = /= '[\/\da-fA-F]{1024}/
$hex_line_double = /= "[\/\da-fA-F]{1024}/
condition:
filesize < 5MB and $unhexlify and any of ($hex*)
}
Loading

0 comments on commit 24e39d3

Please sign in to comment.