Reduce some random Linux false positives (#501)

chainguard-dev · Oct 7, 2024 · 4b04854 · 4b04854
1 parent 1fe7d0f
commit 4b04854
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 9 deletions.
diff --git a/rules/combo/backdoor/remote_eval.yara b/rules/combo/backdoor/remote_eval.yara
@@ -22,11 +22,13 @@ rule remote_eval_close : critical {
     hash_2019_active_controller_middleware = "9a85e7aee672b1258b3d4606f700497d351dd1e1117ceb0e818bfea7922b9a96"
     hash_2023_1_1_6_payload = "cbe882505708c72bc468264af4ef5ae5de1b75de1f83bba4073f91568d9d20a1"
     hash_2023_0_0_7_payload = "bb6ca6bfd157c39f4ec27589499d3baaa9d1b570e622722cb9bddfff25127ac9"
+	filetypes = "php"
   strings:
+	$php = "<?php"
     $eval = "eval("
     $header = /(GET|POST|COOKIE|cookie)/
   condition:
-    math.max(@header, @eval) - math.min(@header, @eval) < 96
+    filesize < 16KB and $php and math.max(@header, @eval) - math.min(@header, @eval) < 96
 }
 
 rule python_exec_near_requests : critical {

diff --git a/rules/combo/stealer/browser.yara b/rules/combo/stealer/browser.yara
@@ -89,7 +89,7 @@ rule userdata_browser_archiver : high {
     $b_Safari = "Safari"
     $b_Chrome = "Chrome"
 	$b_moz = "Roaming/Moz"
-	$b_Opera = "Opera"
+	$b_Opera = "Opera" fullword
 
     $not_chromium = "ChromiumBrowser"
     $not_chromium_comment = "When this is enabled, Chromium can use"
@@ -100,8 +100,9 @@ rule userdata_browser_archiver : high {
     $not_ff_js = "Firefox can even throw an error"
     $not_generated_comment = "// This file is generated"
     $not_generated_file = "/utils/generate_types/index.js"
+	$not_no_user_data = "No User Data"
   condition:
-    any of ($d*) and any of ($h*) and any of ($z*) and 3 of ($b*) and none of ($not*)
+    filesize < 10MB and any of ($d*) and any of ($h*) and any of ($z*) and 3 of ($b*) and none of ($not*)
 }
 
 rule smaller_userdata_browser_archiver : high {

diff --git a/rules/evasion/int_to_char.yara b/rules/evasion/int_to_char.yara
@@ -1,10 +1,10 @@
 
-rule js_char_code_at : high {
+rule js_char_code_at : medium {
   meta:
     description = "converts strings into integers"
 	filetypes = "javascript"
   strings:
     $charCodeAt = "fromCharCode" fullword
   condition:
-    any of them
+    filesize < 16KB and any of them
 }
diff --git a/rules/evasion/reversed_functions.yara b/rules/evasion/reversed_functions.yara
@@ -1,23 +1,26 @@
-rule reversed_function_names : critical {
+rule small_reversed_function_names : critical {
 	meta:
 		description = "Contains function names in reverse"
 		credit = "Initially ported from https://github.com/jvoisin/php-malware-finder"
+		filetypes = "php"
     strings:
+		$php = "<?php"
 		$create_function = "create_function"
 		$r_system = "metsys"
 		$r_passthru = "urhtssap"
 		$r_include = "edulcni"
 		$r_shell_execute = "etucexe_llehs"
 		$r_base64_decode = "edoced_46esab"
 	condition:
-		$create_function and any of ($r*)
+		filesize < 64KB and $php and $create_function and any of ($r*)
 }
 
 rule strrev_short : medium {
 	meta:
 		description = "calls strrev on a short string"
+		filetypes = "php"
 	strings:
 		$strrev = /strrev\(['"][\w\=]{0,5}]'"]\)/
 	condition:
-		$strrev
+		filesize < 32KB and $strrev
 }
diff --git a/rules/ref/words/password_finder.yara b/rules/ref/words/password_finder.yara
@@ -9,7 +9,17 @@ rule password_finder_generic : high {
     $ref = "findPassword"
     $ref2 = "find_password"
   condition:
-    any of them
+	filesize < 25MB and any of them
+}
+
+rule gnome_keyring_sync : override {
+	meta:
+		description = "looks up passwords via gnome_keyring"
+		password_finder_generic = "medium"
+	strings:
+		$ref = "gnome_keyring_find_password_sync"
+	condition:
+		filesize > 5MB and any of them
 }
 
 rule password_dumper_generic : high {