MalwareBehaviorCatalog follow-up: less naming stutter, less slashes (#…

…558) * rule naming: avoid stutter, further MBC reorg * update testdata * run yr fmt * keep the 3P subdir handling * improve 3rd party rule keys * renamed rules * rename lvt to lvt_locker, remove obsolete false * preserve anti-static * move sus/plugin * fix 3P rendering --------- Co-authored-by: Evan Gibler <[email protected]>
chainguard-dev · Nov 1, 2024 · fffd138 · fffd138
1 parent 282984b
commit fffd138
Show file tree

Hide file tree

Showing 319 changed files with 4,086 additions and 4,087 deletions.
diff --git a/capabilities.md b/capabilities.md
@@ -34,6 +34,7 @@ There are some internal namespaces we use:
 |---|---|
 | 3P | third party queries (unorganized) |
 | false-positives | rules to match known software |
-| sec-tool | known security tools (possibly dangerous) |
-| malware | known malware |
 | internal | other internal rules |
+| malware | known malware |
+| sec-tool | known security tools (possibly dangerous) |
+| sus | suspicious content that can't be otherwise categorized |
diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive
@@ -1,9 +1,11 @@
 # testdata/apko_nested.tar.gz ∴ /apko_0.13.2_linux_arm64/apko: high
 c2/addr/ip_port: medium
+c2/server_address: medium
 c2/tool_transfer/shell: medium
 collect/archives/zip: medium
-credential/keychain/keychain: medium
-credential/ssh/ssh: medium
+credential/keychain: medium
+credential/password: low
+credential/ssh: medium
 credential/ssl/private_key: low
 crypto/aes: low
 crypto/ecdsa: low
@@ -12,109 +14,107 @@ crypto/tls: low
 data/compression/bzip2: low
 data/compression/gzip: low
 data/compression/zstd: low
-data/embedded/embedded/pem/certificate: low
-data/embedded/embedded/pem/test_key: low
-data/embedded/embedded/ssh/signature: medium
-data/embedded/embedded/zstd: medium
+data/embedded/pem_certificate: low
+data/embedded/pem_test_key: low
+data/embedded/ssh_signature: medium
+data/embedded/zstd: medium
 data/encoding/base64: low
 data/encoding/json: low
-data/encoding/json/decode: low
-data/encoding/json/encode: low
+data/encoding/json_decode: low
+data/encoding/json_encode: low
 data/hash/blake2b: low
 data/hash/md5: low
-discover/network/interface/list: medium
-discover/network/mac/address: medium
+discover/network/interface_list: medium
+discover/network/mac_address: medium
 discover/network/netstat: medium
 discover/processes/pgrep: medium
-discover/system/cpu/info: low
-discover/system/hostname/get: low
+discover/system/cpu_info: low
+discover/system/hostname_get: low
 discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
-discover/user/username/get: medium
-evasion/bypass_security/linux/selinux: medium
+discover/user/name_get: medium
+evasion/bypass_security/linux/se: medium
 evasion/hidden_files/hidden: medium
 evasion/hide_artifacts/pivot_root: high
+exec/plugin: low
 exec/program: medium
-exec/shell/background/sleep: medium
+exec/shell/background_sleep: medium
 exec/shell/exec: medium
 fs/blkid: low
 fs/directory/create: low
 fs/directory/list: low
 fs/directory/remove: low
-fs/fifo/create: low
+fs/fifo_create: low
 fs/file/delete: low
-fs/file/delete/forcibly: low
+fs/file/delete_forcibly: low
 fs/file/read: low
 fs/file/stat: low
 fs/file/write: low
-fs/link/create: low
-fs/link/read: low
-fs/lock/update: low
+fs/link_create: low
+fs/link_read: low
+fs/lock_update: low
 fs/mount: low
-fs/node/create: low
-fs/path/bin/su: low
+fs/node_create: low
+fs/path/bin_su: low
 fs/path/etc: low
-fs/path/etc/hosts: medium
-fs/path/etc/resolv.conf: low
+fs/path/etc_hosts: medium
+fs/path/etc_resolv.conf: low
 fs/path/home: medium
-fs/path/home/config: low
+fs/path/home_config: low
 fs/path/relative: medium
 fs/path/root: medium
-fs/path/usr/bin: low
-fs/path/usr/local: medium
-fs/path/usr/sbin: low
+fs/path/usr_bin: low
+fs/path/usr_local: medium
+fs/path/usr_sbin: low
 fs/path/var: low
 fs/permission/chown: medium
 fs/permission/modify: medium
 fs/swap/off: low
 fs/swap/on: low
-fs/symlink/resolve: low
-fs/tempfile/create: low
+fs/symlink_resolve: low
+fs/tempdir/tempfile_create: low
 fs/unmount: low
-impact/words/exclamation: medium
-impact/words/heartbeat: medium
-impact/words/password: low
-impact/words/plugin: low
-impact/words/server_address: medium
-net/dns/dns: low
-net/dns/dns/reverse: medium
-net/dns/dns/servers: low
-net/dns/dns/txt: low
-net/download/download: medium
+impact/remote_access/heartbeat: medium
+net/dns: low
+net/dns/reverse: medium
+net/dns/servers: low
+net/dns/txt: low
+net/download: medium
 net/download/fetch: medium
-net/http/content/length/0: medium
-net/http/http/accept/encoding: low
-net/http/http/auth: low
-net/http/http/cookies: medium
-net/http/http/form/upload: medium
-net/http/http/post: medium
-net/http/http/request: low
-net/http/http2: low
-net/http/http_proxy: low
-net/ip/ip: low
-net/ip/ip/parse: medium
+net/http/2: low
+net/http/accept_encoding: low
+net/http/auth: low
+net/http/content_length_0: medium
+net/http/cookies: medium
+net/http/form_upload: medium
+net/http/post: medium
+net/http/proxy: low
+net/http/request: low
+net/ip: low
+net/ip/parse: medium
 net/proxy/socks5: medium
-net/resolve/hostname/resolve: low
-net/socket/socket/listen: low
-net/socket/socket/local_addr: low
-net/socket/socket/peer/address: low
-net/socket/socket/receive: low
-net/socket/socket/send: low
+net/resolve/hostname: low
+net/socket/listen: low
+net/socket/local_addr: low
+net/socket/peer_address: low
+net/socket/receive: low
+net/socket/send: low
 net/tcp/ssh: medium
-net/udp/udp/receive: low
-net/udp/udp/send: low
+net/udp/receive: low
+net/udp/send: low
 net/url/embedded: low
 net/url/encode: medium
 net/url/parse: low
 net/url/request: medium
 os/fd/sendfile: low
 os/kernel/netlink: low
-os/time/clock/set: low
-persist/cron/crontab: medium
-persist/daemon/daemon: medium
+os/time/clock_set: low
+persist/cron/tab: medium
+persist/daemon: medium
 process/chdir: low
 process/chroot: low
 process/executable_path: low
-process/groups/set: low
+process/groups_set: low
 process/unshare: low
+sus/exclamation: medium
diff --git a/pkg/action/testdata/scan_oci b/pkg/action/testdata/scan_oci
@@ -1,17 +1,17 @@
 # testdata/static.tar.xz ∴ /etc/profile: medium
-fs/file/permission/mask/set: none
+fs/file/permission_mask_set: none
 fs/path/etc: low
 fs/path/usr: none
-fs/path/usr/local: medium
+fs/path/usr_local: medium
 persist/shell/bash: medium
 persist/shell/init_files: low
 # testdata/static.tar.xz ∴ /var/lib/db/sbom/ca-certificates-bundle-20240705-r0.spdx.json: medium
-net/download/download: medium
+net/download: medium
 net/url/embedded: low
 # testdata/static.tar.xz ∴ /var/lib/db/sbom/tzdata-2024b-r0.spdx.json: medium
-net/download/download: medium
+net/download: medium
 net/url/embedded: low
 os/time/tzinfo: low
 # testdata/static.tar.xz ∴ /var/lib/db/sbom/wolfi-baselayout-20230201-r15.spdx.json: medium
-net/download/download: medium
+net/download: medium
 net/url/embedded: low
diff --git a/pkg/report/report.go b/pkg/report/report.go
@@ -44,32 +44,40 @@ var RiskLevels = map[int]string{
 
 // yaraForge has some very, very long rule names.
 var yaraForgeJunkWords = map[string]bool{
-	"controller":        true,
-	"generic":           true,
+	"0":                 true,
+	"1":                 true,
+	"2":                 true,
 	"apt":               true,
-	"malware":           true,
-	"YARAForge":         true,
-	"exe":               true,
-	"mal":               true,
-	"trojan":            true,
-	"m":                 true,
-	"hunting":           true,
-	"dynamic":           true,
+	"artefacts":         true,
+	"artifacts":         true,
+	"base":              true,
 	"big":               true,
-	"small":             true,
+	"controller":        true,
+	"dynamic":           true,
 	"encoded":           true,
+	"exe":               true,
+	"forensic":          true,
 	"forensicartifacts": true,
-	"lnx":               true,
+	"generic":           true,
+	"greyware":          true,
+	"hunting":           true,
+	"indicator":         true,
+	"keyword":           true,
 	"linux":             true,
+	"lnx":               true,
+	"m":                 true,
+	"mac":               true,
 	"macos":             true,
+	"mal":               true,
+	"malware":           true,
+	"offensive":         true,
 	"osx":               true,
-	"mac":               true,
-	"tool":              true,
-	"keyword":           true,
-	"indicator":         true,
+	"small":             true,
 	"suspicious":        true,
-	"offensive":         true,
-	"greyware":          true,
+	"tool":              true,
+	"trojan":            true,
+	"unix":              true,
+	"YARAForge":         true,
 }
 
 // thirdPartyCriticalSources are 3P sources that default to critical.
@@ -104,18 +112,18 @@ func thirdPartyKey(path string, rule string) string {
 	// include the directory
 	pathParts := strings.Split(path, "/")
 	subDir := pathParts[slices.Index(pathParts, "yara")+1]
-
 	words := []string{subDir}
 
 	// ELASTIC_Linux_Trojan_Gafgyt_E4A1982B
 	words = append(words, strings.Split(strings.ToLower(rule), "_")...)
 
-	// strip off the last wold if it's a hex key
+	// strip off the last word if it's a hex key
 	lastWord := words[len(words)-1]
 	_, err := strconv.ParseUint(lastWord, 16, 64)
 	if err == nil {
 		words = words[0 : len(words)-1]
 	}
+
 	var keepWords []string
 	for x, w := range words {
 		// ends with a date
@@ -134,8 +142,16 @@ func thirdPartyKey(path string, rule string) string {
 		keepWords = keepWords[0:4]
 	}
 
-	key := fmt.Sprintf("3P/%s", strings.Join(keepWords, "/"))
-	return strings.ReplaceAll(key, "signature/base", "signature_base")
+	src := keepWords[0]
+
+	// Fix name for https://github.com/Neo23x0/signature-base within YARAForge
+	if src == "signature" {
+		src = "sig_base"
+	}
+	rulename := keepWords[1:]
+
+	key := fmt.Sprintf("3P/%s/%s", src, strings.Join(rulename, "_"))
+	return key
 }
 
 // thirdParty returns whether the rule is sourced from a 3rd party.
@@ -153,8 +169,26 @@ func generateKey(src string, rule string) string {
 		return thirdPartyKey(src, rule)
 	}
 
-	key := strings.ReplaceAll(src, "-", "/")
-	return strings.ReplaceAll(key, ".yara", "")
+	key := strings.ReplaceAll(src, "-", "_")
+	key = strings.ReplaceAll(key, ".yara", "")
+
+	// Reduce stutter: if the rule is prefixed with the directory name, remove the prefix
+
+	dirParts := strings.Split(key, "/")
+	// ID's generally follow: `<namespace>/<resource>/<technique>`
+	ns := dirParts[0]
+	// namespaces can have dashes, like 'anti-static'
+	ns = strings.ReplaceAll(ns, "_", "-")
+	rsrc := dirParts[len(dirParts)-2]
+	tech := dirParts[len(dirParts)-1]
+
+	tech = strings.ReplaceAll(tech, rsrc, "")
+	tech = strings.ReplaceAll(tech, "__", "_")
+	tech = strings.Trim(tech, "_")
+
+	dirParts[0] = ns
+	dirParts[len(dirParts)-1] = tech
+	return strings.TrimSuffix(strings.Join(dirParts, "/"), "/")
 }
 
 func generateRuleURL(src string, rule string) string {

diff --git a/rules/impact/words/obfuscate.yara → rules/anti-static/obfuscation/obfuscate.yara b/rules/impact/words/obfuscate.yara → rules/anti-static/obfuscation/obfuscate.yara
diff --git a/rules/impact/words/dga.yara → rules/c2/discovery/dga.yara b/rules/impact/words/dga.yara → rules/c2/discovery/dga.yara
diff --git a/rules/impact/words/c2.yara → rules/c2/refs.yara b/rules/impact/words/c2.yara → rules/c2/refs.yara
diff --git a/rules/impact/words/server_address.yara → rules/c2/server_address.yara b/rules/impact/words/server_address.yara → rules/c2/server_address.yara
diff --git a/rules/impact/words/dropper.yara → rules/c2/tool_transfer/dropper.yara b/rules/impact/words/dropper.yara → rules/c2/tool_transfer/dropper.yara
diff --git a/rules/c2/tool_transfer/exe.yara → rules/c2/tool_transfer/exe_url.yara b/rules/c2/tool_transfer/exe.yara → rules/c2/tool_transfer/exe_url.yara
diff --git a/rules/impact/words/payload_url.yara → rules/c2/tool_transfer/payload_url.yara b/rules/impact/words/payload_url.yara → rules/c2/tool_transfer/payload_url.yara
diff --git a/rules/impact/ui/clipboard.yara → rules/credential/clipboard.yara b/rules/impact/ui/clipboard.yara → rules/credential/clipboard.yara
diff --git a/rules/impact/words/keylogger.yara → rules/credential/keylogger.yara b/rules/impact/words/keylogger.yara → rules/credential/keylogger.yara
diff --git a/rules/impact/words/password.yara → rules/credential/password/password.yara b/rules/impact/words/password.yara → rules/credential/password/password.yara
diff --git a/rules/impact/words/password_finder.yara → .../credential/password/password_finder.yara b/rules/impact/words/password_finder.yara → .../credential/password/password_finder.yara
diff --git a/rules/impact/sniffer.yara → rules/credential/sniffer/pcap.yara b/rules/impact/sniffer.yara → rules/credential/sniffer/pcap.yara
diff --git a/.../data/embedded/emdedded-app-manifest.yara → rules/data/embedded/app-manifest.yara b/.../data/embedded/emdedded-app-manifest.yara → rules/data/embedded/app-manifest.yara
diff --git a/rules/impact/suspicious-pdb.yara → ...asion/bypass_security/suspicious-pdb.yara b/rules/impact/suspicious-pdb.yara → ...asion/bypass_security/suspicious-pdb.yara
diff --git a/rules/impact/wiper/sensitive_logs.yara → rules/evasion/logging/wipe.yara b/rules/impact/wiper/sensitive_logs.yara → rules/evasion/logging/wipe.yara
diff --git a/rules/exec/cmd.yara → rules/exec/cmd/cmd.yara b/rules/exec/cmd.yara → rules/exec/cmd/cmd.yara
diff --git a/rules/exec/pipe.yara → rules/exec/cmd/pipe.yara b/rules/exec/pipe.yara → rules/exec/cmd/pipe.yara
diff --git a/rules/impact/words/plugin.yara → rules/exec/plugin/plugin.yara b/rules/impact/words/plugin.yara → rules/exec/plugin/plugin.yara
diff --git a/rules/exec/process-control.yara b/rules/exec/process-control.yara
diff --git a/rules/exec/program-background.yara → rules/exec/program/program-background.yara b/rules/exec/program-background.yara → rules/exec/program/program-background.yara
diff --git a/rules/exec/program.yara → rules/exec/program/program.yara b/rules/exec/program.yara → rules/exec/program/program.yara
diff --git a/rules/exec/scripting/automator_launcher.yara → rules/exec/script/automator_launcher.yara b/rules/exec/scripting/automator_launcher.yara → rules/exec/script/automator_launcher.yara
diff --git a/rules/exec/scripting/osascript.yara → rules/exec/script/osascript.yara b/rules/exec/scripting/osascript.yara → rules/exec/script/osascript.yara
diff --git a/rules/exec/scripting/powershell_encoded.yara → rules/exec/script/powershell_encoded.yara b/rules/exec/scripting/powershell_encoded.yara → rules/exec/script/powershell_encoded.yara
diff --git a/rules/exec/scripting/powershell_hidden.yara → rules/exec/script/powershell_hidden.yara b/rules/exec/scripting/powershell_hidden.yara → rules/exec/script/powershell_hidden.yara
diff --git a/rules/impact/words/collection.yara → rules/exfil/collection.yara b/rules/impact/words/collection.yara → rules/exfil/collection.yara
diff --git a/rules/impact/words/exfil.yara → rules/exfil/exfil.yara b/rules/impact/words/exfil.yara → rules/exfil/exfil.yara
diff --git a/rules/false_positives/filebeat.yara b/rules/false_positives/filebeat.yara
@@ -1,7 +1,7 @@
 rule misp_mdjson: override {
   meta:
     description = "misp_sample.mdjson.log"
-    lvt         = "medium"
+    lvt_locker  = "medium"
 
   strings:
     $attribute = "Attribute"

diff --git a/rules/false_positives/sqlpad.yara b/rules/false_positives/sqlpad.yara
diff --git a/rules/fs/directory-create.yara → rules/fs/directory/directory-create.yara b/rules/fs/directory-create.yara → rules/fs/directory/directory-create.yara
diff --git a/rules/fs/directory-list.yara → rules/fs/directory/directory-list.yara b/rules/fs/directory-list.yara → rules/fs/directory/directory-list.yara
diff --git a/rules/fs/directory-remove.yara → rules/fs/directory/directory-remove.yara b/rules/fs/directory-remove.yara → rules/fs/directory/directory-remove.yara
diff --git a/rules/fs/directory-traverse.yara → rules/fs/directory/directory-traverse.yara b/rules/fs/directory-traverse.yara → rules/fs/directory/directory-traverse.yara
diff --git a/rules/fs/file-access-check.yara → rules/fs/file/file-access-check.yara b/rules/fs/file-access-check.yara → rules/fs/file/file-access-check.yara
diff --git a/rules/fs/file-capabilities-set.yara → rules/fs/file/file-capabilities-set.yara b/rules/fs/file-capabilities-set.yara → rules/fs/file/file-capabilities-set.yara
diff --git a/rules/fs/file-copy.yara → rules/fs/file/file-copy.yara b/rules/fs/file-copy.yara → rules/fs/file/file-copy.yara
diff --git a/rules/fs/file-create.yara → rules/fs/file/file-create.yara b/rules/fs/file-create.yara → rules/fs/file/file-create.yara
diff --git a/rules/fs/file-delete-forcibly.yara → rules/fs/file/file-delete-forcibly.yara b/rules/fs/file-delete-forcibly.yara → rules/fs/file/file-delete-forcibly.yara
diff --git a/rules/fs/file-delete.yara → rules/fs/file/file-delete.yara b/rules/fs/file-delete.yara → rules/fs/file/file-delete.yara
diff --git a/rules/fs/file-flags-change.yara → rules/fs/file/file-flags-change.yara b/rules/fs/file-flags-change.yara → rules/fs/file/file-flags-change.yara
diff --git a/rules/fs/file-make_executable.yara → rules/fs/file/file-make_executable.yara b/rules/fs/file-make_executable.yara → rules/fs/file/file-make_executable.yara
diff --git a/rules/fs/file-open-by_handle.yara → rules/fs/file/file-open-by_handle.yara b/rules/fs/file-open-by_handle.yara → rules/fs/file/file-open-by_handle.yara
diff --git a/rules/fs/file-open.yara → rules/fs/file/file-open.yara b/rules/fs/file-open.yara → rules/fs/file/file-open.yara
diff --git a/rules/fs/file-permission-mask-set.yara → rules/fs/file/file-permission-mask-set.yara b/rules/fs/file-permission-mask-set.yara → rules/fs/file/file-permission-mask-set.yara
diff --git a/rules/fs/file-permissions-setuid.yara → rules/fs/file/file-permissions-setuid.yara b/rules/fs/file-permissions-setuid.yara → rules/fs/file/file-permissions-setuid.yara
diff --git a/rules/fs/file-read.yara → rules/fs/file/file-read.yara b/rules/fs/file-read.yara → rules/fs/file/file-read.yara
diff --git a/rules/fs/file-rename.yara → rules/fs/file/file-rename.yara b/rules/fs/file-rename.yara → rules/fs/file/file-rename.yara
diff --git a/rules/fs/file-stat.yara → rules/fs/file/file-stat.yara b/rules/fs/file-stat.yara → rules/fs/file/file-stat.yara
diff --git a/rules/fs/file-sync.yara → rules/fs/file/file-sync.yara b/rules/fs/file-sync.yara → rules/fs/file/file-sync.yara
diff --git a/rules/fs/file-times-set.yara → rules/fs/file/file-times-set.yara b/rules/fs/file-times-set.yara → rules/fs/file/file-times-set.yara
diff --git a/rules/fs/file-truncate.yara → rules/fs/file/file-truncate.yara b/rules/fs/file-truncate.yara → rules/fs/file/file-truncate.yara
diff --git a/rules/fs/file-write.yara → rules/fs/file/file-write.yara b/rules/fs/file-write.yara → rules/fs/file/file-write.yara
diff --git a/rules/fs/path-from-cookie.yara → rules/fs/path/path-from-cookie.yara b/rules/fs/path-from-cookie.yara → rules/fs/path/path-from-cookie.yara
diff --git a/rules/fs/permission-chown.yara → rules/fs/permission/permission-chown.yara b/rules/fs/permission-chown.yara → rules/fs/permission/permission-chown.yara
diff --git a/rules/fs/permission-get.yara → rules/fs/permission/permission-get.yara b/rules/fs/permission-get.yara → rules/fs/permission/permission-get.yara
diff --git a/rules/fs/permission-modify-dangerous.yara → ...rmission/permission-modify-dangerous.yara b/rules/fs/permission-modify-dangerous.yara → ...rmission/permission-modify-dangerous.yara
diff --git a/rules/fs/permission-modify.yara → rules/fs/permission/permission-modify.yara b/rules/fs/permission-modify.yara → rules/fs/permission/permission-modify.yara
diff --git a/rules/fs/swap-off.yara → rules/fs/swap/swap-off.yara b/rules/fs/swap-off.yara → rules/fs/swap/swap-off.yara
diff --git a/rules/fs/swap-on.yara → rules/fs/swap/swap-on.yara b/rules/fs/swap-on.yara → rules/fs/swap/swap-on.yara
diff --git a/rules/fs/TEMP.yara → rules/fs/tempdir/TEMP.yara b/rules/fs/TEMP.yara → rules/fs/tempdir/TEMP.yara
diff --git a/rules/fs/TMPDIR.yara → rules/fs/tempdir/TMPDIR.yara b/rules/fs/TMPDIR.yara → rules/fs/tempdir/TMPDIR.yara
diff --git a/rules/fs/tempdir-create.yara → rules/fs/tempdir/tempdir-create.yara b/rules/fs/tempdir-create.yara → rules/fs/tempdir/tempdir-create.yara
diff --git a/rules/fs/tempdir.yara → rules/fs/tempdir/tempdir.yara b/rules/fs/tempdir.yara → rules/fs/tempdir/tempdir.yara
diff --git a/rules/fs/tempfile-create.yara → rules/fs/tempdir/tempfile-create.yara b/rules/fs/tempfile-create.yara → rules/fs/tempdir/tempfile-create.yara