yara-x rule compilation shows errors and warnings #638

Closed
egibs opened this issue Nov 17, 2024 · 1 comment
Labels
rules Adds or modifies YARA Rules

Comments

egibs commented Nov 17, 2024

I was messing around with yara-x today and tried to compile our rules. Some of our rules aren't compatible ({ and } need to be escaped in regex patterns, for one, so I ran this with --relaxed-re-syntax), but a lot were displayed with warnings/suggestions and we also have duplicate identifiers:

error[E012]: duplicate rule `chromium_master_password`
 --> rules/credential/browser/chromium_master_password.yara:1:6
  |
1 | rule chromium_master_password: high {
  |      ^^^^^^^^^^^^^^^^^^^^^^^^ duplicate declaration of `chromium_master_password`
  |
 ::: rules/credential/browser/chromium_credit_cards.yara:1:6
  |
1 | rule chromium_master_password: critical {
  |      ------------------------ note: `chromium_master_password` declared here for the first time
  |
error[E012]: duplicate rule `sigaction_SIGALRM`
 --> rules/os/signal/handle-ALRM.yara:1:6
  |
1 | rule sigaction_SIGALRM: harmless {
  |      ^^^^^^^^^^^^^^^^^ duplicate declaration of `sigaction_SIGALRM`
  |
 ::: rules/os/signal/handle-WINCH.yara:1:6
  |
1 | rule sigaction_SIGALRM: harmless {
  |      ----------------- note: `sigaction_SIGALRM` declared here for the first time
  |
error[E012]: duplicate rule `listen`
 --> rules/net/socket/socket-listen.yara:1:6
  |
1 | rule listen: medium {
  |      ^^^^^^ duplicate declaration of `listen`
  |
 ::: rules/net/socket/pair.yara:1:6
  |
1 | rule listen: medium {
  |      ------ note: `listen` declared here for the first time
  |
error[E012]: duplicate rule `listen_tcp`
 --> rules/net/tcp/listen.yara:1:6
  |
1 | rule listen_tcp: medium {
  |      ^^^^^^^^^^ duplicate declaration of `listen_tcp`
  |
 ::: rules/net/tcp/connect.yara:1:6
  |
1 | rule listen_tcp: medium {
  |      ---------- note: `listen_tcp` declared here for the first time
  |
error[E012]: duplicate rule `elf_or_macho`
  --> rules/c2/addr/ip.yara:22:14
   |
22 | private rule elf_or_macho {
   |              ^^^^^^^^^^^^ duplicate declaration of `elf_or_macho`
   |
  ::: rules/c2/addr/url.yara:1:14
   |
 1 | private rule elf_or_macho {
   |              ------------ note: `elf_or_macho` declared here for the first time
   |
error[E012]: duplicate rule `macho`
  --> rules/c2/tool_transfer/macos.yara:1:14
   |
 1 | private rule macho {
   |              ^^^^^ duplicate declaration of `macho`
   |
  ::: rules/net/download/fetch.yara:35:14
   |
35 | private rule macho {
   |              ----- note: `macho` declared here for the first time
   |
error[E012]: duplicate rule `stealthworker`
 --> rules/malware/family/stealthworker.yara:1:6
  |
1 | rule stealthworker: critical {
  |      ^^^^^^^^^^^^^ duplicate declaration of `stealthworker`
  |
 ::: rules/malware/family/skuld.yara:1:6
  |
1 | rule stealthworker: critical {
  |      ------------- note: `stealthworker` declared here for the first time
  |
error[E012]: duplicate rule `gafgyt`
 --> rules/malware/family/fontonlake.yara:1:6
  |
1 | rule gafgyt: critical linux {
  |      ^^^^^^ duplicate declaration of `gafgyt`
  |
 ::: rules/malware/family/gafgyt.yara:1:6
  |
1 | rule gafgyt: critical linux {
  |      ------ note: `gafgyt` declared here for the first time
  |
error[E012]: duplicate rule `lol_miner`
 --> rules/malware/family/lolminer.yara:1:6
  |
1 | rule lol_miner: critical {
  |      ^^^^^^^^^ duplicate declaration of `lol_miner`
  |
 ::: rules/malware/family/lockscreen.yara:1:6
  |
1 | rule lol_miner: critical {
  |      --------- note: `lol_miner` declared here for the first time
  |
error[E012]: duplicate rule `medusa`
 --> rules/malware/family/messagetap.yara:1:6
  |
1 | rule medusa: critical linux {
  |      ^^^^^^ duplicate declaration of `medusa`
  |
 ::: rules/malware/family/medusa.yara:1:6
  |
1 | rule medusa: critical linux {
  |      ------ note: `medusa` declared here for the first time
  |
error[E012]: duplicate rule `macho`
  --> rules/malware/family/clapzok.yara:1:14
   |
 1 | private rule macho {
   |              ^^^^^ duplicate declaration of `macho`
   |
  ::: rules/net/download/fetch.yara:35:14
   |
35 | private rule macho {
   |              ----- note: `macho` declared here for the first time
   |
error[E012]: duplicate rule `macho`
  --> rules/malware/family/amos.yara:3:14
   |
 3 | private rule macho {
   |              ^^^^^ duplicate declaration of `macho`
   |
  ::: rules/net/download/fetch.yara:35:14
   |
35 | private rule macho {
   |              ----- note: `macho` declared here for the first time
   |
error[E012]: duplicate rule `amos_base32`
  --> rules/malware/family/amos.yara:33:6
   |
33 | rule amos_base32: critical macos {
   |      ^^^^^^^^^^^ duplicate declaration of `amos_base32`
   |
  ::: rules/malware/family/applejeus.yara:1:6
   |
 1 | rule amos_base32: critical macos {
   |      ----------- note: `amos_base32` declared here for the first time
   |
error[E012]: duplicate rule `amos_base32`
 --> rules/malware/family/leet_hozer.yara:1:6
  |
1 | rule amos_base32: critical macos {
  |      ^^^^^^^^^^^ duplicate declaration of `amos_base32`
  |
 ::: rules/malware/family/applejeus.yara:1:6
  |
1 | rule amos_base32: critical macos {
  |      ----------- note: `amos_base32` declared here for the first time
  |
error[E012]: duplicate rule `macho`
  --> rules/malware/family/poseidon_stealer.yara:3:14
   |
 3 | private rule macho {
   |              ^^^^^ duplicate declaration of `macho`
   |
  ::: rules/net/download/fetch.yara:35:14
   |
35 | private rule macho {
   |              ----- note: `macho` declared here for the first time
   |
error[E012]: duplicate rule `implant`
 --> rules/impact/remote_access/implant.yara:1:6
  |
1 | rule implant: medium {
  |      ^^^^^^^ duplicate declaration of `implant`
  |
 ::: rules/net/proxy/reverse_proxy.yara:1:6
  |
1 | rule implant: medium {
  |      ------- note: `implant` declared here for the first time
  |
error[E012]: duplicate rule `curl_easy_sysinfo`
  --> rules/impact/remote_access/curl_easy.yara:1:6
   |
 1 | rule curl_easy_sysinfo: high {
   |      ^^^^^^^^^^^^^^^^^ duplicate declaration of `curl_easy_sysinfo`
   |
  ::: rules/exfil/upload_sysinfo.yara:13:6
   |
13 | rule curl_easy_sysinfo: high {
   |      ----------------- note: `curl_easy_sysinfo` declared here for the first time
   |
error[E012]: duplicate rule `pythonSetup`
  --> rules/impact/remote_access/py_setuptools.yara:3:14
   |
 3 | private rule pythonSetup {
   |              ^^^^^^^^^^^ duplicate declaration of `pythonSetup`
   |
  ::: rules/c2/tool_transfer/python.yara:85:14
   |
85 | private rule pythonSetup {
   |              ----------- note: `pythonSetup` declared here for the first time
   |
error[E014]: invalid regular expression
  --> rules/impact/degrade/firewall.yara:10:37
   |
10 |     $f_iptables       = /iptables[ -\w]{0,32}/
   |                                     ^^ invalid range boundary, must be a literal
   |
error[E012]: duplicate rule `elf_or_macho`
 --> rules/impact/wipe/crypto.yara:1:14
  |
1 | private rule elf_or_macho {
  |              ^^^^^^^^^^^^ duplicate declaration of `elf_or_macho`
  |
 ::: rules/c2/addr/url.yara:1:14
  |
1 | private rule elf_or_macho {
  |              ------------ note: `elf_or_macho` declared here for the first time
  |
error[E012]: duplicate rule `macho`
  --> rules/sus/entitlement.yara:1:14
   |
 1 | private rule macho {
   |              ^^^^^ duplicate declaration of `macho`
   |
  ::: rules/net/download/fetch.yara:35:14
   |
35 | private rule macho {
   |              ----- note: `macho` declared here for the first time
   |
error[E012]: duplicate rule `executable_calls_archive_tool`
  --> rules/collect/archives/tar-command.yara:25:6
   |
25 | rule executable_calls_archive_tool: high {
   |      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ duplicate declaration of `executable_calls_archive_tool`
   |
  ::: rules/exfil/stealer/tools.yara:1:6
   |
 1 | rule executable_calls_archive_tool: medium {
   |      ----------------------------- note: `executable_calls_archive_tool` declared here for the first time
   |
error[E014]: invalid regular expression
 --> rules/fs/file/file-delete-forcibly.yara:6:29
  |
6 |     $ref = /rm [\-\w ]{0,4}-[f[ \$\w\/\.]{0,32}/
  |                             ^ unclosed character class
  |
error[E012]: duplicate rule `remove_xattr`
 --> rules/fs/attributes/set.yara:1:6
  |
1 | rule remove_xattr: medium {
  |      ^^^^^^^^^^^^ duplicate declaration of `remove_xattr`
  |
 ::: rules/fs/attributes/remove.yara:1:6
  |
1 | rule remove_xattr: medium {
  |      ------------ note: `remove_xattr` declared here for the first time
  |
error[E012]: duplicate rule `home_path`
 --> rules/fs/path/home.yara:1:6
  |
1 | rule home_path: low {
  |      ^^^^^^^^^ duplicate declaration of `home_path`
  |
 ::: rules/fs/path/users.yara:1:6
  |
1 | rule home_path: medium {
  |      --------- note: `home_path` declared here for the first time
  |
error[E012]: duplicate rule `macho`
  --> rules/fs/path/applications.yara:12:14
   |
12 | private rule macho {
   |              ^^^^^ duplicate declaration of `macho`
   |
  ::: rules/net/download/fetch.yara:35:14
   |
35 | private rule macho {
   |              ----- note: `macho` declared here for the first time
   |
error[E014]: invalid regular expression
 --> rules/hw/hardware-enumeration.yara:6:25
  |
6 |     $ref = /dmidecode[ -\w]{0,32}/
  |                         ^^ invalid range boundary, must be a literal
  |
error[E002]: wrong type
  --> rules/data/builtin/multiple.yara:14:46
   |
14 |     filesize > 1024 and filesize < 150MB and elf.type == elf.ET_EXEC and uint32(0) == 1179403647 and any of them
   |                                              ^^^ expression should be `struct`, but it is `boolean`
   |
error[E002]: wrong type
  --> rules/data/builtin/multiple.yara:27:45
   |
27 |     filesize > 1024 and filesize < 25MB and elf.type == elf.ET_EXEC and uint32(0) == 1179403647 and all of them
   |                                             ^^^ expression should be `struct`, but it is `boolean`
   |
error[E009]: unknown identifier `_bundled_openssl`
  --> rules/data/builtin/multiple.yara:35:5
   |
35 |     _bundled_openssl and _bundled_glibc
   |     ^^^^^^^^^^^^^^^^ this identifier has not been declared
   |
error[E002]: wrong type
  --> rules/data/builtin/glibc.yara:13:45
   |
13 |     filesize > 1024 and filesize < 25MB and elf.type == elf.ET_EXEC and uint32(0) == 1179403647 and all of them
   |                                             ^^^ expression should be `struct`, but it is `boolean`
   |
error[E002]: wrong type
  --> rules/data/builtin/openssl.yara:14:46
   |
14 |     filesize > 1024 and filesize < 150MB and elf.type == elf.ET_EXEC and uint32(0) == 1179403647 and any of them
   |                                              ^^^ expression should be `struct`, but it is `boolean`
   |
error[E012]: duplicate rule `rand`
  --> rules/data/random/insecure.yara:14:6
   |
14 | rule rand {
   |      ^^^^ duplicate declaration of `rand`
   |
  ::: rules/data/random/bytes.yara:1:6
   |
 1 | rule rand {
   |      ---- note: `rand` declared here for the first time
   |
error[E012]: duplicate rule `gzip`
 --> rules/data/compression/lzma.yara:1:6
  |
1 | rule gzip {
  |      ^^^^ duplicate declaration of `gzip`
  |
 ::: rules/data/compression/gzip.yara:1:6
  |
1 | rule gzip {
  |      ---- note: `gzip` declared here for the first time
  |
error[E012]: duplicate rule `begin_cert`
 --> rules/data/embedded/embedded-pgp-key.yara:1:6
  |
1 | rule begin_cert {
  |      ^^^^^^^^^^ duplicate declaration of `begin_cert`
  |
 ::: rules/data/embedded/embedded-pem-certificate.yara:1:6
  |
1 | rule begin_cert {
  |      ---------- note: `begin_cert` declared here for the first time
  |
error[E012]: duplicate rule `small_macho`
  --> rules/exec/program/opaque.yara:1:14
   |
 1 | private rule small_macho {
   |              ^^^^^^^^^^^ duplicate declaration of `small_macho`
   |
  ::: rules/impact/remote_access/backdoor.yara:92:14
   |
92 | private rule small_macho {
   |              ----------- note: `small_macho` declared here for the first time
   |
error[E012]: duplicate rule `ethereum`
 --> rules/crypto/ethereum.yara:1:6
  |
1 | rule ethereum: medium {
  |      ^^^^^^^^ duplicate declaration of `ethereum`
  |
 ::: rules/crypto/fastrand.yara:1:6
  |
1 | rule ethereum: medium {
  |      -------- note: `ethereum` declared here for the first time
  |
error[E012]: duplicate rule `login_records`
 --> rules/evasion/logging/current_logins.yara:1:6
  |
1 | rule login_records: medium {
  |      ^^^^^^^^^^^^^ duplicate declaration of `login_records`
  |
 ::: rules/evasion/logging/historical_logins.yara:1:6
  |
1 | rule login_records: medium {
  |      ------------- note: `login_records` declared here for the first time
  |
error[E012]: duplicate rule `self_delete`
  --> rules/evasion/self_deletion/remove_self.yara:1:6
   |
 1 | rule self_delete: high {
   |      ^^^^^^^^^^^ duplicate declaration of `self_delete`
   |
  ::: rules/evasion/self_deletion/run_sleep_delete.yara:33:6
   |
33 | rule self_delete: high {
   |      ----------- note: `self_delete` declared here for the first time
   |
error[E012]: duplicate rule `macho`
  --> rules/evasion/net/hide_ports.yara:1:14
   |
 1 | private rule macho {
   |              ^^^^^ duplicate declaration of `macho`
   |
  ::: rules/net/download/fetch.yara:35:14
   |
35 | private rule macho {
   |              ----- note: `macho` declared here for the first time
   |
error[E012]: duplicate rule `elf`
  --> rules/evasion/net/hide_ports.yara:6:14
   |
 6 | private rule elf {
   |              ^^^ duplicate declaration of `elf`
   |
  ::: rules/net/download/fetch.yara:40:14
   |
40 | private rule elf {
   |              --- note: `elf` declared here for the first time
   |
error[E012]: duplicate rule `iptables_disable`
  --> rules/evasion/bypass_security/linux/iptables.yara:25:6
   |
25 | rule iptables_disable: critical {
   |      ^^^^^^^^^^^^^^^^ duplicate declaration of `iptables_disable`
   |
  ::: rules/impact/degrade/firewall.yara:49:6
   |
49 | rule iptables_disable: high {
   |      ---------------- note: `iptables_disable` declared here for the first time
   |
error[E012]: duplicate rule `iptables_delete`
  --> rules/evasion/bypass_security/linux/iptables.yara:50:6
   |
50 | rule iptables_delete: medium {
   |      ^^^^^^^^^^^^^^^ duplicate declaration of `iptables_delete`
   |
  ::: rules/evasion/bypass_security/linux/iptables_delete.yara:1:6
   |
 1 | rule iptables_delete: medium {
   |      --------------- note: `iptables_delete` declared here for the first time
   |
error[E012]: duplicate rule `var_root_path`
 --> rules/evasion/file/location/var-root.yara:1:6
  |
1 | rule var_root_path: high macos {
  |      ^^^^^^^^^^^^^ duplicate declaration of `var_root_path`
  |
 ::: rules/fs/path/var-containers.yara:1:6
  |
1 | rule var_root_path: high macos {
  |      ------------- note: `var_root_path` declared here for the first time
  |
error[E012]: duplicate rule `hidden_short_path`
  --> rules/evasion/file/prefix/prefix.yara:37:6
   |
37 | rule hidden_short_path: high {
   |      ^^^^^^^^^^^^^^^^^ duplicate declaration of `hidden_short_path`
   |
  ::: rules/evasion/file/prefix/tmp.yara:1:6
   |
 1 | rule hidden_short_path: high {
   |      ----------------- note: `hidden_short_path` declared here for the first time
   |
error[E012]: duplicate rule `linux_rootkit_terms`
  --> rules/evasion/rootkit/userspace.yara:87:6
   |
87 | rule linux_rootkit_terms: critical linux {
   |      ^^^^^^^^^^^^^^^^^^^ duplicate declaration of `linux_rootkit_terms`
   |
  ::: rules/impact/rootkit/rootkit.yara:60:6
   |
60 | rule linux_rootkit_terms: critical linux {
   |      ------------------- note: `linux_rootkit_terms` declared here for the first time
   |
error[E012]: duplicate rule `linux_kernel_module_getdents64`
 --> rules/evasion/rootkit/kernel.yara:1:6
  |
1 | rule linux_kernel_module_getdents64: critical linux {
  |      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ duplicate declaration of `linux_kernel_module_getdents64`
  |
 ::: rules/impact/rootkit/rootkit.yara:1:6
  |
1 | rule linux_kernel_module_getdents64: critical linux {
  |      ------------------------------ note: `linux_kernel_module_getdents64` declared here for the first time
  |
error[E012]: duplicate rule `funky_high_signal_killer`
  --> rules/evasion/rootkit/kernel.yara:16:6
   |
16 | rule funky_high_signal_killer: high {
   |      ^^^^^^^^^^^^^^^^^^^^^^^^ duplicate declaration of `funky_high_signal_killer`
   |
  ::: rules/impact/rootkit/rootkit.yara:48:6
   |
48 | rule funky_high_signal_killer: high {
   |      ------------------------ note: `funky_high_signal_killer` declared here for the first time
   |
error[E012]: duplicate rule `pythonSetup`
  --> rules/evasion/indicator_blocking/mask_exceptions.yara:3:14
   |
 3 | private rule pythonSetup {
   |              ^^^^^^^^^^^ duplicate declaration of `pythonSetup`
   |
  ::: rules/c2/tool_transfer/python.yara:85:14
   |
85 | private rule pythonSetup {
   |              ----------- note: `pythonSetup` declared here for the first time
   |
error[E012]: duplicate rule `pythonSetup`
  --> rules/evasion/indicator_blocking/hidden_window.yara:13:14
   |
13 | private rule pythonSetup {
   |              ^^^^^^^^^^^ duplicate declaration of `pythonSetup`
   |
  ::: rules/c2/tool_transfer/python.yara:85:14
   |
85 | private rule pythonSetup {
   |              ----------- note: `pythonSetup` declared here for the first time
   |
error[E012]: duplicate rule `usr_bin_execstop`
 --> rules/persist/systemd/execstop-usr-bin.yara:1:6
  |
1 | rule usr_bin_execstop: medium {
  |      ^^^^^^^^^^^^^^^^ duplicate declaration of `usr_bin_execstop`
  |
 ::: rules/persist/systemd/execstop-bin-sh.yara:1:6
  |
1 | rule usr_bin_execstop: medium {
  |      ---------------- note: `usr_bin_execstop` declared here for the first time
  |
error[E012]: duplicate rule `hardcoded_bash_persist_file`
  --> rules/persist/shell/bash.yara:19:6
   |
19 | rule hardcoded_bash_persist_file: high {
   |      ^^^^^^^^^^^^^^^^^^^^^^^^^^^ duplicate declaration of `hardcoded_bash_persist_file`
   |
  ::: rules/persist/shell/zsh.yara:16:6
   |
16 | rule hardcoded_bash_persist_file: high {
   |      --------------------------- note: `hardcoded_bash_persist_file` declared here for the first time
   |
error[E002]: wrong type
  --> rules/persist/kernel_module/module.yara:26:5
   |
26 |     elf.type == elf.ET_EXEC and all of them
   |     ^^^ expression should be `struct`, but it is `boolean`
   |
error[E012]: duplicate rule `bpf`
  --> rules/persist/kernel_module/symbol-lookup.yara:42:6
   |
42 | rule bpf: override linux {
   |      ^^^ duplicate declaration of `bpf`
   |
  ::: rules/credential/sniffer/bpf.yara:1:6
   |
 1 | rule bpf: medium {
   |      --- note: `bpf` declared here for the first time
   |
error[E012]: duplicate rule `pythonSetup`
  --> rules/anti-behavior/random_behavior.yara:3:14
   |
 3 | private rule pythonSetup {
   |              ^^^^^^^^^^^ duplicate declaration of `pythonSetup`
   |
  ::: rules/c2/tool_transfer/python.yara:85:14
   |
85 | private rule pythonSetup {
   |              ----------- note: `pythonSetup` declared here for the first time
   |
error[E012]: duplicate rule `pycloak`
 --> rules/anti-static/packer/pycloak.yara:1:6
  |
1 | rule pycloak: critical {
  |      ^^^^^^^ duplicate declaration of `pycloak`
  |
 ::: rules/anti-static/packer/py_kramer.yara:1:6
  |
1 | rule pycloak: critical {
  |      ------- note: `pycloak` declared here for the first time
  |
error[E012]: duplicate rule `py_marshal`
  --> rules/anti-static/unmarshal/marshal.yara:14:6
   |
14 | rule py_marshal: medium {
   |      ^^^^^^^^^^ duplicate declaration of `py_marshal`
   |
  ::: rules/data/encoding/marshal.yara:1:6
   |
 1 | rule py_marshal: medium {
   |      ---------- note: `py_marshal` declared here for the first time
   |
error[E012]: duplicate rule `pythonSetup`
  --> rules/anti-static/obfuscation/python_setuptools.yara:3:14
   |
 3 | private rule pythonSetup {
   |              ^^^^^^^^^^^ duplicate declaration of `pythonSetup`
   |
  ::: rules/c2/tool_transfer/python.yara:85:14
   |
85 | private rule pythonSetup {
   |              ----------- note: `pythonSetup` declared here for the first time
   |
error[E012]: duplicate rule `hex_parse_base64`
  --> rules/anti-static/obfuscation/hex.yara:26:6
   |
26 | rule hex_parse_base64: medium {
   |      ^^^^^^^^^^^^^^^^ duplicate declaration of `hex_parse_base64`
   |
  ::: rules/impact/remote_access/base64_exec.yara:1:6
   |
 1 | rule hex_parse_base64: high {
   |      ---------------- note: `hex_parse_base64` declared here for the first time
   |
error[E012]: duplicate rule `php_str_replace_obfuscation`
   --> rules/anti-static/obfuscation/php.yara:131:6
    |
131 | rule php_str_replace_obfuscation: high {
    |      ^^^^^^^^^^^^^^^^^^^^^^^^^^^ duplicate declaration of `php_str_replace_obfuscation`
    |
   ::: rules/impact/remote_access/php.yara:295:6
    |
295 | rule php_str_replace_obfuscation: critical {
    |      --------------------------- note: `php_str_replace_obfuscation` declared here for the first time
    |
error[E012]: duplicate rule `base64_str_replace`
 --> rules/anti-static/base64/obfuscated_caller.yara:1:6
  |
1 | rule base64_str_replace: critical {
  |      ^^^^^^^^^^^^^^^^^^ duplicate declaration of `base64_str_replace`
  |
 ::: rules/anti-static/obfuscation/php.yara:1:6
  |
1 | rule base64_str_replace: medium {
  |      ------------------ note: `base64_str_replace` declared here for the first time
  |
error[E012]: duplicate rule `macho`
  --> rules/anti-static/macho/footer.yara:3:14
   |
 3 | private rule macho {
   |              ^^^^^ duplicate declaration of `macho`
   |
  ::: rules/net/download/fetch.yara:35:14
   |
35 | private rule macho {
   |              ----- note: `macho` declared here for the first time
   |
error[E002]: wrong type
  --> rules/anti-static/elf/header.yara:13:5
   |
13 |     elf.number_of_segments == 1 and elf.segments[0].type == elf.PT_LOAD and elf.segments[0].flags == elf.PF_R | elf.PF_W | elf.PF_X
   |     ^^^ expression should be `struct`, but it is `boolean`
   |
error[E002]: wrong type
  --> rules/anti-static/elf/header.yara:25:5
   |
25 |     elf.type == elf.ET_EXEC and elf.entry_point < filesize and elf.number_of_segments > 0 and elf.number_of_sections > 0 and not (fo...
   |     ^^^ expression should be `struct`, but it is `boolean`
   |
error[E002]: wrong type
  --> rules/anti-static/elf/header.yara:36:5
   |
36 |     elf.type == elf.ET_EXEC and elf.entry_point < filesize and elf.number_of_sections > 0 and elf.dynamic_section_entries > 0 and fo...
   |     ^^^ expression should be `struct`, but it is `boolean`
   |
error[E002]: wrong type
  --> rules/anti-static/elf/header.yara:50:33
   |
50 |     uint32(0) == 1179403647 and elf.type == elf.ET_EXEC and math.entropy(1200, 4096) > 7 and none of ($not*)
   |                                 ^^^ expression should be `struct`, but it is `boolean`
   |
error[E002]: wrong type
  --> rules/anti-static/elf/content.yara:27:24
   |
27 |     filesize > 512 and elf.type == elf.ET_EXEC and uint32(0) == 1179403647 and none of them
   |                        ^^^ expression should be `struct`, but it is `boolean`
   |
error[E002]: wrong type
  --> rules/anti-static/elf/tiny.yara:11:72
   |
11 |     filesize < 8192 and filesize > 900 and uint32(0) == 1179403647 and elf.type == elf.ET_EXEC and none of ($not*)
   |                                                                        ^^^ expression should be `struct`, but it is `boolean`
   |
error[E012]: duplicate rule `pythonSetup`
  --> rules/discover/user/username-get.yara:30:14
   |
30 | private rule pythonSetup {
   |              ^^^^^^^^^^^ duplicate declaration of `pythonSetup`
   |
  ::: rules/c2/tool_transfer/python.yara:85:14
   |
85 | private rule pythonSetup {
   |              ----------- note: `pythonSetup` declared here for the first time
   |
error[E002]: wrong type
  --> rules/discover/process/runtime_deps.yara:26:26
   |
26 |     filesize < 500KB and elf.type == elf.ET_DYN and $val and none of ($not*) and math.entropy(1, filesize) >= 6
   |                          ^^^ expression should be `struct`, but it is `boolean`
   |
error[E012]: duplicate rule `obfuscate`
  --> rules/discover/multiple.yara:31:14
   |
31 | private rule obfuscate {
   |              ^^^^^^^^^ duplicate declaration of `obfuscate`
   |
  ::: rules/anti-static/obfuscation/obfuscate.yara:1:6
   |
 1 | rule obfuscate {
   |      --------- note: `obfuscate` declared here for the first time
   |
error[E012]: duplicate rule `exfil`
  --> rules/discover/multiple.yara:47:14
   |
47 | private rule exfil {
   |              ^^^^^ duplicate declaration of `exfil`
   |
  ::: rules/exfil/exfil.yara:1:6
   |
 1 | rule exfil: medium {
   |      ----- note: `exfil` declared here for the first time
   |
error[E012]: duplicate rule `sshd`
 --> rules/false_positives/ssh.yara:1:6
  |
1 | rule sshd: override {
  |      ^^^^ duplicate declaration of `sshd`
  |
 ::: rules/credential/ssh/sshd.yara:1:6
  |
1 | rule sshd: medium {
  |      ---- note: `sshd` declared here for the first time
  |
error[E012]: duplicate rule `sudo`
 --> rules/privesc/sudo.yara:1:6
  |
1 | rule sudo: medium {
  |      ^^^^ duplicate declaration of `sudo`
  |
 ::: rules/false_positives/sudo.yara:1:6
  |
1 | rule sudo: override linux {
  |      ---- note: `sudo` declared here for the first time
  |
warning[text_as_hex]: hex pattern could be written as text literal
 --> rules/credential/keychain/keychain.yara:8:5
  |
8 |     $not_elastic_author  = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
  |     --------------------------------------------------------------------------------------------------------------- this pattern can be written as a text literal
  |     --------------------------------------------------------------------------------------------------------------- help: replace with "\"author\": [\n    \"Elastic\"\n  ]"
  |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/credential/keychain/keychain.yara:21:5
   |
21 |     $not_elastic_author  = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
   |     --------------------------------------------------------------------------------------------------------------- this pattern can be written as a text literal
   |     --------------------------------------------------------------------------------------------------------------- help: replace with "\"author\": [\n    \"Elastic\"\n  ]"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/credential/keychain/keychain.yara:35:5
   |
35 |     $not_elastic_author  = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
   |     --------------------------------------------------------------------------------------------------------------- this pattern can be written as a text literal
   |     --------------------------------------------------------------------------------------------------------------- help: replace with "\"author\": [\n    \"Elastic\"\n  ]"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/credential/keychain/keychain.yara:49:5
   |
49 |     $not_elastic_author  = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
   |     --------------------------------------------------------------------------------------------------------------- this pattern can be written as a text literal
   |     --------------------------------------------------------------------------------------------------------------- help: replace with "\"author\": [\n    \"Elastic\"\n  ]"
   |
warning[text_as_hex]: hex pattern could be written as text literal
 --> rules/credential/keychain/keychain-dump.yara:8:5
  |
8 |     $not_elastic_author  = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
  |     --------------------------------------------------------------------------------------------------------------- this pattern can be written as a text literal
  |     --------------------------------------------------------------------------------------------------------------- help: replace with "\"author\": [\n    \"Elastic\"\n  ]"
  |
warning[duplicate_import]: duplicate import statement
  --> rules/impact/degrade/firewall.yara:23:1
   |
 1 | import "math"
   | ------------- note: `math` imported here for the first time
 2 | 
...
23 | 
24 | import "math"
   | ------------- duplicate import
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/lateral/scan/passwords.yara:15:5
   |
15 |     $not_frequency_list2 = { 76 61 72 20 66 72 65 71 75 65 6E 63 79 5F 6C 69 73 74 73 3B 0A 0A 66 72 65 71 75 65 6E 63 79 5F 6C 69 73 74 73 20 3D 20 7B 0A 20 20 70 61 73 73 77 6F 72 64 73 3A 2...
   |     --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- this pattern can be written as a text literal
   |     --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- help: replace with "var frequency_lists;\n\nfrequency_lists = {\n  passwords: "
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:28:5
   |
28 |     $opt1  = { 07 06 05 04 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "\u{7}\u{6}\u{5}\u{4}"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:29:5
   |
29 |     $opt2  = { 0B 0A 09 08 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "\u{b}\n\t\u{8}"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:30:5
   |
30 |     $opt3  = { 0F 0E 0D 0C }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "\u{f}\u{e}\r\u{c}"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:31:5
   |
31 |     $opt4  = { 13 12 11 10 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "\u{13}\u{12}\u{11}\u{10}"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:32:5
   |
32 |     $opt5  = { 17 16 15 14 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "\u{17}\u{16}\u{15}\u{14}"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:33:5
   |
33 |     $opt6  = { 1B 1A 19 18 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "\u{1b}\u{1a}\u{19}\u{18}"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:34:5
   |
34 |     $opt7  = { 1F 1E 1D 1C }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "\u{1f}\u{1e}\u{1d}\u{1c}"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:35:5
   |
35 |     $opt8  = { 23 22 21 20 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "#\"! "
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:36:5
   |
36 |     $opt9  = { 27 26 25 24 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "\'&%$"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:37:5
   |
37 |     $opt10 = { 2B 2A 29 28 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "+*)("
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:38:5
   |
38 |     $opt11 = { 2F 2E 2D 2C }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "/.-,"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:39:5
   |
39 |     $opt12 = { 33 32 31 30 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "3210"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:40:5
   |
40 |     $opt13 = { 37 36 35 34 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "7654"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:41:5
   |
41 |     $opt14 = { 3B 3A 39 38 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with ";:98"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:42:5
   |
42 |     $opt15 = { 3F 3E 3D 3C }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "?>=<"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:43:5
   |
43 |     $opt16 = { 43 42 41 40 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "CBA@"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:44:5
   |
44 |     $opt17 = { 47 46 45 44 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "GFED"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:45:5
   |
45 |     $opt18 = { 4B 4A 49 48 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "KJIH"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:46:5
   |
46 |     $opt19 = { 4F 4E 4D 4C }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "ONML"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:47:5
   |
47 |     $opt20 = { 53 52 51 50 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "SRQP"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:48:5
   |
48 |     $opt21 = { 57 56 55 54 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "WVUT"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:49:5
   |
49 |     $opt22 = { 5B 5A 59 58 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "[ZYX"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:50:5
   |
50 |     $opt23 = { 5F 5E 5D 5C }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "_^]\\"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:51:5
   |
51 |     $opt24 = { 67 66 65 64 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "gfed"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:52:5
   |
52 |     $opt25 = { 6B 6A 69 68 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "kjih"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:53:5
   |
53 |     $opt26 = { 6F 6E 6D 6C }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "onml"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:54:5
   |
54 |     $opt27 = { 73 72 71 70 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "srqp"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:55:5
   |
55 |     $opt28 = { 77 76 75 74 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "wvut"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:56:5
   |
56 |     $opt29 = { 7B 7A 79 78 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "{zyx"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:57:5
   |
57 |     $opt30 = { 7F 7E 7D 7C }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "\u{7f}~}|"
   |
warning[text_as_hex]: hex pattern could be written as text literal
  --> rules/crypto/rc4.yara:90:5
   |
90 |     $opt63 = { 63 62 61 60 }
   |     ---------------------- this pattern can be written as a text literal
   |     ---------------------- help: replace with "cba`"
   |
warning[non_bool_expr]: non-boolean expression used as boolean
  --> rules/anti-static/obfuscation/js.yara:99:24
   |
99 |     filesize < 5MB and #function and $charCodeAt and (#ref > 5 or #ref2 > 5 or #ref3 > 5)
   |                        --------- this expression is `integer` but is being used as `bool`
   |
   = note: non-zero integers are considered `true`, while zero is `false`
error: 74 errors found
@egibs egibs added the rules Adds or modifies YARA Rules label Nov 17, 2024
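The three kinds of findings in the output above are all mechanical enough to catch before a `yr compile` run: a rule name declared in two files, a hex pattern that is a plain byte sequence, and a `#ident` count sitting bare between `and`/`or`. The script below is an added example written for this issue, not part of the project's tooling or of yara-x. It is regex-based rather than a real YARA parser, so it is a triage aid only; the rule sources it scans are constructed inline and modelled on the paths and patterns quoted in the output. For the text-literal conversion it emits the `\xNN` escape that YARA text strings accept, whereas yara-x's own hint renders control bytes as `\u{..}`.

```python
"""Pre-check YARA sources for duplicate rule names (E012), hex patterns that
are plain byte sequences (text_as_hex) and `#ident` used as a boolean
(non_bool_expr).  Regex-based triage, not a YARA parser.  Example code
written for this issue; not part of the project or of yara-x."""
import re
from collections import defaultdict

RULE_RE = re.compile(r"^[ \t]*(?:(?:private|global)\s+)*rule\s+(\w+)", re.M)
HEX_RE = re.compile(r"^[ \t]*(\$\w*)\s*=\s*\{([^}]*)\}", re.M)
BYTE_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}\s*)+$")
# Condition tokens: counts, comparison/arithmetic operators, parens, words.
TOKEN_RE = re.compile(r"#\w*|[<>=!]=?|[-+*/%]|[()]|[^\s()<>=!+\-*/%]+")
OPERATORS = {"<", ">", "<=", ">=", "==", "!=", "+", "-", "*", "/", "%"}


def hex_to_text_literal(body):
    """Text literal equivalent to a plain hex body such as '07 06 05 04',
    or None if the body has wildcards, jumps or alternatives."""
    body = body.strip()
    if not BYTE_RE.match(body):
        return None
    out = []
    for b in bytes.fromhex(body):
        if b == 0x22:
            out.append('\\"')
        elif b == 0x5C:
            out.append("\\\\")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)  # control bytes: YARA's \xNN escape
    return '"' + "".join(out) + '"'


def count_used_as_bool(condition):
    """`#ident` tokens that are not adjacent to a comparison or arithmetic
    operator, i.e. relying on yara-x's non-zero-is-true coercion."""
    toks = TOKEN_RE.findall(condition)
    found = []
    for i, tok in enumerate(toks):
        if not tok.startswith("#"):
            continue
        prev = toks[i - 1] if i > 0 else None
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if prev not in OPERATORS and nxt not in OPERATORS:
            found.append(tok)
    return found


def lint(sources):
    """sources: {path: rule text}.  Returns [(path, line, message)]."""
    findings, seen = [], defaultdict(list)
    for path, text in sources.items():
        rules = list(RULE_RE.finditer(text))
        for n, m in enumerate(rules):
            line = text.count("\n", 0, m.start()) + 1
            seen[m.group(1)].append((path, line))
            end = rules[n + 1].start() if n + 1 < len(rules) else len(text)
            chunk = text[m.start():end]
            for h in HEX_RE.finditer(chunk):
                lit = hex_to_text_literal(h.group(2))
                if lit is not None:
                    hl = line + chunk.count("\n", 0, h.start())
                    findings.append((path, hl, f"text_as_hex: {h.group(1)} could be {lit}"))
            pos = chunk.find("condition:")
            if pos >= 0:
                cond = chunk[pos + len("condition:"):].rsplit("}", 1)[0]
                for c in count_used_as_bool(cond):
                    tm = re.search(re.escape(c) + r"\b", cond)
                    cl = line + chunk.count("\n", 0, pos + len("condition:") + tm.start())
                    findings.append((path, cl, f"non_bool_expr: {c} used as bool; write {c} > 0"))
    for name, places in seen.items():
        for path, line in places[1:]:
            first = places[0]
            findings.append((path, line, f"duplicate rule {name} (first declared in {first[0]}:{first[1]})"))
    return findings


# Constructed sample sources, modelled on the paths and patterns in the output.
SAMPLE_SOURCES = {
    "rules/crypto/rc4.yara": "rule rc4_sbox: medium {\n  strings:\n"
        "    $opt1  = { 07 06 05 04 }\n    $opt8  = { 23 22 21 20 }\n"
        "    $mask  = { 63 ?? 61 60 }\n  condition:\n    any of them\n}\n",
    "rules/anti-static/obfuscation/js.yara": "rule js_obfuscated: medium {\n  strings:\n"
        '    $function = "function"\n    $charCodeAt = "charCodeAt"\n    $ref = "fromCharCode"\n'
        "  condition:\n    filesize < 5MB and #function and $charCodeAt and (#ref > 5)\n}\n",
    "rules/net/socket/pair.yara": "rule listen: medium {\n  condition:\n    true\n}\n",
    "rules/net/socket/socket-listen.yara": "rule listen: medium {\n  condition:\n    true\n}\n",
}

if __name__ == "__main__":
    for path, line, msg in lint(SAMPLE_SOURCES):
        print(f"{path}:{line}: {msg}")
```

Of the three, only the duplicate names are hard errors. The `text_as_hex` hint is cosmetic: `{ 07 06 05 04 }` and the equivalent text literal match the same bytes, so converting is a readability choice. The `non_bool_expr` case is worth fixing even though it compiles, because `#function` on its own relies on the compiler's non-zero-is-true coercion; `#function > 0` states the intent and reads the same under both YARA and yara-x.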
@egibs (Member, Author) commented Nov 17, 2024

I'll have a PR up to fix these findings shortly.
