Better handling of overrides after all fr.Behaviors are added

[egibs]

Closes #486

We hit the edge case where an override rule was being evaluated before the original rule, so we never found it in the slice of behaviors.

This PR handles overrides as a post-processing step, rather than during the mrs loop.

This PR also introduces our first Critical -> High override for a third-party (!) rule:

HIGH  override/plugx                  detect PlugX in memory, [malware_PlugX_config], by   $v2b                                                                                                                     
                                      JPCERT/CC Incident Response Group                    $v2f                                                                                                                     
                                                                                           $v2g                                                                                                                     
                                                                                           $v2h                                                                                                                     
                                                                                           �DDDD                                                                                                                    
                                                                                           �DDDD                                                                                                                    
                                                                                           �3333                                                                                                                    
                                                                                           �DDDD  

Because of this rule, I was able to see that the original override logic was insufficient. The new approach is more resilient and we should successfully apply all overrides now.

[egibs]

I was getting incorrect results if I did b = original, so I was more prescriptive with the fields here. I think it adds helpful context anyway.

[tstromberg]

I think this should be reversed: preserve the original rule, but apply the necessary override (priority) to it: otherwise we're going to just keep on adding fields to this code as new ones come up.

One thing I just realized is that we probably shouldn't modify the rules description directly: otherwise it gets messy if multiple overrides apply to a rule. Instead we can add the rule name to a list of overrides that apply to the behavior (for example: Behavior.Overrides), and modify the description at the presentation layer.

[egibs]

Flipped the logic in a4c70f4 (#487).

[egibs]

Currently working through a discrepancy between analyze and scan. The former works, but the latter seems to ignore the override completely (i.e., validOverrides isn't even populated).

[tstromberg]

Could you make it so that overridden rules use the original name rather than the override name?

[egibs]

@tstromberg -- can you think of a less redundant way to handle this?

This is a new override rule for another third-party false positive we saw with Pulumi, but it feels gross to duplicate the strings/conditions. Using something less restrictive will allow other override rules to match, though (e.g., condition: true).

[tstromberg]

We should invert how this override functions: it should simply detect the appropriate Pulumi binary rather than repeat the logic of the offending rule.

Here's what I would do in your shoes:

• Rename this file to "pulumi.yara"
• Rename the rule to the binary you are overriding, like pulumictl (if it's not obviously pulumi, maybe "pulumi_".
• Add 1-2 long strings you expect to show up in the binary, such as "PULUMI_HOME" or "How did Pulumi come up with such a weird name?"
• Ditch the rest of the rules: we're only trying to detect that this binary is probably pulumi, not the rules it is overriding.

[egibs]

Makes sense. Your Bash example comes to mind and that's a good way to go about it.

[egibs]

Could you make it so that overridden rules use the original name rather than the override name?

Updated in 01ddf7d (#487).

[tstromberg]

We should invert how this override functions: it should simply detect the appropriate Pulumi binary rather than repeat the logic of the offending rule.

Here's what I would do in your shoes:

• Rename this file to "pulumi.yara"
• Rename the rule to the binary you are overriding, like pulumictl (if it's not obviously pulumi, maybe "pulumi_".
• Add 1-2 long strings you expect to show up in the binary, such as "PULUMI_HOME" or "How did Pulumi come up with such a weird name?"
• Ditch the rest of the rules: we're only trying to detect that this binary is probably pulumi, not the rules it is overriding.

[tstromberg]

Ideal: instead of a generic overrides/ folder within rules, maybe a known_good/ folder specifically geared toward addressing false positives?

I figure that overrides that add severity should probably live elsewhere?

[tstromberg]

Can some of the override handling code move to a new function? This one is getting overly large and complicated.

[egibs]

Moved to a new function in 660024a (#487).

[tstromberg]

Instead of deleting overrides from Behaviors, would the logic be simpler if overrides were stored elsewhere instead? For example, fr.Overrides or a different variable altogether.

By the time fr.Behaviors is populated, we already know if the rule has an override tag.

[egibs]

Added two new fields for overrides in 660024a (#487).

[tstromberg]

Can this use a const of some sort? I don't remember if "3" is "HIGH" or "CRITICAL". I'm not sure why either needs to be hardcoded here to be honest, but I think it'd improve readability.

[egibs]

Updated in 660024a (#487).

[tstromberg]

I don't think the nested switches are helping readability. Maybe something like:

if newRisk != overallRiskScore {
			overallRiskScore = newRisk
}

if c.Scan && newRisk < HIGH:
  return malcontent.FileReport{}, nil
}

Is this just checking if the command is "scan" vs "analyze"? If so, I don't think this function should need to know: all scan should need to do in main is set a default minRisk of "HIGH" and everything else should just work out.

[egibs]

Cleaned this up in 660024a (#487).

[egibs]

I tested this out with a critical false positive and it works.

Test override rule:

rule pulumi_shellcode : override {
  meta:
    malware_shellcode_hash = "low"
    description = "Ignore shellcode findings in the pulumi binary"
  strings:
    $pulumi = { 50 75 6C 75 6D 69 }
    $pulumi2 = { 70 75 6C 75 6D 69 }
  condition:
    any of ($pulumi*)
}

Result:

[egibs]

There were two go_dns_refs rules and there was a chance one would clobber the other and result in different report results:

• malcontent/rules/net/dns.yara

  Lines 1 to 11 in 0acb2e0

  	rule go_dns_refs {
  	meta:
  	description = "Uses DNS (Domain Name Service)"
  	strings:
  	$dnsmessage = "dnsmessage"
  	$edns = "SetEDNS0"
  	$cname = "CNAMEResource"
  	$nodejs = /require\(['"]dns['"]\)/
  	condition:
  	any of them
  	}

• malcontent/rules/net/dns-servers.yara

  Lines 1 to 10 in 0acb2e0

  	rule go_dns_refs {
  	meta:
  	description = "Examines local DNS servers"
  	strings:
  	$resolv = "resolv.conf" fullword
  	$dns_getservers = "dns.getServers"
  	$cname = "CNAMEResource"
  	condition:
  	any of them
  	}