Address yara-x compile findings #640
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: egibs <[email protected]>
egibs
commented
Nov 17, 2024
| @@ -44,34 +44,3 @@ rule linux_kernel_module_hide_self: critical linux { | |||
| condition: | |||
| filesize < 1MB and $register_kprobe and any of ($hide*) | |||
| } | |||
|
|
|||
| rule funky_high_signal_killer: high { | |||
There was a problem hiding this comment.
This was a line-for-line duplicate.
| filesize < 10MB and any of them | ||
| } | ||
|
|
||
| rule linux_rootkit_terms: critical linux { |
There was a problem hiding this comment.
This was a line-for-line duplicate.
| @@ -29,15 +29,3 @@ rule fetch_run_sleep_delete: critical { | |||
| condition: | |||
| filesize < 1KB and $url and $sleep and $rm and any of ($path*) and any of ($run*) | |||
| } | |||
|
|
|||
| rule self_delete: high { | |||
There was a problem hiding this comment.
This was a line-for-line duplicate.
egibs
commented
Nov 17, 2024
| @@ -117,22 +141,3 @@ jobs: | |||
| version: v1.62.0 | |||
| args: --timeout=5m | |||
|
|
|||
| lint: | |||
There was a problem hiding this comment.
This was doing nothing and we're already covering what it would handle via the other Jobs.
egibs
force-pushed
the
fix-yara-x-compile-issues
branch
3 times, most recently
from
921f93a to
ef8d963
Compare
Signed-off-by: egibs <[email protected]>
egibs
force-pushed
the
fix-yara-x-compile-issues
branch
from
ef8d963 to
3c80132
Compare
tstromberg
approved these changes
Nov 18, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Addresses: #638
Running
yr compile rules/returned ~73 errors which were mostly duplicate rule names. Some of these rules were direct duplicates of each other; others were just needed a more appropriate (if longer) name.In cases where
(elf or macho)was used, the private rules needed to be renamed because the compiler thought we were referencing the import name (with astructtype).Otherwise, I fixed a few strings and regenerated all of the test data to account for the updated rules.
To catch future rule warnings or errors, I added another CI check that will run
yr compileon the entire rules directory which barely takes a second. If any findings exist, the Job will fail.