Address false positives for SQLPad and Lerna (#375)

* Address false positives for SQLPad and Lerna Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Add samples for Lerna and SQLPad Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
chainguard-dev · Jul 22, 2024 · 64243dd · 64243dd
1 parent a038cc6
commit 64243dd
Show file tree

Hide file tree

Showing 6 changed files with 14,292 additions and 19 deletions.
diff --git a/pkg/compile/compile.go b/pkg/compile/compile.go
@@ -25,6 +25,7 @@ var badRules = map[string]bool{
 	"MALPEDIA_Win_Unidentified_107_Auto":          true,
 	"SIGNATURE_BASE_SUSP_PS1_JAB_Pattern_Jun22_1": true,
 	"ELCEEF_HTML_Smuggling_A":                     true,
+	"DELIVRTO_SUSP_HTML_WASM_Smuggling":           true,
 	// ThreatHunting Keywords (some duplicates)
 	"Adobe_XMP_Identifier":                       true,
 	"Antivirus_Signature_signature_keyword":      true,

diff --git a/rules/evasion/base64-python.yara b/rules/evasion/base64-python.yara
@@ -6,24 +6,29 @@ rule base64_python_functions : critical {
     hash_2023_0xShell_wesobase = "17a1219bf38d953ed22bbddd5aaf1811b9380ad0535089e6721d755a00bddbd0"
     hash_2024_static_demonizedshell_static = "b4e65c01ab90442cb5deda26660a3f81bd400c205e12605536483f979023aa15"
   strings:
-    $exec = "exec(" base64
-    $eval = "eval(" base64
-    $import_os = "import os" base64
-    $import = "__import__" base64
-    $importlib = "importlib" base64
-    $import_module = "import_module" base64
-    $urllib = "urllib.request" base64
-    $requests_get = "requests.get" base64
-    $urlopen = "urlopen" base64
-    $read = "read()" base64
-    $decode = "decode()" base64
-    $b64decode = "base64.b64decode" base64
-    $exc = "except Exception as" base64
-	$os_system = "os.system" base64
-	$os_popen = "os.popen" base64
-    $thread = "threading.Thread" base64
-	$os_environ = "os.environ" base64
-	$with_open = "with open(" base64
+    $f_exec = "exec(" base64
+    $f_eval = "eval(" base64
+    $f_import_os = "import os" base64
+    $f_import = "__import__" base64
+    $f_importlib = "importlib" base64
+    $f_import_module = "import_module" base64
+    $f_urllib = "urllib.request" base64
+    $f_requests_get = "requests.get" base64
+    $f_urlopen = "urlopen" base64
+    $f_read = "read()" base64
+    $f_decode = "decode()" base64
+    $f_b64decode = "base64.b64decode" base64
+    $f_exc = "except Exception as" base64
+    $f_os_system = "os.system" base64
+    $f_os_popen = "os.popen" base64
+      $f_thread = "threading.Thread" base64
+    $f_os_environ = "os.environ" base64
+    $f_with_open = "with open(" base64
+    $not_js = " ?? " base64
+    $not_js2 = " === " base64
+    $not_js3 = "const" base64
+    $not_js4 = "this." base64
+    $not_js5 = "throw" base64
   condition:
-    2 of them
+    2 of ($f*) and none of ($not*)
 }