Split up the ddos_refs rule for improved accuracy (#316)

* Split up the ddos rule for better accuracy * Split up the ddos rule for better accuracy * Add testdata * remove hashes that will no longer match * simplify condition * spaces, not tabs * Update rules/net/ddos.yara Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com> Signed-off-by: Thomas Strömberg <t@chainguard.dev> --------- Signed-off-by: Thomas Strömberg <t@chainguard.dev> Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
chainguard-dev · Jul 2, 2024 · a495a1b · a495a1b
1 parent 8a4d35d
commit a495a1b
Show file tree

Hide file tree

Showing 6 changed files with 77 additions and 7 deletions.
diff --git a/rules/net/ddos.yara b/rules/net/ddos.yara
@@ -1,15 +1,26 @@
-rule ddos_refs : critical {
+rule tsource_engine_query : critical {
   meta:
     description = "Performs DDoS (distributed denial of service) attacks"
     hash_2023_Unix_Malware_Agent_6fbb = "6fbbbd21cd5895553e7caf2d8d77e96e5dfe88095f970a8704ce472eb1eb219b"
     hash_2023_Unix_Trojan_Gafgyt_28e1 = "28e1a958b781f23cdea4e7ec1a1a7458c75004daaf2847362335f9d07358cf4f"
     hash_2023_Unix_Trojan_Gafgyt_5636 = "5636cddb43765a7e9228c88bd9f5c4cef443da2add0f7b7a9b77cead9387f5db"
   strings:
-    $ref = "TSource Engine Query"
-    $ref2 = "ackflood" fullword
-    $ref3 = "synflood" fullword
-    // datadog-agent tracer-fentry-debug.o
-    $ignore_ref = "synflood_warned"
+    $tsource = "TSource Engine Query"
   condition:
-    any of ($ref*) and not $ignore_ref
+    $tsource
+}
+
+rule tcp_flood_refs : high {
+  meta:
+    description = "May perform DDoS (distributed denial of service) attacks"
+  strings:
+    $ack2 = "ack flood" fullword
+    $ack3 = "ACK flood" fullword
+    $ack = "ackflood" fullword
+
+    $syn2 = "syn flood" fullword
+    $syn3 = "SYN flood" fullword
+    $syn = "synflood" fullword
+  condition:
+    any of ($ack*) and any of ($syn*)
 }
diff --git a/rules/ref/words/ackflood.yara b/rules/ref/words/ackflood.yara
@@ -0,0 +1,8 @@
+rule ackflood : medium {
+  meta:
+    description = "References ACK flooding"
+  strings:
+    $ref = "ackflood" fullword
+  condition:
+    any of them
+}
diff --git a/rules/ref/words/synflood.yara b/rules/ref/words/synflood.yara
@@ -0,0 +1,8 @@
+rule synflood : medium {
+  meta:
+    description = "References SYN flooding"
+  strings:
+    $ref = "synflood" fullword
+  condition:
+    any of them
+}
diff --git a/samples/Linux/2023.Gafgyt/5636cddb43.elf.x86 b/samples/Linux/2023.Gafgyt/5636cddb43.elf.x86
diff --git a/samples/Linux/2023.Gafgyt/5636cddb43.elf.x86.simple b/samples/Linux/2023.Gafgyt/5636cddb43.elf.x86.simple
@@ -0,0 +1,27 @@
+# Linux/2023.Gafgyt/5636cddb43.elf.x86
+3P/elastic/gafgyt
+combo/net/raw_flooder
+combo/recon/upload_netinfo
+evasion/fake/user/agent
+exec/program/background
+net/ddos
+net/hostname/resolve
+net/ip/parse
+net/ip/string
+net/mac/address
+net/raw_sockets
+net/socket/local/address
+net/socket/receive
+net/socket/send
+procfs/net_route
+random/insecure
+ref/ip
+ref/ip/dns_resolver
+ref/ip_port
+ref/path/etc
+ref/path/etc/hosts
+ref/path/etc/resolv.conf
+ref/path/usr/bin
+ref/path/usr/sbin
+ref/path/usr/sbin/telnetd
+ref/program/ancient_gcc
diff --git a/samples/Linux/clean/tracer.o.aarch64.simple b/samples/Linux/clean/tracer.o.aarch64.simple
@@ -0,0 +1,16 @@
+# Linux/clean/tracer.o.aarch64
+combo/recon/system_network
+databases/mysql
+kernel/acct
+net/bpf
+net/http/post
+net/ip/multicast/send
+net/socket/listen
+net/socket/receive
+net/socket/send
+net/stat
+net/syncookie
+ref/ip_port
+ref/words/heartbeat
+ref/words/synflood
+security_controls/linux/iptables