Add /dev/ rule #148

Merged
merged 9 commits into from
Apr 23, 2024

Conversation

egibs
Member

@egibs egibs commented Apr 18, 2024

Closes: #147

I wanted to try my hand at writing some YARA rules -- this PR adds a detection for /dev/ paths while excluding /dev/null and /dev/shm/... since there are already detections for these two paths.

I tested this with $ go run . --oci python -- for example:

/var/folders/3g/88131l9j11x995ppjbxsvhbh0000gn/T/bincapz-python1263427931/usr/bin/clear [MEDIUM]
-----------------------------------------------------------------------------------
RISK  KEY              DESCRIPTION                            EVIDENCE             
-----------------------------------------------------------------------------------
LOW   env/TERM         Look up or override terminal settings  TERM                 
LOW   ref/path/hidden  possible hidden file path              /usr/lib/debug/.dwz  
MED   ref/path/dev     path reference within /dev             /dev/tty             
-----------------------------------------------------------------------------------

There were a total of 139 matches for this rule in python.

@egibs egibs force-pushed the add-dev-detection branch from c2bde4d to 4ec9d46 Compare April 18, 2024 21:08
@tstromberg
Collaborator

Thanks! YARA rules are both fun and frustrating to write :)

I see that this PR is trying to do the right thing within YARA limitations. It's good, but I wanted to share a case where I think we can improve it. If a file contains /dev/null and /dev/stdin, this rule returns nothing:

echo "/dev/null /dev/shm/x /dev/stdin" > /tmp/test
yara -s -w rules/ref/path/dev.yara /tmp/test

I don't know the best way to handle this case in yara: where you want to exclude a single result, but still allow other matches within a file. Looking at VirusTotal/yara#1452 I'm not sure there is a native way to do this correctly in YARA.

My two suggestions:

  • Leave this rule, but update the condition to matches if >1 /dev file is found: $path and #path > 1 or (not dev_null and not dev_shm)
  • Add support to bincapz for a metadata field that lists results to exclude, for instance, "exclude_1 = "/dev/null"

I'm kind of siding toward the first option, but I think the second is an eventuality. Here's an example of a simplified version of your rule that I think delivers what you might be trying to achieve:

rule dev_path : notable {
    meta:
        description = "path reference within /dev"
    strings:
        $path = /\/dev\/[a-z\.\-\/]+/
        $not_null = "/dev/null"
        $not_shm = "/dev/shm/"
    condition:
        // 'and' binds tighter than 'or' in YARA, so the alternatives are grouped:
        // match when there is more than one /dev path, or when a /dev path is
        // present and neither excluded path appears anywhere in the file
        $path and (#path > 1 or none of ($not*))
}

What do you think?

@tstromberg
Collaborator

tstromberg commented Apr 20, 2024

One last tip: for performance reasons, try to avoid + in regexps when possible, and use alternatives that contain limits, for example {1,16} is probably good in this case. This was something I learned from https://github.com/Neo23x0/YARA-Performance-Guidelines

@egibs
Member Author

egibs commented Apr 20, 2024

My two suggestions:

* Leave this rule, but update the condition to matches if >1 /dev file is found: `        $path and #path > 1 or (not dev_null and not dev_shm)`

* Add support to bincapz for a metadata field that lists results to exclude, for instance, "exclude_1 = "/dev/null"

...
What do you think?

I agree with option one for now; though, I do think that option two will make it easier to exclude more nuanced paths in the future. I'll work on implementing your suggestions!

@egibs
Member Author

egibs commented Apr 20, 2024

@tstromberg -- addressed your comment(s) in c55036f (#148) and 0adaaaf (#148).

I used $path and none of ($ignore*) instead of including #path > 1. I also updated the /dev/null expression to match either one or two Ls in null because I saw an interesting output where /dev/nul was showing up, which makes it seem like the trailing character was getting trimmed.

Here's the output prior to me updating the ignore_null expression:

/var/folders/3g/88131l9j11x995ppjbxsvhbh0000gn/T/bincapz-python221071327/usr/bin/find [MEDIUM]
MED   ref/path/dev                     path reference within /dev                    /dev/nul                                        
                                                                                     /dev/stderr                                     
                                                                                     /dev/stdout 

I tried to reproduce this output inside of a container and /dev/nul didn't show up when directly evaluating the YARA rule:

root@712d475f8f6f:~/bincapz# cat rules/ref/path/dev.yara
rule dev_path : notable {
    meta:
        description = "path reference within /dev"
    strings:
        $path = /\/dev\/[a-z\.\-\/]{1,16}/
        $ignore_null = "/dev/null"
        $ignore_shm = "/dev/shm/"
    condition:
        $path and none of ($ignore*)
}
root@712d475f8f6f:~/bincapz# yara -s -w rules/ref/path/dev.yara /usr/bin/find

Maybe some unintended behavior to investigate further?
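To make the file-wide exclusion problem concrete (the /dev/null /dev/shm/x /dev/stdin case from the review above, and the $path and none of ($ignore*) condition adopted in this comment), here is an added Python emulation of the three candidate conditions. It is example code, not bincapz or its YARA engine; the per-match exclusion function stands in for the hypothetical metadata-driven exclude list from the review and is not an existing bincapz feature.

```python
import re

# Added example: emulates how each proposed YARA condition behaves on a file.
# Not bincapz code; it mirrors the rule strings from this PR in plain Python.

# Mirrors $path = /\/dev\/[a-z\.\-\/]{1,16}/ (bounded, per the performance tip).
DEV_PATH = re.compile(rb"/dev/[a-z.\-/]{1,16}")
# Mirrors $ignore_null = "/dev/null" and $ignore_shm = "/dev/shm/".
IGNORED = (b"/dev/null", b"/dev/shm/")


def dev_paths(data: bytes) -> list:
    """All $path matches in file order (what YARA exposes as #path / @path)."""
    return DEV_PATH.findall(data)


def ignored_present(data: bytes) -> bool:
    """True when any $ignore* string occurs anywhere in the file."""
    return any(s in data for s in IGNORED)


def rule_none_of(data: bytes) -> list:
    """Condition merged in this PR: $path and none of ($ignore*).

    Exclusion is file-wide: a single /dev/null anywhere suppresses every
    /dev/ match, so /dev/stdin in the same file is never reported."""
    paths = dev_paths(data)
    if paths and not ignored_present(data):
        return paths
    return []


def rule_count_or_none(data: bytes) -> list:
    """Option one from the review: $path and (#path > 1 or none of ($ignore*)).

    Reports the file once a second /dev/ path exists, but the ignored paths
    themselves are still listed among the matches."""
    paths = dev_paths(data)
    if paths and (len(paths) > 1 or not ignored_present(data)):
        return paths
    return []


def rule_per_match_exclude(data: bytes) -> list:
    """Option two from the review, done outside YARA: keep the rule broad and
    drop individual matches that start with an ignored prefix in a scanner-side
    post-filter. The metadata key that would carry this list is hypothetical."""
    return [p for p in dev_paths(data) if not p.startswith(IGNORED)]


if __name__ == "__main__":
    # Constructed sample: the same content as the review's echo ... > /tmp/test.
    sample = b"/dev/null /dev/shm/x /dev/stdin"
    for name, fn in (("none of", rule_none_of),
                     ("#path > 1 or none of", rule_count_or_none),
                     ("per-match exclude", rule_per_match_exclude)):
        print(f"{name:>22}: {fn(sample)}")
```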

description = "path reference within /dev"
strings:
$path = /\/dev\/[a-z\.\-\/]{1,16}/
$ignore_null = /\/dev\/nu[l]{1,2}/
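Review bot: the change of `$ignore_null` from the literal `"/dev/null"` to the regex `/\/dev\/nu[l]{1,2}/` absorbs the truncated `/dev/nul` seen in the OCI scan output instead of addressing why the trailing character is lost, and it adds a regex where a plain string exclusion would do; keep the literal string and track the truncation separately. If a regex is kept, `ll?` reads more clearly than `[l]{1,2}`.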
Collaborator

Why match /dev/nul?

Member Author

I don't think it's necessary outside of what I noted in this comment.

I'll tweak the rule and check the output again.

Member Author

Yea, reverting to /dev/null results in this:

MED   ref/path/dev                     path reference within /dev                    /dev/nul                                        
                                                                                     /dev/stderr                                     
                                                                                     /dev/stdout

Member Author

Also saw this when tweaking the rule:

MED   ref/path/dev          path reference within /dev                  /dev/null.    

Member Author

@egibs egibs Apr 23, 2024

Reverted to /dev/null in 011f205 (#148).

After a bit of experimentation, the original rule was matching /dev/nul1 which is still odd.

I spent a couple of hours last night comparing the output of docker run -d debian; docker container export <ID> and go run . --oci debian and the former never showed any rule matches like that.

It could be due to how crane exports the layers of the image resulting in artifacts like this but that's pure conjecture on my part. I did make sure that the actual Bincapz code wasn't modifying the match strings, though.

@egibs egibs requested a review from tstromberg April 23, 2024 13:35
Collaborator

@tstromberg tstromberg left a comment

Thank you!

@egibs
Member Author

egibs commented Apr 23, 2024

@tstromberg -- I fixed the tests, by the way:

❯ go clean -testcache && make test
go test ./... -v

@tstromberg tstromberg enabled auto-merge (squash) April 23, 2024 17:22
@tstromberg tstromberg merged commit 18a397d into chainguard-dev:main Apr 23, 2024
8 checks passed
@tstromberg
Collaborator

Yay! Thanks for your PR and for sticking through all the rough edges.

@egibs egibs deleted the add-dev-detection branch May 3, 2024 00:58
egibs pushed a commit to egibs/malcontent that referenced this pull request Aug 5, 2024
* Add /dev/ rule

* Address PR comments

* Remove extra ()

* Revert to /dev/null; update path

* Fix tests
egibs pushed a commit to egibs/malcontent that referenced this pull request Sep 25, 2024
* Add /dev/ rule

* Address PR comments

* Remove extra ()

* Revert to /dev/null; update path

* Fix tests
Successfully merging this pull request may close these issues.

add generic /dev path detection