
Resolve datadog-agent kworker false positives #300

Merged

Conversation

@egibs egibs commented Jun 29, 2024

Closes: #288

"kworker" fullword was likely matching these strings in process-agent:

  • is_kworker
  • checkworker

This PR tweaks the $kworker2 string to match either kworker or Kworker between word boundaries, which will avoid matching against strings like those mentioned above, and also adds explicit ignores for is_kworker and checkworker.

Discovery:

$ docker run --rm -it --platform=linux/amd64 --entrypoint sh cgr.dev/chainguard/datadog-agent:latest-dev
...
/ # apk update; apk add vim
/ # xxd -c 64 -g 2 -b /usr/bin/process-agent | grep -i kworker

These strings were also present:

  • MarkWorker
  • IsKworker
  • IsNotKworker
  • NotKworker

The new rule should ignore these as well.

@egibs egibs requested a review from tstromberg June 29, 2024 14:45
@egibs egibs force-pushed the resolve-dd-agent-kworker-false-positive branch from a9f4e78 to a1b5c67 Compare June 29, 2024 14:53
@egibs egibs added the rules Adds or modifies YARA Rules label Jun 30, 2024
egibs added 2 commits July 1, 2024 10:14
@egibs egibs requested a review from tstromberg July 1, 2024 16:21
egibs added 5 commits July 1, 2024 11:23

@tstromberg tstromberg left a comment


The ignore_refs look more complicated than we usually have, so I just wanted to see if they could be made into non-regex form.

Also related: #306

It'd be nice if we had at least one sample to validate that we aren't breaking this query, but we can save that for another PR too.

@@ -7,10 +6,14 @@ rule fake_kworker_val : critical {
hash_2023_Unix_Downloader_Rocke_6107 = "61075056b46d001e2e08f7e5de3fb9bfa2aabf8fb948c41c62666fd4fab1040f"
strings:
$kworker = /\[{0,1}kworker\/[\d:\]]{1,5}/
$kworker2 = "kworker" fullword
$kworker2 = /\bkworker\b/
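Review bot: the description says the new `$kworker2` matches either `kworker` or `Kworker`, but `$kworker2 = /\bkworker\b/` is case-sensitive as written, so `Kworker` will not match it; if the capitalised form is intended, the string needs `nocase` or an explicit `[kK]worker`. The real difference from the removed `$kworker2 = "kworker" fullword` is how `_` is treated: YARA's `fullword` only requires non-alphanumeric delimiters, and `_` is not alphanumeric, so the old string matched inside `is_kworker`, whereas `\b` treats `_` as a word character and the regex does not. That is the behaviour that actually fixes the process-agent hit, so a one-line comment next to the string would stop a future reader from reverting it to `fullword`.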
Collaborator

just for my own education, what's the difference between \b and fullword?

Member Author


For the purposes I was using it for, probably not. It would definitely provide more control in a larger expression but I can change this back to "kworker" fullword.
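To make the `\b` versus `fullword` question concrete, here is an added Python check (not code from the PR or from the malcontent project) that emulates YARA's documented `fullword` semantics (the match must be delimited by non-alphanumeric characters, so `_` counts as a delimiter) beside Python's `re` word boundary, and runs both over the strings listed in the PR description plus one constructed kernel-thread name. The emulation of `fullword` is my own reading of the YARA docs, not YARA itself.

```python
import re

# Strings from the PR description (found in datadog's process-agent) plus one
# constructed example of what a genuine kernel worker thread name looks like.
CANDIDATES = [
    "[kworker/0:1]",   # constructed: a real kernel thread name, must still match
    "is_kworker",
    "checkworker",
    "IsKworker",
    "IsNotKworker",
    "NotKworker",
    "MarkWorker",
]


def yara_fullword(haystack: str, needle: str) -> bool:
    """Emulate YARA's `fullword` modifier: the needle must appear delimited by
    non-alphanumeric characters (start and end of data also count).
    Note that '_' is NOT alphanumeric, so it is a valid delimiter here."""
    start = 0
    while True:
        i = haystack.find(needle, start)
        if i == -1:
            return False
        before = haystack[i - 1] if i > 0 else ""
        end = i + len(needle)
        after = haystack[end] if end < len(haystack) else ""
        if not before.isalnum() and not after.isalnum():
            return True
        start = i + 1


def regex_word_boundary(haystack: str, needle: str) -> bool:
    """The replacement string from the PR, /\\bkworker\\b/: in regex terms '_'
    is a word character, so there is no boundary before the 'k' in
    `is_kworker` and it does not match."""
    return re.search(r"\b" + re.escape(needle) + r"\b", haystack) is not None


def compare(candidates=CANDIDATES, needle="kworker"):
    """Map each candidate to (fullword_matches, word_boundary_matches)."""
    return {s: (yara_fullword(s, needle), regex_word_boundary(s, needle))
            for s in candidates}


if __name__ == "__main__":
    for s, (fw, wb) in compare().items():
        print(f"{s:16} fullword={fw!s:5} \\b={wb}")
```

Only `is_kworker` separates the two: `fullword` matches it and `\b` does not, while `checkworker` and the capitalised variants are matched by neither because the match is case-sensitive and preceded by a letter.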

$kworker3 = "[kworker"
// datadog process-agent
$ignore_ref = /(data->|[!\*\.])?is_kworker(\.\w{0,32})?/
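Review bot: the optional groups in `$ignore_ref = /(data->|[!\*\.])?is_kworker(\.\w{0,32})?/` add no selectivity: both the prefix group and the `(\.\w{0,32})?` suffix are optional, so any occurrence of `is_kworker` satisfies the regex and it matches exactly the same data as the plain string `"is_kworker"`. A literal string is cheaper for YARA to scan and easier to audit; the `// datadog process-agent` comment already records why the ignore exists.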
Collaborator


Can these expressions be simplified? Is there a reason why a single string (non-regex) isn't sufficient to exclude datadog?

Member Author

@egibs egibs Jul 1, 2024


Good point -- I was way overthinking this. I'll just ignore DataDog and datadog.

Member Author

@egibs egibs Jul 1, 2024


Both DataDog and datadog were present so I used a small expression to cover both cases in ca4eff3 (#300).

Member Author


/bincapz # yara rules/evasion/fake-process-name.yara /usr/bin/process-agent -s
/bincapz # yara rules/evasion/fake-process-name.yara /usr/bin/process-agent -c
0

@tstromberg tstromberg enabled auto-merge (squash) July 1, 2024 20:16
@tstromberg tstromberg merged commit 761e964 into chainguard-dev:main Jul 1, 2024
6 checks passed
@egibs egibs deleted the resolve-dd-agent-kworker-false-positive branch July 19, 2024 13:20
egibs added a commit to egibs/malcontent that referenced this pull request Aug 5, 2024
* Resolve datadog-agent kworker false positives

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Better handling of ignore_ref

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Update rules/evasion/fake-process-name.yara

Signed-off-by: Evan Gibler <20933572+egibs@users.noreply.github.com>

* Update rules/evasion/fake-process-name.yara

Signed-off-by: Evan Gibler <20933572+egibs@users.noreply.github.com>

* Add more precise DataDog process-agent kworker references

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* More specificity

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Consolidate ignores

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Ignore DataDog strings

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Signed-off-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
Co-authored-by: Thomas Strömberg <t+github@chainguard.dev>
egibs added a commit to egibs/malcontent that referenced this pull request Sep 25, 2024
Labels
rules Adds or modifies YARA Rules
Development

Successfully merging this pull request may close these issues.

probable false: evasion/fake/process/name in datadog-agent-7.54
2 participants