Address false positives seen with argocd, grafana, jupyterhub, and reflex #475

Merged (5 commits), Oct 1, 2024

Conversation

@egibs (Member) commented Oct 1, 2024:

This PR addresses the [critical] false positives seen in these PRs:

The difficult exclusion was with the PrintDeps.exe file, so I opted to exclude this string:

Usage:
  PrintDeps FILE...     Version: r  %p  eE  pP

Depends on chainguard-dev/malcontent-samples#8

@egibs requested a review from tstromberg, October 1, 2024 13:39
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
@egibs force-pushed the 20241001-false-positive-fixes branch from 5dac973 to a3d417f, October 1, 2024 13:42
egibs added 2 commits, October 1, 2024 08:43
Signed-off-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
@egibs (Member, Author) commented Oct 1, 2024:

The changes in bd8a2d8 (#475) are based on eight different .js files which would be tedious to maintain as samples. The third-party rule was the argocd finding.

$a_const = "const "
$a_function = "function("
$a_return = "{return"
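To show how the count-threshold-plus-exclusion shape of these rules behaves on realistic input, here is an added Python model (not malcontent's code; YARA itself is not run). The threshold strings come from the comment above and the `filesize < 256KB and #const > 32 and #function > 48 and #return > 64 and none of ($not_*)` condition in this PR; the rule name, the exclusion marker reused from the `multiple_browser_refs` rule, and the sample inputs are constructed for the example.

```python
from dataclasses import dataclass

KB = 1024


@dataclass
class CountRule:
    """Model of a YARA rule shaped like
    `filesize < N and #a > x and #b > y ... and none of ($not_*)`.
    thresholds: byte string -> count it must exceed (YARA `#name > n`).
    exclusions: the `$not_*` strings; one hit anywhere suppresses the match."""
    name: str
    max_size: int
    thresholds: dict
    exclusions: tuple = ()

    def headroom(self, data: bytes) -> dict:
        """count minus threshold per string (all positive => the count part fires);
        useful for seeing how far a benign sample is from tripping the rule."""
        return {s.decode(): data.count(s) - n for s, n in self.thresholds.items()}

    def matches(self, data: bytes) -> bool:
        if len(data) >= self.max_size:                 # filesize < N
            return False
        if any(ex in data for ex in self.exclusions):  # none of ($not_*)
            return False
        return all(data.count(s) > n for s, n in self.thresholds.items())


# Hypothetical rule name; strings and thresholds as in this PR's third-party rule.
THIRD_PARTY_JS = CountRule(
    name="third_party_js_bundle",
    max_size=256 * KB,
    thresholds={b"const ": 32, b"function(": 48, b"{return": 64},
    # Exclusion marker borrowed from multiple_browser_refs for illustration.
    exclusions=(b"// This file is generated",),
)

# Constructed stand-in for a minified frontend bundle: many `const` declarations
# and `function(){return ...}` closures, i.e. ordinary minifier output.
MINIFIED_BUNDLE = b"const x=1;" * 40 + b"function(){return 1}" * 70
# The same bundle carrying the generated-file banner: the $not_ string wins.
GENERATED_BUNDLE = b"// This file is generated\n" + MINIFIED_BUNDLE
# A small hand-written script, well under every threshold.
SMALL_SCRIPT = b"const a = 1;\nfunction(){return a}\n"

if __name__ == "__main__":
    for label, blob in [("minified", MINIFIED_BUNDLE), ("generated", GENERATED_BUNDLE),
                        ("small", SMALL_SCRIPT)]:
        print(label, THIRD_PARTY_JS.matches(blob), THIRD_PARTY_JS.headroom(blob))
```

The headroom values show why plain minified output clears every count with room to spare, which is the case for lowering criticality rather than adding per-project exclusions.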

@tstromberg (Collaborator) commented:

also mark this as a "high"

@egibs (Member, Author) commented:

If we move these to high, I can remove the exclusions. That would be a lot cleaner.

@tstromberg (Collaborator) commented Oct 1, 2024:

Works for me. In my mind, "CRITICAL" rules should never be broad enough for false positives to easily happen.

@@ -28,8 +30,10 @@ rule win_kill_proc : critical {
$debug_uhf = "UnhandledExceptionFilter"
$kill_gmh = "GetModuleHandle"
$kill_tp = "TerminateProcess"

$not_printdeps_exe = {55 73 61 67 65 3A 0A 20 20 50 72 69 6E 74 44 65 70 73 20 46 49 4C 45 2E 2E 2E 00 00 00 00 00 56 65 72 73 69 6F 6E 3A 20 72 00 00 25 70 00 00 65 45 00 00 70 50}
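Review bot: `$not_printdeps_exe` pins the exact bytes of one PrintDeps.exe build, including the null padding between the `Usage:` banner, `Version: r`, `%p`, `eE` and `pP` fragments, so any rebuild that changes the version string or section padding brings the false positive straight back. If `win_kill_proc` is reclassified from critical to high as discussed in this thread, the exclusion can be dropped instead of maintained; if it stays, a comment naming the sample it was extracted from would help the next maintainer, and since the hunk does not show the rule's `condition:` line, confirm it now ends in `and none of ($not_*)` so the new string is actually referenced.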
@tstromberg (Collaborator) commented:

Also change criticality to high

@@ -60,6 +60,8 @@ rule multiple_browser_refs : critical {
$not_ff_js = "Firefox can even throw an error"
$not_generated_comment = "// This file is generated"
$not_generated_file = "/utils/generate_types/index.js"
$not_microsoft = "Copyright (c) Microsoft Corporation."
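Review bot: `$not_microsoft = "Copyright (c) Microsoft Corporation."` is a broad carve-out for `multiple_browser_refs`: any file that carries that copyright line anywhere, including one that merely embeds it, is now skipped, which is much wider than the single sample that triggered it. Prefer a narrower marker like the path-based `$not_generated_file = "/utils/generate_types/index.js"` already in the hunk where the sample allows it, and add a one-line comment per `$not_*` string recording which sample needed it.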
@tstromberg (Collaborator) commented:

Also change criticality to high

condition:
filesize < 50KB and $url and $POST and any of ($pk*)
filesize < 50KB and $url and $POST and any of ($pk*) and none of ($not_*)
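Review bot: appending `and none of ($not_*)` makes this rule only as tight as its exclusion strings, so a later edit to any `$not_*` value can silently widen or mute it. Since the PR already depends on chainguard-dev/malcontent-samples#8, pair each excluded sample with a check that the rule no longer fires on it and still fires on the positive samples, so the exclusions are covered by tests rather than by memory.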
@tstromberg (Collaborator) commented:

Also change criticality to high

condition:
filesize < 256KB and #const > 32 and #function > 48 and #return > 64
filesize < 256KB and #const > 32 and #function > 48 and #return > 64 and none of ($not_*)
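Review bot: `#const > 32 and #function > 48 and #return > 64` counts ordinary minifier output (`const `, `function(`, `{return`) rather than anything malicious, so most bundled frontend assets under 256KB will satisfy the count part and the rule will keep accumulating `$not_*` entries per project (argocd in this PR); lowering the criticality addresses that root cause better than a growing exclusion list. Separately, the condition references `#const`, `#function` and `#return`, while the strings quoted in the discussion are named `$a_const`, `$a_function` and `$a_return`; if those belong to this rule, the condition and the declarations need to agree on the names.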
@tstromberg (Collaborator) commented:

Change criticality to medium

condition:
filesize < 256KB and #const > 16 and #function > 32 and #parseInt > 8 and #return > 32
filesize < 256KB and #const > 16 and #function > 32 and #parseInt > 8 and #return > 32 and none of ($not_*)
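Review bot: `#parseInt > 8` is the only term here that points at something beyond minification, while the other three are the same minifier fingerprints as the previous rule at even lower thresholds (`#const > 16`, `#function > 32`, `#return > 32`), so the exclusion list is doing most of the precision work. A comment stating why these thresholds were chosen and which of the PR's samples established them would make the rule maintainable when the next false positive arrives.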
@tstromberg (Collaborator) commented:

Change criticality to high

@egibs changed the title from "Address false positives seen with jupyterhub and reflex" to "Address false positives seen with argocd, grafana, jupyterhub, and reflex", Oct 1, 2024
@egibs requested a review from tstromberg, October 1, 2024 21:06
@egibs merged commit 6d1cc3b into chainguard-dev:main, Oct 1, 2024
6 checks passed
@egibs deleted the 20241001-false-positive-fixes branch, October 1, 2024 22:47