Fix slow query warnings, update testdata

Makefile

@@ -3,7 +3,7 @@
 
 
 SAMPLES_REPO ?= chainguard-dev/malcontent-samples
-SAMPLES_COMMIT ?= 1520fe9007fb9c84f42da7d7fbaf9ae924c50b65
+SAMPLES_COMMIT ?= dd5e3099092d965b83ac31f803769ab04bc18d7d
 
 # BEGIN: lint-install ../malcontent
 # http://github.com/tinkerbell/lint-install

pkg/compile/compile.go

@@ -108,6 +108,8 @@ var rulesWithWarnings = map[string]bool{
 	"long_str":                              true,
 	"macho_backdoor_libc_signature":         true,
 	"http_accept":                           true,
+	"hardcoded_host_port":                   true,
+	"hardcoded_host_port_over_10k":          true,
 }
 
 func Recursive(ctx context.Context, fss []fs.FS) (*yara.Rules, error) {

tests/linux/2021.XMR-Stak/1b1a56.elf.simple

@@ -77,7 +77,7 @@ net/http/cookies: medium
 net/http/form_upload: medium
 net/http/post: medium
 net/http/request: low
-net/ip/host_port: medium
+net/ip/host_port: high
 net/ip/icmp: medium
 net/ip/parse: medium
 net/ip/string: medium

tests/linux/2024.Gelsemium/dbus.simple

@@ -0,0 +1,38 @@
+# linux/2024.Gelsemium/dbus: critical
+crypto/decrypt: low
+crypto/encrypt: medium
+data/hash/md5: medium
+data/random/insecure: low
+discover/network/netstat: medium
+discover/system/platform: medium
+discover/system/sysinfo: medium
+discover/user/name_get: medium
+evasion/file/prefix: high
+exec/shell/arbitrary_command_dev_null: medium
+fs/directory/create: low
+fs/directory/remove: low
+fs/file/delete_forcibly: medium
+fs/file/make_executable: high
+fs/file/times_set: medium
+fs/link_read: low
+fs/path/etc: low
+fs/path/etc_initd: high
+fs/path/lib_dynamic: medium
+fs/permission/modify: medium
+fs/proc/cpuinfo: medium
+fs/proc/self_exe: medium
+impact/remote_access/kill_rm: medium
+lateral/scan/tool: medium
+net/ip/string: medium
+net/resolve/hostname: low
+net/socket/local_addr: low
+net/socket/receive: low
+net/socket/send: low
+persist/daemon: medium
+persist/kernel_module/insert: medium
+persist/pid_file: medium
+persist/shell/bash: medium
+privesc/setuid: low
+process/groupid_set: low
+process/multithreaded: low
+sus/compiler: medium

tests/linux/2024.Gelsemium/kde.simple

@@ -0,0 +1,22 @@
+# linux/2024.Gelsemium/kde: critical
+crypto/rc4: low
+discover/process/name: medium
+evasion/file/location/dev_shm: high
+evasion/file/prefix: high
+evasion/hijack_execution/etc_ld.so.preload: high
+exec/program: medium
+exec/program/background: low
+exec/shell/arbitrary_command_dev_null: medium
+fs/directory/create: low
+fs/directory/remove: low
+fs/file/delete: medium
+fs/file/delete_forcibly: low
+fs/file/times_set: medium
+fs/link_read: low
+fs/path/etc: low
+fs/path/usr_bin: low
+fs/proc/self_exe: medium
+persist/shell/bash: medium
+privesc/setuid: low
+process/groupid_set: low
+sus/compiler: high

tests/linux/2024.Gelsemium/libselinux.so.simple

@@ -0,0 +1,11 @@
+# linux/2024.Gelsemium/libselinux.so: high
+anti-static/xor/commands: high
+exec/dylib/symbol_address: medium
+exec/program: medium
+exec/tty/open: medium
+fs/directory/remove: low
+fs/file/delete: low
+fs/link_read: low
+fs/proc/arbitrary_pid: medium
+fs/proc/pid_fd: medium
+os/fd/multiplex: low

tests/linux/2024.Gelsemium/udevd.simple

@@ -0,0 +1,68 @@
+# linux/2024.Gelsemium/udevd: high
+c2/addr/ip: medium
+c2/addr/url: low
+c2/client: medium
+c2/tool_transfer/arch: low
+credential/password: low
+credential/sniffer/bpf: medium
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/decrypt: low
+crypto/gost89: low
+crypto/openssl: medium
+crypto/public_key: low
+crypto/rc4: low
+data/builtin/openssl: medium
+data/compression/zlib: low
+data/encoding/base64: low
+data/hash/md5: low
+data/hash/sha1: low
+data/hash/sha256: low
+data/random/insecure: low
+discover/system/platform: low
+evasion/file/location/dev_shm: medium
+evasion/file/prefix: high
+evasion/hijack_execution/etc_ld.so.preload: high
+exec/dylib/address_check: low
+exec/dylib/symbol_address: medium
+exec/plugin: low
+exec/shell/arbitrary_command_dev_null: medium
+exec/shell/exec: medium
+exec/system_controls/systemd: medium
+fs/directory/create: low
+fs/directory/remove: low
+fs/file/copy: medium
+fs/file/delete: low
+fs/file/times_set: medium
+fs/link_read: low
+fs/path/etc: low
+fs/path/etc_initd: medium
+fs/path/root: medium
+fs/path/usr_bin: low
+fs/path/var: low
+fs/permission/modify: medium
+fs/proc/arbitrary_pid: medium
+fs/proc/pid_fd: medium
+fs/proc/self_exe: medium
+impact/remote_access/heartbeat: medium
+impact/remote_access/reverse_shell: medium
+lateral/scan/tool: medium
+net/dns/txt: low
+net/http/post: medium
+net/http/request: low
+net/ip/addr: medium
+net/ip/host_port: medium
+net/ip/parse: medium
+net/ip/string: medium
+net/proxy/tunnel: medium
+net/resolve/hostname: low
+net/socket/listen: medium
+net/socket/local_addr: low
+net/socket/peer_address: low
+net/socket/receive: low
+net/socket/send: low
+net/url/embedded: low
+privesc/setuid: low
+process/groupid_set: low
+process/multithreaded: low
+sus/compiler: high

tests/linux/2024.Gelsemium/udevd_multi.simple

@@ -0,0 +1,67 @@
+# linux/2024.Gelsemium/udevd_multi: high
+c2/addr/ip: medium
+c2/addr/url: low
+c2/client: medium
+c2/tool_transfer/arch: low
+credential/password: low
+credential/sniffer/bpf: medium
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/decrypt: low
+crypto/gost89: low
+crypto/openssl: medium
+crypto/public_key: low
+crypto/rc4: low
+data/builtin/openssl: medium
+data/compression/zlib: low
+data/encoding/base64: low
+data/hash/md5: low
+data/hash/sha1: low
+data/hash/sha256: low
+data/random/insecure: low
+discover/system/platform: low
+evasion/file/location/dev_shm: medium
+evasion/file/prefix: high
+evasion/hijack_execution/etc_ld.so.preload: high
+exec/dylib/address_check: low
+exec/dylib/symbol_address: medium
+exec/plugin: low
+exec/shell/arbitrary_command_dev_null: medium
+exec/shell/exec: medium
+exec/system_controls/systemd: medium
+fs/directory/create: low
+fs/directory/remove: low
+fs/file/copy: medium
+fs/file/delete: low
+fs/file/times_set: medium
+fs/link_read: low
+fs/path/etc: low
+fs/path/etc_initd: medium
+fs/path/root: medium
+fs/path/usr_bin: low
+fs/path/var: low
+fs/permission/modify: medium
+fs/proc/arbitrary_pid: medium
+fs/proc/pid_fd: medium
+fs/proc/self_exe: medium
+impact/remote_access/heartbeat: medium
+impact/remote_access/reverse_shell: medium
+lateral/scan/tool: medium
+net/dns/txt: low
+net/http/post: medium
+net/http/request: low
+net/ip/addr: medium
+net/ip/host_port: medium
+net/ip/parse: medium
+net/ip/string: medium
+net/proxy/tunnel: medium
+net/resolve/hostname: low
+net/socket/listen: medium
+net/socket/local_addr: low
+net/socket/receive: low
+net/socket/send: low
+net/url/embedded: low
+privesc/setuid: low
+process/groupid_set: low
+process/multithreaded: low
+sus/compiler: high

tests/npm/2024.solana_web3/v1.95.7.index.browser.esm.js.simple

@@ -0,0 +1,25 @@
+# npm/2024.solana_web3/v1.95.7.index.browser.esm.js: critical
+anti-static/obfuscation/hex: medium
+anti-static/obfuscation/reverse: medium
+c2/addr/url: high
+credential/ssl/key: high
+credential/ssl/private_key: low
+crypto/ed25519: low
+crypto/public_key: low
+data/encoding/base58: low
+data/encoding/base64: low
+data/encoding/json_decode: low
+data/encoding/json_encode: low
+exec/shell/TERM: low
+exfil/http_headers: high
+exfil/nodejs: medium
+impact/remote_access/agent: medium
+impact/remote_access/heartbeat: medium
+net/http/form_upload: medium
+net/http/post: medium
+net/http/websocket: medium
+net/ip/host_port: medium
+net/socket/send: low
+net/url/embedded: low
+os/time/clock_sleep: medium
+persist/kernel_module/symbol_lookup: low

tests/npm/2024.solana_web3/v1.95.8.index.browser.esm.js.simple

@@ -0,0 +1,21 @@
+# npm/2024.solana_web3/v1.95.8.index.browser.esm.js: high
+anti-static/obfuscation/hex: medium
+credential/ssl/key: high
+credential/ssl/private_key: low
+crypto/ed25519: low
+crypto/public_key: low
+data/encoding/base58: low
+data/encoding/base64: low
+data/encoding/json_decode: low
+data/encoding/json_encode: low
+exec/shell/TERM: low
+impact/remote_access/agent: medium
+impact/remote_access/heartbeat: medium
+net/http/form_upload: medium
+net/http/post: medium
+net/http/websocket: medium
+net/ip/host_port: medium
+net/socket/send: low
+net/url/embedded: low
+os/time/clock_sleep: medium
+persist/kernel_module/symbol_lookup: low

tests/python/2024.ultralytics/v8.3.41/models/yolo/model.py.simple

@@ -0,0 +1,7 @@
+# python/2024.ultralytics/v8.3.41/models/yolo/model.py: high
+c2/tool_transfer/python: medium
+discover/system/platform: medium
+exec/imports/python: low
+exec/program/tmpdir: high
+fs/path/tmp: medium
+net/download: medium

tests/python/2024.ultralytics/v8.3.41/utils/downloads.py.simple

@@ -0,0 +1,28 @@
+# python/2024.ultralytics/v8.3.41/utils/downloads.py: critical
+anti-static/obfuscation/bitwise: low
+c2/addr/url: medium
+c2/tool_transfer/download: medium
+c2/tool_transfer/github: high
+c2/tool_transfer/os: low
+c2/tool_transfer/python: high
+collect/archives/zip: medium
+collect/code/github_api: low
+evasion/self_deletion/run_and_delete: high
+exec/imports/python: low
+exec/program: medium
+exec/shell/command: medium
+exfil/stealer/browser: medium
+exfil/upload: medium
+fs/directory/create: low
+fs/file/delete: low
+fs/file/exists: low
+fs/file/open: low
+fs/permission/modify: high
+net/download/fetch: medium
+net/ip/host_port: high
+net/url/embedded: low
+net/url/parse: low
+net/url/request: medium
+os/fd/write: low
+process/chdir: low
+process/multi: medium

tests/python/2024.ultralytics/v8.3.46/__init__.py.simple

@@ -0,0 +1,17 @@
+# python/2024.ultralytics/v8.3.46/__init__.py: critical
+3P/sig_base/pua_crypto_mining: critical
+c2/tool_transfer/os: low
+c2/tool_transfer/shell: high
+discover/system/platform: medium
+exec/imports/python: low
+exec/program: medium
+exec/shell/background_launcher: high
+exec/shell/nohup: medium
+fs/path/relative: medium
+impact/cryptojacking/generic: high
+impact/cryptojacking/xmrig: high
+net/download: medium
+net/download/fetch: medium
+net/ip/host_port: high
+net/url/embedded: low
+process/chdir: low