Address critical false positives for systemd, redpanda, various Python packages, and yarn

Makefile

@@ -3,7 +3,7 @@
 
 
 SAMPLES_REPO ?= chainguard-dev/malcontent-samples
-SAMPLES_COMMIT ?= 2bd3bff19c0253821b3886db65a5059587cac893
+SAMPLES_COMMIT ?= f948cfd0f9d2a35a2452fe43ea4d094979652103
 
 # BEGIN: lint-install ../malcontent
 # http://github.com/tinkerbell/lint-install

rules/anti-behavior/blocklist/user.yara

@@ -37,6 +37,9 @@ rule common_username_block_list: critical {
     $ = "test" fullword
     $ = "w0fjuOVmCcP5A" fullword
 
+    $not_redpanda  = "redpanda"
+    $not_wireshark = "wireshark.org"
+
   condition:
-    8 of them
+    8 of them and none of ($not*)
 }

rules/anti-static/obfuscation/python.yara

@@ -349,8 +349,11 @@ rule rename_base64: critical {
   strings:
     $ref = /import base64 as \w{0,64}/
 
+    $not_open_clip1 = "class ResampledShards2(IterableDataset)"
+    $not_open_clip2 = "class SyntheticDataset(Dataset)"
+
   condition:
-    filesize < 10MB and all of them
+    filesize < 10MB and all of them and none of ($not*)
 }
 
 rule rename_zlib: high {

rules/c2/tool_transfer/python.yara

@@ -129,6 +129,9 @@ private rule tool_transfer_pythonSetup {
     $not_distutils     = "from distutils.errors import"
     $not_dir           = "dist-packages/setuptools"
     $not_fetch         = "fetch_distribution"
+    $not_hopper1       = "PACKAGE_NAME = \"flashattn-hopper\""
+    $not_hopper2       = "check_if_cuda_home_none(\"--fahopper\")"
+    $not_hopper3       = "name=\"flashattn_hopper_cuda\","
 
   condition:
     filesize < 128KB and $setup and any of ($i*) and none of ($not*)
@@ -146,8 +149,13 @@ rule setuptools_fetch_run: critical {
   meta:
     description = "setuptools script that fetches and executes"
 
+  strings:
+    $not_hopper1 = "PACKAGE_NAME = \"flashattn-hopper\""
+    $not_hopper2 = "check_if_cuda_home_none(\"--fahopper\")"
+    $not_hopper3 = "name=\"flashattn_hopper_cuda\","
+
   condition:
-    setuptools_fetcher and py_runner
+    setuptools_fetcher and py_runner and none of ($not*)
 }
 
 rule setuptools_dropper: critical {

rules/evasion/file/location/dev-shm.yara

@@ -25,13 +25,21 @@ rule dev_shm_file: high linux {
     description = "reference file within /dev/shm (world writeable)"
 
   strings:
-    $ref           = /\/dev\/shm\/[\w\.\-\/]{2,64}/ fullword
-    $not_c         = "/dev/shm/%s"
-    $not_shmem     = "shmem" fullword
-    $not_shm_pages = "shm_pages"
-    $not_wasm      = "FS.mkdir(\"/dev/shm/tmp\")"
-    $not_auxfs     = "/dev/shm/aufs"
-    $not_journal   = "/dev/shm/journal"
+    $ref               = /\/dev\/shm\/[\w\.\-\/]{2,64}/ fullword
+    $not_c             = "/dev/shm/%s"
+    $not_shmem         = "shmem" fullword
+    $not_shm_pages     = "shm_pages"
+    $not_wasm          = "FS.mkdir(\"/dev/shm/tmp\")"
+    $not_auxfs         = "/dev/shm/aufs"
+    $not_journal       = "/dev/shm/journal"
+    $not_systemd_test1 = "# Let's try to play games, and link up a privileged PID file"
+    $not_systemd_test2 = "ln -s ../mainpidsh/pid /run/mainpidsh3/pid"
+    $not_systemd_test3 = "/dev/shm/test-mainpid3.sh"
+    $not_yarn1         = "If the package is not specified, Yarn will default to the current workspace."
+    $not_yarn2         = "yarn npm"
+    $not_yarn3         = "@yarnpkg"
+    $not_yarn4         = "YARN_"
+    $not_yarn5         = "b.mkdir(\"/dev/shm/tmp\")"
 
   condition:
     $ref and none of ($not*) and not dev_shm_mkstemp
@@ -44,7 +52,11 @@ rule dev_shm_sh: critical linux {
   strings:
     $ref = /\/dev\/shm\/[\%\w\.\-\/]{0,64}\.sh/
 
+    $not_systemd       = "systemd-run"
+    $not_systemd_test1 = "chmod 755 /dev/shm/test-mainpid3.sh"
+    $not_systemd_test2 = "# This has to fail, as we shouldn't accept the dangerous PID file, and then"
+    $not_systemd_test3 = "# inotify-wait on it to be corrected which we never do."
+
   condition:
-    any of them
+    any of them and none of ($not*)
 }
-

rules/false_positives/wireshark.yara

@@ -0,0 +1,10 @@
+rule wireshark: override {
+  meta:
+    BlackTech_Hipid_str = "low"
+
+  strings:
+    $wireshark = "wireshark"
+
+  condition:
+    filesize < 200MB and #wireshark > 25
+}

rules/false_positives/xdg-open.yara

@@ -0,0 +1,16 @@
+rule xdg_open: override {
+  meta:
+    description                                    = "open"
+    SECUINFRA_SUSP_Powershell_Download_Temp_Rundll = "low"
+
+  strings:
+    $comment = "Utility script to open a URL in the registered default application."
+    $else    = "rundll32.exe url.dll,FileProtocolHandler \"$1\""
+    $local   = "local win_path"
+    $open    = "xdg-open"
+    $wsl     = "open_wsl()"
+
+  condition:
+    // Unfortunately, the redpanda console is about 900MB in size
+    filesize < 1024MB and all of them
+}

rules/impact/remote_access/py_setuptools.yara

@@ -13,6 +13,10 @@ private rule remote_access_pythonSetup {
     $not_setup_quoted  = "\"setup(name="
     $not_distutils     = "from distutils.errors import"
 
+    $not_hopper1 = "PACKAGE_NAME = \"flashattn-hopper\""
+    $not_hopper2 = "check_if_cuda_home_none(\"--fahopper\")"
+    $not_hopper3 = "name=\"flashattn_hopper_cuda\","
+
   condition:
     filesize < 128KB and $setup and any of ($i*) in (0..1024) and none of ($not*)
 }
@@ -200,4 +204,3 @@ rule setuptools_excessive_bitwise_math: critical {
   condition:
     remote_access_pythonSetup and #x > 20
 }
-

rules/impact/remote_access/remote_eval.yara

@@ -15,8 +15,11 @@ rule remote_eval: critical {
     $eval_urllib         = /eval\(urllib\.urlopen\([\(\)\"\'\-\w:\/\.]{0,64}\).read\(\)/
     $exec_urllib         = /exec\(urllib\.urlopen\([\(\)\"\'\-\w:\/\.]{0,64}\).read\(\)/
 
+    $not_open_clip1 = "class ResampledShards2(IterableDataset)"
+    $not_open_clip2 = "class SyntheticDataset(Dataset)"
+
   condition:
-    filesize < 65535 and $http and any of ($e*)
+    filesize < 65535 and $http and any of ($e*) and none of ($not*)
 }
 
 rule remote_eval_close: high {
@@ -117,4 +120,3 @@ rule java_http_replacement_class: high java {
   condition:
     all of them
 }
-

rules/impact/remote_access/reverse_shell.yara

@@ -56,8 +56,13 @@ rule perl_reverse_shell: critical {
     $redir_single = "'>&"
     $sh_i         = "sh -i"
 
+    $not_yarn1 = "If the package is not specified, Yarn will default to the current workspace."
+    $not_yarn2 = "yarn npm"
+    $not_yarn3 = "@yarnpkg"
+    $not_yarn4 = "YARN_"
+
   condition:
-    $socket and $open and any of ($redir*) and $sh_i
+    $socket and $open and any of ($redir*) and $sh_i and none of ($not*)
 }
 
 rule go_reverse_shell: high {

tests/javascript/clean/yarn-3.8.7.cjs.simple

@@ -0,0 +1,73 @@
+# javascript/clean/yarn-3.8.7.cjs: medium
+anti-static/obfuscation/bitwise: medium
+anti-static/obfuscation/hex: medium
+anti-static/obfuscation/js: medium
+c2/addr/ip: medium
+c2/tool_transfer/arch: low
+c2/tool_transfer/github: medium
+c2/tool_transfer/os: medium
+collect/databases/mysql: medium
+collect/databases/postgresql: medium
+collect/databases/sqlite: medium
+credential/password: low
+data/compression/gzip: low
+data/compression/zlib: low
+data/embedded/base64: medium
+data/embedded/base64_terms: medium
+data/embedded/html: medium
+data/encoding/base64: low
+data/encoding/json_decode: low
+data/encoding/json_encode: low
+discover/network/interface_list: medium
+discover/process/parent: low
+discover/process/working_directory: low
+discover/system/platform: medium
+discover/user/USER: low
+discover/user/USERPROFILE: low
+discover/user/name_get: medium
+evasion/file/location/dev_shm: medium
+exec/plugin: low
+exec/program: medium
+exec/shell/TERM: low
+exec/shell/exec: medium
+fs/directory/create: low
+fs/directory/list: low
+fs/directory/remove: low
+fs/file/copy: medium
+fs/file/delete: low
+fs/file/delete_forcibly: medium
+fs/file/read: low
+fs/file/stat: low
+fs/file/times_set: medium
+fs/file/truncate: low
+fs/file/write: low
+fs/link_read: low
+fs/lock_update: low
+fs/mount: low
+fs/node_create: low
+fs/path/home: low
+fs/path/usr_bin: low
+fs/permission/chown: low
+fs/permission/modify: medium
+fs/symlink_resolve: low
+impact/remote_access/reverse_shell: medium
+net/dns/txt: low
+net/http/accept: medium
+net/http/auth: low
+net/http/cookies: medium
+net/http/form_upload: medium
+net/http/post: medium
+net/http/proxy: low
+net/ip/host_port: medium
+net/resolve/hostname: low
+net/socket/listen: medium
+net/socket/send: low
+net/tcp/ssh: medium
+net/url/embedded: low
+net/url/encode: medium
+net/url/parse: low
+net/url/request: medium
+os/env/get: low
+os/fd/read: low
+os/fd/write: low
+process/chdir: low

tests/linux/clean/TEST-07-PID1.main-PID-change.sh.simple

@@ -0,0 +1,8 @@
+# linux/clean/TEST-07-PID1.main-PID-change.sh: medium
+evasion/file/location/dev_shm: medium
+exec/system_controls/systemd: medium
+fs/file/make_executable: medium
+fs/path/tmp: medium
+fs/path/usr_bin: low
+fs/permission/modify: medium
+fs/watch: low

tests/python/clean/hopper/setup.py.simple

@@ -0,0 +1,14 @@
+# python/clean/hopper/setup.py: medium
+c2/tool_transfer/arch: low
+c2/tool_transfer/download: medium
+discover/system/platform: medium
+discover/user/HOME: low
+exec/imports/python: low
+exec/program: medium
+fs/directory/create: low
+fs/file/exists: low
+fs/file/open: low
+net/url/embedded: low
+net/url/parse: low
+net/url/request: medium
+os/fd/read: low

tests/python/clean/numcodecs/base64.py.simple

@@ -0,0 +1,5 @@
+# python/clean/numcodecs/base64.py: medium
+data/base64/decode: medium
+data/base64/encode: medium
+data/encoding/base64: low
+exec/imports/python: low

tests/python/clean/open_clip_train/data.py.simple

@@ -0,0 +1,9 @@
+# python/clean/open_clip_train/data.py: medium
+exec/imports/python: low
+exec/remote_commands/code_eval: medium
+fs/file/exists: low
+fs/file/read: low
+net/download: medium
+net/url/embedded: low
+os/fd/read: low
+process/multi: medium