

Address false positives with google-cloud-sdk (chainguard-dev#388)
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
egibs authored Jul 30, 2024
1 parent ac3ac77 commit 88b45ca
Showing 2 changed files with 12 additions and 3 deletions.
6 changes: 6 additions & 0 deletions rules/combo/backdoor/py_setuptools.yara
Expand Up @@ -24,6 +24,7 @@ rule setuptools_cmd_exec : suspicious {
$f_subprocess = /subprocess.\w{0,32}\([\"\'\/\w\ \-\)]{0,64}/
$not_comment = "Editable install to a prefix should be discoverable."
$not_egg_info_requires = "os.path.join(egg_info_dir, 'requires.txt')"
$not_requests = "'Documentation': 'https://requests.readthedocs.io'"
condition:
pythonSetup and any of ($f*) and none of ($not*)
}
Expand All @@ -34,7 +35,12 @@ rule setuptools_eval : critical {
strings:
$f_sys_val = /eval\([\"\'\w\ \-\)\/]{0,64}/ fullword
$f_subprocess_val = /exec\([\"\'\/\w\ \-\)]{0,64}/ fullword
$not_apache = "# Licensed under the Apache License, Version 2.0 (the \"License\")"
$not_comment = "Editable install to a prefix should be discoverable."
$not_google = /# Copyright [1-2][0-9]{3} Google Inc/
$not_idna = "A library to support the Internationalised Domain Names in Applications"
$not_idna2 = "(IDNA) protocol as specified in RFC 5890 et.al."
$not_requests = "'Documentation': 'https://requests.readthedocs.io'"
$not_test_egg_class = "class TestEggInfo"
condition:
pythonSetup and any of ($f*) and none of ($not*)
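Review bot: The `$not_apache` and `$not_google` strings added to setuptools_eval in the second hunk are generic license and copyright boilerplate rather than anything specific to google-cloud-sdk, and because the condition stays `none of ($not*)`, either one on its own now suppresses this critical rule for any setup.py that carries such a header (no markers or gutter numbers survive on this page, so which lines are new is inferred from the 6-addition diffstat). Narrowing the exclusion so the two boilerplate markers only count together keeps the false-positive fix while leaving a lone license line insufficient, e.g. `pythonSetup and any of ($f*) and none of ($not_comment, $not_idna*, $not_requests, $not_test_egg_class) and not ($not_apache and $not_google)`. The same consideration applies to `$not_requests` in the first hunk, which is a single metadata line shared by every package that vendors requests' setup.py. Both rules' meta sections and opening lines are outside the hunks.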
9 changes: 6 additions & 3 deletions rules/combo/backdoor/remote_eval.yara
Expand Up @@ -57,10 +57,13 @@ rule python_exec_near_get : critical {
hash_2024_xFileSyncerx_xfilesyncerx = "c68e907642a8462c6b82a50bf4fde82bbf71245ab4edace246dd341dc72e5867"
hash_2024_2024_d3duct1v_xfilesyncerx = "b87023e546bcbde77dae065ad3634e7a6bd4cc6056167a6ed348eee6f2a168ae"
strings:
$exec = "exec("
$requests = /[a-z]{1,4}.get\(/ fullword
$f_exec = "exec("
$f_requests = /[a-z]{1,4}.get\(/ fullword
$not_pyparser = "All of the heavy"
$not_pyparser2 = "lifting is handled by pyparsing (http://pyparsing.sf.net)."
$not_sparser = "sparser.py [options] filename"
condition:
all of them and math.abs(@requests - @exec) <= 32
all of ($f*) and math.abs(@f_requests - @f_exec) <= 32 and none of ($not*)
}

rule python_eval_near_get : critical {
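Review bot: The new condition `all of ($f*) and math.abs(@f_requests - @f_exec) <= 32 and none of ($not*)` only compares the first occurrence of each string, so a file with several `.get(` calls where the `exec(` sits near a later one is not matched, and the same was true of the line it replaces. Since the rename to `$f_*` already rewrites this line, it would be a good moment to iterate over all offsets: `all of ($f*) and none of ($not*) and for any i in (1..#f_exec) : (for any j in (1..#f_requests) : (math.abs(@f_exec[i] - @f_requests[j]) <= 32))`. Separately, the unescaped `.` in `$f_requests = /[a-z]{1,4}.get\(/` matches any character rather than a literal dot, which looks unintended and would be `\.get\(`. The enclosing rule python_exec_near_get starts before the hunk, and python_eval_near_get at the hunk's end continues past it.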

