From b05715932c8ceaa9b1a4d8750606844e8dff6390 Mon Sep 17 00:00:00 2001
From: Evan Gibler <20933572+egibs@users.noreply.github.com>
Date: Fri, 19 Jul 2024 13:31:04 -0500
Subject: [PATCH] More /dev/tcp rule tweaks for GitLab healthcheck script (#372)

* More /dev/tcp rule tweaks for GitLab healthcheck script

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Refresh test data

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 rules/shell/bash_dev_tcp.yara | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/rules/shell/bash_dev_tcp.yara b/rules/shell/bash_dev_tcp.yara
index 4aa023bf8..31f0b6368 100644
--- a/rules/shell/bash_dev_tcp.yara
+++ b/rules/shell/bash_dev_tcp.yara
@@ -8,8 +8,11 @@ rule bash_dev_tcp : high exfil {
   strings:
     $ref = "/dev/tcp"
     $posixly_correct = "POSIXLY_CORRECT"
+    $not_comment = "# Check that both our processes are running on their tcp port"
+    $not_get = /GET \/ HTTP\/1.1\n{1,2} >/
+    $not_localhost_8080 = "/dev/tcp/127.0.0.1/8080"
   condition:
-    $ref and not $posixly_correct
+    $ref and not $posixly_correct and none of ($not*)
 }
@@ -19,8 +22,8 @@ rule bash_dev_tcp_hardcoded_ip : critical {
   strings:
     $dev_tcp = /\/dev\/tcp\/[\w\.]{8,16}\/\d{1,6}/
     $not_comment = "# Check that both our processes are running on their tcp port"
-    $not_get = "GET / HTTP/1.1 >"
+    $not_get = /GET \/ HTTP\/1.1\n{1,2} >/
     $not_localhost_8080 = "/dev/tcp/127.0.0.1/8080"
   condition:
-    $dev_tcp and none of ($not_*)
+    $dev_tcp and none of ($not*)
 }
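Review bot: The new `none of ($not*)` clause in bash_dev_tcp suppresses the whole rule as soon as any one of the three allowlist literals appears anywhere in the file, so a script that opens /dev/tcp to an arbitrary host is no longer flagged if it also happens to contain the string `/dev/tcp/127.0.0.1/8080` or the healthcheck comment; the same file-wide suppression applies to the `$not*` condition in the second hunk (bash_dev_tcp_hardcoded_ip). A count-based exclusion keeps the false-positive fix without letting one benign literal silence the rule: `$ref and not $posixly_correct and #ref > #not_localhost_8080` here, and `$dev_tcp and #dev_tcp > #not_localhost_8080` in the second rule, since every `/dev/tcp/127.0.0.1/8080` occurrence is also a `$ref` match and a `$dev_tcp` match, so the rule then fires only when there is a /dev/tcp reference beyond the known localhost one. With that, `$not_comment` and `$not_get` would no longer be needed as conditions and could be dropped. Either way, a short comment above the allowlist strings naming what they exclude (e.g. `// known-benign: GitLab healthcheck script, see #372`) would tell the next maintainer why these literals are there.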