Resolve datadog-agent kworker false positives (chainguard-dev#300)

* Resolve datadog-agent kworker false positives Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Better handling of ignore_ref Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Update rules/evasion/fake-process-name.yara Signed-off-by: Evan Gibler <20933572+egibs@users.noreply.github.com> * Update rules/evasion/fake-process-name.yara Signed-off-by: Evan Gibler <20933572+egibs@users.noreply.github.com> * Add more precise DataDog process-agent kworker references Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * More specificity Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Consolidate ignores Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Ignore DataDog strings Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Signed-off-by: Evan Gibler <20933572+egibs@users.noreply.github.com> Co-authored-by: Thomas Strömberg <t+github@chainguard.dev>
egibs · Jul 1, 2024 · c7cd2c7 · c7cd2c7
1 parent 4598d16
commit c7cd2c7
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/rules/evasion/fake-process-name.yara b/rules/evasion/fake-process-name.yara
@@ -1,4 +1,3 @@
-
 rule fake_kworker_val : critical {
   meta:
     description = "Pretends to be a kworker kernel thread"
@@ -9,8 +8,10 @@ rule fake_kworker_val : critical {
     $kworker = /\[{0,1}kworker\/[\d:\]]{1,5}/
     $kworker2 = "kworker" fullword
     $kworker3 = "[kworker"
+    // datadog process-agent
+    $ignore_datadog = /[Dd]ata[Dd]og/
   condition:
-    any of them
+    any of ($kworker*) and not $ignore_datadog
 }
 
 rule fake_syslogd : critical {