Address yara-x compile findings (chainguard-dev#640)

* Address yara-x compile findings Signed-off-by: egibs <[email protected]> * Add CI Job to ensure rules compile cleanly Signed-off-by: egibs <[email protected]> --------- Signed-off-by: egibs <[email protected]>
egibs · Nov 18, 2024 · 16cfd8b · 16cfd8b
1 parent 0209157
commit 16cfd8b
Show file tree

Hide file tree

Showing 139 changed files with 451 additions and 376 deletions.
diff --git a/.github/workflows/style.yaml b/.github/workflows/style.yaml
@@ -15,6 +15,34 @@ on:
       - "main"
 
 jobs:
+  yrcompile:
+    name: check yr compile
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
+      - name: Check out code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Install yara-x
+        run: |
+          wget https://github.com/VirusTotal/yara-x/releases/download/v0.10.0/yara-x-v0.10.0-x86_64-unknown-linux-gnu.gzip -O yara-x.gzip
+          tar -xzvf yara-x.gzip && mv yr /usr/local/bin/ && rm yara-x.gzip
+      - name: Verify yr installation
+        run: |
+          yr --version
+      - name: Run yr compile
+        run: |
+          yr compile rules/
+          ret=$?
+          if [[ $ret -ne 0 ]]; then
+            echo "Rule compilation failed; address findings and commit the changes"
+            exit 1
+          fi
+
   yrfmt:
     name: check yr fmt
     runs-on: ubuntu-latest
@@ -117,22 +145,3 @@ jobs:
           version: v1.62.0
           args: --timeout=5m
 
-  lint:
-    name: Lint
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
-        with:
-          egress-policy: audit
-
-      - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Set up Go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
-        with:
-          go-version-file: go.mod
-          check-latest: true
-
diff --git a/Makefile b/Makefile
@@ -71,6 +71,9 @@ LINTERS += yara-x-fmt
 yara-x-fmt: $(YARA_X_BIN)
 	find rules -type f -name "*.yara" -execdir "$(YARA_X_BIN)" fmt {} \;
 
+yara-x-compile: $(YARA_X_BIN)
+	"$(YARA_X_BIN)" compile ./rules/
+
 .PHONY: _lint $(LINTERS)
 _lint: $(LINTERS)
 

diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive
@@ -266,17 +266,29 @@
                     "ID": "data/compression/bzip2",
                     "RuleName": "bzip2"
                 },
+                {
+                    "Description": "works with gzip files",
+                    "MatchStrings": [
+                        "gzip"
+                    ],
+                    "RiskScore": 1,
+                    "RiskLevel": "LOW",
+                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip",
+                    "ReferenceURL": "https://www.gnu.org/software/gzip/",
+                    "ID": "data/compression/gzip",
+                    "RuleName": "gzip"
+                },
                 {
                     "Description": "works with lzma files",
                     "MatchStrings": [
                         "lzma"
                     ],
                     "RiskScore": 1,
                     "RiskLevel": "LOW",
-                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#gzip",
+                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma",
                     "ReferenceURL": "https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm",
                     "ID": "data/compression/lzma",
-                    "RuleName": "gzip"
+                    "RuleName": "lzma"
                 },
                 {
                     "Description": "Zstandard: fast real-time compression algorithm",
@@ -2118,9 +2130,9 @@
                     ],
                     "RiskScore": 2,
                     "RiskLevel": "MEDIUM",
-                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/connect.yara#listen_tcp",
+                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/connect.yara#connect_tcp",
                     "ID": "net/tcp/connect",
-                    "RuleName": "listen_tcp"
+                    "RuleName": "connect_tcp"
                 },
                 {
                     "Description": "Uses crypto/ssh to connect to the SSH (secure shell) service",
@@ -2336,6 +2348,18 @@
                     "ID": "os/signal/handle",
                     "RuleName": "libc"
                 },
+                {
+                    "Description": "Listen for SIGALRM (timeout) events",
+                    "MatchStrings": [
+                        "ALRM",
+                        "sigaction"
+                    ],
+                    "RiskScore": 0,
+                    "RiskLevel": "NONE",
+                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-ALRM.yara#sigaction_ALRM",
+                    "ID": "os/signal/handle_ALRM",
+                    "RuleName": "sigaction_ALRM"
+                },
                 {
                     "Description": "Listen for SIGHUP (hangup) events",
                     "MatchStrings": [
@@ -2380,9 +2404,9 @@
                     ],
                     "RiskScore": 0,
                     "RiskLevel": "NONE",
-                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-WINCH.yara#sigaction_SIGALRM",
+                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-WINCH.yara#sigaction_WINCH",
                     "ID": "os/signal/handle_WINCH",
-                    "RuleName": "sigaction_SIGALRM"
+                    "RuleName": "sigaction_WINCH"
                 },
                 {
                     "Description": "sigprocmask",

diff --git a/rules/anti-behavior/random_behavior.yara b/rules/anti-behavior/random_behavior.yara
@@ -1,6 +1,6 @@
 import "math"
 
-private rule pythonSetup {
+private rule random_behavior_pythonSetup {
   strings:
     $if_distutils  = /from distutils.core import .{0,32}setup/
     $if_setuptools = /from setuptools import .{0,32}setup/
@@ -26,5 +26,5 @@ rule setuptools_random: critical {
     $not_easy_install = "pid = random.randint(0, sys.maxsize)"
 
   condition:
-    pythonSetup and $ref and none of ($not*)
+    random_behavior_pythonSetup and $ref and none of ($not*)
 }
diff --git a/rules/anti-static/base64/obfuscated_caller.yara b/rules/anti-static/base64/obfuscated_caller.yara
@@ -1,15 +1,18 @@
-rule base64_str_replace: critical {
+rule obfuscated_caller_base64_str_replace: critical {
   meta:
     description = "creatively hidden forms of the term 'base64'"
 
   strings:
     $a = /\wba\ws\we64/
-    $b = /\wb\wa\ws\we\w6\w4/
-    $c = /\wb\wa\wse\w6\w4/
-    $d = "'bas'.'e'.'6'.'4"
-    $e = "'ba'.'se'.'6'.'4"
-    $f = "'b'.'ase'.'6'.'4"
+    $b = /\wb\wa\wse\w6\w4/
+    $c = /\wba\ws\we\w6\w4/
+    $d = /\wb\was\we\w6\w4/
+    $e = /\wb\wa\ws\we6\w4/
+    $f = /\wb\wa\ws\we\w64/
     $g = "'bas'.'e'.'6'.'4"
+    $h = "'ba'.'se'.'6'.'4"
+    $i = "'b'.'ase'.'6'.'4"
+    $j = "'bas'.'e'.'6'.'4"
 
   condition:
     any of them

diff --git a/rules/anti-static/macho/footer.yara b/rules/anti-static/macho/footer.yara
@@ -1,6 +1,6 @@
 import "math"
 
-private rule macho {
+private rule anti_static_macho {
   condition:
     (uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962 or uint32(0) == 3405691583 or uint32(0) == 3216703178)
 }
@@ -14,6 +14,6 @@ rule high_entropy_trailer: high {
     $page_zero = "_PAGEZERO"
 
   condition:
-    filesize < 10MB and macho and $page_zero and math.entropy(filesize - 1024, filesize - 1) >= 4
+    filesize < 10MB and anti_static_macho and $page_zero and math.entropy(filesize - 1024, filesize - 1) >= 4
 }
 
diff --git a/rules/anti-static/obfuscation/hex.yara b/rules/anti-static/obfuscation/hex.yara
@@ -23,7 +23,7 @@ rule hex_parse: medium {
     any of them
 }
 
-rule hex_parse_base64: medium {
+rule hex_convert_from_base64: medium {
   meta:
     description = "converts base64 hex data to ASCII"
 

diff --git a/rules/anti-static/obfuscation/js.yara b/rules/anti-static/obfuscation/js.yara
@@ -96,7 +96,7 @@ rule ebe_generic: high {
     $ref3 = /\>\w{1,3}\(\d{1,3}\)\);\w\[\w{1,3}\(\d{1,3}\)\]\=/
 
   condition:
-    filesize < 5MB and #function and $charCodeAt and (#ref > 5 or #ref2 > 5 or #ref3 > 5)
+    filesize < 5MB and #function > 0 and $charCodeAt and (#ref > 5 or #ref2 > 5 or #ref3 > 5)
 }
 
 rule exec_console_log: critical {
@@ -221,8 +221,8 @@ rule string_prototype_function: high {
     description = "obfuscates function calls via string prototypes"
 
   strings:
-    $ref  = /String\["prototype"\].{1,32} = function\(\) { eval\(this\.toString\(\)\)\;/
-    $ref2 = /String\["prototype"\]\[".{4,64}"\] = function\(\w{1,2}, \w{1,2}\) {/
+    $ref  = /String\["prototype"\].{1,32} = function\(\) \{ eval\(this\.toString\(\)\)\;/
+    $ref2 = /String\["prototype"\]\[".{4,64}"\] = function\(\w{1,2}, \w{1,2}\) \{/
 
   condition:
     any of them

diff --git a/rules/anti-static/obfuscation/php.yara b/rules/anti-static/obfuscation/php.yara
@@ -1,11 +1,18 @@
-rule base64_str_replace: medium {
+rule obfuscation_base64_str_replace: medium {
   meta:
     description = "creatively hidden forms of the term 'base64'"
 
   strings:
-    $a = /ba.s.e64/
-    $b = /b.a.s.6.4/
-    $c = /b.a.se.6.4/
+    $a = /\wba\ws\we64/
+    $b = /\wb\wa\wse\w6\w4/
+    $c = /\wba\ws\we\w6\w4/
+    $d = /\wb\was\we\w6\w4/
+    $e = /\wb\wa\ws\we6\w4/
+    $f = /\wb\wa\ws\we\w64/
+    $g = "'bas'.'e'.'6'.'4"
+    $h = "'ba'.'se'.'6'.'4"
+    $i = "'b'.'ase'.'6'.'4"
+    $j = "'bas'.'e'.'6'.'4"
 
   condition:
     any of them
@@ -54,7 +61,7 @@ rule php_obfuscation: high {
     $o_weevely3          = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/
     $o_c99_launcher      = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/
     $o_ninja             = /base64_decode[^;]+getallheaders/
-    $o_variable_variable = /\${\$[0-9a-zA-z]+}/
+    $o_variable_variable = /\$\{\$[0-9a-zA-z]+\}/
     $o_too_many_chr      = /(chr\([\d]+\)\.){8}/
     $o_var_as_func       = /\$_(GET|POST|COOKIE|REQUEST|SERVER)\s*\[[^\]]+\]\s*\(/
 
@@ -137,7 +144,7 @@ rule php_str_replace_obfuscation: high {
     $o_dynamic_single   = /\$\w {0,2}= \$\w\(/
     $o_single_concat    = /\$\w . \$\w . \$\w ./
     $o_single_set       = /\$\w = \w\(\)\;/
-    $o_recursive_single = /\$\w\( {0,2}\$\w\(/
+    $o_recursive_single = /\$[a-zA-Z_]\w*\(\$[a-zA-Z_]\w*\(/
 
   condition:
     filesize < 65535 and $str_replace and 2 of ($o*)

diff --git a/rules/anti-static/obfuscation/python_setuptools.yara b/rules/anti-static/obfuscation/python_setuptools.yara
@@ -1,6 +1,6 @@
 import "math"
 
-private rule pythonSetup {
+private rule obfuscation_pythonSetup {
   strings:
     $if_distutils  = /from distutils.core import .{0,32}setup/
     $if_setuptools = /from setuptools import .{0,32}setup/
@@ -25,5 +25,5 @@ rule setuptools_builtins: medium {
     $ref = "__builtins__" fullword
 
   condition:
-    pythonSetup and $ref
+    obfuscation_pythonSetup and $ref
 }
diff --git a/rules/anti-static/packer/py_kramer.yara b/rules/anti-static/packer/py_kramer.yara
@@ -1,4 +1,4 @@
-rule pycloak: critical {
+rule kramer: critical {
   meta:
     description = "packed with kramer"
     ref         = "https://github.com/billythegoat356/Kramer"

diff --git a/rules/anti-static/unmarshal/marshal.yara b/rules/anti-static/unmarshal/marshal.yara
@@ -11,7 +11,7 @@ private rule pySetup {
     filesize < 2097152 and $setup and any of ($i*) and none of ($not*)
 }
 
-rule py_marshal: medium {
+rule unmarshal_py_marshal: medium {
   meta:
     description = "reads python values from binary content"
 
@@ -27,5 +27,5 @@ rule setuptools_py_marshal: suspicious {
     description = "Python library installer that reads values from binary content"
 
   condition:
-    pySetup and py_marshal
+    pySetup and unmarshal_py_marshal
 }
diff --git a/rules/c2/addr/ip.yara b/rules/c2/addr/ip.yara
@@ -19,7 +19,7 @@ rule hardcoded_ip: medium {
     filesize < 200MB and 1 of ($sus_ip*) and none of ($not*)
 }
 
-private rule elf_or_macho {
+private rule ip_elf_or_macho {
   condition:
     uint32(0) == 1179403647 or (uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962 or uint32(0) == 3405691583 or uint32(0) == 3216703178)
 }
@@ -45,7 +45,7 @@ rule bin_hardcoded_ip: high {
     $not_send_att          = "3.2.5.7"
 
   condition:
-    filesize < 12MB and elf_or_macho and 1 of ($sus_ip*) and none of ($not*)
+    filesize < 12MB and ip_elf_or_macho and 1 of ($sus_ip*) and none of ($not*)
 }
 
 rule http_hardcoded_ip: high exfil {

diff --git a/rules/c2/connect/bash_tcp.yara b/rules/c2/connect/bash_tcp.yara
@@ -3,7 +3,7 @@ rule bash_tcp: high {
     description = "sends data via /dev/tcp (bash)"
 
   strings:
-    $ref = /[\w \-\<]{0,32}>"{0,1}\/dev\/tcp\/[\$\{\/\:\-\w\"]{0,32}/
+    $ref = /[\w \-\\<]{0,32}>"{0,1}\/dev\/tcp\/[\$\{\/\:\-\w\"]{0,32}/
 
   condition:
     $ref

diff --git a/rules/c2/tool_transfer/macos.yara b/rules/c2/tool_transfer/macos.yara
@@ -1,4 +1,4 @@
-private rule macho {
+private rule tool_transfer_macho {
   strings:
     $not_jar   = "META-INF/"
     $not_dwarf = "_DWARF"
@@ -37,5 +37,5 @@ rule cocoa_bundle_dropper: critical {
     $platform = "isPlatformOrVariantPlatformVersionAtLeast" fullword
 
   condition:
-    macho and $shared and 5 of them
+    tool_transfer_macho and $shared and 5 of them
 }
diff --git a/rules/c2/tool_transfer/python.yara b/rules/c2/tool_transfer/python.yara
@@ -82,7 +82,7 @@ rule py_dropper_chmod: high {
     filesize < 16384 and py_fetcher and py_runner and $chmod and any of ($val*)
 }
 
-private rule pythonSetup {
+private rule tool_transfer_pythonSetup {
   strings:
     $if_distutils  = /from distutils.core import .{0,32}setup/
     $if_setuptools = /from setuptools import .{0,32}setup/
@@ -106,7 +106,7 @@ rule setuptools_fetcher: suspicious {
     description = "setuptools script that fetches content"
 
   condition:
-    pythonSetup and py_fetcher
+    tool_transfer_pythonSetup and py_fetcher
 }
 
 rule setuptools_fetch_run: critical {
@@ -122,7 +122,7 @@ rule setuptools_dropper: critical {
     description = "setuptools script that fetches, stores, and executes programs"
 
   condition:
-    pythonSetup and py_dropper
+    tool_transfer_pythonSetup and py_dropper
 }
 
 rule dropper_imports: high {

diff --git a/rules/c2/tool_transfer/shell.yara b/rules/c2/tool_transfer/shell.yara
@@ -93,7 +93,7 @@ rule sleep_rm: medium {
 
 rule nohup_bash_background: high {
   strings:
-    $ref = /nohup bash [\%\w\/\>]{0,64} &/
+    $ref = /nohup bash [\%\w\/\\>]{0,64} &/
 
   condition:
     filesize < 1MB and any of them

diff --git a/rules/collect/archives/tar-command.yara b/rules/collect/archives/tar-command.yara
@@ -22,7 +22,7 @@ rule local_tar: medium {
     any of ($a*)
 }
 
-rule executable_calls_archive_tool: high {
+rule collect_executable_calls_archive_tool: high {
   meta:
     description = "command shells out to tar"
 

diff --git a/rules/credential/browser/chromium_credit_cards.yara b/rules/credential/browser/chromium_credit_cards.yara
@@ -1,4 +1,4 @@
-rule chromium_master_password: critical {
+rule chromium_credit_cards: critical {
   meta:
     description = "Gets Chromium credit card information"