Rule tuning to decrease false-positives on Fedora (#598)

* Reduce Fedora false-positives

* Reduce Fedora false-positives

* update tests

* update testdata

* split the dev_* rules

rules/c2/addr/ip.yara

@@ -6,38 +6,40 @@ rule hardcoded_ip: medium {
     hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151"
 
   strings:
-    $ipv4          = /([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}/ fullword
-    $not_localhost = "127.0.0.1"
-    $not_broadcast = "255.255.255.255"
-    $not_upnp      = "239.255.255.250"
-    $not_weirdo    = "635.100.12.38"
-    $not_incr      = "10.11.12.13"
-    $not_169       = "169.254.169.254"
-    $not_spyder    = "/search/spider"
-    $not_ruby      = "210.251.121.214"
+    // strict: excludes 255.* and *.0.* *.1.*
+    $sus_ipv4           = /((25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])\.){3}(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])/ fullword
+    $not_version        = /((25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])\.){3}(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])[\.\-]/
+    $not_incr           = "10.11.12.13"
+    $not_169            = "169.254.169.254"
+    $not_spyder         = "/search/spider"
+    $not_ruby           = "210.251.121.214"
+    $not_1_2_3_4        = "1.2.3.4"
+    $not_root_servers_h = "128.63.2.53"
+    $not_root_servers_i = "192.36.148.17"
 
   condition:
-    1 of ($ip*) and none of ($not*)
+    filesize < 200MB and 1 of ($sus_ip*) and none of ($not*)
 }
 
 rule elf_hardcoded_ip: high {
   meta:
-    description              = "hardcoded IP address"
+    description              = "ELF with hardcoded IP address"
     hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74"
     hash_2024_Downloads_0fa8 = "503fcf8b03f89483c0335c2a7637670c8dea59e21c209ab8e12a6c74f70c7f38"
     hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151"
 
   strings:
-    $ipv4          = /([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}/ fullword
-    $not_localhost = "127.0.0.1"
-    $not_broadcast = "255.255.255.255"
-    $not_upnp      = "239.255.255.250"
-    $not_weirdo    = "635.100.12.38"
-    $not_incr      = "10.11.12.13"
-    $not_169       = "169.254.169.254"
-    $not_spyder    = "/search/spider"
-    $not_ruby      = "210.251.121.214"
+    // stricter version of what's above: excludes 255.* and *.0.* *.1.*
+    $sus_ipv4           = /((25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])\.){3}(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])/ fullword
+    $not_version        = /((25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])\.){3}(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])[\.\-]/
+    $not_incr           = "10.11.12.13"
+    $not_169            = "169.254.169.254"
+    $not_spyder         = "/search/spider"
+    $not_ruby           = "210.251.121.214"
+    $not_1_2_3_4        = "1.2.3.4"
+    $not_root_servers_h = "128.63.2.53"
+    $not_root_servers_i = "192.36.148.17"
 
   condition:
-    filesize < 4MB and uint32(0) == 1179403647 and 1 of ($ip*) and none of ($not*)
+    filesize < 12MB and uint32(0) == 1179403647 and 1 of ($sus_ip*) and none of ($not*)
 }

rules/c2/addr/url-unusual.yara

@@ -19,6 +19,7 @@ rule exotic_tld: high {
     $not_nips        = "nips.cc"
     $not_gov_bd      = ".gov.bd"
     $not_eol         = "endoflife.date"
+    $not_whois       = "bdia.btcl.com.bd"
 
   condition:
     filesize < 10MB and any of ($http*) and none of ($not_*)

rules/discover/ip/public_ip.yara

@@ -20,6 +20,17 @@ rule iplookup_website: high {
     $ipinfo      = "ipinfo.io"
     $check_ip    = "checkip.amazonaws.com"
 
+  condition:
+    filesize < 250MB and any of them
+}
+
+rule v6_ipinfo_website: override {
+  meta:
+    iplookup_website = "medium"
+
+  strings:
+    $v6 = "v6.ipinfo.io"
+
   condition:
     any of them
 }

rules/evasion/covert-location/dev-mqueue.yara

@@ -0,0 +1,11 @@
+rule dev_mqueue: medium {
+  meta:
+    description = "path reference within /dev/mqueue (world writeable)"
+
+  strings:
+    $mqueue = /\/dev\/mqueue[%\w\.\-\/]{0,64}/
+
+  condition:
+    any of them
+}
+

rules/evasion/hidden_paths/dev-shm.yara → rules/evasion/covert-location/dev-shm.yara

@@ -33,6 +33,8 @@ rule dev_shm_file: high linux {
     $not_shmem     = "shmem" fullword
     $not_shm_pages = "shm_pages"
     $not_wasm      = "FS.mkdir(\"/dev/shm/tmp\")"
+    $not_auxfs     = "/dev/shm/aufs"
+    $not_journal   = "/dev/shm/journal"
 
   condition:
     $ref and none of ($not*) and not dev_shm_mkstemp
@@ -52,17 +54,3 @@ rule dev_shm_sh: critical linux {
     any of them
 }
 
-rule dev_shm_hidden: critical linux {
-  meta:
-    description                          = "path reference within /dev/shm (world writeable)"
-    hash_2023_OK_ad69                    = "ad69e198905a8d4a4e5c31ca8a3298a0a5d761740a5392d2abb5d6d2e966822f"
-    hash_2023_OrBit_f161                 = "f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8"
-    hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97"
-
-  strings:
-    $dev_shm        = /\/dev\/shm\/\.[\%\w\.\-\/]{0,64}/
-    $ignore_mkstemp = /\/dev\/shm\/[%\w\.\-\/]{0,64}X{6}/
-
-  condition:
-    $dev_shm and not $ignore_mkstemp
-}

rules/evasion/hidden_paths/dev-mqueue.yara → rules/evasion/hidden_paths/dev_mqueue.yara

@@ -1,14 +1,3 @@
-rule dev_mqueue: medium {
-  meta:
-    description = "path reference within /dev/mqueue (world writeable)"
-
-  strings:
-    $mqueue = /\/dev\/mqueue[%\w\.\-\/]{0,64}/
-
-  condition:
-    any of them
-}
-
 rule dev_mqueue_hidden: high {
   meta:
     description = "path reference within /dev/mqueue (world writeable)"

rules/evasion/hidden_paths/dev_shm.yara

@@ -0,0 +1,14 @@
+rule dev_shm_hidden: critical linux {
+  meta:
+    description                          = "hidden path reference within /dev/shm (world writeable)"
+    hash_2023_OK_ad69                    = "ad69e198905a8d4a4e5c31ca8a3298a0a5d761740a5392d2abb5d6d2e966822f"
+    hash_2023_OrBit_f161                 = "f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8"
+    hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97"
+
+  strings:
+    $dev_shm        = /\/dev\/shm\/\.[\%\w\.\-\/]{0,64}/
+    $ignore_mkstemp = /\/dev\/shm\/[%\w\.\-\/]{0,64}X{6}/
+
+  condition:
+    $dev_shm and not $ignore_mkstemp
+}

rules/evasion/hidden_paths/x11.yara

@@ -9,3 +9,16 @@ rule hidden_x11: high linux {
   condition:
     filesize < 10MB and all of them
 }
+
+rule X11: override {
+  meta:
+    hidden_x11 = "low"
+
+  strings:
+    $usr_share = "/usr/share/X11"
+    $X11Gray   = "X11Gray"
+    $X11_space = "/etc/X11/"
+
+  condition:
+    filesize < 10MB and any of them
+}

rules/exec/shell/busybox-exec.yara

@@ -1,8 +1,6 @@
 rule busybox_runner: medium linux {
   meta:
-    hash_2023_Unix_Dropper_Mirai_0e91 = "0e91c06bb84630aba38e9c575576b46240aba40f36e6142c713c9d63a11ab4bb"
-    hash_2023_Unix_Dropper_Mirai_4d50 = "4d50bee796cda760b949bb8918881b517f4af932406307014eaf77d8a9a342d0"
-    hash_2023_Unix_Dropper_Mirai_56ca = "56ca15bdedf9751f282b24d868b426b76d3cbd7aecff5655b60449ef0d2ca5c8"
+    description = "runs busybox programs"
 
   strings:
     $ref = /\/bin\/busybox \w{2,16}[ \/\w\.]{0,64}/
@@ -13,12 +11,10 @@ rule busybox_runner: medium linux {
 
 rule busybox_runner_high: high linux {
   meta:
-    hash_2023_Unix_Dropper_Mirai_0e91 = "0e91c06bb84630aba38e9c575576b46240aba40f36e6142c713c9d63a11ab4bb"
-    hash_2023_Unix_Dropper_Mirai_4d50 = "4d50bee796cda760b949bb8918881b517f4af932406307014eaf77d8a9a342d0"
-    hash_2023_Unix_Dropper_Mirai_56ca = "56ca15bdedf9751f282b24d868b426b76d3cbd7aecff5655b60449ef0d2ca5c8"
+    description = "small program that runs atypical busybox programs"
 
   strings:
-    $ref           = /\/bin\/busybox \w{2,16}[ \/\w\.]{0,64}/
+    $ref           = /\/bin\/busybox \w{4,16}[ \/\w\.]{0,64}/
     $not_cgroup    = "cgroup" fullword
     $not_container = "container" fullword
     $not_ixr       = "busybox ixr"

rules/exfil/stealer/ssh.yara

@@ -1,6 +1,6 @@
-rule tar_ssh_net: high {
+rule tar_ssh_net: medium {
   meta:
-    description                         = "possible SSH stealer"
+    description                         = "possible tar-based SSH stealer"
     hash_2023_Downloads_6e35            = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
     hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
     hash_2023_Qubitstrike_mi            = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
@@ -14,13 +14,15 @@ rule tar_ssh_net: high {
     $z_tar    = "tar" fullword
     $z_xargs  = "xargs cat"
 
+    $not_auth_keys = ".ssh/authorized_keys"
+
   condition:
-    filesize < 10MB and $h and any of ($s*) and any of ($z*)
+    filesize < 10MB and $h and any of ($s*) and any of ($z*) and none of ($not*)
 }
 
 rule curl_https_ssh: high {
   meta:
-    description = "possible SSH stealer"
+    description = "possible curl-based SSH stealer"
 
   strings:
     $curl   = "curl" fullword

rules/false_positives/flatpak.yara

@@ -0,0 +1,11 @@
+rule flatpak: override {
+  meta:
+    description = "flatpak"
+    lvt_locker  = "medium"
+
+  strings:
+    $flatpak = "FLATPAK_BINARY" fullword
+
+  condition:
+    filesize < 3MB and any of them
+}

rules/false_positives/virtualbox.yara

@@ -0,0 +1,11 @@
+rule virtualbox_override: override {
+  meta:
+    description   = "VirtualBox"
+    backdoor_caps = "low"
+
+  strings:
+    $ref = "GROUP_DEV_VMM_BACKDOOR"
+
+  condition:
+    filesize < 1MB and any of them
+}

rules/fs/permission/permission-modify-dangerous.yara

@@ -21,6 +21,7 @@ rule chmod_dangerous_exec: high exfil {
     $not_chmod_1777  = "chmod 1777"
     $not_chmod_01777 = "chmod 01777"
     $not_chromium    = "CHROMIUM_TIMESTAMP"
+    $not_var_tmp     = "chmod 0777 /var/tmp" fullword
 
   condition:
     filesize < 50MB and $ref and none of ($not*)

rules/fs/proc/pid-exe.yara

@@ -13,3 +13,14 @@ rule proc_exe: high {
   condition:
     any of them
 }
+
+rule legit_proc_exec: override {
+  meta:
+    proc_exe = "medium"
+
+  strings:
+    $string = "Fastfetch" fullword
+
+  condition:
+    filesize < 3MB and any of them
+}

rules/hw/dev/mem.yara

@@ -1,4 +1,4 @@
-rule dev_mem: high linux {
+rule dev_mem: medium linux {
   meta:
     capability                           = "CAP_SYS_RAWIO"
     description                          = "access raw system memory"
@@ -13,7 +13,7 @@ rule dev_mem: high linux {
     $not_no     = "no /dev/mem" fullword
 
   condition:
-    uint32(0) == 1179403647 and $val and none of ($not*)
+    filesize < 10MB and uint32(0) == 1179403647 and $val and none of ($not*)
 }
 
 rule comsvcs_minidump: high windows {

rules/impact/cryptojacking/generic.yara

@@ -27,7 +27,6 @@ rule danger_crypto_miner: high {
     $miner_url       = "miner_url"
     $cryptonight     = "Cryptonight"
     $minergate       = "minergate"
-    $_miner_         = "_miner_"
 
   condition:
     filesize < 10485760 and 1 of them

rules/impact/degrade/linux_paths.yara

@@ -22,7 +22,7 @@ rule linux_critical_system_paths: medium {
     $proc_self_cgroup  = "/proc/self/cgroup"
     $p_lib             = "/usr/lib/x86_64-linux-gnu/"
     $p_lib_ld          = "/lib64/ld-linux-x86-64.so.2"
-    $p_sys             = /\/sys\/(devices|class)[\w\/\.\-]{0,32}/
+    $p_dev_sys         = /\/sys\/devices\/system\/(cpu|node)\/[\w\/\.\-]{0,32}/
     $p_sysctl          = /sysctl[ -a-z]{0,32}/
     $p_dev_watchdog    = "/dev/watchdog"
     $p_ps              = "/usr/bin/ps"
@@ -31,7 +31,7 @@ rule linux_critical_system_paths: medium {
     $p_dev_shm         = "/dev/shm"
 
   condition:
-    filesize < 120MB and any of ($p_etc*) and 5 of ($p*)
+    filesize < 120MB and any of ($p_etc*) and 40 % of ($p*)
 }
 
 rule linux_critical_system_paths_small_elf: high {
@@ -49,7 +49,7 @@ rule linux_critical_system_paths_small_elf: high {
     $p_etc_selinux     = /\/etc\/selinux[\w\/\.\-]{0,32}/
     $p_etc_systemd     = /\/etc\/systemd[\w\/\.\-]{0,32}/
     $p_etc_preload     = "/etc/ld.so.preload"
-    $p_ld_so_cache     = "/etc/ld.so.cache"
+    $p_etc_ld_so_cache = "/etc/ld.so.cache"
     $p_var_run         = /\/var\/run[\w\/\.\-]{0,32}/
     $p_var_log         = /\/var\/log[\w\/\.\-]{0,32}/
     $p_usr_libexec     = /\/usr\/libexec[\w\/\.\-]{0,32}/
@@ -61,7 +61,7 @@ rule linux_critical_system_paths_small_elf: high {
     $proc_self_cgroup  = "/proc/self/cgroup"
     $p_lib             = "/usr/lib/x86_64-linux-gnu/"
     $p_lib_ld          = "/lib64/ld-linux-x86-64.so.2"
-    $p_sys             = /\/sys\/(devices|class)[\w\/\.\-]{0,32}/
+    $p_dev_sys         = /\/sys\/devices\/system\/(cpu|node)\/[\w\/\.\-]{0,32}/
     $p_sysctl          = /sysctl[ -a-z]{0,32}/
     $p_dev_watchdog    = "/dev/watchdog"
     $p_ps              = "/usr/bin/ps"
@@ -71,9 +71,10 @@ rule linux_critical_system_paths_small_elf: high {
 
     $not_vim     = "VIMRUNTIME" fullword
     $not_systemd = "SYSTEMD_OS_RELEASE"
+    $not_vio     = "/sys/devices/vio"
 
   condition:
-    filesize < 10MB and uint32(0) == 1179403647 and any of ($p_etc*) and 5 of ($p*) and none of ($not*)
+    filesize < 2MB and uint32(0) == 1179403647 and any of ($p_etc*) and 40 % of ($p*) and none of ($not*)
 }
 
 rule linux_critical_system_paths_small_shell: high {
@@ -112,5 +113,5 @@ rule linux_critical_system_paths_small_shell: high {
     $p_dev_shm         = "/dev/shm"
 
   condition:
-    filesize < 64KB and $hash_bang in (0..2) and any of ($p_etc*) and 5 of ($p*)
+    filesize < 64KB and $hash_bang in (0..2) and any of ($p_etc*) and 40 % of ($p*)
 }

rules/impact/ransom/linux.yara

@@ -34,7 +34,6 @@ rule linux_syscalls: high {
 
   strings:
     $e_Encrypt     = "ENCRYPT"
-    $e_crypto      = "crypto"
     $e_encrypt     = "encrypt"
     $e_chacha      = "chacha20"
     $e_Processed   = "Processed:"
@@ -56,8 +55,16 @@ rule linux_syscalls: high {
     $f_rename   = "rename" fullword
     $f_atoi     = "atoi" fullword
 
+    $not_getgid     = "getgid" fullword
+    $not_strtol     = "strtol" fullword
+    $not_dlopen     = "dlopen" fullword
+    $not_setenv     = "setenv" fullword
+    $not_asctime    = "asctime" fullword
+    $not_inet_ntop  = "inet_ntop" fullword
+    $not_getifaddrs = "getifaddrs" fullword
+
   condition:
-    filesize < 1MB and uint32(0) == 1179403647 and $f_readdir and 85 % of ($f*) and any of ($e*)
+    filesize < 1MB and uint32(0) == 1179403647 and $f_readdir and 85 % of ($f*) and any of ($e*) and none of ($not*)
 }
 
 rule conti_alike: high posix {

rules/privesc/sudoers.yara

@@ -22,3 +22,14 @@ rule small_elf_sudoer: high {
   condition:
     uint32(0) == 1179403647 and filesize < 10MB and sudo_editor
 }
+
+rule sudo_parser: override {
+  meta:
+    small_elf_sudoer = "medium"
+
+  strings:
+    $parse = "sudo_parse"
+
+  condition:
+    uint32(0) == 1179403647 and filesize < 10MB and all of them
+}