chainguard-dev / bincapz

detect malicious program behaviors
Apache License 2.0
387 stars · 24 forks

Add /dev/ rule #148

Closed egibs closed 3 months ago

egibs commented 3 months ago

Closes: https://github.com/chainguard-dev/bincapz/issues/147

I wanted to try my hand at writing some YARA rules -- this PR adds a detection for /dev/ paths while excluding /dev/null and /dev/shm/... since there are already detections for these two paths.

I tested this with `$ go run . --oci python`. For example:

/var/folders/3g/88131l9j11x995ppjbxsvhbh0000gn/T/bincapz-python1263427931/usr/bin/clear [MEDIUM]
-----------------------------------------------------------------------------------
RISK  KEY              DESCRIPTION                            EVIDENCE             
-----------------------------------------------------------------------------------
LOW   env/TERM         Look up or override terminal settings  TERM                 
LOW   ref/path/hidden  possible hidden file path              /usr/lib/debug/.dwz  
MED   ref/path/dev     path reference within /dev             /dev/tty             
-----------------------------------------------------------------------------------

There were a total of 139 matches for this rule in python.

tstromberg commented 3 months ago

Thanks! YARA rules are both fun and frustrating to write :)

I see that this PR is trying to do the right thing within YARA limitations. It's good, but I wanted to share a case where I think we can improve it. If a file contains /dev/null and /dev/stdin, this rule returns nothing:

echo "/dev/null /dev/shm/x /dev/stdin" > /tmp/test
yara -s -w rules/ref/path/dev.yara /tmp/test

I don't know the best way to handle this case in YARA: where you want to exclude a single result, but still allow other matches within a file. Looking at https://github.com/VirusTotal/yara/issues/1452 I'm not sure there is a native way to do this correctly in YARA.

My two suggestions:

* Leave this rule, but update the condition to match if >1 /dev file is found: `$path and #path > 1 or (not dev_null and not dev_shm)`

* Add support to bincapz for a metadata field that lists results to exclude, for instance, `exclude_1 = "/dev/null"`

I'm kind of siding toward the first option, but I think the second is an eventuality. Here's an example of a simplified version of your rule that I think delivers what you might be trying to achieve:

rule dev_path : notable {
    meta:
        description = "path reference within /dev"
    strings:
        $path = /\/dev\/[a-z\.\-\/]+/
        $not_null = "/dev/null"
        $not_shm = "/dev/shm/"
    condition:
        // parentheses are required: YARA's "and" binds tighter than "or", so without
        // them a file with no /dev/ reference at all would satisfy "none of ($not*)"
        $path and (#path > 1 or none of ($not*))
}

What do you think?

tstromberg commented 3 months ago

One last tip: for performance reasons, try to avoid + in regexps when possible, and use alternatives that contain limits, for example {1,16} is probably good in this case. This was something I learned from https://github.com/Neo23x0/YARA-Performance-Guidelines

egibs commented 3 months ago

> My two suggestions:
>
> * Leave this rule, but update the condition to match if >1 /dev file is found: `$path and #path > 1 or (not dev_null and not dev_shm)`
>
> * Add support to bincapz for a metadata field that lists results to exclude, for instance, `exclude_1 = "/dev/null"`
>
> ... What do you think?

I agree with option one for now; though, I do think that option two will make it easier to exclude more nuanced paths in the future. I'll work on implementing your suggestions!

egibs commented 3 months ago

@tstromberg -- addressed your comment(s) in c55036f (#148) and 0adaaaf (#148).

I used `$path and none of ($ignore*)` instead of including `#path > 1`. I also updated the /dev/null expression to match either one or two Ls in null because I saw an interesting output where /dev/nul was showing up, which makes it seem like the trailing character was getting trimmed.

Here's the output prior to me updating the ignore_null expression:

/var/folders/3g/88131l9j11x995ppjbxsvhbh0000gn/T/bincapz-python221071327/usr/bin/find [MEDIUM]
MED   ref/path/dev                     path reference within /dev                    /dev/nul                                        
                                                                                     /dev/stderr                                     
                                                                                     /dev/stdout 

I tried to reproduce this output inside of a container and /dev/nul didn't show up when directly evaluating the YARA rule:

root@712d475f8f6f:~/bincapz# cat rules/ref/path/dev.yara
rule dev_path : notable {
    meta:
        description = "path reference within /dev"
    strings:
        $path = /\/dev\/[a-z\.\-\/]{1,16}/
        $ignore_null = "/dev/null"
        $ignore_shm = "/dev/shm/"
    condition:
        $path and none of ($ignore*)
}
root@712d475f8f6f:~/bincapz# yara -s -w rules/ref/path/dev.yara /usr/bin/find

Maybe some unintended behavior to investigate further?
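To make the exclusion problem from this thread concrete, here is an added Python model (not bincapz's code and not the rule as shipped) of the candidate conditions, evaluated over constructed sample files that include the reviewer's test line. The `filtered_matches` helper is an assumption about how a metadata-driven exclude list applied by the scanner would behave, not an existing bincapz feature.

```python
import re

# The $path regex from the final rule, /\/dev\/[a-z\.\-\/]{1,16}/, in Python syntax.
# The bounded quantifier {1,16} follows the reviewer's tip of avoiding an unbounded "+".
DEV_PATH = re.compile(rb"/dev/[a-z.\-/]{1,16}")

# The two $ignore_* strings from the rule.
IGNORED = (b"/dev/null", b"/dev/shm/")

# Constructed sample inputs; the first is the contents of the reviewer's /tmp/test.
REVIEWER_TEST = b"/dev/null /dev/shm/x /dev/stdin\n"
ONLY_IGNORED = b"/dev/null /dev/shm/x\n"
PLAIN_TTY = b"setterm: /dev/tty\n"


def dev_matches(data: bytes) -> list[bytes]:
    """Every $path hit in the file, the way `yara -s` would list them."""
    return DEV_PATH.findall(data)


def has_ignored(data: bytes) -> bool:
    """Equivalent of `any of ($ignore*)`: a file-wide substring test."""
    return any(s in data for s in IGNORED)


def cond_none_of_ignore(data: bytes) -> bool:
    """Condition merged in the PR: `$path and none of ($ignore*)`.

    Any ignored path anywhere in the file suppresses the whole rule, so a
    file that references both /dev/null and /dev/stdin is reported as clean.
    """
    return bool(dev_matches(data)) and not has_ignored(data)


def cond_count(data: bytes) -> bool:
    """Reviewer's count-based variant: `$path and (#path > 1 or none of ($ignore*))`.

    Catches /dev/null + /dev/stdin, but two ignored paths alone also satisfy
    #path > 1, so it trades the false negative for a false positive.
    """
    hits = dev_matches(data)
    return bool(hits) and (len(hits) > 1 or not has_ignored(data))


def filtered_matches(data: bytes) -> list[bytes]:
    """Per-match exclusion (assumed behaviour of the reviewer's second option,
    an exclude list in rule metadata applied by the scanner): keep each
    $path hit unless it is itself one of the ignored paths."""
    return [h for h in dev_matches(data) if not h.startswith(IGNORED)]


def cond_filtered(data: bytes) -> bool:
    """Rule fires only if at least one non-ignored /dev/ path remains."""
    return bool(filtered_matches(data))


if __name__ == "__main__":
    samples = (("reviewer", REVIEWER_TEST), ("only_ignored", ONLY_IGNORED), ("tty", PLAIN_TTY))
    for name, sample in samples:
        print(f"{name:13} none_of={cond_none_of_ignore(sample)!s:5} "
              f"count={cond_count(sample)!s:5} filtered={filtered_matches(sample)}")
```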

egibs commented 3 months ago

@tstromberg -- I fixed the tests, by the way:

❯ go clean -testcache && make test
go test ./... -v
tstromberg commented 3 months ago

Yay! Thanks for your PR and for sticking through all the rough edges.