Closed egibs closed 3 months ago
Thanks! YARA rules are both fun and frustrating to write :)
I see that this PR is trying to do the right thing within YARA limitations. It's good, but I wanted to share a case where I think we can improve it. If a file contains /dev/null and /dev/stdin, this rule returns nothing:
echo "/dev/null /dev/shm/x /dev/stdin" > /tmp/test
yara -s -w rules/ref/path/dev.yara /tmp/test
I don't know the best way to handle this case in yara: where you want to exclude a single result, but still allow other matches within a file. Looking at https://github.com/VirusTotal/yara/issues/1452 I'm not sure there is a native way to do this correctly in YARA.
My two suggestions:
* Leave this rule, but update the condition to match if >1 /dev file is found: `$path and #path > 1 or (not dev_null and not dev_shm)`
* Add support to bincapz for a metadata field that lists results to exclude, for instance, `exclude_1 = "/dev/null"`
I'm kind of siding toward the first option, but I think the second is an eventuality. Here's an example of a simplified version of your rule that I think delivers what you might be trying to achieve:
rule dev_path : notable {
  meta:
    description = "path reference within /dev"
  strings:
    $path = /\/dev\/[a-z\.\-\/]+/
    $not_null = "/dev/null"
    $not_shm = "/dev/shm/"
  condition:
    // parenthesized so that $path is always required: without the parentheses
    // "and" binds tighter than "or" and "none of ($not*)" alone would match
    // any file with no /dev reference at all
    $path and (#path > 1 or none of ($not*))
}
What do you think?
One last tip: for performance reasons, try to avoid + in regexps when possible, and use alternatives that contain limits, for example {1,16} is probably good in this case. This was something I learned from https://github.com/Neo23x0/YARA-Performance-Guidelines
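As an added illustration of the two points above (excluding specific strings from an otherwise generic match, and bounding the regex quantifier), here is a YARA rule that is not part of this PR or of bincapz. It uses match offsets (`@path[i]`) to drop only the individual `/dev/` hits that start at the same offset as an excluded string, so a file containing `/dev/null`, `/dev/shm/x` and `/dev/stdin` still fires on `/dev/stdin`. The strings are the ones from the rule above; the rule name and the `#ignore_... == 0` guards (which keep the inner `for all` loops from ever running over an empty range) are my choices.

```yara
// Added example, not the project's rule: match a /dev path, but ignore
// individual hits that coincide with a known-benign string. Both the
// $path regex and the $ignore_* strings begin with "/dev/", so a hit and
// its exclusion always share the same start offset.
rule dev_path_per_match_exclusion : notable {
  meta:
    description = "path reference within /dev, excluding /dev/null and /dev/shm/ per match"
  strings:
    // bounded quantifier instead of +, per the performance tip above
    $path = /\/dev\/[a-z\.\-\/]{1,16}/
    $ignore_null = "/dev/null"
    $ignore_shm = "/dev/shm/"
  condition:
    $path and
    // true as soon as one $path hit is not covered by any exclusion
    for any i in (1..#path) : (
      (#ignore_null == 0 or
        for all j in (1..#ignore_null) : (@path[i] != @ignore_null[j]))
      and
      (#ignore_shm == 0 or
        for all k in (1..#ignore_shm) : (@path[i] != @ignore_shm[k]))
    )
}
```

With the test file from the comment above (`/dev/null /dev/shm/x /dev/stdin`), the rule matches because of the third hit, while a file whose only /dev references are `/dev/null` and `/dev/shm/...` does not match at all. Two caveats: `yara -s` still prints every `$path` string match of a matched rule, including the excluded ones, since the filtering happens in the condition rather than in string matching; and a hit such as `/dev/nullfoo` is excluded too, because `$ignore_null` starts at the same offset. The loop cost is proportional to `#path` times the number of exclusion hits, which is negligible for counts like these.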
> My two suggestions:
> * Leave this rule, but update the condition to match if >1 /dev file is found: `$path and #path > 1 or (not dev_null and not dev_shm)`
> * Add support to bincapz for a metadata field that lists results to exclude, for instance, `exclude_1 = "/dev/null"`
> ... What do you think?
I agree with option one for now; though, I do think that option two will make it easier to exclude more nuanced paths in the future. I'll work on implementing your suggestions!
@tstromberg -- addressed your comment(s) in c55036f (#148) and 0adaaaf (#148).
I used `$path and none of ($ignore*)` instead of including `#path > 1`. I also updated the `/dev/null` expression to match either one or two Ls in null, because I saw an interesting output where `/dev/nul` was showing up, which makes it seem like the trailing character was getting trimmed. Here's the output prior to me updating the `ignore_null` expression:
/var/folders/3g/88131l9j11x995ppjbxsvhbh0000gn/T/bincapz-python221071327/usr/bin/find [MEDIUM]
MED ref/path/dev path reference within /dev /dev/nul
/dev/stderr
/dev/stdout
I tried to reproduce this output inside of a container and `/dev/nul` didn't show up when directly evaluating the YARA rule:
root@712d475f8f6f:~/bincapz# cat rules/ref/path/dev.yara
rule dev_path : notable {
  meta:
    description = "path reference within /dev"
  strings:
    $path = /\/dev\/[a-z\.\-\/]{1,16}/
    $ignore_null = "/dev/null"
    $ignore_shm = "/dev/shm/"
  condition:
    $path and none of ($ignore*)
}
root@712d475f8f6f:~/bincapz# yara -s -w rules/ref/path/dev.yara /usr/bin/find
Maybe some unintended behavior to investigate further?
@tstromberg -- I fixed the tests, by the way:
❯ go clean -testcache && make test
go test ./... -v
? github.com/chainguard-dev/bincapz [no test files]
? github.com/chainguard-dev/bincapz/pkg/bincapz [no test files]
? github.com/chainguard-dev/bincapz/pkg/render [no test files]
? github.com/chainguard-dev/bincapz/pkg/report [no test files]
? github.com/chainguard-dev/bincapz/pkg/rules [no test files]
? github.com/chainguard-dev/bincapz/rules [no test files]
=== RUN TestProgramKindMagic
--- PASS: TestProgramKindMagic (0.00s)
=== RUN TestProgramStringMatch
=== RUN TestProgramStringMatch/python
=== RUN TestProgramStringMatch/shell
=== RUN TestProgramStringMatch/short
=== RUN TestProgramStringMatch/empty
=== RUN TestProgramStringMatch/rando
=== RUN TestProgramStringMatch/juttu
slogtest.go:20: time=2024-04-23T09:31:13.221-05:00 level=ERROR msg=os.Open path=testdata/juttu error="open testdata/juttu: no such file or directory"
--- PASS: TestProgramStringMatch (0.00s)
--- PASS: TestProgramStringMatch/python (0.00s)
--- PASS: TestProgramStringMatch/shell (0.00s)
--- PASS: TestProgramStringMatch/short (0.00s)
--- PASS: TestProgramStringMatch/empty (0.00s)
--- PASS: TestProgramStringMatch/rando (0.00s)
--- PASS: TestProgramStringMatch/juttu (0.00s)
=== RUN TestProgramKindExtensions
=== RUN TestProgramKindExtensions/applescript.scpt
=== RUN TestProgramKindExtensions/applescript.scptd
=== RUN TestProgramKindExtensions/shell.sh
=== RUN TestProgramKindExtensions/ruby.rb
=== RUN TestProgramKindExtensions/python.py
=== RUN TestProgramKindExtensions/perl.pl
=== RUN TestProgramKindExtensions/yara.yara
=== RUN TestProgramKindExtensions/expect.expect
=== RUN TestProgramKindExtensions/php.php
=== RUN TestProgramKindExtensions/html.html
=== RUN TestProgramKindExtensions/javascript.js
=== RUN TestProgramKindExtensions/typescript.ts
=== RUN TestProgramKindExtensions/7z.7z
=== RUN TestProgramKindExtensions/json.json
=== RUN TestProgramKindExtensions/yaml.yml
=== RUN TestProgramKindExtensions/yaml.yaml
=== RUN TestProgramKindExtensions/java.java
=== RUN TestProgramKindExtensions/java.jar
=== RUN TestProgramKindExtensions/asm.asm
=== RUN TestProgramKindExtensions/systemd.service
=== RUN TestProgramKindExtensions/crontab.cron
=== RUN TestProgramKindExtensions/crontab.crontab
=== RUN TestProgramKindExtensions/c.c
=== RUN TestProgramKindExtensions/juttu.juttu
--- PASS: TestProgramKindExtensions (0.00s)
--- PASS: TestProgramKindExtensions/applescript.scpt (0.00s)
--- PASS: TestProgramKindExtensions/applescript.scptd (0.00s)
--- PASS: TestProgramKindExtensions/shell.sh (0.00s)
--- PASS: TestProgramKindExtensions/ruby.rb (0.00s)
--- PASS: TestProgramKindExtensions/python.py (0.00s)
--- PASS: TestProgramKindExtensions/perl.pl (0.00s)
--- PASS: TestProgramKindExtensions/yara.yara (0.00s)
--- PASS: TestProgramKindExtensions/expect.expect (0.00s)
--- PASS: TestProgramKindExtensions/php.php (0.00s)
--- PASS: TestProgramKindExtensions/html.html (0.00s)
--- PASS: TestProgramKindExtensions/javascript.js (0.00s)
--- PASS: TestProgramKindExtensions/typescript.ts (0.00s)
--- PASS: TestProgramKindExtensions/7z.7z (0.00s)
--- PASS: TestProgramKindExtensions/json.json (0.00s)
--- PASS: TestProgramKindExtensions/yaml.yml (0.00s)
--- PASS: TestProgramKindExtensions/yaml.yaml (0.00s)
--- PASS: TestProgramKindExtensions/java.java (0.00s)
--- PASS: TestProgramKindExtensions/java.jar (0.00s)
--- PASS: TestProgramKindExtensions/asm.asm (0.00s)
--- PASS: TestProgramKindExtensions/systemd.service (0.00s)
--- PASS: TestProgramKindExtensions/crontab.cron (0.00s)
--- PASS: TestProgramKindExtensions/crontab.crontab (0.00s)
--- PASS: TestProgramKindExtensions/c.c (0.00s)
--- PASS: TestProgramKindExtensions/juttu.juttu (0.00s)
=== RUN TestGetExt
=== RUN TestGetExt/testdata/file.apk
=== RUN TestGetExt/testdata/file.jar
=== RUN TestGetExt/testdata/file.tar
=== RUN TestGetExt/testdata/file.tgz
=== RUN TestGetExt/testdata/file.tar.gz
=== RUN TestGetExt/testdata/file.tar.xz
=== RUN TestGetExt/testdata/file.zip
=== RUN TestGetExt/testdata/file_1.0.0
=== RUN TestGetExt/testdata/file_1.0.0.apk
=== RUN TestGetExt/testdata/file_1.0.0.jar
=== RUN TestGetExt/testdata/file_1.0.0.tar
=== RUN TestGetExt/testdata/file_1.0.0.tgz
=== RUN TestGetExt/testdata/file_1.0.0.tar.gz
=== RUN TestGetExt/testdata/file_1.0.0.tar.xz
=== RUN TestGetExt/testdata/file_1.0.0.zip
=== RUN TestGetExt/testdata/file.a.b.c.tar.gz
=== RUN TestGetExt/testdata/file_a.b.c.tar.xz
=== RUN TestGetExt/testdata/file_a.b.0.tar
=== RUN TestGetExt/testdata/file_no_ext
--- PASS: TestGetExt (0.00s)
--- PASS: TestGetExt/testdata/file.apk (0.00s)
--- PASS: TestGetExt/testdata/file.jar (0.00s)
--- PASS: TestGetExt/testdata/file.tar (0.00s)
--- PASS: TestGetExt/testdata/file.tgz (0.00s)
--- PASS: TestGetExt/testdata/file.tar.gz (0.00s)
--- PASS: TestGetExt/testdata/file.tar.xz (0.00s)
--- PASS: TestGetExt/testdata/file.zip (0.00s)
--- PASS: TestGetExt/testdata/file_1.0.0 (0.00s)
--- PASS: TestGetExt/testdata/file_1.0.0.apk (0.00s)
--- PASS: TestGetExt/testdata/file_1.0.0.jar (0.00s)
--- PASS: TestGetExt/testdata/file_1.0.0.tar (0.00s)
--- PASS: TestGetExt/testdata/file_1.0.0.tgz (0.00s)
--- PASS: TestGetExt/testdata/file_1.0.0.tar.gz (0.00s)
--- PASS: TestGetExt/testdata/file_1.0.0.tar.xz (0.00s)
--- PASS: TestGetExt/testdata/file_1.0.0.zip (0.00s)
--- PASS: TestGetExt/testdata/file.a.b.c.tar.gz (0.00s)
--- PASS: TestGetExt/testdata/file_a.b.c.tar.xz (0.00s)
--- PASS: TestGetExt/testdata/file_a.b.0.tar (0.00s)
--- PASS: TestGetExt/testdata/file_no_ext (0.00s)
PASS
ok github.com/chainguard-dev/bincapz/pkg/action 0.186s
? github.com/chainguard-dev/bincapz/samples/does-nothing [no test files]
=== RUN TestJSON
slogtest.go:20: time=2024-04-23T09:31:13.728-05:00 level=INFO msg="skipping (third_party disabled)" path=third_party
slogtest.go:20: time=2024-04-23T09:31:13.728-05:00 level=INFO msg="skipping (third_party disabled)" path=third_party/README.md
slogtest.go:20: time=2024-04-23T09:31:13.728-05:00 level=INFO msg="skipping (third_party disabled)" path=third_party/yara-rules-full.yar
slogtest.go:20: time=2024-04-23T09:31:13.730-05:00 level=WARN msg=warning namespace=evasion/binary-opaque.yara warning="string \"$word_with_spaces\" may slow down scanning"
slogtest.go:20: time=2024-04-23T09:31:13.730-05:00 level=WARN msg=warning namespace=ref/email.yara warning="string \"$e_re\" may slow down scanning"
slogtest.go:20: time=2024-04-23T09:31:13.730-05:00 level=WARN msg=warning namespace=ref/ip.yara warning="string \"$ipv4\" may slow down scanning"
slogtest.go:20: time=2024-04-23T09:31:13.730-05:00 level=WARN msg=warning namespace=ref/ip_port.yara warning="string \"$ipv4\" may slow down scanning"
slogtest.go:20: time=2024-04-23T09:31:13.730-05:00 level=WARN msg=warning namespace=shell/background-sleep.yara warning="string \"$cmd_bg\" may slow down scanning"
slogtest.go:20: time=2024-04-23T09:31:13.730-05:00 level=WARN msg=warning namespace=systemd/no_docs_or_comments.yara warning="string \"$ex_comment\" may slow down scanning"
--- PASS: TestJSON (0.09s)
=== RUN TestSimple
slogtest.go:20: time=2024-04-23T09:31:13.802-05:00 level=INFO msg="skipping (third_party disabled)" path=third_party
slogtest.go:20: time=2024-04-23T09:31:13.802-05:00 level=INFO msg="skipping (third_party disabled)" path=third_party/README.md
slogtest.go:20: time=2024-04-23T09:31:13.802-05:00 level=INFO msg="skipping (third_party disabled)" path=third_party/yara-rules-full.yar
slogtest.go:20: time=2024-04-23T09:31:13.803-05:00 level=WARN msg=warning namespace=evasion/binary-opaque.yara warning="string \"$word_with_spaces\" may slow down scanning"
slogtest.go:20: time=2024-04-23T09:31:13.803-05:00 level=WARN msg=warning namespace=ref/email.yara warning="string \"$e_re\" may slow down scanning"
slogtest.go:20: time=2024-04-23T09:31:13.803-05:00 level=WARN msg=warning namespace=ref/ip.yara warning="string \"$ipv4\" may slow down scanning"
slogtest.go:20: time=2024-04-23T09:31:13.803-05:00 level=WARN msg=warning namespace=ref/ip_port.yara warning="string \"$ipv4\" may slow down scanning"
slogtest.go:20: time=2024-04-23T09:31:13.803-05:00 level=WARN msg=warning namespace=shell/background-sleep.yara warning="string \"$cmd_bg\" may slow down scanning"
slogtest.go:20: time=2024-04-23T09:31:13.803-05:00 level=WARN msg=warning namespace=systemd/no_docs_or_comments.yara warning="string \"$ex_comment\" may slow down scanning"
=== RUN TestSimple/Linux/2022.bpfdoor/bpfdoor_1
=== NAME TestSimple
slogtest.go:20: time=2024-04-23T09:31:13.849-05:00 level=INFO msg="1039 rules loaded" test=Linux/2022.bpfdoor/bpfdoor_1
slogtest.go:20: time=2024-04-23T09:31:13.849-05:00 level=INFO msg="finding files in Linux/2022.bpfdoor/bpfdoor_1 ..." test=Linux/2022.bpfdoor/bpfdoor_1
slogtest.go:20: time=2024-04-23T09:31:13.849-05:00 level=INFO msg=scanning test=Linux/2022.bpfdoor/bpfdoor_1 path=Linux/2022.bpfdoor/bpfdoor_1 kind="Executable and Linkable Format"
=== RUN TestSimple/Linux/2022.bpfdoor/bpfdoor_2
=== NAME TestSimple
slogtest.go:20: time=2024-04-23T09:31:13.851-05:00 level=INFO msg="1039 rules loaded" test=Linux/2022.bpfdoor/bpfdoor_2
slogtest.go:20: time=2024-04-23T09:31:13.851-05:00 level=INFO msg="finding files in Linux/2022.bpfdoor/bpfdoor_2 ..." test=Linux/2022.bpfdoor/bpfdoor_2
slogtest.go:20: time=2024-04-23T09:31:13.851-05:00 level=INFO msg=scanning test=Linux/2022.bpfdoor/bpfdoor_2 path=Linux/2022.bpfdoor/bpfdoor_2 kind="Executable and Linkable Format"
=== RUN TestSimple/Python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py
=== NAME TestSimple
slogtest.go:20: time=2024-04-23T09:31:13.853-05:00 level=INFO msg="1039 rules loaded" test=Python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py
slogtest.go:20: time=2024-04-23T09:31:13.853-05:00 level=INFO msg="finding files in Python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py ..." test=Python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py
slogtest.go:20: time=2024-04-23T09:31:13.853-05:00 level=INFO msg=scanning test=Python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py path=Python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py kind="Python script"
=== RUN TestSimple/Python/2023.JokerSpy/shared.dat
=== NAME TestSimple
slogtest.go:20: time=2024-04-23T09:31:13.854-05:00 level=INFO msg="1039 rules loaded" test=Python/2023.JokerSpy/shared.dat
slogtest.go:20: time=2024-04-23T09:31:13.854-05:00 level=INFO msg="finding files in Python/2023.JokerSpy/shared.dat ..." test=Python/2023.JokerSpy/shared.dat
slogtest.go:20: time=2024-04-23T09:31:13.854-05:00 level=INFO msg=scanning test=Python/2023.JokerSpy/shared.dat path=Python/2023.JokerSpy/shared.dat kind="Python script"
=== RUN TestSimple/Windows/2024.GitHub.Clipper/main.exe
=== NAME TestSimple
slogtest.go:20: time=2024-04-23T09:31:13.856-05:00 level=INFO msg="1039 rules loaded" test=Windows/2024.GitHub.Clipper/main.exe
slogtest.go:20: time=2024-04-23T09:31:13.856-05:00 level=INFO msg="finding files in Windows/2024.GitHub.Clipper/main.exe ..." test=Windows/2024.GitHub.Clipper/main.exe
slogtest.go:20: time=2024-04-23T09:31:13.856-05:00 level=INFO msg=scanning test=Windows/2024.GitHub.Clipper/main.exe path=Windows/2024.GitHub.Clipper/main.exe kind="DOS MZ executable file format and its descendants (including NE and PE)"
=== RUN TestSimple/Windows/2024.GitHub.Clipper/raw.py
=== NAME TestSimple
slogtest.go:20: time=2024-04-23T09:31:13.959-05:00 level=INFO msg="1039 rules loaded" test=Windows/2024.GitHub.Clipper/raw.py
slogtest.go:20: time=2024-04-23T09:31:13.959-05:00 level=INFO msg="finding files in Windows/2024.GitHub.Clipper/raw.py ..." test=Windows/2024.GitHub.Clipper/raw.py
slogtest.go:20: time=2024-04-23T09:31:13.960-05:00 level=INFO msg=scanning test=Windows/2024.GitHub.Clipper/raw.py path=Windows/2024.GitHub.Clipper/raw.py kind="Python script"
=== RUN TestSimple/does-nothing/does-nothing
=== NAME TestSimple
slogtest.go:20: time=2024-04-23T09:31:13.960-05:00 level=INFO msg="1039 rules loaded" test=does-nothing/does-nothing
slogtest.go:20: time=2024-04-23T09:31:13.961-05:00 level=INFO msg="finding files in does-nothing/does-nothing ..." test=does-nothing/does-nothing
slogtest.go:20: time=2024-04-23T09:31:13.961-05:00 level=INFO msg=scanning test=does-nothing/does-nothing path=does-nothing/does-nothing kind="Executable and Linkable Format"
--- PASS: TestSimple (0.22s)
--- PASS: TestSimple/Linux/2022.bpfdoor/bpfdoor_1 (0.00s)
--- PASS: TestSimple/Linux/2022.bpfdoor/bpfdoor_2 (0.00s)
--- PASS: TestSimple/Python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py (0.00s)
--- PASS: TestSimple/Python/2023.JokerSpy/shared.dat (0.00s)
--- PASS: TestSimple/Windows/2024.GitHub.Clipper/main.exe (0.10s)
--- PASS: TestSimple/Windows/2024.GitHub.Clipper/raw.py (0.00s)
--- PASS: TestSimple/does-nothing/does-nothing (0.04s)
=== RUN TestDiff
2024/04/23 09:31:14 WARN warning namespace=evasion/binary-opaque.yara warning="string \"$word_with_spaces\" may slow down scanning"
2024/04/23 09:31:14 WARN warning namespace=ref/email.yara warning="string \"$e_re\" may slow down scanning"
2024/04/23 09:31:14 WARN warning namespace=ref/ip.yara warning="string \"$ipv4\" may slow down scanning"
2024/04/23 09:31:14 WARN warning namespace=ref/ip_port.yara warning="string \"$ipv4\" may slow down scanning"
2024/04/23 09:31:14 WARN warning namespace=shell/background-sleep.yara warning="string \"$cmd_bg\" may slow down scanning"
2024/04/23 09:31:14 WARN warning namespace=systemd/no_docs_or_comments.yara warning="string \"$ex_comment\" may slow down scanning"
=== RUN TestDiff/Linux/2023.FreeDownloadManager/freedownloadmanager.sdiff
2024/04/23 09:31:15 INFO 12572 rules loaded src=Linux/2023.FreeDownloadManager/freedownloadmanager_clear_postinst
2024/04/23 09:31:15 INFO finding files in Linux/2023.FreeDownloadManager/freedownloadmanager_clear_postinst ... src=Linux/2023.FreeDownloadManager/freedownloadmanager_clear_postinst
2024/04/23 09:31:15 INFO scanning src=Linux/2023.FreeDownloadManager/freedownloadmanager_clear_postinst path=Linux/2023.FreeDownloadManager/freedownloadmanager_clear_postinst kind="Shell script"
2024/04/23 09:31:15 INFO 12572 rules loaded src=Linux/2023.FreeDownloadManager/freedownloadmanager_clear_postinst
2024/04/23 09:31:15 INFO finding files in Linux/2023.FreeDownloadManager/freedownloadmanager_infected_postinst ... src=Linux/2023.FreeDownloadManager/freedownloadmanager_clear_postinst
2024/04/23 09:31:15 INFO scanning src=Linux/2023.FreeDownloadManager/freedownloadmanager_clear_postinst path=Linux/2023.FreeDownloadManager/freedownloadmanager_infected_postinst kind="Shell script"
=== RUN TestDiff/macOS/clean/ls.mdiff.level_2
2024/04/23 09:31:15 INFO 12572 rules loaded src=Linux/clean/ls.x86_64
2024/04/23 09:31:15 INFO finding files in Linux/clean/ls.x86_64 ... src=Linux/clean/ls.x86_64
2024/04/23 09:31:15 INFO scanning src=Linux/clean/ls.x86_64 path=Linux/clean/ls.x86_64 kind="Executable and Linkable Format"
2024/04/23 09:31:15 INFO 12572 rules loaded src=Linux/clean/ls.x86_64
2024/04/23 09:31:15 INFO finding files in macOS/clean/ls ... src=Linux/clean/ls.x86_64
2024/04/23 09:31:15 INFO scanning src=Linux/clean/ls.x86_64 path=macOS/clean/ls kind="Java class file, Mach-O Fat Binary"
=== RUN TestDiff/macOS/clean/ls.mdiff.trigger_2
2024/04/23 09:31:15 INFO 12572 rules loaded src=Linux/clean/ls.x86_64
2024/04/23 09:31:15 INFO finding files in Linux/clean/ls.x86_64 ... src=Linux/clean/ls.x86_64
2024/04/23 09:31:15 INFO scanning src=Linux/clean/ls.x86_64 path=Linux/clean/ls.x86_64 kind="Executable and Linkable Format"
2024/04/23 09:31:15 INFO 12572 rules loaded src=Linux/clean/ls.x86_64
2024/04/23 09:31:15 INFO finding files in macOS/clean/ls ... src=Linux/clean/ls.x86_64
2024/04/23 09:31:15 INFO scanning src=Linux/clean/ls.x86_64 path=macOS/clean/ls kind="Java class file, Mach-O Fat Binary"
=== RUN TestDiff/macOS/clean/ls.mdiff.trigger_3
2024/04/23 09:31:15 INFO 12572 rules loaded src=Linux/clean/ls.x86_64
2024/04/23 09:31:15 INFO finding files in Linux/clean/ls.x86_64 ... src=Linux/clean/ls.x86_64
2024/04/23 09:31:15 INFO scanning src=Linux/clean/ls.x86_64 path=Linux/clean/ls.x86_64 kind="Executable and Linkable Format"
2024/04/23 09:31:15 INFO 12572 rules loaded src=Linux/clean/ls.x86_64
2024/04/23 09:31:15 INFO finding files in macOS/clean/ls ... src=Linux/clean/ls.x86_64
2024/04/23 09:31:15 INFO scanning src=Linux/clean/ls.x86_64 path=macOS/clean/ls kind="Java class file, Mach-O Fat Binary"
2024/04/23 09:31:15 INFO diff does not meet min trigger level src=Linux/clean/ls.x86_64 path=macOS/clean/ls
2024/04/23 09:31:15 INFO diff does not meet min trigger level src=Linux/clean/ls.x86_64 path=macOS/clean/ls
=== RUN TestDiff/macOS/2023.3CX/libffmpeg.dirty.mdiff
2024/04/23 09:31:15 INFO 12572 rules loaded src=macOS/2023.3CX/libffmpeg.dylib
2024/04/23 09:31:15 INFO finding files in macOS/2023.3CX/libffmpeg.dylib ... src=macOS/2023.3CX/libffmpeg.dylib
2024/04/23 09:31:15 INFO scanning src=macOS/2023.3CX/libffmpeg.dylib path=macOS/2023.3CX/libffmpeg.dylib kind="Java class file, Mach-O Fat Binary"
2024/04/23 09:31:16 INFO 12572 rules loaded src=macOS/2023.3CX/libffmpeg.dylib
2024/04/23 09:31:16 INFO finding files in macOS/2023.3CX/libffmpeg.dirty.dylib ... src=macOS/2023.3CX/libffmpeg.dylib
2024/04/23 09:31:16 INFO scanning src=macOS/2023.3CX/libffmpeg.dylib path=macOS/2023.3CX/libffmpeg.dirty.dylib kind="Java class file, Mach-O Fat Binary"
=== RUN TestDiff/Linux/2024.sbcl.market/sbcl.sdiff
2024/04/23 09:31:16 INFO 12572 rules loaded src=Linux/2024.sbcl.market/sbcl.clean
2024/04/23 09:31:16 INFO finding files in Linux/2024.sbcl.market/sbcl.clean ... src=Linux/2024.sbcl.market/sbcl.clean
2024/04/23 09:31:16 INFO scanning src=Linux/2024.sbcl.market/sbcl.clean path=Linux/2024.sbcl.market/sbcl.clean kind="Executable and Linkable Format"
2024/04/23 09:31:16 INFO 12572 rules loaded src=Linux/2024.sbcl.market/sbcl.clean
2024/04/23 09:31:16 INFO finding files in Linux/2024.sbcl.market/sbcl.dirty ... src=Linux/2024.sbcl.market/sbcl.clean
2024/04/23 09:31:16 INFO scanning src=Linux/2024.sbcl.market/sbcl.clean path=Linux/2024.sbcl.market/sbcl.dirty kind="Executable and Linkable Format"
--- PASS: TestDiff (2.36s)
--- PASS: TestDiff/Linux/2023.FreeDownloadManager/freedownloadmanager.sdiff (0.01s)
--- PASS: TestDiff/macOS/clean/ls.mdiff.level_2 (0.01s)
--- PASS: TestDiff/macOS/clean/ls.mdiff.trigger_2 (0.01s)
--- PASS: TestDiff/macOS/clean/ls.mdiff.trigger_3 (0.01s)
--- PASS: TestDiff/macOS/2023.3CX/libffmpeg.dirty.mdiff (0.20s)
--- PASS: TestDiff/Linux/2024.sbcl.market/sbcl.sdiff (0.21s)
=== RUN TestMarkdown
slogtest.go:20: time=2024-04-23T09:31:16.384-05:00 level=INFO msg="skipping (third_party disabled)" path=third_party
slogtest.go:20: time=2024-04-23T09:31:16.384-05:00 level=INFO msg="skipping (third_party disabled)" path=third_party/README.md
slogtest.go:20: time=2024-04-23T09:31:16.384-05:00 level=INFO msg="skipping (third_party disabled)" path=third_party/yara-rules-full.yar
slogtest.go:20: time=2024-04-23T09:31:16.386-05:00 level=WARN msg=warning namespace=evasion/binary-opaque.yara warning="string \"$word_with_spaces\" may slow down scanning"
slogtest.go:20: time=2024-04-23T09:31:16.386-05:00 level=WARN msg=warning namespace=ref/email.yara warning="string \"$e_re\" may slow down scanning"
slogtest.go:20: time=2024-04-23T09:31:16.386-05:00 level=WARN msg=warning namespace=ref/ip.yara warning="string \"$ipv4\" may slow down scanning"
slogtest.go:20: time=2024-04-23T09:31:16.386-05:00 level=WARN msg=warning namespace=ref/ip_port.yara warning="string \"$ipv4\" may slow down scanning"
slogtest.go:20: time=2024-04-23T09:31:16.386-05:00 level=WARN msg=warning namespace=shell/background-sleep.yara warning="string \"$cmd_bg\" may slow down scanning"
slogtest.go:20: time=2024-04-23T09:31:16.386-05:00 level=WARN msg=warning namespace=systemd/no_docs_or_comments.yara warning="string \"$ex_comment\" may slow down scanning"
=== RUN TestMarkdown/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare
=== NAME TestMarkdown
slogtest.go:20: time=2024-04-23T09:31:16.432-05:00 level=INFO msg="1039 rules loaded" test=macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare
slogtest.go:20: time=2024-04-23T09:31:16.432-05:00 level=INFO msg="finding files in macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare ..." test=macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare
slogtest.go:20: time=2024-04-23T09:31:16.433-05:00 level=INFO msg=scanning test=macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare path=macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare kind="Mach-O binary (reverse byte ordering scheme, 64-bit)"
--- PASS: TestMarkdown (0.08s)
--- PASS: TestMarkdown/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare (0.00s)
PASS
ok github.com/chainguard-dev/bincapz/samples 3.120s
Yay! Thanks for your PR and for sticking through all the rough edges.
Closes: https://github.com/chainguard-dev/bincapz/issues/147
I wanted to try my hand at writing some YARA rules -- this PR adds a detection for `/dev/` paths while excluding `/dev/null` and `/dev/shm/...` since there are already detections for these two paths. I tested this with `$ go run . --oci python` -- for example:
There were a total of 139 matches for this rule in `python`.