chainguard-dev / bincapz

detect malicious program behaviors
Apache License 2.0

Remove non-matching checksums from rules #292

Closed tstromberg closed 1 day ago

tstromberg commented 1 week ago

As per https://github.com/chainguard-dev/bincapz/runs/26600819412

| Non matching file | Rule | YARA file |
| --- | --- | --- |
| f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6 | login_records | rules/admin/logs/current_logins.yara |
| ad16989a3ebf0b416681f8db31af098e02eabd25452f8d781383547ead395237 | login_records | rules/admin/logs/current_logins.yara |
| 589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0 | executable_calls_archive_tool | rules/archives/tar-command.yara |
| 99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7 | executable_calls_archive_tool | rules/archives/tar-command.yara |
| 016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74 | crypto_stealer | rules/combo/stealer/ditto.yara |
| 384ec732200ab95c94c202f42b51e870f51735768888aaabc4e370de74e825e3 | office_crypt_archive | rules/combo/stealer/office.yara |
| cd784dc1f7bd95cac84dc696d63d8c807129ef47b3ce08cd08afb7b7456a8cd3 | base64_http_val | rules/evasion/base64-python.yara |
| 6896b02503c15ffa68e17404f1c97fd53ea7b53c336a7b8b34e7767f156a9cf2 | base64_http_val | rules/evasion/base64-python.yara |
| 73ed0b692fda696efd5f8e33dc05210e54b17e4e4a39183c8462bcc5a3ba06cc | base64_http_val | rules/evasion/base64-python.yara |
| 4d79e1a1027e7713180102014fcfb3bf | kiteshield | rules/evasion/packer/kiteshield.yara |
| a42249e86867526c09d78c79ae26191d | kiteshield | rules/evasion/packer/kiteshield.yara |
| 57f7ffaa0333245f74e4ab68d708e14e | kiteshield | rules/evasion/packer/kiteshield.yara |
| 7671585e770cf0c856b79855e6bdca2a | kiteshield | rules/evasion/packer/kiteshield.yara |
| 5c9887c51a0f633e3d2af54f788da525 | kiteshield | rules/evasion/packer/kiteshield.yara |
| 951fe6ce076aab5ca94da020a14a8e1c | kiteshield | rules/evasion/packer/kiteshield.yara |
| 21ca44d382102e0ae33d02f499a5aa2a01e0749be956cbd417aae64085f28368 | macos_platform_check | rules/kernel/platform.yara |
| 7faf316a313de14a734b784e6d2ab53dfdf1ffaab4adbbbc46f4b236738d7d0d | stealthworker | rules/malware/family/stealthworker.yara |
| fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588 | proc_self_status | rules/procfs/self-mountinfo.yara |
| 7955542df199c6ce4ca0bb3966dcf9cc71199c592fec38508dad58301a3298d0 | proc_self_status | rules/procfs/self-mountinfo.yara |
| df8262a8a7208da235127a10b07fa9b87de71eb2cc9667899da60ad255a90c76 | proc_self_status | rules/procfs/self-mountinfo.yara |
| 016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74 | home_path | rules/ref/path/home.yara |
| 2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f | var_root_path | rules/ref/path/var-containers.yara |
| ced05b1f429ade707691b04f59d7929961661963311b768d438317f4d3d82953 | var_root_path | rules/ref/path/var-containers.yara |
| 0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c | var_root_path | rules/ref/path/var-root.yara |
| 7c636f1c9e4d9032d66a58f263b3006788047488e00fc26997b915e9d1f174bf | metasploit | rules/ref/program/metasploit.yara |
| 1ea3dc626b9ccee026502ac8e8a98643c65a055829e8d8b1750b2468254c0ab1 | metasploit | rules/ref/program/metasploit.yara |
| 818b80a08418f3bb4628edd4d766e4de138a58f409a89a5fdba527bab8808dd2 | metasploit | rules/ref/program/minecraft.yara |
| 039e1765de1cdec65ad5e49266ab794f8e5642adb0bdeb78d8c0b77e8b34ae09 | decryptor | rules/ref/words/dropper.yara |
| 7bc657c96c15ec0629740e00a9c7497417b599694c6b7598eeff095136cbd507 | chromium_master_password | rules/secrets/chromium_master_password.yara |
| 8b84336e73c6a6d154e685d3729dfa4e08e4a3f136f0b2e7c6e5970df9145e95 | iptables_delete | rules/security_controls/linux/iptables.yara |
| 8b9db0bc9152628bdacc32dab01590211bee9f27d58e0f66f6a1e26aea7552a6 | iptables_delete | rules/security_controls/linux/iptables.yara |
| e100be934f676c64528b5e8a609c3fb5122b2db43b9aee3b2cf30052799a82da | iptables_delete | rules/security_controls/linux/iptables.yara |

In most cases we should just remove the hash and move on, but if it looks like any particular rule should be matching, we should fix it. cc @egibs since his recent kiteshield rules are on here.
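The check behind that report, as an added example that is not bincapz's own code: it pulls every hash-like `meta:` value out of a rule file, scans constructed samples, and reports each recorded digest the rule did not actually fire on in the same `hash / rule / file` column order as the CI output, then strips those stale meta lines. It assumes the convention (seen in the constructed rule below, not confirmed from the repository) that known-matching samples are recorded as meta keys starting with `hash`; the rule text, sample bytes and the `literal_matcher` stand-in are constructed so the script runs without yara-python. Because the report above mixes MD5 and SHA-256 entries, the checker accepts both, plus SHA-1.

```python
"""Cross-check sample hashes recorded in YARA rule metadata against what the
rule actually matches, and strip the stale ones. Added example; not bincapz
code. The "hash*" meta-key convention, the rule text and the samples are
constructed assumptions."""
import hashlib
import re

# MD5 (32), SHA-1 (40) or SHA-256 (64) hex: the report mixes digest lengths.
HEX_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
RULE_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+(\w+)", re.M)
HASH_META_RE = re.compile(r'^[ \t]*(hash\w*)\s*=\s*"([^"]*)"', re.M)
STRING_RE = re.compile(r'^[ \t]*\$\w*\s*=\s*"((?:[^"\\]|\\.)*)"', re.M)


def split_rules(rule_text):
    """Yield (rule_name, rule_body) for each rule in a .yara file."""
    heads = list(RULE_RE.finditer(rule_text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(rule_text)
        yield h.group(1), rule_text[h.end():end]


def extract_hash_meta(rule_text):
    """Return [(rule_name, digest)] for every hash-like meta value."""
    found = []
    for name, body in split_rules(rule_text):
        for m in HASH_META_RE.finditer(body):
            value = m.group(2).strip().lower()
            if HEX_RE.match(value):
                found.append((name, value))
    return found


def digests(data):
    """Every digest form a rule's metadata might record for one sample."""
    return {hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest(),
            hashlib.sha256(data).hexdigest()}


def literal_matcher(body):
    """Hypothetical stand-in for a real scanner so this runs offline: treats
    the rule as 'any of them' over its plain string literals. Swap in
    yara-python or the project's own scan for real results."""
    literals = [s.encode() for s in STRING_RE.findall(body)]
    return lambda data: any(lit in data for lit in literals)


def scan(rule_text, samples, matcher_for=literal_matcher):
    """Map rule_name -> set of digests of the samples that rule fires on."""
    hits = {}
    for name, body in split_rules(rule_text):
        match = matcher_for(body)
        hits[name] = set()
        for data in samples:
            if match(data):
                hits[name] |= digests(data)
    return hits


def find_nonmatching(rule_files, samples):
    """Return [(digest, rule, path)] for recorded hashes the rule missed."""
    stale = []
    for path, text in sorted(rule_files.items()):
        hits = scan(text, samples)
        for name, digest in extract_hash_meta(text):
            if digest not in hits.get(name, set()):
                stale.append((digest, name, path))
    return stale


def strip_hashes(rule_text, stale_digests):
    """Drop meta lines whose value is a stale digest; keep everything else."""
    keep = []
    for line in rule_text.splitlines(keepends=True):
        m = HASH_META_RE.match(line)
        if m and m.group(2).strip().lower() in stale_digests:
            continue
        keep.append(line)
    return "".join(keep)


# Constructed samples: SAMPLE_A carries the marker the rule looks for.
SAMPLE_A = b"#!/bin/sh\niptables -D INPUT 1\n"
SAMPLE_B = b"#!/bin/sh\necho hello\n"
SAMPLES = [SAMPLE_A, SAMPLE_B]
GOOD_DIGEST = hashlib.sha256(SAMPLE_A).hexdigest()   # really matches
STALE_DIGEST = hashlib.md5(SAMPLE_B).hexdigest()     # recorded but never matches

# Constructed rule file (assumed meta convention); one good hash, one stale.
RULE_FILE = f'''
rule iptables_delete {{
  meta:
    description = "deletes an iptables rule"
    hash_sample_a = "{GOOD_DIGEST}"
    hash_sample_b = "{STALE_DIGEST}"
  strings:
    $ipt = "iptables -D"
  condition:
    any of them
}}
'''
RULE_PATH = "rules/security_controls/linux/iptables.yara"


def demo():
    """Report stale hashes for the constructed rule and return the cleaned rule."""
    stale = find_nonmatching({RULE_PATH: RULE_FILE}, SAMPLES)
    cleaned = strip_hashes(RULE_FILE, {d for d, _, _ in stale})
    return stale, cleaned


if __name__ == "__main__":
    stale, cleaned = demo()
    for digest, rule, path in stale:
        print(digest, rule, path)
    print(cleaned)
```

Treat the report as a triage list rather than an auto-fix: the script only tells you which recorded hashes no longer fire, which is exactly the point where a human decides whether the hash was noise or the rule regressed.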

tstromberg commented 1 week ago

I believe this has been fixed, but the tests are timing out now so it's difficult to tell.

egibs commented 1 week ago

Looks like seven remaining false negatives: https://github.com/chainguard-dev/bincapz/runs/26653786478

tstromberg commented 1 day ago

Thank you for your help, @egibs !