Commit 297bd1e

Use code highlighting to avoid escaping patterns
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
1 parent 62c07b6 commit 297bd1e

16 files changed: +38 -38 lines changed

pkg/render/markdown.go

Lines changed: 1 addition & 1 deletion
@@ -38,7 +38,7 @@ func mdRisk(score int, level string) string {
3838
func matchFragmentLink(s string) string {
3939
// it's probably the name of a matched YARA field, for example, if it's xor'ed data
4040
if strings.HasPrefix(s, "$") {
41-
return fmt.Sprintf("\\%s", s)
41+
return fmt.Sprintf("`%s`", s)
4242
}
4343

4444
if strings.HasPrefix(s, "https:") || strings.HasPrefix(s, "http://") {
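Review bot: the new `fmt.Sprintf("`%s`", s)` on line 41 has no guard for a backtick inside `s`, so a `$`-prefixed string that itself contains "`" would close the code span early and the remainder would render as ordinary Markdown, whereas the old `\\%s` form only had to neutralise the leading `$`. Suggest falling back to the backslash escape (or doubling the fence) when `strings.Contains(s, "`")`, and note that a pipe in `s` would still break the table row this cell ends up in. Minor and unchanged by this hunk: line 44 tests `"https:"` but `"http://"`; the two prefixes should be symmetric.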

tests/linux/clean/code-oss.md

Lines changed: 3 additions & 3 deletions

tests/linux/clean/cpack.md

Lines changed: 4 additions & 4 deletions
@@ -2,7 +2,7 @@
22

33
| RISK | KEY | DESCRIPTION | EVIDENCE |
44
|--|--|--|--|
5-
| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | \$elf_head |
5+
| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | `$elf_head` |
66
| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [local_ip](https://github.com/search?q=local_ip&type=code)<br>[use_port](https://github.com/search?q=use_port&type=code)<br>[Port](https://github.com/search?q=Port&type=code)<br>[IP](https://github.com/search?q=IP&type=code)<br>[Ip](https://github.com/search?q=Ip&type=code) |
77
| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientID](https://github.com/search?q=clientID&type=code) |
88
| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)<br>[Windows](https://github.com/search?q=Windows&type=code)<br>[http://](http://)<br>[Darwin](https://github.com/search?q=Darwin&type=code)<br>[Linux](https://github.com/search?q=Linux&type=code)<br>[macOS](https://github.com/search?q=macOS&type=code) |
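Review bot: this golden file only tracks the renderer change on line 5 (`\$elf_head` becoming a code span), which is correct, but none of the fixture rows exercise an evidence string that contains a backtick or a pipe, so the new code-span path is only covered for bare YARA identifiers; a fixture with such a value would catch a regression in `matchFragmentLink`. Unrelated but visible on line 8: `[https://](https://)` and `[http://](http://)` link the scheme text to itself and produce dead links in the rendered report.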
@@ -11,7 +11,7 @@
1111
| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) |
1212
| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) |
1313
| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [<html>](https://github.com/search?q=%3Chtml%3E&type=code) |
14-
| MEDIUM | [data/embedded/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-zstd.yara#embedded_zstd) | [Contains compressed content in ZStandard format](https://github.com/facebook/zstd) | \$ref |
14+
| MEDIUM | [data/embedded/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-zstd.yara#embedded_zstd) | [Contains compressed content in ZStandard format](https://github.com/facebook/zstd) | `$ref` |
1515
| MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)<br>[getifaddrs](https://github.com/search?q=getifaddrs&type=code) |
1616
| MEDIUM | [discover/processes/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/processes/list.yara#ps_exec) | executes ps(1) for a list of processes | [ps ax](https://github.com/search?q=ps+ax&type=code)<br>[#!](https://github.com/search?q=%23%21&type=code) |
1717
| MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname_a) | gets full system identification | [uname -a](https://github.com/search?q=uname+-a&type=code) |
@@ -42,7 +42,7 @@
4242
| MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)<br>[HTTP](https://github.com/search?q=HTTP&type=code) |
4343
| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)<br>[POST](https://github.com/search?q=POST&type=code)<br>[post](https://github.com/search?q=post&type=code) |
4444
| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-Type: application/dns](https://github.com/search?q=Content-Type%3A+application%2Fdns&type=code)<br>[Content-Type: application/x](https://github.com/search?q=Content-Type%3A+application%2Fx&type=code)<br>[HTTP](https://github.com/search?q=HTTP&type=code)<br>[POST](https://github.com/search?q=POST&type=code)<br>[http](https://github.com/search?q=http&type=code) |
45-
| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | \$host_port |
45+
| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | `$host_port` |
4646
| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) |
4747
| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) |
4848
| MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [SOCKS5](https://github.com/search?q=SOCKS5&type=code)<br>[socks5](https://github.com/search?q=socks5&type=code) |
@@ -66,7 +66,7 @@
6666
| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) |
6767
| LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) |
6868
| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) |
69-
| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [ZSTD_decompressStream](https://github.com/search?q=ZSTD_decompressStream&type=code)<br>\$magic_bytes<br>\$decompress<br>\$ref<br>[zstd](https://github.com/search?q=zstd&type=code) |
69+
| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [ZSTD_decompressStream](https://github.com/search?q=ZSTD_decompressStream&type=code)<br>`$magic_bytes`<br>`$decompress`<br>`$ref`<br>[zstd](https://github.com/search?q=zstd&type=code) |
7070
| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) |
7171
| LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [MD5_Update](https://github.com/search?q=MD5_Update&type=code)<br>[MD5_Final](https://github.com/search?q=MD5_Final&type=code)<br>[MD5_Init](https://github.com/search?q=MD5_Init&type=code) |
7272
| LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) |
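Review bot: line 69 is the mixed case the renderer has to get right, one cell holding both links and several `$`-prefixed names joined with `<br>`; each `$` name now becomes its own code span, which renders correctly only while no name contains a backtick. For readers of the report it also makes the distinction visible that `$magic_bytes`, `$decompress` and `$ref` are YARA string identifiers from the rule (as the `matchFragmentLink` comment says) rather than matched content, while the linked entries are literal matches.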

tests/linux/clean/pandoc.md

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@
22

33
| RISK | KEY | DESCRIPTION | EVIDENCE |
44
|--|--|--|--|
5-
| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | \$elf_head |
5+
| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | `$elf_head` |
66
| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [curlopt_port](https://github.com/search?q=curlopt_port&type=code)<br>[primary_port](https://github.com/search?q=primary_port&type=code)<br>[client_port](https://github.com/search?q=client_port&type=code)<br>[config_port](https://github.com/search?q=config_port&type=code)<br>[defaultPort](https://github.com/search?q=defaultPort&type=code)<br>[domain_port](https://github.com/search?q=domain_port&type=code)<br>[internal_ip](https://github.com/search?q=internal_ip&type=code)<br>[lnormhet_ip](https://github.com/search?q=lnormhet_ip&type=code)<br>[radius_port](https://github.com/search?q=radius_port&type=code)<br>[server_port](https://github.com/search?q=server_port&type=code)<br>[validate_ip](https://github.com/search?q=validate_ip&type=code)<br>[ereghet_ip](https://github.com/search?q=ereghet_ip&type=code)<br>[gomphet_ip](https://github.com/search?q=gomphet_ip&type=code)<br>[ipproto_ip](https://github.com/search?q=ipproto_ip&type=code)<br>[lloghet_ip](https://github.com/search?q=lloghet_ip&type=code)<br>[local_port](https://github.com/search?q=local_port&type=code)<br>[primary_ip](https://github.com/search?q=primary_ip&type=code)<br>[serverPort](https://github.com/search?q=serverPort&type=code)<br>[socketPort](https://github.com/search?q=socketPort&type=code)<br>[weibhet_ip](https://github.com/search?q=weibhet_ip&type=code)<br>[client_ip](https://github.com/search?q=client_ip&type=code)<br>[framed_ip](https://github.com/search?q=framed_ip&type=code)<br>[gamhet_ip](https://github.com/search?q=gamhet_ip&type=code)<br>[http_port](https://github.com/search?q=http_port&type=code)<br>[open_port](https://github.com/search?q=open_port&type=code)<br>[proxyPort](https://github.com/search?q=proxyPort&type=code)<br>[bindPort](https://github.com/search?q=bindPort&type=code)<br>[ftp_port](https://github.com/search?q=ftp_port&type=code)<br>
[get_port](https://github.com/search?q=get_port&type=code)<br>[lat_port](https://github.com/search?q=lat_port&type=code)<br>[local_ip](https://github.com/search?q=local_ip&type=code)<br>[login_ip](https://github.com/search?q=login_ip&type=code)<br>[nas_port](https://github.com/search?q=nas_port&type=code)<br>[sam_port](https://github.com/search?q=sam_port&type=code)<br>[tcp_port](https://github.com/search?q=tcp_port&type=code)<br>[url_port](https://github.com/search?q=url_port&type=code)<br>[getPort](https://github.com/search?q=getPort&type=code)<br>[host_ip](https://github.com/search?q=host_ip&type=code)<br>[is_port](https://github.com/search?q=is_port&type=code)<br>[pg_port](https://github.com/search?q=pg_port&type=code)<br>[setPort](https://github.com/search?q=setPort&type=code)<br>[uriPort](https://github.com/search?q=uriPort&type=code)<br>[nas_ip](https://github.com/search?q=nas_ip&type=code)<br>[blIp](https://github.com/search?q=blIp&type=code)<br>[eIp](https://github.com/search?q=eIp&type=code)<br>[mIp](https://github.com/search?q=mIp&type=code)<br>[xIp](https://github.com/search?q=xIp&type=code)<br>[IP](https://github.com/search?q=IP&type=code) |
77
| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [inet_server_addr](https://github.com/search?q=inet_server_addr&type=code) |
88
| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code) |
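Review bot: the `c2/addr/ip` row on line 6 appears here broken across two lines (after `[ftp_port](...)<br>`); if that newline is in the file rather than an artifact of this view, GFM ends the table row there and the rest of the evidence renders as a stray paragraph, so confirm the golden file keeps the row on one line. The change on line 5 matches cpack.md and needs no further comment.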
