
Commit 7b3caf3

Store samples in an archived format; add Makefile targets to archive/extract (#396)
* Store samples in an archived format; add Makefile targets to archive/extract
* Add README section about samples/archive
* Update version since this will be an immediate release
* Add additional docs around Git LFS
* Install git-lfs in Workflow
* Run git lfs install
* Split archive files to avoid Git LFS
* Fix macOS archive creation
* Remove ._ files from archives
* Remove - from extraction flags
* Extract archives before as part of make test

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
1 parent 8725856 commit 7b3caf3

File tree

245 files changed

+28
-135363
lines changed


.github/workflows/go-tests.yaml

Lines changed: 4 additions & 0 deletions
@@ -44,6 +44,10 @@ jobs:
4444
sudo add-apt-repository -n -y "deb http://security.ubuntu.com/ubuntu mantic-security main restricted universe multiverse"
4545
4646
sudo apt update && sudo apt install libyara-dev -y
47+
48+
- name: Extract Samples
49+
run : |
50+
make extract-samples
4751
4852
- name: Test
4953
run: |
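Review bot: the new step uses `run : |` (space before the colon) while the existing Test step below uses `run: |`; YAML still parses the key as `run`, but the inconsistent spacing should be fixed. Also, since this same commit makes the Makefile's `test` target depend on `extract-samples`, this dedicated step is redundant whenever the Test step invokes `make test`; keep one or the other so the archive is not extracted twice on every CI run.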

.gitignore

Lines changed: 3 additions & 0 deletions
@@ -26,3 +26,6 @@ profiles/
2626

2727
# Jetbrains
2828
.idea/
29+
30+
# Uncompressed samples
31+
samples/
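Review bot: ignoring the whole `samples/` directory also hides `samples/refresh-testdata.sh`, which the `refresh-sample-testdata` target in this commit's Makefile still invokes, so the script exists only after `make extract-samples` and edits to it are silently untracked until someone runs `make archive-samples` and commits the regenerated parts. Consider keeping the script outside the archived directory, or document in the README that changes under `samples/` must go through `archive-samples`.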

Makefile

Lines changed: 13 additions & 1 deletion
@@ -48,7 +48,7 @@ fix: $(FIXERS)
4848
# END: lint-install ../bincapz
4949

5050
.PHONY: test
51-
test:
51+
test: extract-samples
5252
go test ./...
5353

5454
.PHONY: bench
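Review bot: `test: extract-samples` with `extract-samples` declared `.PHONY` means every `make test` re-runs `cat samples.tar.gz.* | tar xzvf -` over the full archive even when `samples/` is already populated, which makes the test loop slow and re-writes extracted sample files each time. A guard such as a stamp file produced by extraction (e.g. `samples/.extracted` depending on `samples.tar.gz.*`) would make the dependency cheap on repeated runs while still re-extracting when the archive parts change.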
@@ -113,3 +113,15 @@ update-third-party:
113113
.PHONY: refresh-sample-testdata out/bincapz
114114
refresh-sample-testdata: out/bincapz
115115
./samples/refresh-testdata.sh ./out/bincapz
116+
117+
.PHONY: archive-samples
118+
archive-samples:
119+
ifeq ($(LINT_OS),Darwin)
120+
tar czvf - --no-xattrs --exclude="._*" --disable-copyfile samples | split -b 50m - samples.tar.gz.
121+
else
122+
tar czvf - --exclude="._*" samples | split -b 50m - samples.tar.gz.
123+
endif
124+
125+
.PHONY: extract-samples
126+
extract-samples:
127+
cat samples.tar.gz.* | tar xzvf -
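Review bot: `archive-samples` never removes existing parts before `split` writes new ones, so if a re-archive produces fewer parts than the previous run (say `.aa` and `.ab` where there used to be `.ac`), the stale `samples.tar.gz.ac` survives and `cat samples.tar.gz.* | tar xzvf -` in `extract-samples` appends old data to the stream; add `rm -f samples.tar.gz.*` at the start of the target. Two smaller points: reassembly relies on `split`'s default lexically ordered suffixes, which is fine today but worth a comment next to the glob; and, because these parts carry live malware samples, it would be useful to record a checksum of the concatenated archive when it is created and verify it in `extract-samples` before untarring, so a corrupted or tampered part is caught rather than extracted.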

README.md

Lines changed: 7 additions & 1 deletion
@@ -103,7 +103,7 @@ Here is a result using the 3CX compromise as a test case. Each of the lines that
103103
| +CRITICAL | **[3P/signature_base/3cxdesktopapp/backdoor](https://github.com/Neo23x0/signature-base/blob/1b9069ac3d8d5b6dd2b61d3c934bf19b70323011/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275)** | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X\_\_Junior (Nextron Systems) | $op1<br>$op2<br>[%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
104104
| +CRITICAL | **[3P/signature_base/nk/3cx](https://github.com/Neo23x0/signature-base/blob/1b9069ac3d8d5b6dd2b61d3c934bf19b70323011/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214)** | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | $xc1<br>$xc2<br>$xc3 |
105105
| +CRITICAL | **[3P/signature_base/susp/xored](https://github.com/Neo23x0/signature-base/blob/1b9069ac3d8d5b6dd2b61d3c934bf19b70323011/yara/gen_xor_hunting.yar#L2-L20)** | [Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key](<https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()>), by Florian Roth | $xo1 |
106-
| +CRITICAL | **[3P/volexity/iconic](https://github.com/volexity/threat-intel/blob/62e031ea574efde68dac7d38dc23438466a5302b/2023/2023-03-30%203CX/indicators/rules.yar#L32-L50)** | [Detects the MACOS version of the ICONIC loader.](https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/), by threatintel@volexity.com | $str1<br>$str2<br>$str3 |
106+
| +CRITICAL | **[3P/volexity/iconic](https://github.com/volexity/threat-intel/blob/62e031ea574efde68dac7d38dc23438466a5302b/2023/2023-03-30%203CX/indicators/rules.yar#L32-L50)** | [Detects the MACOS version of the ICONIC loader.](https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/), by <threatintel@volexity.com> | $str1<br>$str2<br>$str3 |
107107
| +CRITICAL | **[evasion/xor/user_agent](https://github.com/chainguard-dev/bincapz/blob/main/rules/evasion/xor-user_agent.yara#xor_mozilla)** | XOR'ed user agent, often found in backdoors, by Florian Roth | $Mozilla_5_0 |
108108
| +MEDIUM | **[exec/pipe](https://github.com/chainguard-dev/bincapz/blob/main/rules/exec/pipe.yara#popen)** | [launches program and reads its output](https://linux.die.net/man/3/popen) | [\_pclose](https://github.com/search?q=_pclose&type=code)<br>[\_popen](https://github.com/search?q=_popen&type=code) |
109109
| +MEDIUM | **[fs/permission/modify](https://github.com/chainguard-dev/bincapz/blob/main/rules/fs/permission-modify.yara#chmod)** | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) |
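Review bot: wrapping the bare address as `<threatintel@volexity.com>` is a markdown autolink fix unrelated to the sample-archiving work described in the commit message; it would be easier to review and revert independently as its own lint commit.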
@@ -144,6 +144,10 @@ bincapz --format=json <file> | jq '.Files.[].Behaviors | keys'
144144
- `--third-party`: include third-party rules, which may have licensing restrictions (default true)
145145
- `--verbose`: turn on verbose output for diagnostic/troubleshooting purposes
146146

147+
## Samples
148+
149+
All of the samples used by bincapz to test rules and functionality are stored in the `samples.tar.gz` archive. Makefile targets are provided to extract the contents of the archive as well as re-create the archive when samples are added/updated.
150+
147151
## FAQ
148152

149153
### How does it work?
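Review bot: the new Samples section says the samples live in "the `samples.tar.gz` archive", but the Makefile in this commit produces split parts named `samples.tar.gz.*` and there is no single `samples.tar.gz` file, so a reader following the README will not find the artifact it names. Name the parts, state the two targets explicitly (`make extract-samples` and `make archive-samples`), and mention that the extracted `samples/` directory is gitignored so contributors know that new samples must be re-archived and the parts committed.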
@@ -185,6 +189,7 @@ In addition to contributed code, automated PRs and commits can be verified by fo
185189
#### Profiling
186190

187191
`bincapz` can be profiled by running `--profile=true`. This will generate timestamped profiles in an untracked `profiles` directory:
192+
188193
```
189194
bash-5.2$ ls -l profiles/ | grep -v "total" | awk '{ print $9 }'
190195
cpu_329605000.pprof
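Review bot: this hunk and the following one only add a blank line before an existing fenced code block (a markdown lint fix), which is unrelated to archiving samples; fine to keep, but it belongs with the autolink change above in a separate formatting commit.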
@@ -195,6 +200,7 @@ trace_329605000.out
195200
The traces can be inspected via `go tool pprof` and `go tool trace`.
196201

197202
For example, the memory profile can be inspected by running:
203+
198204
```
199205
go tool pprof -http=:8080 profiles/mem_<timestamp>.pprof
200206
```

pkg/version/version.go

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@ import (
66
)
77

88
const (
9-
ID string = "v0.17.0"
9+
ID string = "v0.17.1"
1010
)
1111

1212
// Check if the build info contains a version.
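Review bot: bumping `ID` to `v0.17.1` in the same commit makes this the release commit, so before tagging it confirm that the split archive parts are actually committed alongside the removal of the raw sample files (the summary shows 245 files and 135363 lines removed, while binary parts do not appear in this view); a tag whose `make test` depends on `extract-samples` will fail on a clean checkout if the parts are missing.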
