chore: fix or suppress rule warnings (#1260)

egibs · web-flow · commit a24e32369e52 · 2025-12-10T12:54:10.000-08:00
Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;
diff --git a/rules/anti-static/elf/header.yara b/rules/anti-static/elf/header.yara
@@ -10,7 +10,7 @@ rule single_load_rwe: critical {
     author = "Tenable"
 
   condition:
-    elf.number_of_segments == 1 and elf.segments[0].type == elf.PT_LOAD and elf.segments[0].flags == elf.PF_R | elf.PF_W | elf.PF_X
+    elf.number_of_segments == 1 and elf.segments[0].type == elf.PT_LOAD and elf.segments[0].flags == elf.PF_R | elf.PF_W | elf.PF_X  // suppress: deprecated_field
 }
 
 rule fake_section_headers_conflicting_entry_point_address: critical {
@@ -22,7 +22,7 @@ rule fake_section_headers_conflicting_entry_point_address: critical {
     author = "Tenable"
 
   condition:
-    elf.type == elf.ET_EXEC and elf.entry_point < filesize and elf.number_of_segments > 0 and elf.number_of_sections > 0 and not (for any i in (0..elf.number_of_segments): ((elf.segments[i].offset <= elf.entry_point) and ((elf.segments[i].offset + elf.segments[i].file_size) >= elf.entry_point) and for any j in (0..elf.number_of_sections): (elf.sections[j].offset <= elf.entry_point and ((elf.sections[j].offset + elf.sections[j].size) >= elf.entry_point) and (elf.segments[i].virtual_address + (elf.entry_point - elf.segments[i].offset)) == (elf.sections[j].address + (elf.entry_point - elf.sections[j].offset)))))
+    elf.type == elf.ET_EXEC and elf.entry_point < filesize and elf.number_of_segments > 0 and elf.number_of_sections > 0 and not (for any i in (0..elf.number_of_segments): ((elf.segments[i].offset <= elf.entry_point) and ((elf.segments[i].offset + elf.segments[i].file_size) >= elf.entry_point) and for any j in (0..elf.number_of_sections): (elf.sections[j].offset <= elf.entry_point and ((elf.sections[j].offset + elf.sections[j].size) >= elf.entry_point) and (elf.segments[i].virtual_address + (elf.entry_point - elf.segments[i].offset)) == (elf.sections[j].address + (elf.entry_point - elf.sections[j].offset)))))  // suppress: deprecated_field
 }
 
 rule fake_dynamic_symbols: critical {
@@ -33,7 +33,7 @@ rule fake_dynamic_symbols: critical {
     author      = "Tenable"
 
   condition:
-    elf.type == elf.ET_EXEC and elf.entry_point < filesize and elf.number_of_sections > 0 and elf.dynamic_section_entries > 0 and for any i in (0..elf.dynamic_section_entries): (elf.dynamic[i].type == elf.DT_SYMTAB and not (for any j in (0..elf.number_of_sections): (elf.sections[j].type == elf.SHT_DYNSYM and for any k in (0..elf.number_of_segments): ((elf.segments[k].virtual_address <= elf.dynamic[i].val) and ((elf.segments[k].virtual_address + elf.segments[k].file_size) >= elf.dynamic[i].val) and (elf.segments[k].offset + (elf.dynamic[i].val - elf.segments[k].virtual_address)) == elf.sections[j].offset))))
+    elf.type == elf.ET_EXEC and elf.entry_point < filesize and elf.number_of_sections > 0 and elf.dynamic_section_entries > 0 and for any i in (0..elf.dynamic_section_entries): (elf.dynamic[i].type == elf.DT_SYMTAB and not (for any j in (0..elf.number_of_sections): (elf.sections[j].type == elf.SHT_DYNSYM and for any k in (0..elf.number_of_segments): ((elf.segments[k].virtual_address <= elf.dynamic[i].val) and ((elf.segments[k].virtual_address + elf.segments[k].file_size) >= elf.dynamic[i].val) and (elf.segments[k].offset + (elf.dynamic[i].val - elf.segments[k].virtual_address)) == elf.sections[j].offset))))  // suppress: deprecated_field
 }
 
 rule high_entropy_header: high {
diff --git a/rules/anti-static/obfuscation/math.yara b/rules/anti-static/obfuscation/math.yara
@@ -56,14 +56,18 @@ rule sketchy_math_conversions: medium {
     $xor1 = /\d{2,16}\^\w{1,8}/
     $xor2 = /\w{1,8}\^\d{2,16}/
 
-    $complex_math = /[\(\[][\w\d\s\+\-\*\/\^]{10,50}[\)\]]/
+    $complex_math_add = /[\(\[][\w\d\s\+\-\*\/\^]+\+[\w\d\s\+\-\*\/\^]+[\)\]]/
+    $complex_math_sub = /[\(\[][\w\d\s\+\-\*\/\^]+\-[\w\d\s\+\-\*\/\^]+[\)\]]/
+    $complex_math_mul = /[\(\[][\w\d\s\+\-\*\/\^]+\*[\w\d\s\+\-\*\/\^]+[\)\]]/
+    $complex_math_div = /[\(\[][\w\d\s\+\-\*\/\^]+\/[\w\d\s\+\-\*\/\^]+[\)\]]/
+    $complex_math_pow = /[\(\[][\w\d\s\+\-\*\/\^]+\^[\w\d\s\+\-\*\/\^]+[\)\]]/
 
   condition:
     filesize < 1MB and
     ($f_parseInt or $f_fromCharCode) and
     (
       (#math1 + #math2 > 5) or
       (#xor1 + #xor2 > 2) or
-      #complex_math > 3
+      any of ($complex_math*)
     )
 }
diff --git a/rules/anti-static/obfuscation/reverse.yara b/rules/anti-static/obfuscation/reverse.yara
@@ -17,7 +17,7 @@ rule js_function_reversal: high {
 
   strings:
     $function_rev1 = "noitcnuf"
-    $function_rev2 = { 6E 6F 69 74 63 6E 75 66 }
+    $function_rev2 = { 6E 6F 69 74 63 6E 75 66 }  // suppress: text_as_hex
 
     $function_dots = /no\.?i\.?t\.?c\.?n\.?u\.?f/
     $return_rev    = "nruter"
diff --git a/rules/malware/family/rustdoor.yara b/rules/malware/family/rustdoor.yara
@@ -6,10 +6,10 @@ rule rustdoor: critical macos {
     hash        = "20b986b24d86d9a06746bdb0c25e21a24cb477acb36e7427a8c465c08d51c1e4"
 
   strings:
-    $botkill      = { 62 6F 74 6B 69 6C 6C }
-    $dialog       = { 7A 69 70 74 61 73 6B }
-    $upload       = { 75 70 6C 6F 61 64 5F 66 69 6C 65 73 72 63 }
-    $launchagents = { 4C 61 75 6E 63 68 41 67 65 6E 74 73 2E 70 6C 69 73 74 }
+    $botkill      = { 62 6F 74 6B 69 6C 6C }  // suppress: text_as_hex
+    $dialog       = { 7A 69 70 74 61 73 6B }  // suppress: text_as_hex
+    $upload       = { 75 70 6C 6F 61 64 5F 66 69 6C 65 73 72 63 }  // suppress: text_as_hex
+    $launchagents = { 4C 61 75 6E 63 68 41 67 65 6E 74 73 2E 70 6C 69 73 74 }  // suppress: text_as_hex
 
   condition:
     filesize > 1MB and filesize < 10MB and all of them
@@ -22,12 +22,12 @@ rule rustdoor_v2: critical macos {
     filetypes   = "macho"
 
   strings:
-    $cfg_daemonize      = { 64 61 65 6D 6F 6E 69 7A 65 }
-    $cfg_cron           = { 63 68 65 63 6B 5F 63 72 6F 6E 5F 61 73 6B 65 64 }
-    $cfg_lock_in_cron   = { 6C 6F 63 6B 5F 69 6E 5F 63 72 6F 6E }
-    $cfg_lock_in_dock   = { 6C 6F 63 6B 5F 69 6E 5F 64 6F 63 6B }
-    $cfg_lock_in_launch = { 6C 6F 63 6B 5F 69 6E 5F 6C 61 75 6E 63 68 }
-    $cfg_copy_files     = { 63 6F 70 79 5F 66 69 6C 65 73 }
+    $cfg_daemonize      = { 64 61 65 6D 6F 6E 69 7A 65 }  // suppress: text_as_hex
+    $cfg_cron           = { 63 68 65 63 6B 5F 63 72 6F 6E 5F 61 73 6B 65 64 }  // suppress: text_as_hex
+    $cfg_lock_in_cron   = { 6C 6F 63 6B 5F 69 6E 5F 63 72 6F 6E }  // suppress: text_as_hex
+    $cfg_lock_in_dock   = { 6C 6F 63 6B 5F 69 6E 5F 64 6F 63 6B }  // suppress: text_as_hex
+    $cfg_lock_in_launch = { 6C 6F 63 6B 5F 69 6E 5F 6C 61 75 6E 63 68 }  // suppress: text_as_hex
+    $cfg_copy_files     = { 63 6F 70 79 5F 66 69 6C 65 73 }  // suppress: text_as_hex
 
   condition:
     filesize > 1MB and filesize < 10MB and 4 of them
@@ -40,10 +40,10 @@ rule rustdoor_maybe: high {
     filetypes   = "macho"
 
   strings:
-    $botkill = { 62 6F 74 6B 69 6C 6C }
-    $upload  = { 75 70 6C 6F 61 64 }
-    $sleep   = { 73 6C 65 65 70 }
-    $rmdir   = { 72 6D 64 69 72 }
+    $botkill = { 62 6F 74 6B 69 6C 6C }  // suppress: text_as_hex
+    $upload  = { 75 70 6C 6F 61 64 }  // suppress: text_as_hex
+    $sleep   = { 73 6C 65 65 70 }  // suppress: text_as_hex
+    $rmdir   = { 72 6D 64 69 72 }  // suppress: text_as_hex
 
   condition:
     filesize > 1MB and filesize < 10MB and all of them
diff --git a/tests/npm/2024.nvmfix/config.js.simple b/tests/npm/2024.nvmfix/config.js.simple
@@ -1,5 +1,6 @@
 # npm/2024.nvmfix/config.js: high
 anti-static/obfuscation/hex: medium
 anti-static/obfuscation/js: high
+anti-static/obfuscation/math: medium
 data/encoding/utf16: medium
 process/create: medium

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ rule single_load_rwe: critical {`
`10`	`10`	`author = "Tenable"`
`11`	`11`
`12`	`12`	`condition:`
`13`		`- elf.number_of_segments == 1 and elf.segments[0].type == elf.PT_LOAD and elf.segments[0].flags == elf.PF_R \| elf.PF_W \| elf.PF_X`
	`13`	`+ elf.number_of_segments == 1 and elf.segments[0].type == elf.PT_LOAD and elf.segments[0].flags == elf.PF_R \| elf.PF_W \| elf.PF_X // suppress: deprecated_field`
`14`	`14`	`}`
`15`	`15`
`16`	`16`	`rule fake_section_headers_conflicting_entry_point_address: critical {`
`@@ -22,7 +22,7 @@ rule fake_section_headers_conflicting_entry_point_address: critical {`
`22`	`22`	`author = "Tenable"`
`23`	`23`
`24`	`24`	`condition:`
`25`		- elf.type == elf.ET_EXEC and elf.entry_point < filesize and elf.number_of_segments > 0 and elf.number_of_sections > 0 and not (for any i in (0..elf.number_of_segments): ((elf.segments[i].offset <= elf.entry_point) and ((elf.segments[i].offset + elf.segments[i].file_size) >= elf.entry_point) and for any j in (0..elf.number_of_sections): (elf.sections[j].offset <= elf.entry_point and ((elf.sections[j].offset + elf.sections[j].size) >= elf.entry_point) and (elf.segments[i].virtual_address + (elf.entry_point - elf.segments[i].offset)) == (elf.sections[j].address + (elf.entry_point - elf.sections[j].offset)))))
	`25`	+ elf.type == elf.ET_EXEC and elf.entry_point < filesize and elf.number_of_segments > 0 and elf.number_of_sections > 0 and not (for any i in (0..elf.number_of_segments): ((elf.segments[i].offset <= elf.entry_point) and ((elf.segments[i].offset + elf.segments[i].file_size) >= elf.entry_point) and for any j in (0..elf.number_of_sections): (elf.sections[j].offset <= elf.entry_point and ((elf.sections[j].offset + elf.sections[j].size) >= elf.entry_point) and (elf.segments[i].virtual_address + (elf.entry_point - elf.segments[i].offset)) == (elf.sections[j].address + (elf.entry_point - elf.sections[j].offset))))) // suppress: deprecated_field
`26`	`26`	`}`
`27`	`27`
`28`	`28`	`rule fake_dynamic_symbols: critical {`
`@@ -33,7 +33,7 @@ rule fake_dynamic_symbols: critical {`
`33`	`33`	`author = "Tenable"`
`34`	`34`
`35`	`35`	`condition:`
`36`		- elf.type == elf.ET_EXEC and elf.entry_point < filesize and elf.number_of_sections > 0 and elf.dynamic_section_entries > 0 and for any i in (0..elf.dynamic_section_entries): (elf.dynamic[i].type == elf.DT_SYMTAB and not (for any j in (0..elf.number_of_sections): (elf.sections[j].type == elf.SHT_DYNSYM and for any k in (0..elf.number_of_segments): ((elf.segments[k].virtual_address <= elf.dynamic[i].val) and ((elf.segments[k].virtual_address + elf.segments[k].file_size) >= elf.dynamic[i].val) and (elf.segments[k].offset + (elf.dynamic[i].val - elf.segments[k].virtual_address)) == elf.sections[j].offset))))
	`36`	+ elf.type == elf.ET_EXEC and elf.entry_point < filesize and elf.number_of_sections > 0 and elf.dynamic_section_entries > 0 and for any i in (0..elf.dynamic_section_entries): (elf.dynamic[i].type == elf.DT_SYMTAB and not (for any j in (0..elf.number_of_sections): (elf.sections[j].type == elf.SHT_DYNSYM and for any k in (0..elf.number_of_segments): ((elf.segments[k].virtual_address <= elf.dynamic[i].val) and ((elf.segments[k].virtual_address + elf.segments[k].file_size) >= elf.dynamic[i].val) and (elf.segments[k].offset + (elf.dynamic[i].val - elf.segments[k].virtual_address)) == elf.sections[j].offset)))) // suppress: deprecated_field
`37`	`37`	`}`
`38`	`38`
`39`	`39`	`rule high_entropy_header: high {`
Original file line number	Diff line number	Diff line change
`@@ -56,14 +56,18 @@ rule sketchy_math_conversions: medium {`
`56`	`56`	`$xor1 = /\d{2,16}\^\w{1,8}/`
`57`	`57`	`$xor2 = /\w{1,8}\^\d{2,16}/`
`58`	`58`
`59`		`- $complex_math = /[\(\[][\w\d\s\+\-\*\/\^]{10,50}[\)\]]/`
	`59`	`+ $complex_math_add = /[\(\[][\w\d\s\+\-\\/\^]+\+[\w\d\s\+\-\\/\^]+[\)\]]/`
	`60`	`+ $complex_math_sub = /[\(\[][\w\d\s\+\-\\/\^]+\-[\w\d\s\+\-\\/\^]+[\)\]]/`
	`61`	`+ $complex_math_mul = /[\(\[][\w\d\s\+\-\\/\^]+\[\w\d\s\+\-\*\/\^]+[\)\]]/`
	`62`	`+ $complex_math_div = /[\(\[][\w\d\s\+\-\\/\^]+\/[\w\d\s\+\-\\/\^]+[\)\]]/`
	`63`	`+ $complex_math_pow = /[\(\[][\w\d\s\+\-\\/\^]+\^[\w\d\s\+\-\\/\^]+[\)\]]/`
`60`	`64`
`61`	`65`	`condition:`
`62`	`66`	`filesize < 1MB and`
`63`	`67`	`($f_parseInt or $f_fromCharCode) and`
`64`	`68`	`(`
`65`	`69`	`(#math1 + #math2 > 5) or`
`66`	`70`	`(#xor1 + #xor2 > 2) or`
`67`		`- #complex_math > 3`
	`71`	`+ any of ($complex_math*)`
`68`	`72`	`)`
`69`	`73`	`}`