chore(yara): Log rule loading and check view section size

rabbitstack · rabbitstack · commit ce454a3f8c31 · 2024-11-19T21:41:53.000+01:00
Log the loading of the YARA rule and check the size of
the view of section. Small sections should not be
candidates for scanning.
diff --git a/pkg/yara/scanner.go b/pkg/yara/scanner.go
@@ -103,6 +103,7 @@ func NewScanner(psnap ps.Snapshotter, config config.Config) (Scanner, error) {
 				return nil
 			}
 			rulesInCompiler.Add(1)
+			log.Infof("loading yara rule(s) from %s", filepath.Join(path, fi.Name()))
 
 			return nil
 		})
@@ -277,7 +278,8 @@ func (s scanner) Scan(e *kevent.Kevent) (bool, error) {
 		// scan process mapping a suspicious RX/RWX section view
 		pid := e.Kparams.MustGetPid()
 		prot := e.Kparams.MustGetUint32(kparams.MemProtect)
-		if e.PID != 4 && ((prot&kevent.SectionRX) != 0 && (prot&kevent.SectionRWX) != 0) {
+		size := e.Kparams.MustGetUint64(kparams.FileViewSize)
+		if e.PID != 4 && size >= 4096 && ((prot&kevent.SectionRX) != 0 && (prot&kevent.SectionRWX) != 0) {
 			filename := e.GetParamAsString(kparams.FileName)
 			// skip mappings of signed images
 			addr := e.Kparams.MustGetUint64(kparams.FileViewBase)
diff --git a/pkg/yara/scanner_test.go b/pkg/yara/scanner_test.go
@@ -725,6 +725,7 @@ func TestScan(t *testing.T) {
 					Kparams: kevent.Kparams{
 						kparams.ProcessID:    {Name: kparams.ProcessID, Type: kparams.PID, Value: pid},
 						kparams.FileViewBase: {Name: kparams.FileViewBase, Type: kparams.Address, Value: uint64(0x7ffe0000)},
+						kparams.FileViewSize: {Name: kparams.FileViewSize, Type: kparams.Uint64, Value: uint64(12333)},
 						kparams.MemProtect:   {Name: kparams.MemProtect, Type: kparams.Flags, Value: uint32(kevent.SectionRX), Flags: kevent.ViewProtectionFlags},
 					},
 					Metadata: make(map[kevent.MetadataKey]any),
@@ -780,6 +781,7 @@ func TestScan(t *testing.T) {
 					Kparams: kevent.Kparams{
 						kparams.ProcessID:    {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(1123)},
 						kparams.FileViewBase: {Name: kparams.FileViewBase, Type: kparams.Address, Value: uint64(0x7f3e1000)},
+						kparams.FileViewSize: {Name: kparams.FileViewSize, Type: kparams.Uint64, Value: uint64(12333)},
 						kparams.MemProtect:   {Name: kparams.MemProtect, Type: kparams.Flags, Value: uint32(kevent.SectionRX), Flags: kevent.ViewProtectionFlags},
 					},
 					Metadata: make(map[kevent.MetadataKey]any),
@@ -828,6 +830,7 @@ func TestScan(t *testing.T) {
 					Kparams: kevent.Kparams{
 						kparams.ProcessID:    {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(321321)},
 						kparams.FileViewBase: {Name: kparams.FileViewBase, Type: kparams.Address, Value: uint64(0x7ffe0000)},
+						kparams.FileViewSize: {Name: kparams.FileViewSize, Type: kparams.Uint64, Value: uint64(12333)},
 						kparams.MemProtect:   {Name: kparams.MemProtect, Type: kparams.Flags, Value: uint32(0x10000), Flags: kevent.ViewProtectionFlags},
 					},
 					Metadata: make(map[kevent.MetadataKey]any),
@@ -877,6 +880,7 @@ func TestScan(t *testing.T) {
 						kparams.ProcessID:    {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(1123)},
 						kparams.FileName:     {Name: kparams.FileName, Type: kparams.UnicodeString, Value: filepath.Join(os.Getenv("windir"), "regedit.exe")},
 						kparams.FileViewBase: {Name: kparams.FileViewBase, Type: kparams.Address, Value: uint64(0x7ffe0000)},
+						kparams.FileViewSize: {Name: kparams.FileViewSize, Type: kparams.Uint64, Value: uint64(12333)},
 						kparams.MemProtect:   {Name: kparams.MemProtect, Type: kparams.Flags, Value: uint32(kevent.SectionRWX), Flags: kevent.ViewProtectionFlags},
 					},
 					Metadata: make(map[kevent.MetadataKey]any),
