rfxn/linux-malware-detect

{YARA}blackhole_basic seems a bit too broad

danci1973 opened this issue · 2 comments

Latest signature update introduced a new rule 'blackhole_basic' which flags URLs in comments - like this one (if I remove this line, the file passes as clean, otherwise it's marked as a hit):

// http://wiki.ecmascript.org/doku.php?id=strawman:concurrency&rev=1308776521#allfulfilled

It also flags a bunch of cache files generated by the Magento eCommerce platform (https://magento.com/) in the var/cache directory. I checked about 50 of these files and all seem to be false positives. These files seem to be 'minified' with few, but very long lines, and they do include URLs with .php and ?, & characters.

The rule is relatively simple, but probably too broad:

rule blackhole_basic :  EK
{
    strings:
        $a = /\.php\?.*?\:[a-zA-Z0-9\:]{6,}?\&.*?\&/
    condition:
        $a
}

I tried using some online regex testers, but interestingly, none of them found a match in the above example line, unless I added another & behind the first one.

Unfortunately, this is where my regex knowledge ends and my (temporary?) solution is to add the rule to the ignore_sigs file.
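As an added illustration (not part of the original issue or of the maldet signature set), the script below transcribes the rule's regex into Python, which uses the same default as YARA in that `.` does not cross a newline, and runs it over a few constructed lines. It shows why the single comment URL quoted above does not match on its own (the pattern needs a second `&` after the `:xxxxxx&` segment) and why a long minified line can match even when no single URL in it is suspicious: the two `&` characters may come from different URLs on the same line. The sample lines, hostnames and the helper names are invented for this example.

```python
import re

# Regex transcribed verbatim from the blackhole_basic YARA rule. Python's
# re, like YARA without the /s modifier, does not let "." match a newline,
# so a match has to complete within one physical line.
BLACKHOLE_BASIC = re.compile(r"\.php\?.*?\:[a-zA-Z0-9\:]{6,}?\&.*?\&")

# Constructed samples (hostnames and parameters are made up for this example).
COMMENT_URL = (
    "// http://wiki.ecmascript.org/doku.php"
    "?id=strawman:concurrency&rev=1308776521#allfulfilled"
)
SAMPLES = {
    # The line from the issue: only one "&" after "strawman:concurrency".
    "comment_url": COMMENT_URL,
    # Same line with a second "&" appended, as the reporter tried.
    "comment_url_extra_amp": COMMENT_URL + "&foo=bar",
    # A minified, cache-like line holding two ordinary URLs. The first one
    # supplies ".php?" and ":details&", the second one supplies the final "&".
    "minified_line": (
        '{"a":"http://shop.example/index.php?route=product:details&id=42",'
        '"b":"http://shop.example/index.php?x=1&y=2"}'
    ),
    # No ".php?" at all, so the rule can never fire on it.
    "no_php": "https://example.com/page?id=strawman:concurrency&rev=1&x=2",
}


def scan_text(text):
    """Return every rule hit in `text` as a dict with line number, column and
    the matched substring, so a triager can see exactly what satisfied the
    regex instead of only learning that the file was flagged."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in BLACKHOLE_BASIC.finditer(line):
            hits.append({
                "line": lineno,
                "col": m.start() + 1,
                "matched": m.group(0),
            })
    return hits


def report(samples):
    """Human-readable summary of which constructed samples the rule flags."""
    lines = []
    for name, text in samples.items():
        hits = scan_text(text)
        if not hits:
            lines.append(f"{name}: clean")
        for h in hits:
            lines.append(f"{name}: hit at line {h['line']} col {h['col']}: {h['matched']!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLES))
```

The `minified_line` hit is the instructive one: the matched substring starts at `.php?` in the first URL and ends at the `&` inside the second URL, which is exactly the situation the reporter describes in Magento cache files with a few very long lines. Splitting the same content across two lines (one URL per line) produces no hit, because `.*?` cannot cross the line break.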

We're having the same issue. Maldetect shows false positives in Joomla 3.9.20 cache files. We checked the files, nothing fishy, all are legit Joomla cache files. Seems this rule is to blame.

Any fix on this?

rfxn commented

@cre8gr @danci1973 Thank you for the feedback. I've pulled the rule from the yara rule set and new signature files are pushing up now. You should be able to run 'maldet -u' in a couple of minutes or wait for daily cron to pull down updates.

Thank you