Leverage yr scan --profile to tune slowest rules (#708)

* Leverage yr scan --profile to tune slowest rules Signed-off-by: egibs <[email protected]> * Ignore compiled rules Signed-off-by: egibs <[email protected]> * Run make yara-x-fmt Signed-off-by: egibs <[email protected]> * Address PR comments Signed-off-by: egibs <[email protected]> * Merge b64decode + long_str strings Signed-off-by: egibs <[email protected]> * Run make yara-x-fmt Signed-off-by: egibs <[email protected]> --------- Signed-off-by: egibs <[email protected]>
chainguard-dev · Dec 16, 2024 · 3903332 · 3903332
1 parent e7e22d4
commit 3903332
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 19 deletions.
diff --git a/.gitignore b/.gitignore
@@ -29,3 +29,6 @@ profiles/
 
 # Malcontent samples (obsolete)
 samples/
+
+# Compiled rules
+*.yarc
diff --git a/rules/anti-static/obfuscation/python.yara b/rules/anti-static/obfuscation/python.yara
@@ -440,19 +440,18 @@ rule decompress_base64_entropy: high {
     description = "hidden base64-encoded compressed content"
 
   strings:
-    $k_lzma       = "lzma"
-    $k_gzip       = "gzip"
-    $k_zlib       = "zlib"
-    $b64decode    = "b64decode("
-    $f_bytes      = "bytes("
-    $f_decode     = "decode("
-    $f_decompress = "decompress("
-    $f_eval       = "eval("
-    $f_exec       = "exec("
-    $long_str     = /[\'\"][\+\w\/]{96}/
-
-  condition:
-    filesize < 10MB and any of ($k*) and $b64decode and $long_str and any of ($f*)
+    $k_lzma         = "lzma"
+    $k_gzip         = "gzip"
+    $k_zlib         = "zlib"
+    $f_bytes        = "bytes("
+    $f_decode       = "decode("
+    $f_decompress   = "decompress("
+    $f_eval         = "eval("
+    $f_exec         = "exec("
+    $b64decode_long = /b64decode\(\"[\+\=\w\/]{96}/
+
+  condition:
+    filesize < 10MB and any of ($k*) and $b64decode_long and any of ($f*)
 }
 
 rule join: low {

diff --git a/rules/c2/tool_transfer/download.yara b/rules/c2/tool_transfer/download.yara
@@ -75,7 +75,7 @@ rule http_archive_url: medium {
     description = "accesses hardcoded archive file endpoint"
 
   strings:
-    $ref         = /https*:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.(zip|tar|tgz|gz|xz)/ fullword
+    $ref         = /https{0,1}:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.(zip|tar|tgz|gz|xz)/ fullword
     $not_foo_bar = "http://foo/bar.tar"
 
   condition:
@@ -93,10 +93,9 @@ rule http_archive_url_higher: high {
     description = "accesses hardcoded archive file endpoint"
 
   strings:
-    $ref         = /https*:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.(zip|tar|tgz|gz|xz)/ fullword
+    $ref         = /https{0,1}:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.(zip|tar|tgz|gz|xz)/ fullword
     $not_foo_bar = "http://foo/bar.tar"
 
   condition:
     smallerBinary and any of ($ref*) and none of ($not*)
 }
-
diff --git a/rules/impact/degrade/app.yara b/rules/impact/degrade/app.yara
@@ -6,7 +6,7 @@ rule osascript_window_closer: medium {
     $c_osascript   = "osascript" fullword
     $c_tell        = "tell" fullword
     $c_application = "application" fullword
-    $c_app_name    = /\"\w[\.\w ]{0,24}\w\"/ fullword
+    $c_app_name    = /\"\w[\.\w]{3,24}\w\"/ fullword
     $c_to          = "to" fullword
     $c_close       = "close" fullword
     $c_window      = "window" fullword
@@ -23,11 +23,10 @@ rule osascript_quitter: medium {
     $c_osascript   = "osascript" fullword
     $c_tell        = "tell" fullword
     $c_application = "application" fullword
-    $c_app_name    = /\"\w[\.\w ]{0,24}\w\"/ fullword
+    $c_app_name    = /\"\w[\.\w]{3,24}\w\"/ fullword
     $c_to          = "to" fullword
     $c_quit        = "quit" fullword
 
   condition:
     filesize < 256KB and all of ($c*)
 }
-