Commit
Blacklist and remove bunch of YARA rules 1/2
* `ft_*` are quite useless
* `mbedded_win_api` triggers on a whole bunch of header files in /usr/include
* `shell_functions` triggers on mysql.h, phpcomplete.vim & others
* `shell_names` triggers on chkrootkit :)
* "r57shell.php"
* Also youtube-dl
* `DarkComet_Keylogs_Memory` triggers on a bunch of header files
* `PM_Dyre_Delivery1` triggers on header files
* `web_log_review` triggers on header files
* `Mozi_Obfuscation_Technique` FPs on /usr/bin/php and other parts of legit PHP
* Cerberus FPs on a whole bunch of stuff
* `CrowdStrike_CVE_2014_4113` FPs on a bunch of `LC_COLLATE` files
* `dbgdetect_files` FPs on a whole bunch of legit files
* N3utrino FPs on libmariadbd.so.19, mariadbd, libclamav.so.12.0.1 & a whole bunch of others :D
* `LinuxDDOS_Agent` FPs against youtube-dl
* Actually it looks like youtube-dl is a quite good candidate for a goodware corpus :)
* `shellshock_generic` FPs on /usr/lib64/gcc/x86_64-slackware-linux/11.2.0/include/d/std/algorithm/iteration.d (gcc-gdc package)
* `memory_shylock` is too generic. E.g. "$b = /id=[A-F0-9]{32}/"
* etc. etc.
8e6456f
#84