Merge pull request #26 from tstromberg/main
Omit empty fields from JSON/YAML output
tstromberg committed Mar 3, 2024
2 parents b97c1af + b195a51 commit 83f08df
Showing 16 changed files with 1,761 additions and 489 deletions.
28 changes: 14 additions & 14 deletions pkg/bincapz/report.go
Expand Up @@ -22,29 +22,29 @@ var riskLevels = map[int]string{
}

type Behavior struct {
Description string `json:",omitempty" yaml:",omitempty"`
Strings []string
Description string `json:",omitempty" yaml:",omitempty"`
Strings []string `json:",omitempty" yaml:",omitempty"`
RiskScore int
RiskLevel string
RuleAuthor string
RuleLicense string
RiskLevel string `json:",omitempty" yaml:",omitempty"`
RuleAuthor string `json:",omitempty" yaml:",omitempty"`
RuleLicense string `json:",omitempty" yaml:",omitempty"`
}

type FileReport struct {
// compiler -> x
Error string
Skipped string
Meta map[string]string
Syscalls []string
Pledge []string
Capabilities []string
Behaviors map[string]Behavior
FilteredBehaviors int `json:",omitempty" yaml:",omitempty"`
Error string `json:",omitempty" yaml:",omitempty"`
Skipped string `json:",omitempty" yaml:",omitempty"`
Meta map[string]string `json:",omitempty" yaml:",omitempty"`
Syscalls []string `json:",omitempty" yaml:",omitempty"`
Pledge []string `json:",omitempty" yaml:",omitempty"`
Capabilities []string `json:",omitempty" yaml:",omitempty"`
Behaviors map[string]Behavior `json:",omitempty" yaml:",omitempty"`
FilteredBehaviors int `json:",omitempty" yaml:",omitempty"`
}

type Report struct {
Files map[string]FileReport
Filter string
Filter string `json:",omitempty" yaml:",omitempty"`
}

// yaraForge has some very very long rule names
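Review bot: The exported types Behavior, FileReport and Report still carry no doc comments, and the `// compiler -> x` comment that now sits above `Error` in FileReport appears to describe the `Meta` map further down rather than the field beneath it; moving it next to `Meta map[string]string` and adding a one-line comment per type such as `// FileReport is the per-file scan result; empty fields are omitted from JSON and YAML output.` would make the serialization contract visible where the tags are. With `omitempty` now on `Syscalls`, `Pledge`, `Capabilities` and `Behaviors`, a file that was analyzed and matched nothing serializes with those keys absent rather than as `[]`/`{}` (the testdata section in this commit appears to drop `"Capabilities": []`), so any consumer that distinguished an empty list from a missing key would have to rely on `Skipped` and `Error` instead, which is worth stating in that comment. `RiskScore int` keeps no tag while `RiskLevel` gains `omitempty`, which looks intentional so a zero score is still emitted; a short comment such as `// RiskScore is always emitted; RiskLevel is derived from it and may be empty.` would keep a later tag sweep from changing it.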
169 changes: 135 additions & 34 deletions testdata/Linux/bpfdoor_2022.x86_64.json
@@ -1,21 +1,15 @@
{
"Files": {
"bpfdoor_2022.x86_64": {
"Meta": {
"compiler": "gcc"
},
"./Linux/bpfdoor_2022.x86_64": {
"Syscalls": [
"accept",
"chroot",
"connect",
"execve",
"getpid",
"getuid",
"ioctl",
"prctl",
"fork",
"select",
"sendmsg",
"sendto",
"setsid",
"setsockopt",
"unlink",
"utimes",
"vhangup"
Expand All @@ -24,41 +18,134 @@
"exec",
"fattr",
"inet",
"proc",
"rpath",
"stdio",
"wpath"
],
"Capabilities": [],
"Behaviors": {
"3P/elastic/linux/bpfdoor": {
"Description": "Detects Linux Trojan Bpfdoor (Linux.Trojan.BPFDoor)",
"Strings": [
"$a1"
],
"RiskScore": 4,
"RiskLevel": "CRIT",
"RuleAuthor": "Elastic Security",
"RuleLicense": "https://github.com/elastic/protections-artifacts//blob/6d54ae289b290b1d42a7717569483f6ce907200a/LICENSE.txt"
},
"3P/signature_base/redmenshen/bpfdoor": {
"Description": "Detects BPFDoor implants used by Chinese actor Red Menshen",
"Strings": [
"$op1",
"$op2",
"$op3",
"$op4"
],
"RiskScore": 4,
"RiskLevel": "CRIT",
"RuleAuthor": "Florian Roth (Nextron Systems)",
"RuleLicense": "https://github.com/Neo23x0/signature-base/blob/cd7651d2ccf4158a35a8d1cc0441928f7d92818f/LICENSE"
},
"combo/backdoor/linux/listen_terminal_exec": {
"Description": "Listens, provides a terminal, runs program",
"Strings": [
"/dev/ptmx",
"execve",
"grantpt",
"listen"
],
"RiskScore": 3,
"RiskLevel": "HIGH"
},
"combo/backdoor/linux/multiple_sys_commands": {
"Description": "multiple sys commands",
"Strings": [
"auditd",
"systemd/systemd"
],
"RiskScore": 3,
"RiskLevel": "HIGH"
},
"device/pseudo_terminal": {
"Description": "pseudo-terminal access functions",
"Strings": [
"grantpt",
"ptsname",
"unlockpt"
],
"Risk": 1
"RiskScore": 2,
"RiskLevel": "MED"
},
"exec/program": {
"Description": "calls other programs",
"Description": "executes another program",
"Strings": [
"execve"
],
"Risk": 1
"RiskScore": 2,
"RiskLevel": "MED"
},
"exec/program/background": {
"Description": "Waits for a process to exit",
"Strings": [
"waitpid"
],
"Risk": 1
"RiskScore": 1,
"RiskLevel": "LOW"
},
"exec/shell_command": {
"Description": "execute a shell command",
"Strings": [
"system"
],
"RiskScore": 2,
"RiskLevel": "MED"
},
"fd/multiplex": {
"Description": "monitor multiple file descriptors",
"Strings": [
"select"
],
"RiskScore": 1,
"RiskLevel": "LOW"
},
"fs/file/delete": {
"Description": "deletes files",
"Strings": [
"unlink"
],
"Risk": 1
"RiskScore": 1,
"RiskLevel": "LOW"
},
"fs/file/times/set": {
"Description": "change file last access and modification times",
"Strings": [
"utimes"
],
"RiskScore": 2,
"RiskLevel": "MED"
},
"net/ip/byte/order": {
"Description": "convert values between host and network byte order",
"Strings": [
"htons"
],
"RiskScore": 2,
"RiskLevel": "MED"
},
"net/ip/string": {
"Description": "converts IP address from byte to string",
"Strings": [
"inet_ntoa"
],
"RiskScore": 2,
"RiskLevel": "MED"
},
"net/socket/connect": {
"Description": "initiate a connection on a socket",
"Strings": [
"connect"
],
"RiskScore": 1,
"RiskLevel": "LOW"
},
"net/socket/listen": {
"Description": "listen on a socket",
Expand All @@ -67,60 +154,74 @@
"listen",
"socket"
],
"Risk": 1
"RiskScore": 1,
"RiskLevel": "LOW"
},
"net/socket/receive": {
"Description": "receive a message from a socket",
"Strings": [
"recvfrom"
],
"Risk": 1
"RiskScore": 1,
"RiskLevel": "LOW"
},
"net/socket/send": {
"Description": "send a message to a socket",
"Strings": [
"sendto"
],
"Risk": 1
"RiskScore": 1,
"RiskLevel": "LOW"
},
"process/create": {
"Description": "Create a new child process using fork",
"Strings": [
"fork"
],
"RiskScore": 1,
"RiskLevel": "LOW"
},
"proc/chroot": {
"process/current/chroot": {
"Description": "change the location of root for the process",
"Strings": [
"chroot"
],
"Risk": 1
"RiskScore": 1,
"RiskLevel": "LOW"
},
"random/insecure": {
"Description": "generate random numbers insecurely",
"Strings": [
"srand"
],
"Risk": 1
"RiskScore": 1,
"RiskLevel": "LOW"
},
"ref/path/usr/sbin": {
"Description": "References paths within /usr/sbin",
"Strings": [
"/usr/sbin/console-kit-daemon"
],
"Risk": 1
"RiskScore": 1,
"RiskLevel": "LOW"
},
"service/daemon": {
"Description": "Run as a background daemon",
"ref/program/ancient_gcc": {
"Description": "built by archaic gcc version",
"Strings": [
"daemon"
"GCC: (GNU) 4.4.7"
],
"Risk": 1
"RiskScore": 3,
"RiskLevel": "HIGH"
},
"tty/vhangup": {
"Description": "virtually hangup the current terminal",
"Strings": [
"vhangup"
],
"Risk": 1
"RiskScore": 1,
"RiskLevel": "LOW"
}
},
"FilteredBehaviors": 8
}
}
},
"Filter": "harmless"
}
}
