Merge pull request #334 from tstromberg/fpr-nov2

Optimize YARA process queries by deduping paths
chainguard-dev · Nov 2, 2023 · 9e9da12 · 9e9da12
2 parents 6a343d0 + 5802021
commit 9e9da12
Show file tree

Hide file tree

Showing 7 changed files with 89 additions and 21 deletions.
diff --git a/detection/execution/yara-unexpected-miner-process.sql b/detection/execution/yara-unexpected-miner-process.sql
@@ -42,7 +42,17 @@ FROM
   LEFT JOIN processes p2 ON p1.parent = p2.pid
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
-  p0.start_time > (strftime('%s', 'now') - 7200)
+  p0.pid IN (
+    SELECT
+      pid
+    FROM
+      processes
+    WHERE
+      start_time > (strftime('%s', 'now') - 7200)
+      AND path != ""
+    GROUP BY
+      path
+  )
   AND yara.sigrule = '    
     rule miner {
     strings:
@@ -54,4 +64,4 @@ WHERE
     condition:
         filesize < 10MB and 1 of them
 }'
-  AND yara.count > 0
+  AND yara.count > 0
diff --git a/detection/execution/yara-unexpected-upx-process.sql b/detection/execution/yara-unexpected-upx-process.sql
@@ -39,7 +39,17 @@ FROM
   LEFT JOIN processes p2 ON p1.parent = p2.pid
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
-  p0.start_time > (strftime('%s', 'now') - 7200)
+  p0.pid IN (
+    SELECT
+      pid
+    FROM
+      processes
+    WHERE
+      start_time > (strftime('%s', 'now') - 7200)
+      AND path != ""
+    GROUP BY
+      path
+  )
   AND yara.sigrule = '    
     rule upx {
     strings:
@@ -48,4 +58,4 @@ WHERE
     condition:
         $upx_sig in (0..1024)
     }'
-  AND yara.count > 0
+  AND yara.count > 0
diff --git a/detection/exfil/yara-exec-connect-process-linux.sql b/detection/exfil/yara-exec-connect-process-linux.sql
@@ -42,9 +42,18 @@ FROM
   LEFT JOIN processes p2 ON p1.parent = p2.pid
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
-  p0.start_time > (strftime('%s', 'now') - 7200)
-  AND
-  yara.sigrule = '    
+  p0.pid IN (
+    SELECT
+      pid
+    FROM
+      processes
+    WHERE
+      start_time > (strftime('%s', 'now') - 7200)
+      AND path != ""
+    GROUP BY
+      path
+  )
+  AND yara.sigrule = '    
     rule syscalls {
     strings:
         $inet_ntoa = "inet_ntoa"

diff --git a/detection/exfil/yara-unexpected-go-crypt-exec-process.sql b/detection/exfil/yara-unexpected-go-crypt-exec-process.sql
@@ -42,7 +42,17 @@ FROM
   LEFT JOIN processes p2 ON p1.parent = p2.pid
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
-  p0.start_time > (strftime('%s', 'now') - 3600)
+  p0.pid IN (
+    SELECT
+      pid
+    FROM
+      processes
+    WHERE
+      start_time > (strftime('%s', 'now') - 3600)
+      AND path != ""
+    GROUP BY
+      path
+  )
   AND yara.sigrule = '    
     rule cryptexec {
     strings:

diff --git a/detection/exfil/yara-unexpected-rust-http-exec-process.sql b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
@@ -38,7 +38,17 @@ FROM
   LEFT JOIN processes p2 ON p1.parent = p2.pid
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
-  p0.start_time > (strftime('%s', 'now') - 7200)
+  p0.pid IN (
+    SELECT
+      pid
+    FROM
+      processes
+    WHERE
+      start_time > (strftime('%s', 'now') - 7200)
+      AND path != ""
+    GROUP BY
+      path
+  )
   AND yara.sigrule = '    
     rule http_exec {
     strings:

diff --git a/detection/persistence/yara-libtomcrypt-process.sql b/detection/persistence/yara-libtomcrypt-process.sql
@@ -42,14 +42,23 @@ FROM
   LEFT JOIN processes p2 ON p1.parent = p2.pid
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
-  p0.start_time > (strftime('%s', 'now') - 3600)
-  AND
-  yara.sigrule = '    
-    rule redflags {
-    strings:
-        $libtomcrypt = "LibTomCrypt"
-        $email = "tomstdenis@gmail.com"
-    condition:
-        filesize < 10MB and 1 of them
-}'
-  AND yara.count > 0
+  p0.pid IN (
+    SELECT
+      pid
+    FROM
+      processes
+    WHERE
+      start_time > (strftime('%s', 'now') - 3600)
+      AND path != ""
+    GROUP BY
+      path
+  )
+  AND yara.sigrule = '    
+      rule redflags {
+      strings:
+          $libtomcrypt = "LibTomCrypt"
+          $email = "tomstdenis@gmail.com"
+      condition:
+          filesize < 10MB and 1 of them
+  }'
+  AND yara.count > 0
diff --git a/detection/persistence/yara-suspicious-strings-process-linux.sql b/detection/persistence/yara-suspicious-strings-process-linux.sql
@@ -42,7 +42,17 @@ FROM
   LEFT JOIN processes p2 ON p1.parent = p2.pid
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
-  p0.start_time > (strftime('%s', 'now') - 7200)
+  p0.pid IN (
+    SELECT
+      pid
+    FROM
+      processes
+    WHERE
+      start_time > (strftime('%s', 'now') - 7200)
+      AND path != ""
+    GROUP BY
+      path
+  )
   AND yara.sigrule = '    
     rule redflags {
     strings: