Merge pull request #43 from tstromberg/main

Make output more concise

pkg/bincapz/render.go

@@ -25,6 +25,7 @@ func forceWrap(s string, x int) string {
 	fw := []string{}
 	for _, w := range words {
 		if len(w) > x-2 {
+			klog.Infof("wrapping %s - longer than %d", w, x-2)
 			w = w[0:x-2] + ".."
 		}
 		fw = append(fw, w)
@@ -85,19 +86,21 @@ func RenderTable(fr *FileReport, w io.Writer) {
 		data = append(data, []string{"", "", "", ""})
 	}
 
-	valWidth := 24
 	width := terminalWidth()
-	if width > 110 {
-		valWidth += (width - 110)
+	valWidth := 8
+
+	if width > 90 {
+		valWidth = (width - 90)
 	}
+
 	if valWidth > 65 {
 		valWidth = 65
 	}
 
 	klog.Infof("terminal width: %d / val width: %d", width, valWidth)
 
 	for _, k := range kbs {
-		val := strings.Join(k.Behavior.Strings, "|||")
+		val := strings.Join(k.Behavior.Strings, "\n")
 		val = forceWrap(val, valWidth)
 		val = strings.ReplaceAll(val, "|||", "\n")
 
@@ -114,15 +117,15 @@ func RenderTable(fr *FileReport, w io.Writer) {
 			}
 		}
 
-		words, _ := tablewriter.WrapString(desc, 52)
+		words, _ := tablewriter.WrapString(desc, 40)
 		desc = strings.Join(words, "\n")
 
 		data = append(data, []string{fmt.Sprintf("%d/%s", k.Behavior.RiskScore, k.Behavior.RiskLevel), k.Key, val, desc})
 	}
 	table := tablewriter.NewWriter(os.Stdout)
 	table.SetAutoWrapText(false)
 	table.SetHeader([]string{"Risk", "Key", "Values", "Description"})
-	//table.SetBorder(false)
+	table.SetBorder(false)
 	for _, d := range data {
 		if strings.Contains(d[0], "LOW") {
 			table.Rich(d, []tablewriter.Colors{tablewriter.Colors{tablewriter.Normal, tablewriter.FgGreenColor}})

pkg/bincapz/report.go

@@ -64,6 +64,7 @@ var yaraForgeJunkWords = map[string]bool{
 	"encoded":           true,
 	"forensicartifacts": true,
 	"lnx":               true,
+	"linux":             true,
 }
 
 var dateRe = regexp.MustCompile(`[a-z]{3}\d{1,2}`)

rules/combo/backdoor/linux/sensitive_linux_logs.yara → rules/combo/backdoor/sensitive_logs.yara

@@ -1,5 +1,4 @@
-
-rule system_log_references {
+rule system_log_references : suspicious {
   meta:
 	description = "Accesses multiple sensitive Linux logs"
   strings:

rules/combo/worm/ssh.yara

@@ -1,6 +1,6 @@
-rule generic_scan_tool : critical {
+rule generic_scan_tool : suspicious {
   meta:
-	description = "Probably an SSH worm, like SSH-Snake"
+	description = "possible SSH worm like SSH-Snake"
   strings:
 	$s_dot_ssh = ".ssh"
 	$s_authorized_keys = "authorized_keys"

rules/data/embedded-pem-private_key.yara

@@ -1,4 +1,4 @@
-rule begin_key {
+rule begin_private_key : notable {
 	meta:
 		description = "Contains PRIVATE KEY directive"
 	strings:
@@ -7,4 +7,15 @@ rule begin_key {
 		any of them
 }
 
+rule rsa_private_key : notable {
+	meta:
+		description = "Contains RSA PRIVATE KEY directive"
+	strings:
+		$ref = "RSA PRIVATE KEY-----"
+	condition:
+		any of them
+}
+
+
+
 

rules/data/embedded-ssh-key.yara

@@ -1,5 +1,6 @@
-rule ssh_pubilc_key : suspicious {
+rule ssh_public_key : suspicious {
 	meta:
+		description = "contains SSH public key"
 	    ref = "https://unfinished.bike/qubitstrike-and-diamorphine-linux-kernel-rootkits-go-mainstream"
 	strings:
 	    $ssh_rsa = /ssh-[dr]sa [\w\+\/\=]{0,1024} [\w\-\.]{0,32}\@[\w\.\-]{1,64}/

rules/ref/email.yara

@@ -1,4 +1,4 @@
-rule email_addr {
+rule email_addr : harmless {
   meta:
 	description = "Contains an email address"
   strings:

rules/techniques/code_eval.yara

@@ -6,3 +6,4 @@ rule eval : suspicious {
 	condition:
 		any of them
 }
+