
Conversation

@EsadCetiner
Member

@EsadCetiner EsadCetiner commented Jul 26, 2025

Adds some commands for AppArmor, bubblewrap, auditd, ping6, pip and capabilities commands.

I couldn't get the AppArmor commands to be blocked at PL-1 because it uses the ~ operator to detect permutations and that operator is broken with some rules. The Unix rules are hard to work with, evasion operators are defined inconsistently and all over the place, and there seems to be some overlapping rules too.

@github-actions
Contributor

github-actions bot commented Jul 26, 2025

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

@theseion
Contributor

What do you mean by "broken"?

And yes. The RCE rules are a pain.

@EsadCetiner
Member Author

@theseion

> What do you mean by "broken"?

the ~ suffix doesn't work at all for some rules, AppArmor commands are being blocked via aa-~ in unix-shell-upto3.ra. See test 932250-15

> And yes. The RCE rules are a pain.

I'll open an issue on this so we can get some movement on this

@theseion
Contributor

> the ~ suffix doesn't work at all for some rules, AppArmor commands are being blocked via aa-~ in unix-shell-upto3.ra. See test 932250-15

Can you give me an example? Apparently, aa-~ works as intended, doesn't it?

@EsadCetiner
Member Author

@theseion

It doesn't, see the output below:

no_expect_ids: [932250]

aa-disable and friends aren't being blocked at all at PL-1 even though they should be; it's not being excluded anywhere.

@EsadCetiner
Member Author

@theseion I noticed the script in unix-shell-4andup.ra is referencing a non-existent shell script (spell.sh), I tried to replace it with the one integrated in crs-toolchain but I encountered some issues. See coreruleset/crs-toolchain#248

@theseion
Contributor

theseion commented Aug 1, 2025

Thanks. Let me look at some stuff :)

@theseion
Contributor

theseion commented Aug 1, 2025

932250 is written in such a way that the modifiers are ignored. It will only append an approximation of the @ modifier. In that sense, what you're seeing is expected behavior. I have to look into it a bit more though to see whether this is really what we want.
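To make the point in the comment above concrete, here is an added illustration (not crs-toolchain code and not the real 932250 assembly): a constructed command list with per-entry modifier suffixes, assembled into one regex. The modifier semantics are an assumption for this example only: `@` requires whitespace or end of input after the command, `~` allows any suffix, and a plain entry gets no boundary at all. With `honour_modifiers=False` every entry is given the `@`-style boundary regardless of what was written, which is the "approximation of the @ modifier" behaviour described above, and it shows why an `aa-~` entry then stops matching `aa-disable`.

```python
import re

# Constructed list in the spirit of a regex-assembly file (hypothetical entries,
# not the project's own data). Modifier meaning is an ASSUMPTION for this
# example, not the crs-toolchain processor's real semantics:
#   '@'  -> command must be followed by whitespace or end of input
#   '~'  -> any non-whitespace suffix may follow (aa-disable, aa-enforce, ...)
#   none -> plain word, no boundary appended
COMMAND_LIST = ["aa-~", "ping6@", "bwrap@", "auditctl@"]


def split_modifier(entry):
    """Separate a list entry into (command word, modifier or None)."""
    if entry.endswith("~") or entry.endswith("@"):
        return entry[:-1], entry[-1]
    return entry, None


def entry_to_regex(entry, honour_modifiers=True):
    """Return the regex fragment for one entry.

    When honour_modifiers is False the written modifier is ignored and an
    approximation of '@' (whitespace-or-end boundary) is appended to every
    entry, mirroring the behaviour described for rule 932250 in the thread.
    """
    word, mod = split_modifier(entry)
    pattern = re.escape(word)
    if not honour_modifiers or mod == "@":
        return pattern + r"(?:\s|$)"
    if mod == "~":
        return pattern + r"\S*"
    return pattern


def build_regex(entries, honour_modifiers=True):
    """Assemble all entries into one alternation anchored at a token start."""
    fragments = [entry_to_regex(e, honour_modifiers) for e in entries]
    return re.compile(r"(?:^|\s)(?:" + "|".join(fragments) + ")")


def matches(payload, honour_modifiers=True):
    """True if the assembled detection regex fires on the payload."""
    return bool(build_regex(COMMAND_LIST, honour_modifiers).search(payload))


if __name__ == "__main__":
    # Constructed sample inputs used only to exercise the two assembly modes.
    for sample in ["aa-disable usr.bin.foo", "ping6 ::1", "ping6x"]:
        print(f"{sample!r}: modifiers honoured={matches(sample)}, "
              f"ignored={matches(sample, honour_modifiers=False)}")
```

The contrast to look for is the first sample: with the `~` honoured, `aa-` followed by any suffix is detected; with the modifier ignored and a whitespace boundary forced after `aa-`, the same input is not detected, which is the gap the earlier comments describe for aa-disable at PL-1.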

@EsadCetiner EsadCetiner added release:new-feature This PR introduces a new feature release:new-detection In this PR we introduce a new detection and removed release:new-feature This PR introduces a new feature labels Aug 4, 2025
@theseion
Contributor

The issue with 932250 should be fixed with #4231.


@theseion theseion left a comment


I assume this is for plain pip, as opposed to pip3. Please add a test.

@EsadCetiner
Member Author

@theseion Done

Is go-ftw not supposed to urlencode payloads? I assumed it always encoded payloads like curl does before it sent the request; it's harder to read the payloads in their encoded variant.

@theseion
Contributor

> @theseion Done
>
> Is go-ftw not supposed to urlencode payloads? I assumed it always encoded payloads like curl does before it sent the request; it's harder to read the payloads in their encoded variant.

For URLs only. Data is sent verbatim.

EsadCetiner and others added 3 commits August 17, 2025 08:05
theseion
theseion previously approved these changes Aug 17, 2025
@EsadCetiner EsadCetiner requested a review from theseion August 20, 2025 06:25
@theseion theseion added this pull request to the merge queue Aug 21, 2025
Merged via the queue into coreruleset:main with commit da7b70a Aug 21, 2025
7 checks passed
@EsadCetiner EsadCetiner deleted the feat-update-unix-commands branch August 21, 2025 05:29