Skip to content

fix: false positive found in quantitative testing round 2 for unix rce rules (932230 PL-1, 932235 PL-1, 932250 PL-1, 932260 PL-1, 932231 PL-2, 932220 PL-2, 932236 PL-2, 932239 PL-2, 932232 PL-3, 932238 PL-3) #4019

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
EsadCetiner merged 2 commits into from
Mar 31, 2025
Merged

fix: false positive found in quantitative testing round 2 for unix rce rules (932230 PL-1, 932235 PL-1, 932250 PL-1, 932260 PL-1, 932231 PL-2, 932220 PL-2, 932236 PL-2, 932239 PL-2, 932232 PL-3, 932238 PL-3) #4019

EsadCetiner merged 2 commits into from
Mar 31, 2025

Conversation

@EsadCetiner
Copy link
Member

@EsadCetiner EsadCetiner commented Feb 25, 2025

Fixes false positive reported in round 2 quantitative testing for the Unix RCE rules by removing the following commands specifically for 932235:

date
group
jobs
last
less
links
local
source
watch

I've made some minor changes to the unix evasion prefix by adding @ to common English words (time, watch, etc) which resolved 2 of the false positives for all paranoia levels, and will likely prevent similar false positives in the future.

closes #3932

@EsadCetiner
fix: false positive found in quantitative testing round 2 for unix rc…
4026684 
…e rules (932230 PL-1, 932235 PL-1, 932250 PL-1, 932260 PL-1, 932231 PL-2, 932220 PL-2, 932236 PL-2, 932239 PL-2, 932232 PL-3, 932238 PL-3)
@github-actions
Copy link
Contributor

github-actions bot commented Feb 25, 2025
edited
Loading

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

@fzipi fzipi mentioned this pull request Mar 3, 2025
Closed
@github-actions github-actions bot added the Stale label Mar 28, 2025
franbuehler
franbuehler approved these changes Mar 31, 2025
View reviewed changes
Copy link
Contributor

@franbuehler franbuehler left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@EsadCetiner EsadCetiner added this pull request to the merge queue Mar 31, 2025
Merged via the queue into coreruleset:main with commit 3be3ac7 Mar 31, 2025
6 checks passed
@EsadCetiner EsadCetiner deleted the fix-932235-corpus-fp branch March 31, 2025 12:50
@dune73
Copy link
Member

dune73 commented Mar 31, 2025

Nice. Thank you.

@fzipi fzipi mentioned this pull request Apr 7, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@franbuehler franbuehler franbuehler approved these changes

Assignees

No one assigned

Labels

release:fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

False positives with 932235 PL1 Remote Command Execution: Unix Command Injection (command without evasion)

3 participants

@EsadCetiner @dune73 @franbuehler