chore(rules): 2026/05/04 FPR (#1499)

egibs · web-flow · commit e6956900fc1b · 2026-05-04T06:18:45.000-07:00
Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;
diff --git a/rules/false_positives/altinity_clickhouse.yara b/rules/false_positives/altinity_clickhouse.yara
@@ -0,0 +1,12 @@
+rule altinity_clickhouse_keeper_debug: override {
+  meta:
+    description                                          = "clickhouse-keeper.debug detached debug symbols file"
+    fake_section_headers_conflicting_entry_point_address = "harmless"
+
+  strings:
+    $keeper_dispatcher = "_GLOBAL__sub_I_KeeperDispatcher.cpp"
+    $keeper_resource   = "gkeeper_resource_embedded_xmlData"
+
+  condition:
+    filesize < 15728640 and all of them
+}
diff --git a/rules/false_positives/ansible.yara b/rules/false_positives/ansible.yara
@@ -27,3 +27,29 @@ rule ansible_report_coverage: override {
   condition:
     filesize < 2048 and all of them
 }
+
+rule ansible_shippable_ci: override {
+  meta:
+    description       = "shippable.sh CI test runners from Ansible collections"
+    pip_installer_url = "low"
+
+  strings:
+    $shippable    = "SHIPPABLE_BUILD_ID"
+    $ansible_test = "ansible-test env --dump"
+
+  condition:
+    filesize < 8192 and all of them
+}
+
+rule ansible_collection_ci_workflow: override {
+  meta:
+    description       = "Ansible collection CI workflow installing ansible-core for testing"
+    pip_installer_url = "low"
+
+  strings:
+    $ansible_core = "Install ansible-core"
+    $test_deps    = "ansible-lint docker flake8 molecule"
+
+  condition:
+    filesize < 4096 and all of them
+}
diff --git a/rules/false_positives/cg.yara b/rules/false_positives/cg.yara
@@ -0,0 +1,17 @@
+rule cg: override {
+  meta:
+    description                    = "/usr/bin/cg"
+    rename_system_binary           = "low"
+    powershell_encoded_command_val = "low"
+    slack_leveldb                  = "low"
+    curl_python_pipe               = "low"
+    hidden_short_path_temp         = "low"
+    ssh_backdoor                   = "low"
+
+  strings:
+    $go_mod = "chainguard.dev/cg"
+    $mono   = "mono"
+
+  condition:
+    filesize < 250000000 and all of them
+}
diff --git a/rules/false_positives/electric.yara b/rules/false_positives/electric.yara
@@ -0,0 +1,13 @@
+rule electric_phoenix_eex: override {
+  meta:
+    description                      = "app/lib/phoenix-*/priv/templates/phx.gen.release/rel/migrate.sh.eex"
+    SIGNATURE_BASE_WEBSHELL_ASP_Nano = "harmless"
+
+  strings:
+    $otp_app         = "otp_app"
+    $app_namespace   = "app_namespace"
+    $release_migrate = "Release.migrate"
+
+  condition:
+    filesize < 500 and all of them
+}
diff --git a/rules/false_positives/mise.yara b/rules/false_positives/mise.yara
@@ -5,8 +5,8 @@ rule mise: override {
     polkit_pkexec_exploit = "harmless"
 
   strings:
-    $jdx_mise     = "jdx/mise"
-    $mise_jdx_dev = "mise.jdx.dev"
+    $jdx_mise    = "jdx/mise"
+    $mise_config = "~/.config/mise/config.toml"
 
   condition:
     filesize > 50MB and filesize < 150MB and all of them
diff --git a/rules/false_positives/renovate.yara b/rules/false_positives/renovate.yara
@@ -0,0 +1,12 @@
+rule renovate_mise_registry: override {
+  meta:
+    description     = "/usr/lib/renovate/dist/data/mise-registry.js"
+    hacktool_chisel = "harmless"
+
+  strings:
+    $mise_plugins = "mise-plugins/vfox-1password"
+    $zprint       = "kkinnear/zprint"
+
+  condition:
+    filesize < 300KB and all of them
+}
diff --git a/rules/false_positives/wazuh.yara b/rules/false_positives/wazuh.yara
@@ -60,6 +60,7 @@ rule wazuh_syscheckd: override {
     rootkit_high        = "medium"
     cmd_dev_null_quoted = "medium"
     proc_s_exe          = "medium"
+    curl_easy_exfil     = "low"
 
   strings:
     $libwazuhext   = "libwazuhext.so"
