Merge pull request #111 from CybercentreCanada/domain_fpos

Filter more domain false positives
CybercentreCanada · Oct 30, 2024 · aa406d7 · aa406d7
2 parents 6248692 + f0e7b2e
commit aa406d7
Showing 1 changed file with 64 additions and 1 deletion.
diff --git a/src/multidecoder/decoders/network.py b/src/multidecoder/decoders/network.py
@@ -117,29 +117,82 @@ def domain_is_false_positive(domain: bytes) -> bool:
     domain_fpos = {b"wscript.shell", b"system.io", b"adodb.stream", b"set.name", b"wshshell.run", b"oshlnk.save"}
     # Common variable roots
     root_fpos = {
+        b"aquota",
         b"at",
         b"array",
         b"arrayprototype",
+        b"basic",
         b"button",
+        b"cgroup",
+        b"ctrl-alt-del",
+        b"di",
         b"date",
+        b"default",
         b"email",
+        b"emergency",
         b"enduser",
         b"error",
         b"event",
+        b"exit",
         b"function",
         b"functionprototype",
+        b"graphical",
+        b"halt",
+        b"httpd",
+        b"init",
+        b"initrd-fs",
+        b"initrd-root-fs",
+        b"install",
         b"it",
+        b"ipconf",
+        b"local-fs",
+        b"local-fs-pre",
+        b"manager",
+        b"memory",
         b"method",
+        b"mount",
+        b"multi-user",
+        b"myapplication",
         b"nativedate",
+        b"network",
+        b"network-online",
+        b"nss",
+        b"nss-lookup",
         b"obj",
         b"object",
+        b"org",
+        b"path",
+        b"paths",
+        b"poweroff",
+        b"reboot",
+        b"remote",
+        b"remote-fs",
+        b"remote-fs-pre",
+        b"rescue",
         b"ribbon",
+        b"rpcbind",
+        b"service",
+        b"socket",
+        b"sockets",
         b"string",
+        b"shutdown",
+        b"sigpwr",
+        b"simple",
+        b"startup",
+        b"swap",
         b"syntaxerror",
+        b"sysinit",
+        b"syslog",
         b"table",
+        b"time",
+        b"timers",
+        b"time-sync",
+        b"tomcat",
         b"ui",
+        b"umount",
         b"user",
         b"window",
+        b"zone",
     }
     # Common variable name ends
     tld_fpos = {
@@ -152,7 +205,9 @@ def domain_is_false_positive(domain: bytes) -> bool:
         b"center",
         b"click",
         b"country",
+        b"data",
         b"day",
+        b"events",
         b"exposed",
         b"fail",
         b"global",
@@ -174,30 +229,38 @@ def domain_is_false_positive(domain: bytes) -> bool:
         b"now",
         b"open",
         b"page",
+        b"pid",
+        b"pl",
+        b"pm",
         b"play",
+        b"py",
         b"radio",
         b"read",
         b"red",
         b"search",
+        b"sh",
+        b"so",
         b"software",
         b"spa",
         b"space",
         b"services",
         b"store",
         b"style",
         b"support",
+        b"tab",
         b"target",
         b"total",
         b"top",
         b"zone",
     }
-    return (
+    return bool(
         (tld == b"next" and b"iterator" in domain_lower)  # Iterator not domain
         or re.match(b"[a-z]+[.][A-Z][a-z]+", domain)  # attribute access not domain
         or domain_lower in domain_fpos  # common false positive
         or (tld in tld_fpos and (root in root_fpos or len(root) == 1))  # variable attribute
         or domain_lower.startswith(b"this.")  # super common variable name in javascript
         or (len(split) == 3 and split[1] == b"prototype" and len(root) < 3 and len(tld) < 3)  # javascript pattern
+        or (domain_lower.startswith(b"lib") and tld == "so")  # ELF false positive
     )