From 7564e6e8e6dfcc7693d3165370f99ce5197d22e5 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 24 Jan 2019 11:03:01 +0100
Subject: [PATCH] False Positive Reduction https://github.com/Neo23x0/signature-base/issues/54

---
 iocs/filename-iocs.txt | 1 -
 yara/gen_elf_file_anomalies.yar | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/iocs/filename-iocs.txt b/iocs/filename-iocs.txt
index e753b73..8ac69bf 100644
--- a/iocs/filename-iocs.txt
+++ b/iocs/filename-iocs.txt
@@ -635,7 +635,6 @@ AppData\\adobe\\adobe\.dat;65
 \\firef0x\.exe;45
 \\firefly\.exe;45
 \\firefo\.exe;45
-\\firefox_\.exe;45
 \\firefox2\.exe;45
 \\firefox32\.exe;45
 \\firefoxe\.exe;45
diff --git a/yara/gen_elf_file_anomalies.yar b/yara/gen_elf_file_anomalies.yar
index 8612d57..ab08a73 100644
--- a/yara/gen_elf_file_anomalies.yar
+++ b/yara/gen_elf_file_anomalies.yar
@@ -11,5 +11,5 @@ rule SUSP_ELF_LNX_UPX_Compressed_File {
 $s1 = "PROT_EXEC|PROT_WRITE failed." fullword ascii
 $s3 = "$Id: UPX" fullword ascii
 condition:
-uint16(0) == 0x457f and filesize < 2000KB and filesize > 30KB and all of them
+uint32be(0) == 0x7f454c46 and filesize < 2000KB and filesize > 30KB and all of them
 }
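Review bot: The new condition line in SUSP_ELF_LNX_UPX_Compressed_File hard-codes the ELF magic as a bare integer, and nothing in the rule says what 0x7f454c46 is or why the two-byte check was replaced; a reader has to decode it by hand, so annotate it inline, `uint32be(0) == 0x7f454c46 // "\x7fELF": full 4-byte ELF magic, replaces uint16(0) == 0x457f which only checked "\x7fE"`. Whether this actually removes a false positive is not visible here: only a file starting with "\x7fE" but not the full "\x7fELF" would be affected, so if the FP referenced in the title came from a genuine ELF the change is hardening rather than the fix, and the two UPX strings plus `all of them` still match any legitimately UPX-packed ELF in the 30KB–2000KB window. The rule's header, meta and score (lines 1–10 of the file) lie outside the hunk, so the declared intent of the rule cannot be checked against this change.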