signatures: serialize TRC IDs

Author: roikol

signatures/golang/anti_debugging_ptraceme.go

@@ -22,7 +22,7 @@ func (sig *AntiDebuggingPtraceme) Init(cb detect.SignatureHandler) error {
 
 func (sig *AntiDebuggingPtraceme) GetMetadata() (detect.SignatureMetadata, error) {
 	return detect.SignatureMetadata{
-		ID:          "TRC-2",
+		ID:          "TRC-102",
 		Version:     "1",
 		Name:        "Anti-Debugging detected",
 		Description: "A process used anti-debugging techniques to block a debugger. Malware use anti-debugging to stay invisible and inhibit analysis of their behavior.",

signatures/golang/anti_debugging_ptraceme_test.go

@@ -32,7 +32,7 @@ func TestAntiDebuggingPtraceme(t *testing.T) {
 				},
 			},
 			Findings: map[string]detect.Finding{
-				"TRC-2": {
+				"TRC-102": {
 					Data: nil,
 					Event: trace.Event{
 						EventName: "ptrace",
@@ -46,7 +46,7 @@ func TestAntiDebuggingPtraceme(t *testing.T) {
 						},
 					}.ToProtocol(),
 					SigMetadata: detect.SignatureMetadata{
-						ID:          "TRC-2",
+						ID:          "TRC-102",
 						Version:     "1",
 						Name:        "Anti-Debugging detected",
 						Description: "A process used anti-debugging techniques to block a debugger. Malware use anti-debugging to stay invisible and inhibit analysis of their behavior.",

signatures/golang/aslr_inspection.go

@@ -22,7 +22,7 @@ func (sig *AslrInspection) Init(cb detect.SignatureHandler) error {
 
 func (sig *AslrInspection) GetMetadata() (detect.SignatureMetadata, error) {
 	return detect.SignatureMetadata{
-		ID:          "TRC-9",
+		ID:          "TRC-109",
 		Version:     "1",
 		Name:        "ASLR inspection detected",
 		Description: "The ASLR (address space layout randomization) configuration was inspected. ASLR is used by Linux to prevent memory vulnerabilities. An adversary may want to inspect and change the ASLR configuration in order to avoid detection.",

signatures/golang/aslr_inspection_test.go

@@ -38,7 +38,7 @@ func TestAslrInspection(t *testing.T) {
 				},
 			},
 			Findings: map[string]detect.Finding{
-				"TRC-9": {
+				"TRC-109": {
 					Data: nil,
 					Event: trace.Event{
 						EventName: "security_file_open",
@@ -58,7 +58,7 @@ func TestAslrInspection(t *testing.T) {
 						},
 					}.ToProtocol(),
 					SigMetadata: detect.SignatureMetadata{
-						ID:          "TRC-9",
+						ID:          "TRC-109",
 						Version:     "1",
 						Name:        "ASLR inspection detected",
 						Description: "The ASLR (address space layout randomization) configuration was inspected. ASLR is used by Linux to prevent memory vulnerabilities. An adversary may want to inspect and change the ASLR configuration in order to avoid detection.",

signatures/golang/cgroup_notify_on_release_modification.go

@@ -23,7 +23,7 @@ func (sig *CgroupNotifyOnReleaseModification) Init(cb detect.SignatureHandler) e
 
 func (sig *CgroupNotifyOnReleaseModification) GetMetadata() (detect.SignatureMetadata, error) {
 	return detect.SignatureMetadata{
-		ID:          "TRC-30",
+		ID:          "TRC-106",
 		Version:     "1",
 		Name:        "Cgroups notify_on_release file modification",
 		Description: "An attempt to modify Cgroup notify_on_release file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.",

signatures/golang/cgroup_notify_on_release_modification_test.go

@@ -38,7 +38,7 @@ func TestCgroupNotifyOnReleaseModification(t *testing.T) {
 				},
 			},
 			Findings: map[string]detect.Finding{
-				"TRC-30": {
+				"TRC-106": {
 					Data: nil,
 					Event: trace.Event{
 						EventName: "security_file_open",
@@ -58,7 +58,7 @@ func TestCgroupNotifyOnReleaseModification(t *testing.T) {
 						},
 					}.ToProtocol(),
 					SigMetadata: detect.SignatureMetadata{
-						ID:          "TRC-30",
+						ID:          "TRC-106",
 						Version:     "1",
 						Name:        "Cgroups notify_on_release file modification",
 						Description: "An attempt to modify Cgroup notify_on_release file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.",

signatures/golang/cgroup_release_agent_modification.go

@@ -23,7 +23,7 @@ func (sig *CgroupReleaseAgentModification) Init(cb detect.SignatureHandler) erro
 
 func (sig *CgroupReleaseAgentModification) GetMetadata() (detect.SignatureMetadata, error) {
 	return detect.SignatureMetadata{
-		ID:          "TRC-95",
+		ID:          "TRC-1010",
 		Version:     "1",
 		Name:        "Cgroups release agent file modification",
 		Description: "An attempt to modify Cgroup release agent file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.",

signatures/golang/cgroup_release_agent_modification_test.go

@@ -38,7 +38,7 @@ func TestCgroupReleaseAgentModification(t *testing.T) {
 				},
 			},
 			Findings: map[string]detect.Finding{
-				"TRC-95": {
+				"TRC-1010": {
 					Data: nil,
 					Event: trace.Event{
 						EventName: "security_file_open",
@@ -58,7 +58,7 @@ func TestCgroupReleaseAgentModification(t *testing.T) {
 						},
 					}.ToProtocol(),
 					SigMetadata: detect.SignatureMetadata{
-						ID:          "TRC-95",
+						ID:          "TRC-1010",
 						Version:     "1",
 						Name:        "Cgroups release agent file modification",
 						Description: "An attempt to modify Cgroup release agent file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.",
@@ -90,7 +90,7 @@ func TestCgroupReleaseAgentModification(t *testing.T) {
 				},
 			},
 			Findings: map[string]detect.Finding{
-				"TRC-95": {
+				"TRC-1010": {
 					Data: nil,
 					Event: trace.Event{
 						EventName: "security_inode_rename",
@@ -104,7 +104,7 @@ func TestCgroupReleaseAgentModification(t *testing.T) {
 						},
 					}.ToProtocol(),
 					SigMetadata: detect.SignatureMetadata{
-						ID:          "TRC-95",
+						ID:          "TRC-1010",
 						Version:     "1",
 						Name:        "Cgroups release agent file modification",
 						Description: "An attempt to modify Cgroup release agent file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.",

signatures/golang/core_pattern_modification.go

@@ -23,7 +23,7 @@ func (sig *CorePatternModification) Init(cb detect.SignatureHandler) error {
 
 func (sig *CorePatternModification) GetMetadata() (detect.SignatureMetadata, error) {
 	return detect.SignatureMetadata{
-		ID:          "TRC-28",
+		ID:          "TRC-1011",
 		Version:     "1",
 		Name:        "Core dumps configuration file modification detected",
 		Description: "Modification of the core dump configuration file (core_pattern) detected. Core dumps are usually written to disk when a program crashes. Certain modifications enable container escaping through the kernel core_pattern feature.",

signatures/golang/core_pattern_modification_test.go

@@ -38,7 +38,7 @@ func TestCorePatternModification(t *testing.T) {
 				},
 			},
 			Findings: map[string]detect.Finding{
-				"TRC-28": {
+				"TRC-1011": {
 					Data: nil,
 					Event: trace.Event{
 						EventName: "security_file_open",
@@ -58,7 +58,7 @@ func TestCorePatternModification(t *testing.T) {
 						},
 					}.ToProtocol(),
 					SigMetadata: detect.SignatureMetadata{
-						ID:          "TRC-28",
+						ID:          "TRC-1011",
 						Version:     "1",
 						Name:        "Core dumps configuration file modification detected",
 						Description: "Modification of the core dump configuration file (core_pattern) detected. Core dumps are usually written to disk when a program crashes. Certain modifications enable container escaping through the kernel core_pattern feature.",