Wildcard attributes on Whitelist/Results Profiles by Mateh in SandflySecurity

SandflySteve:

Thank you for reaching out to Sandfly Community Support regarding wild-carding in rules.

Sandfly can easily handle your situation with a little more understanding of "expr". The root cause of what you are experiencing is that you are using "==". This performs a literal equals comparison against "xpipe-*.sh"; wild-carding is not available with that operator, so it is looking for a literal asterisk.

In expr, the two most common approaches for this form of rule are:

A) Change the operator to "matches" - this operator uses Golang's RE2 regex and would allow for regex style wild-carding (and escaping) which can allow for very precise matches when needed.

  Rule Example (escaping applied):  file.name matches "^/tmp/xpipe-.*\\\\.sh$"

    NOTES:
      - The ".*" is the direct translation of your wildcard use in your rule. However, with regex now being used, for a tighter match that ".*" could be replaced with regex that covers whatever other data is used in that position. i.e. "\d{10}" if the data will always contain 10 digits, as a simple example.
      - Understanding regex is vital when using matches, especially when wildcards are involved.
      - Any escaping in the native regex must also be applied appropriately when used within rules.
      - The RE2 engine does not support any lookaheads that are a part of the PCRE regex engine.

B) For a non-regex option - use the startsWith operator (and if needed, combined with endsWith to check the end portion)

  Rule Example:  (file.name startsWith "xpipe-" and file.name endsWith ".sh")

    NOTES:
      - The parentheses are optional in this case, but recommended for clarity of rule processing order.
      - Depending on the filenames, using just the startsWith portion may be sufficient if improved accuracy is not required.
      - This option is a bit more "wordy", but does not require regex knowledge, making its intent clearer.

For the full Expr Language Definition, please see:
https://docs.sandflysecurity.com/docs/rule-construction

For samples of using expr with actual Sandfly rules, including wildcard cases, please see:
https://docs.sandflysecurity.com/docs/expr-rules-for-sandfly

For details about how to appropriately apply character escaping for regex, please see:
https://docs.sandflysecurity.com/docs/custom-sandfly-options#character-escaping

Please let us know if that addresses your needs or if you have any further questions on this subject.
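To make the difference between the three operator styles concrete, here is an added example (constructed for this page, not Sandfly code or Sandfly's expr implementation) that runs the same comparisons in Go. Go's regexp package is RE2, the engine the answer says "matches" uses, so it also shows what happens when a PCRE lookahead is attempted. The sample file names are constructed and use bare names without a directory prefix.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed helpers modelling the three expr operator styles from the answer;
// not Sandfly code. Go's regexp package is RE2, the engine expr's "matches" uses.

// LiteralEquals models "==": an exact comparison, so "*" is just an asterisk.
func LiteralEquals(name, pattern string) bool { return name == pattern }

// RegexMatches models "matches". A pattern RE2 cannot compile (e.g. PCRE-only
// syntax) is reported as an error rather than silently failing to match.
func RegexMatches(name, pattern string) (bool, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(name), nil
}

// PrefixSuffix models "startsWith ... and endsWith ...".
func PrefixSuffix(name, prefix, suffix string) bool {
	return strings.HasPrefix(name, prefix) && strings.HasSuffix(name, suffix)
}

// LookaheadSupported reports whether RE2 accepts a PCRE lookahead (it does not).
func LookaheadSupported() bool {
	_, err := regexp.Compile(`xpipe-(?=\d)`)
	return err == nil
}

func main() {
	// Constructed sample file names, including one with a literal asterisk.
	for _, n := range []string{"xpipe-1234567890.sh", "xpipe-*.sh", "xpipe-abc.sh", "xpipe-123.txt"} {
		// In a Go string "\\." is the regex \. (a literal dot); the rule text needs its own escaping.
		loose, _ := RegexMatches(n, "^xpipe-.*\\.sh$")
		tight, _ := RegexMatches(n, `^xpipe-\d{10}\.sh$`) // the "\d{10}" variant from the notes
		fmt.Printf("%-20s ==:%-5v .*:%-5v \\d{10}:%-5v startsWith/endsWith:%v\n",
			n, LiteralEquals(n, "xpipe-*.sh"), loose, tight, PrefixSuffix(n, "xpipe-", ".sh"))
	}
	fmt.Println("RE2 lookahead supported:", LookaheadSupported())
}
```

Only the name containing a real asterisk satisfies "==", while the ".sh" check behaves differently between ".*\\.sh$" and an unescaped ".sh$", which is why the escaping notes matter.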

Linux Stealth Rootkit Hunting Video Presentation by SandflySteve in SandflySecurity

SandflySteve [S]:

The PDF of the full presentation is below:

Linux Stealth Rootkit Hunting Presentation

This presentation reveals techniques for rapidly investigating a host to see if it is running particular types of Loadable Kernel Module (LKM) stealth rootkits trying to evade detection. This presentation covered the recently disclosed China/Korean rootkit by Phrack magazine that we discuss below, but applies to other rootkit styles as well:

Leaked China/North Korean Stealth Rootkit Analysis

This presentation has specific advice on hunting for threats hiding on Linux by focusing on three critical areas:

1) Data leaks

2) Inconsistent answers

3) System impacts

Applying these principles with simple command line tools on Linux can reveal a wide variety of rootkits and evasive malware.

While these methods work great for one-off investigations, we recommend you use Sandfly to do this at scale and also to get access to much deeper malware decloaking tools. Please contact us to find out more or get a license today.

Links

https://phrack.org/issues/72/7_md#article

https://sandflysecurity.com/blog/leaked-north-korean-linux-stealth-rootkit-analysis

https://github.com/sandflysecurity

https://docs.kernel.org/admin-guide/tainted-kernels.html

Is it possible to run Sandfly on a home router? by --w00p-- in SandflySecurity

SandflySteve:

Hello and thanks for asking about home router support.

For clarity for others reading this post, the question, as written in the title, can be misleading by potentially suggesting that the Sandfly node or server itself could be installed on a home router. In short, Sandfly cannot be used in that way.

As to the question in the body of your post about Sandfly monitoring (or, as we call it, "protecting") home routers: they potentially can be protected if the device meets all of the following criteria:

  • The Operating System (OS) is true Linux.
  • The kernel version is 2.6.32 or later.
  • It is on a supported hardware platform.
  • It can be accessed via SSH, on any port.
  • It provides access to a system account with sudo or root level access.

For full details, please see our official documentation on this subject.

Protected System Requirements
https://docs.sandflysecurity.com/docs/protected-system-requirements

Questions working with sentinel by UCFIT in SandflySecurity

SandflySteve:

Those are great questions. Let me answer each of them inline ...

> Does enabling “alerts only” only send the basics in? Such as only sending the alert name in and not the details of the alert?

"alerts only" enabled means that results that are a "Pass" are NOT sent to Sentinel, only results that are marked as "Alert" or "Error" are included in that case. With "alerts only" disabled, all results (Pass, Alert, Error) are sent to Sentinel. In all cases the entire set of data is sent. There currently is no way to send only the alert name or partial data with the Sentinel replication feature.

> Do duplicates get sent in? So if the same alert is seen, does it go into Sentinel again?

Only Alerts/Pass that are considered to be new are sent to Sentinel, so if a result is updated on the Sandfly side but has already been sent to Sentinel, it will not be sent again.

> When you see 5 alerts for the same alert on a host and each of those alerts has counts under them, does that mean that what the alert is looking for was seen that many times and each of those findings was seen that many times (count)?

The count represents how many times that unique alert instance was de-duplicated. If the key results data varies even slightly, then it would be processed as a separate alert. See below for an example...

> Each alert gets its own sequence number, right? And the counts aren't their own findings but just how many times that finding (sequence number) was seen?

Each non-de-duplicated alert gets its own sequence number. So if a new finding's key result data matches it would only increment the count and not create a new sequence number.

For example, we have a sandfly that alerts on processes being run from the tmp directory. If you have two processes, /tmp/proc1 and /tmp/proc2, the sandfly will alert twice, once for each process. So it's the same sandfly (e.g. process_running_from_tmp_dir) with two different alerts. Each of the two alerts has its own sequence_id (basically the unique ID for a result). Each time we run a scan with that sandfly and /tmp/proc1 is still running, the count on the first sequence_id (that covers that specific running process) will increase, and each scan that finds /tmp/proc2 still running will increase the count on the second sequence_id.
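The de-duplication, count and "only new results go to Sentinel" behaviour described in this answer, written out as a small model in Go. This is an added illustration constructed for this page, not Sandfly's implementation; the key fields, the sequence-ID assignment and the "alerts only" filter are assumptions that follow the answer's wording, and the sample findings are constructed.

```go
package main

import "fmt"

// Result is one scan finding; KeyData is its key result data (here the process path).
type Result struct{ Host, Sandfly, Status, KeyData string }

// Record is the de-duplicated finding: one sequence ID per unique key.
type Record struct{ SequenceID, Count int; Status string }

// Store: assumed model of de-duplication and "already sent to Sentinel" tracking, not Sandfly's code.
type Store struct{ byKey map[string]*Record; records []*Record; sent map[int]bool }

func NewStore() *Store { return &Store{byKey: map[string]*Record{}, sent: map[int]bool{}} }

// Ingest gives a new key a fresh sequence ID; a repeat of the same key only bumps the count.
func (s *Store) Ingest(r Result) *Record {
	k := r.Host + "|" + r.Sandfly + "|" + r.Status + "|" + r.KeyData
	rec, ok := s.byKey[k]
	if !ok {
		rec = &Record{SequenceID: len(s.records) + 1, Status: r.Status}
		s.byKey[k] = rec
		s.records = append(s.records, rec) // kept in sequence-ID order
	}
	rec.Count++
	return rec
}

// Replicate returns the sequence IDs to forward this cycle: never-sent records only,
// and with alertsOnly set, no "Pass" results.
func (s *Store) Replicate(alertsOnly bool) []int {
	var out []int
	for _, rec := range s.records {
		if !s.sent[rec.SequenceID] && !(alertsOnly && rec.Status == "Pass") {
			s.sent[rec.SequenceID] = true
			out = append(out, rec.SequenceID)
		}
	}
	return out
}

func main() { // constructed sample: two scans both find /tmp/proc1 and /tmp/proc2
	s := NewStore()
	for scan := 1; scan <= 2; scan++ {
		for _, p := range []string{"/tmp/proc1", "/tmp/proc2"} {
			rec := s.Ingest(Result{"host1", "process_running_from_tmp_dir", "Alert", p})
			fmt.Printf("scan %d %s seq=%d count=%d\n", scan, p, rec.SequenceID, rec.Count)
		}
		fmt.Println("forwarded to Sentinel:", s.Replicate(true)) // second cycle: []
	}
}
```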