From 1d63590c93f39ee644129f42960cb51894ab96d5 Mon Sep 17 00:00:00 2001
From: ransomsec <83533000+ransomsec@users.noreply.github.com>
Date: Wed, 14 Sep 2022 16:06:58 +0530
Subject: [PATCH] Bash Scanner!
Idea behind this file, i downloaded a shell script from the internet, and i don't revive the source code of the file, and run it, but the file is contains `rm -rf .` command, after running the file, my all files are deleted in current directory. :-(
---
 file/bash/bash.yaml | 50 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 file/bash/bash.yaml
diff --git a/file/bash/bash.yaml b/file/bash/bash.yaml
new file mode 100644
index 0000000000..9fe01acbdb
--- /dev/null
+++ b/file/bash/bash.yaml
@@ -0,0 +1,50 @@
+id: bash-scanner
+
+info:
+  name: bash-scanner
+  author: ransomsec
+  severity: info
+  description: "Indicator for bash Dangerous Commands – You Should Never Execute on Linux"
+  tags: bash,shell,sh
+  reference:
+    - "https://www.tecmint.com/10-most-dangerous-commands-you-should-never-execute-on-linux/"
+    - "https://phoenixnap.com/kb/dangerous-linux-terminal-commands"
+
+
+file:
+  - extensions:
+      - sh
+
+
+    extractors:
+      - type: regex
+        name: fork-bomb
+        regex:
+          - ":(){:|:&};:"
+
+      - type: regex
+        name: rm commad found
+        regex:
+          - "rm -(f|r)"
+          - "rm -(fr|rf)"
+
+
+      - type: regex
+        name: code injection
+        regex:
+          - "/bin/(sh|bash) -"
+          - "eval"
+          - "echo -c"
+          - "/bin/(sh|bash) -c"
+          - "(sh|bash) -"
+          - "(sh|bash) -c"
+
+      - type: regex
+        name: file manipulation
+        regex:
+          - "cat /dev/null >"
+
+      - type: regex
+        name: unknown-file-download
+        regex:
+          - '(wget|curl) (https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]\.[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]$'
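Review bot: The fork-bomb extractor's pattern `":(){:|:&};:"` is a regex, so its parentheses and pipe are metacharacters: it parses as a colon, an empty group and an alternation, not as the literal `:(){:|:&};:` text it is meant to flag, and so this extractor will not fire on the string it is named after. Escape the metacharacters and allow the commonly spaced form, e.g. `- ':\(\)\{ ?:\|:& ?\};:'`. In the code-injection list, `"(sh|bash) -"` already matches everything the `/bin/(sh|bash) -`, `/bin/(sh|bash) -c` and `(sh|bash) -c` patterns match, so those three only duplicate extractions, and `"echo -c"` looks like a leftover since echo has no `-c` option. Likewise `"rm -(f|r)"` subsumes `"rm -(fr|rf)"` while neither matches an uppercase `-R`; something like `- 'rm -[a-zA-Z]*[rRf]'` covers both in one entry. The extractor name `rm commad found` is user-visible output and has a typo; it should read `rm command found`.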