
Update capa2yara.py (#1904)
Extend the list of unhandled feature strings so that capa2yara runs through
ruppde authored Dec 13, 2023
1 parent f229c8e commit 1d3ae1f
Showing 1 changed file with 2 additions and 3 deletions.
5 changes: 2 additions & 3 deletions scripts/capa2yara.py
Expand Up @@ -61,7 +61,7 @@


# this have to be the internal names used by capa.py which are sometimes different to the ones written out in the rules, e.g. "2 or more" is "Some", count is Range
unsupported = ["characteristic", "mnemonic", "offset", "subscope", "Range"]
unsupported = ["characteristic", "mnemonic", "offset", "subscope", "Range", "os", "property", "format", "class", "operand[0].number", "operand[1].number", "substring", "arch", "namespace"]
# further idea: shorten this list, possible stuff:
# - 2 or more strings: e.g.
# -- https://github.com/mandiant/capa-rules/blob/master/collection/file-managers/gather-direct-ftp-information.yml
Expand Down Expand Up @@ -90,8 +90,7 @@
condition_rule = """
private rule capa_pe_file : CAPA {
meta:
description = "match in PE files. used by all further CAPA rules"
author = "Arnim Rupp"
description = "Match in PE files. Used by other CAPA rules"
condition:
uint16be(0) == 0x4d5a
or uint16be(0) == 0x558b
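Review bot: The extended `unsupported` list in the first hunk is a single long literal with no record of why each entry cannot be expressed in YARA; write it one entry per line with a trailing comma and a short per-entry comment, which also keeps future additions reviewable as one-line diffs. The comment directly above says these must be capa's internal feature names, yet `operand[0].number` and `operand[1].number` read like rule-syntax spellings rather than internal names — worth confirming against the feature model, since a misspelled entry would silently never match and the script would fail on that feature again. If rules containing any of these features are dropped from the generated YARA output (as the description suggests, though the handling code is outside the hunk), a comment such as `# rules using any of these features are skipped, so the YARA set covers only a subset of capa's rules` would make the reduced detection coverage visible to whoever deploys the output.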
