From 1d3ae1f216158dcc985b60332307b7b6d4a9d14e Mon Sep 17 00:00:00 2001
From: Arnim Rupp <46819580+ruppde@users.noreply.github.com>
Date: Wed, 13 Dec 2023 15:51:56 +0100
Subject: [PATCH] Update capa2yara.py (#1904) Extend unhandled strings to allow capa2yara to run through
---
 scripts/capa2yara.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/scripts/capa2yara.py b/scripts/capa2yara.py
index e287aac3e..a146892d9 100644
--- a/scripts/capa2yara.py
+++ b/scripts/capa2yara.py
@@ -61,7 +61,7 @@
 # this have to be the internal names used by capa.py which are sometimes different to the ones written out in the rules, e.g. "2 or more" is "Some", count is Range
-unsupported = ["characteristic", "mnemonic", "offset", "subscope", "Range"]
+unsupported = ["characteristic", "mnemonic", "offset", "subscope", "Range", "os", "property", "format", "class", "operand[0].number", "operand[1].number", "substring", "arch", "namespace"]
 # further idea: shorten this list, possible stuff:
 # - 2 or more strings: e.g.
 # -- https://github.com/mandiant/capa-rules/blob/master/collection/file-managers/gather-direct-ftp-information.yml
@@ -90,8 +90,7 @@
 condition_rule = """
 private rule capa_pe_file : CAPA {
 meta:
- description = "match in PE files. used by all further CAPA rules"
- author = "Arnim Rupp"
+ description = "Match in PE files. Used by other CAPA rules"
 condition:
 uint16be(0) == 0x4d5a or uint16be(0) == 0x558b
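Review bot: The new `unsupported` entries in the first hunk mix naming conventions: the comment directly above says the list must hold capa's internal names, and "Range" follows that convention, but "os", "arch", "format", "class", "property", "substring", "namespace" and the two "operand[N].number" entries are spelled as they appear in rule files, so whichever form the code that consumes this list (outside the hunk) compares against, one of the two groups is likely never matched and should be checked against that comparison. Because the change exists so the converter "runs through", rules using these features are presumably either skipped or emitted without them — dropping an `os`/`arch`/`format` constraint widens what the generated YARA rule matches, while skipping the rule loses coverage — so the script should report which rules or features were left out (a count on stderr or a comment in the generated file header) rather than diverge from the capa rule set silently. capa also defines `operand[N].offset` features; if any rule uses them they will need the same treatment. Style-wise the literal is now one very long line; one entry per line with a short reason each, e.g. `"os",  # <reason this feature cannot be expressed in YARA>`, would keep the list reviewable.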