From c874de8a377dc8321ca72ae67285100b1b36b12f Mon Sep 17 00:00:00 2001
From: Arnim Rupp <46819580+ruppde@users.noreply.github.com>
Date: Tue, 12 Dec 2023 23:41:14 +0100
Subject: [PATCH] Update capa2yara.py

Extend unhandled strings to allow capa2yara to run through
---
 scripts/capa2yara.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/scripts/capa2yara.py b/scripts/capa2yara.py
index e287aac3e..a146892d9 100644
--- a/scripts/capa2yara.py
+++ b/scripts/capa2yara.py
@@ -61,7 +61,7 @@
 # this have to be the internal names used by capa.py which are sometimes different to the ones written out in the rules, e.g. "2 or more" is "Some", count is Range
-unsupported = ["characteristic", "mnemonic", "offset", "subscope", "Range"]
+unsupported = ["characteristic", "mnemonic", "offset", "subscope", "Range", "os", "property", "format", "class", "operand[0].number", "operand[1].number", "substring", "arch", "namespace"]
 # further idea: shorten this list, possible stuff:
 # - 2 or more strings: e.g.
 # -- https://github.com/mandiant/capa-rules/blob/master/collection/file-managers/gather-direct-ftp-information.yml
@@ -90,8 +90,7 @@
 condition_rule = """
 private rule capa_pe_file : CAPA {
 meta:
- description = "match in PE files. used by all further CAPA rules"
- author = "Arnim Rupp"
+ description = "Match in PE files. Used by other CAPA rules"
 condition:
 uint16be(0) == 0x4d5a or uint16be(0) == 0x558b
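Review bot: The nine names appended to `unsupported` on the `+unsupported = [...]` line come with no rationale, and since this list is what decides which capa rules never become YARA rules, every addition silently shrinks the detection coverage of the generated ruleset; `os`, `arch` and `format` in particular look expressible in YARA (the emitted rules are already gated on `capa_pe_file`), so marking them unsupported rather than mapping them deserves a comment, or a `# TODO` if it is a stopgap to get the script running. I would split the literal one entry per line with a short reason each, e.g. `"substring",  # capa substring semantics differ from a YARA plain-string match`, and, if the list is only used for membership tests (its consumer is outside this hunk, so I cannot confirm), make it a `frozenset` so the lookup is O(1) and accidental mutation is impossible. The commit message says the goal is to let the script "run through", which suggests an unlisted feature currently raises; if the converter instead skipped unknown features with a warning and a final count of skipped rules, future capa feature additions would not break the script, and users of the generated YARA would know what is missing.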