Fix ScanCapa, Add Tests, Add Elf #277
Conversation
@@ -25,11 +26,11 @@ oletools==0.56.1 | |||
opencv-contrib-python==4.6.0.66 | |||
opencv-python==4.6.0.66 | |||
openpyxl==3.0.9 | |||
pefile==2019.4.18 | |||
pefile |
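Review bot: removing the `==2019.4.18` pin leaves `pefile` unconstrained in a file where every neighbouring entry is pinned exactly (`opencv-python==4.6.0.66`, `openpyxl==3.0.9`), so installs stop being reproducible and a later pefile release could change PE parsing results without anyone noticing. If the exact pin clashes with flare-capa's own requirement, pin to the version pip resolves for the pair rather than dropping the constraint entirely.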
@ryanohoro Do we want to pin a pefile version here?
There's a dependency conflict with flare-capa that pip identified. It was automatically resolved by pip when I removed the pin. I'm not sure which version it picks, though I can go back and check which one pip picked.
Added a pin version suggested by pip.
@@ -8,6 +8,7 @@ cryptography==3.4.7 | |||
docker==5.0.0 | |||
eml-parser>=1.17 | |||
esprima==4.0.1 | |||
flare-capa==4.0.1 |
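Review bot: `flare-capa==4.0.1` is pinned exactly, which is the right call for a tool that runs against untrusted samples, but the `eml-parser>=1.17` line two above it is only a lower bound, so this file still does not yield a reproducible resolution; if the PR is tightening dependency handling, pin that entry the same way. A short comment next to the pin noting that capa is executed as a subprocess (so this version is what provides the `capa` entry point on PATH) would also help the next reader.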
Are we using flare-capa in this PR?
Yes. We switched from the binary release (which I think is just a python binary wrapper) to the python module release which is flare-capa in pip. It's still called from subprocess.Popen very similarly though. I was attempting to close #159 and used Method #2 for installation.
It turns out that capa isn't really built to be imported as a module into a script, the main script is a bit of a monolith and it wasn't obvious how to use it the way we want (not documented for that either).
An issue where the build was failing occasionally has been fixed by extending
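The comment above describes calling the pip-installed capa from a subprocess rather than importing it, and the PR adds separate rules and signatures locations. The following is an added, hypothetical wrapper illustrating that pattern (not Strelka's ScanCapa code): capa's `-r`, `-s` and `-j` flags are real CLI options, while the JSON layout the summary step reads (`rules -> name -> meta.attack / meta.mbc / meta.lib`) is an assumption, and the embedded report is constructed so the summary runs without capa installed.

```python
import json
import subprocess
from pathlib import Path

# Hypothetical wrapper. -r (rules dir), -s (signatures dir) and -j (JSON output) are capa CLI flags.
def build_capa_command(sample, rules_dir, sigs_dir) -> list[str]:
    """Argument vector for the pip-installed capa console script; an argv list, never a shell string."""
    return ["capa", "-r", str(rules_dir), "-s", str(sigs_dir), "-j", str(sample)]

def run_capa(sample: Path, rules_dir: Path, sigs_dir: Path, timeout: int = 120) -> dict:
    """Run capa on one untrusted sample with a hard timeout; any failure becomes an 'error' field."""
    try:
        proc = subprocess.run(build_capa_command(sample, rules_dir, sigs_dir),
                              capture_output=True, text=True, timeout=timeout, check=False)
    except subprocess.TimeoutExpired:
        return {"error": f"capa timed out after {timeout}s"}
    if proc.returncode != 0:
        return {"error": f"capa exited {proc.returncode}: {proc.stderr.strip()[:200]}"}
    try:
        return json.loads(proc.stdout)
    except json.JSONDecodeError as exc:
        return {"error": f"unparseable capa output: {exc}"}

def summarize(report: dict) -> dict:
    """Reduce a capa report to the fields a scanner event would carry.
    The layout (rules -> name -> meta.attack / meta.mbc / meta.lib) is an assumption about capa's -j schema."""
    if "error" in report:
        return {"error": report["error"], "matches": [], "attack": [], "mbc": []}
    matches, attack, mbc = [], set(), set()
    for name, rule in report.get("rules", {}).items():
        meta = rule.get("meta", {})
        if meta.get("lib"):  # library helper rules support other rules and are not findings on their own
            continue
        matches.append(name)
        for t in meta.get("attack", []):
            attack.add(f"{t['tactic']}::{t['technique']} [{t['id']}]")
        for m in meta.get("mbc", []):
            mbc.add(f"{m['objective']}::{m['behavior']} [{m['id']}]")
    return {"matches": sorted(matches), "attack": sorted(attack), "mbc": sorted(mbc)}

# Constructed sample report in the assumed layout (not real capa output) so summarize() runs offline.
SAMPLE_REPORT = {
    "meta": {"sample": {"sha256": "PLACEHOLDER_SHA256"}},
    "rules": {
        "create process": {"meta": {"lib": False, "mbc": [], "attack": [
            {"tactic": "Execution", "technique": "Command and Scripting Interpreter", "id": "T1059"}]}},
        "allocate memory": {"meta": {"lib": True, "attack": [], "mbc": []}},
        "write file": {"meta": {"lib": False, "attack": [], "mbc": [
            {"objective": "File System", "behavior": "Write File", "id": "C0052"}]}},
    },
}
```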
Describe the change
Installs Fireeye Capa with pip, most recent version. Installs default rules, signatures.
Adds separate rules and signatures location options.
Adds three tests for ScanCapa.
Adds elf files to ScanCapa taste config.
This was intended to include code for #159, however, Fireeye Capa is not designed to be used as a module. Its structure and monolithic main.py make it very unappealing.

Removes a print() from ScanDmg.
Describe testing procedures
============================= test session starts ==============================
platform linux -- Python 3.10.6, pytest-7.2.0, pluggy-1.0.0
rootdir: /strelka
plugins: mock-3.10.0, unordered-0.5.2
collected 71 items
tests/test_required_for_scanner.py .
tests/test_scan_base64.py .
tests/test_scan_base64_pe.py .
tests/test_scan_batch.py .
tests/test_scan_bmp_eof.py .
tests/test_scan_bzip2.py .
tests/test_scan_capa.py ...
tests/test_scan_ccn.py .
tests/test_scan_dmg.py .
tests/test_scan_docx.py .
tests/test_scan_elf.py .
tests/test_scan_email.py .
tests/test_scan_encrypted_doc.py ....
tests/test_scan_encrypted_zip.py ..
tests/test_scan_entropy.py .
tests/test_scan_exiftool.py ..
tests/test_scan_footer.py .
tests/test_scan_gif.py .
tests/test_scan_gzip.py .
tests/test_scan_hash.py .
tests/test_scan_header.py .
tests/test_scan_html.py .
tests/test_scan_ini.py .
tests/test_scan_iso.py .
tests/test_scan_javascript.py .
tests/test_scan_jpeg.py ..
tests/test_scan_json.py .
tests/test_scan_libarchive.py ......
tests/test_scan_lnk.py .
tests/test_scan_lzma.py .
tests/test_scan_macho.py .
tests/test_scan_manifest.py .
tests/test_scan_msi.py .
tests/test_scan_ocr.py .
tests/test_scan_pdf.py .
tests/test_scan_pe.py .
tests/test_scan_png_eof.py ...
tests/test_scan_qr.py .
tests/test_scan_rar.py .
tests/test_scan_strings.py .
tests/test_scan_tar.py .
tests/test_scan_upx.py .
tests/test_scan_url.py .....
tests/test_scan_vhd.py ..
tests/test_scan_x509.py ..
tests/test_scan_xml.py .
tests/test_scan_yara.py .
tests/test_scan_zip.py ..
=============================== warnings summary ===============================
...
======================= 72 passed, 25 warnings in 13.22s =======================
Sample output
No changes.
Checklist