Create a script called match-2-yara #1703

jconnor0426 · 2023-08-10T16:14:27Z

Overview

This PR creates a new script that takes CAPA rule match information and creates code-based YARA rules around them.

The script will enable users to hunt for code reuse of interesting functions in samples they are reviewing.

Features

Supports PE files (x86/x64/.NET)
Generate Code Based YARA rules with detailed comments for a single file
Generate Code Based YARA rules based on similarity between multiple files

Requirements

This script requires the installation of two additional python libraries:

mkyara
yaramod

Checklist

No CHANGELOG update needed

No new tests needed

No documentation update needed

This reverts commit dd5ff32.

…comments

jconnor0426 · 2023-08-25T20:36:51Z

Ready for Review

pyproject.toml

scripts/match-2-yar.py

tests/test_scripts.py

CHANGELOG.md

Co-authored-by: Moritz <mr-tz@users.noreply.github.com>

jconnor0426 mentioned this pull request Aug 11, 2023

Adding expected yara files for match-2-yar tests mandiant/capa-testfiles#211

Open

jconnor0426 added 6 commits August 22, 2023 17:32

Create a script called match-2-yara

718ab68

Add tests and address sources of non-deterministic output in match-2-yar

44104f2

Update the test repo version to include yara test files

913084a

Update changelog for match-2-yar

3178936

Updating to be compliant with code style of project

e6edf43

Add test to validate match-2-yar feature extraction

f04359c

jconnor0426 force-pushed the capa_match_2_yara branch from a1db2b9 to f04359c Compare August 22, 2023 21:35

jconnor0426 added 8 commits August 22, 2023 17:39

Address code style issues

db9b2b4

Syncs data directory with current master

a33194c

Adds match-2-yar test dependencies to github action

dd5ff32

Revert "Adds match-2-yar test dependencies to github action"

72c1cc3

This reverts commit dd5ff32.

Add dev dependency to support running match-2-yar testing

beaf8b2

Address type issue

036fccb

Remove unnecessary debug logging and updated one expected yara file

27049b7

Remove type hint incompatible with python 3.8 and remove unnecessary …

f4d0c2f

…comments

mr-tz reviewed Aug 29, 2023

View reviewed changes

jconnor0426 added 6 commits August 29, 2023 09:43

Update spelling and name suggestions

21e067b

Simplify the match-2-yar function size logic

b544ea3

Move match-2-yar dependecies to another optional set of dependencies

6919c5b

Merge branch 'master' into capa_match_2_yara

ba0b6e3

Remove artifact of merge commit

86a4a3e

Add in dependency installation to tests github action

a888c15

mr-tz reviewed Aug 30, 2023

View reviewed changes

CHANGELOG.md Outdated Show resolved Hide resolved

jconnor0426 and others added 3 commits August 30, 2023 09:04

Update CHANGELOG.md based on suggestion

400bc89

Co-authored-by: Moritz <mr-tz@users.noreply.github.com>

Updating test yara file names to avoid name issues in test files repo

8a0fa9d

Merge branch 'master' into capa_match_2_yara

3da1ad3

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Create a script called match-2-yara #1703

Create a script called match-2-yara #1703

Uh oh!

jconnor0426 commented Aug 10, 2023

Uh oh!

jconnor0426 commented Aug 25, 2023

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Create a script called match-2-yara #1703

Are you sure you want to change the base?

Create a script called match-2-yara #1703

Uh oh!

Conversation

jconnor0426 commented Aug 10, 2023

Overview

Features

Requirements

Checklist

Uh oh!

jconnor0426 commented Aug 25, 2023

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants