Create a script called match-2-yara #1703

jconnor0426 · 2023-08-10T16:14:27Z

Overview

This PR creates a new script that takes CAPA rule match information and creates code-based YARA rules around them.

The script will enable users to hunt for code reuse of interesting functions in samples they are reviewing.

Features

Supports PE files (x86/x64/.NET)
Generate Code Based YARA rules with detailed comments for a single file
Generate Code Based YARA rules based on similarity between multiple files

Requirements

This script requires the installation of two additional python libraries:

mkyara
yaramod

Checklist

No CHANGELOG update needed

No new tests needed

No documentation update needed

This reverts commit dd5ff32.

…comments

jconnor0426 · 2023-08-25T20:36:51Z

Ready for Review

pyproject.toml

scripts/match-2-yar.py

tests/test_scripts.py

CHANGELOG.md

Co-authored-by: Moritz <mr-tz@users.noreply.github.com>

jconnor0426 mentioned this pull request Aug 11, 2023

Adding expected yara files for match-2-yar tests mandiant/capa-testfiles#211

Open

jconnor0426 added 6 commits August 22, 2023 17:32

Create a script called match-2-yara

718ab68

Add tests and address sources of non-deterministic output in match-2-yar

44104f2

Update the test repo version to include yara test files

913084a

Update changelog for match-2-yar

3178936

Updating to be compliant with code style of project

e6edf43

Add test to validate match-2-yar feature extraction

f04359c

jconnor0426 force-pushed the capa_match_2_yara branch from a1db2b9 to f04359c Compare August 22, 2023 21:35

jconnor0426 added 8 commits August 22, 2023 17:39

Address code style issues

db9b2b4

Syncs data directory with current master

a33194c

Adds match-2-yar test dependencies to github action

dd5ff32

Revert "Adds match-2-yar test dependencies to github action"

72c1cc3

This reverts commit dd5ff32.

Add dev dependency to support running match-2-yar testing

beaf8b2

Address type issue

036fccb

Remove unnecessary debug logging and updated one expected yara file

27049b7

Remove type hint incompatible with python 3.8 and remove unnecessary …

f4d0c2f

…comments

mr-tz reviewed Aug 29, 2023

View reviewed changes

jconnor0426 added 6 commits August 29, 2023 09:43

Update spelling and name suggestions

21e067b

Simplify the match-2-yar function size logic

b544ea3

Move match-2-yar dependecies to another optional set of dependencies

6919c5b

Merge branch 'master' into capa_match_2_yara

ba0b6e3

Remove artifact of merge commit

86a4a3e

Add in dependency installation to tests github action

a888c15

mr-tz reviewed Aug 30, 2023

View reviewed changes

CHANGELOG.md Outdated Show resolved Hide resolved

jconnor0426 and others added 3 commits August 30, 2023 09:04

Update CHANGELOG.md based on suggestion

400bc89

Co-authored-by: Moritz <mr-tz@users.noreply.github.com>

Updating test yara file names to avoid name issues in test files repo

8a0fa9d

Merge branch 'master' into capa_match_2_yara

3da1ad3

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Create a script called match-2-yara #1703

Create a script called match-2-yara #1703

jconnor0426 commented Aug 10, 2023

jconnor0426 commented Aug 25, 2023

Create a script called match-2-yara #1703

Are you sure you want to change the base?

Create a script called match-2-yara #1703

Conversation

jconnor0426 commented Aug 10, 2023

Overview

Features

Requirements

Checklist

jconnor0426 commented Aug 25, 2023