Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create capa2yara.py #561

Merged
merged 3 commits into from May 19, 2021
Merged

Create capa2yara.py #561

merged 3 commits into from May 19, 2021

Conversation

ruppde
Copy link
Contributor

@ruppde ruppde commented May 17, 2021

@ruppde ruppde mentioned this pull request May 17, 2021
Closed
@ruppde
Copy link
Contributor Author

ruppde commented May 18, 2021

btw, it's a weekend project and the code quality is rather ermmm average. it's totally fine if you take this as a POC and rewrite it properly from your codebase (if we find enough use for the result ;)

@mr-tz
Copy link
Collaborator

mr-tz commented May 19, 2021

I'm ok with merging once the code style matches (unless someone else objects, of course), for that please run:

  1. isort --profile black --length-sort --line-width 120
  2. black -l 120

@ruppde
Update capa2yara.py
49b2554 
    isort --profile black --length-sort --line-width 120

    black -l 120
@mr-tz
Copy link
Collaborator

mr-tz commented May 19, 2021

Thank you very much!
Let's wait for @williballenthin or @Ana06 to chime in and then we're good to go.

williballenthin
williballenthin approved these changes May 19, 2021
View reviewed changes
Copy link
Collaborator

@williballenthin williballenthin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is a great script to include in the capa repository. As it gets some use (and any bug fixes) we can bring minor characteristics (line length, globals, etc.) into line with the rest of the capa code; however, in the meantime, its much more valuable to get this into the hands of others.

Thanks @ruppde for the hard work here! I hope you'll continue to contribute as you update the script, have new ideas, etc.

scripts/capa2yara.py
today = str(datetime.date.today())

# create unique variable names for each rule in case somebody wants to move/copy stuff around later
var_names = ["".join(letters) for letters in itertools.product(string.ascii_lowercase, repeat=3)]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

alternatively, rather than realizing the generator into a concrete list, could use just the generator, and call next(var_names) when fetching the next term.

upside is that there is less upfront computation and memory overhead.

this is just an FYI, no need to change here.

scripts/capa2yara.py
regex = re.sub(r"(?<!\\)/", r"\/", regex)

# capa uses python regex which accepts /reg(|.exe)/ but yaras regex engine doesn't not => fix it
# /reg(|.exe)/ => /reg(.exe)?/
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for the explanations here, they're really helpful.

scripts/capa2yara.py Outdated Show resolved Hide resolved
@mr-tz @williballenthin
Update scripts/capa2yara.py
ab8a1a4 
Co-authored-by: Willi Ballenthin <willi.ballenthin@gmail.com>
@mr-tz mr-tz merged commit 7b62b58 into mandiant:master May 19, 2021
@ruppde
Copy link
Contributor Author

ruppde commented May 19, 2021

@williballenthin @mr-tz sure & thanks for capa and the rules!

@Ana06
Copy link
Member

Ana06 commented May 20, 2021

Nice idea @ruppde! btw, changelog entry is missing. I'll add it! (There will be soon a GitHub Action to avoid we forget this: #457 (comment))

Ana06 added a commit that referenced this pull request May 20, 2021
@Ana06
changelog: convert capa rules to YARA rules
83606bb 
Add #561 to CHANGELOG.
@ruppde
Copy link
Contributor Author

ruppde commented May 20, 2021

@Ana06 no, I can't get credit for the idea, someone else wrote "capa rules are a mixture of the OpenIOC, Yara, and YAML formats." ;)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@williballenthin williballenthin williballenthin approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@ruppde @mr-tz @Ana06 @williballenthin