rules: apply rule reorganization #14
namespace structure:
anti-analysis/anti-forensic/self-deletion/self-delete-via-comspec-environment-variable.yml
anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml
anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml
Assuming everyone is happy with the rule name/namespace reorganization, this PR is ready for review and merge.
Though, as soon as we merge it, capa will be broken as
🥳 it's party time
So much good stuff!
It seems like a bunch of files we would want to keep are deleted?
host-interaction/process/inject/kernel-to-user/attach-user-process-memory.yml
...e-access-control/process-manipulation/create-process-with-modified-stdhandles-and-window.yml
All comments addressed, no outstanding TODOs.
very good, thank you!
🥳
@@ -1,7 +1,7 @@ | |||
rule: | |||
meta: | |||
name: compiled to the .NET platform |
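Review bot: `compiled to the .NET platform` reads as a past participle rather than a present-tense verb phrase, and the same question comes up twice in this thread; if the convention is that a name completes either "This sample may ..." or "This sample may be [a] ...", stating those two templates in the contributing docs (or in a comment at the top of the rule) would let reviewers settle names like this one without asking.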
@williballenthin I think you said we wanted to write rule names in the present tense. Shouldn't this one be modified? 🤔
rule names complete one of these two sentences:
- This function/sample may... "reference the VMWare IO port"
- This sample may be [a].... "linked against OpenSSL"
@@ -1,6 +1,7 @@ | |||
rule: | |||
meta: | |||
name: get service handle | |||
namespace: '' |
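Review bot: `namespace: ''` is added as an empty string rather than omitted; a loader that tests `if meta.get("namespace")` and one that tests `if "namespace" in meta` will disagree about whether this rule has a namespace. If the intent is that this library rule has none, dropping the key is less ambiguous than an empty value; otherwise document that the empty string is the marker for library rules.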
there are several rules without namespace, is this expected?
These are library rules meant to be used by other rules; they should not be displayed to the user. They could have a namespace, but don't have to.
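As an added example (not code from capa, capa-rules or this PR), a small checker for the two conventions discussed in this thread: rule names should complete "This sample may ..." or "This sample may be [a] ...", and only library rules may omit a namespace. It assumes that library rules carry `lib: true` under `meta` and that a rule's namespace should equal the directory part of its path; neither assumption is stated on this page. The sample rules are constructed for the example, and the "third-person" check is only a heuristic on the first word of the name.

```python
"""Check capa-style rule metadata against the naming and namespace conventions
discussed in the PR thread.

Added example, not code from capa or capa-rules. Assumptions not stated on the
page: library rules carry `lib: true` under meta, and a rule's namespace equals
the directory part of its path.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample rules (path, contents): illustrations, not real capa rules.
SAMPLE_RULES: List[Tuple[str, str]] = [
    (
        "anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml",
        "rule:\n"
        "  meta:\n"
        "    name: check for PEB BeingDebugged flag\n"
        "    namespace: anti-analysis/anti-debugging/debugger-detection\n"
        "  features:\n"
        "    - api: IsDebuggerPresent\n",
    ),
    (
        "lib/get-service-handle.yml",
        "rule:\n"
        "  meta:\n"
        "    name: get service handle\n"
        "    namespace: ''\n"
        "    lib: true\n",
    ),
    (
        "other-features/linked-library/linked-with-cryptopp.yml",
        "rule:\n"
        "  meta:\n"
        "    name: links against Crypto++\n"
        "    rule-category: other-features/linked-library/linked-with-cryptopp\n",
    ),
    (
        "host-interaction/process/inject/attach-user-process-memory.yml",
        "rule:\n"
        "  meta:\n"
        "    name: attach user process memory\n"
        "    namespace: host-interaction/process\n",
    ),
]

# `key: value` exactly four spaces in, i.e. directly under `rule: / meta:`.
META_LINE = re.compile(r"^ {4}([A-Za-z][\w-]*):\s*(.*)$")
# Heuristic: a lowercase first word ending in a single "s" ("links", "uses")
# reads as third person and does not complete "This sample may ...".
THIRD_PERSON = re.compile(r"[a-z]+[^s]s")


def parse_meta(text: str) -> Dict[str, str]:
    """Read the flat key/value pairs under `meta:`. Minimal reader for the
    constructed samples above, not a YAML parser."""
    meta: Dict[str, str] = {}
    in_meta = False
    for line in text.splitlines():
        if line == "  meta:":
            in_meta = True
            continue
        if in_meta:
            m = META_LINE.match(line)
            if not m:
                break  # left the meta block (e.g. reached `features:`)
            value = m.group(2).strip()
            if value in ("''", '""'):
                value = ""  # YAML empty string
            meta[m.group(1)] = value
    return meta


def lint_rule(path: str, text: str) -> List[str]:
    """Return a list of findings for one rule; empty means the rule passes."""
    findings: List[str] = []
    meta = parse_meta(text)
    name = meta.get("name", "")
    if not name:
        findings.append("missing name")
    elif THIRD_PERSON.fullmatch(name.split()[0]):
        findings.append(
            f"name {name!r} looks third-person; a rule name should complete "
            "'This sample may ...' or 'This sample may be [a] ...'"
        )
    if "rule-category" in meta:
        findings.append("legacy rule-category key; migrate it to namespace")
    is_lib = meta.get("lib", "").lower() == "true"  # assumption: lib marker
    namespace = meta.get("namespace", "")
    expected = path.rsplit("/", 1)[0] if "/" in path else ""  # assumption
    if not is_lib:
        if not namespace:
            findings.append("non-library rule without namespace")
        elif namespace != expected:
            findings.append(
                f"namespace {namespace!r} does not match directory {expected!r}"
            )
    return findings


def lint_all(rules: List[Tuple[str, str]] = SAMPLE_RULES) -> Dict[str, List[str]]:
    """Lint every (path, contents) pair and map path -> findings."""
    return {path: lint_rule(path, text) for path, text in rules}


if __name__ == "__main__":
    for rule_path, rule_findings in lint_all().items():
        print(f"{rule_path}: {'ok' if not rule_findings else '; '.join(rule_findings)}")
```

Running the block over the constructed samples passes the PEB rule and the library rule, and flags the Crypto++ rule three times (third-person name, leftover `rule-category`, no namespace) and the process-injection rule once (namespace does not match its directory). Point `lint_all` at real `(path, contents)` pairs read from a rules checkout to use it on a repository.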
@@ -1,7 +1,7 @@ | |||
rule: | |||
meta: | |||
name: links against Crypto++ | |||
rule-category: other-features/linked-library/linked-with-cryptopp | |||
name: linked against Crypto++ |
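Review bot: the `rule-category: other-features/linked-library/linked-with-cryptopp` line is removed here but no replacement `namespace:` line appears in the visible context, so confirm the file still carries its namespace after this hunk; the header keeps the file at 7 lines while two lines are dropped and one added, which suggests an unseen addition but does not show what it is. The rename from `links against Crypto++` to `linked against Crypto++` does fit the "This sample may be [a] ..." template.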
This one is also not in the present tense 🤔
Migration applied using the script in mandiant/capa#25
Migration plan: migration.csv.txt
Top-level namespaces: