gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2025-12-12 15:49:46 -08:00
Code Issues Packages Projects Releases Wiki Activity

simplified rule release guidance

Browse Source
This commit is contained in:
mr-tz
2022-12-21 16:03:05 +01:00
parent d466345e4e
commit 3b95ed0b5a
3 changed files with 41 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
doc/rules.md
View File

@@ -1,6 +1,5 @@
### rules
capa uses a collection of rules to identify capabilities within a program.
The [github.com/mandiant/capa-rules](https://github.com/mandiant/capa-rules) repository contains hundreds of standard library rules that are distributed with capa.
@@ -12,8 +11,8 @@ $ capa suspicious.exe
However, you may want to modify the rules for a variety of reasons:
- develop new rules to find behaviors, and/or
- tweak existing rules to reduce false positives, and/or
- develop new rules to find behaviors,
- tweak existing rules to reduce false positives,
- collect a private selection of rules not shared publicly.
Or, you may want to use capa as a Python library within another application.
@@ -21,22 +20,18 @@ Or, you may want to use capa as a Python library within another application.
In these scenarios, you must provide the rule set to capa as a directory on your file system. Do this using the `-r`/`--rules` parameter:
```console
$ capa --rules /local/path/to/rules suspicious.exe
$ capa --rules /local/path/to/rules suspicious.exe
```
You can collect the standard set of rules in two ways:
You can download the standard set of rules as ZIP or TGZ archives from the [capa-rules release page](https://github.com/mandiant/capa-rules/releases).
- [download from the Github releases page](#download-release-archive), or
- [clone from Github](#clone-with-git).
Note that you must use match the rules major version with the capa major version,
i.e., use `v1` rules with `v1` of capa.
Note that you must use match the rules major version with the capa major version, i.e., use `v1` rules with `v1` of capa.
This is so that new versions of capa can update rule syntax, such as by adding new fields and logic.
Otherwise, using rules with a mismatched version of capa may lead to errors like:
```
$ capa --rules /path/to/mismatched/rules suspicious.exe
$ capa --rules /path/to/mismatched/rules suspicious.exe
ERROR:lint:invalid rule: injection.yml: invalid rule: unexpected statement: instruction
```
@@ -46,27 +41,3 @@ You can check the version of capa you're currently using like this:
$ capa --version
capa 3.0.3
```
#### download release archive
The releases page is [here](https://github.com/mandiant/capa-rules/tags/).
Find the most recent release corresponding to your major version of capa and download the ZIP archive.
Here are some quick links:
- v1: [v1](https://github.com/mandiant/capa-rules/releases/tag/v1)
- v2: [v2](https://github.com/mandiant/capa-rules/releases/tag/v2)
- v3: [v3](https://github.com/mandiant/capa-rules/releases/tag/v3)
#### clone with git
To fetch with git, clone the appropriate branch like this:
```console
$ git clone https://github.com/mandiant/capa-rules.git -b v3 /local/path/to/rules
```
Note that the branch name (`v3` in the example above) must match the major version of capa you're using.
- [v1](https://github.com/mandiant/capa-rules/tree/v1): `v1`
- [v2](https://github.com/mandiant/capa-rules/tree/v2): `v2`
- [v3](https://github.com/mandiant/capa-rules/tree/v3): `v3`