As we've extended capa to process multiple architectures we should consider appending via [insert_name] assembly to applicable rule names. This should help users better distinguish capa's rules and results.
I'd like to work on this issue. Could you please assign it to me?
I have a question regarding this issue. Do I need to go through each yml file or are there any particular folders that have architecture specific yml rule files in them?
Yes, that's correct. When a rule relies on architecture-specific assembly (typically mnemonics), and would never match on a different architecture, then the rule name should be updated. This will require going through the existing yml rules. They are not found in a particular namespace, so all rules are in scope.
e.g. https://github.com/mandiant/capa-rules/blob/ff9db744255ecd9d5f5e64c4b93af7613a9441f2/data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga.yml can only match x86 assembly but this is not obvious based on the rule name.
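As an added example that is not part of this issue or the capa-rules project, a small Python triage script that flags rules using mnemonic features whose name does not yet end in a "via <arch> assembly" suffix; the sample rule contents, the file paths and the exact suffix wording are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample rule files (hypothetical contents modelled on the
# capa-rules YAML layout; not copied from the real repository).
SAMPLE_RULES: Dict[str, str] = {
    "rc4/encrypt-data-using-rc4-prga.yml": """\
rule:
  meta:
    name: encrypt data using RC4 PRGA
  features:
    - mnemonic: xor
""",
    "hostname/get-hostname.yml": """\
rule:
  meta:
    name: get hostname
  features:
    - api: kernel32.GetComputerNameA
""",
    "anti-analysis/detect-vm-via-cpuid.yml": """\
rule:
  meta:
    name: check for VM via CPUID via x86 assembly
  features:
    - mnemonic: cpuid
""",
}

NAME_RE = re.compile(r"^\s+name:\s*(.+?)\s*$", re.MULTILINE)
MNEMONIC_RE = re.compile(r"^\s*-\s*mnemonic:\s*(\S+)", re.MULTILINE)
SUFFIX_RE = re.compile(r"\bvia \S+ assembly$")  # assumed wording of the suffix

def rule_name(text: str) -> str:
    """Extract meta.name; raises if the rule has none."""
    m = NAME_RE.search(text)
    if m is None:
        raise ValueError("rule has no meta.name")
    return m.group(1)

def mnemonics(text: str) -> List[str]:
    """All mnemonic features, which tie a rule to one architecture."""
    return MNEMONIC_RE.findall(text)

def rename_candidates(rules: Dict[str, str], arch: str = "x86") -> List[Tuple[str, str, str]]:
    """(path, current name, suggested name) for mnemonic rules lacking an arch suffix."""
    found = []
    for path, text in rules.items():
        name = rule_name(text)
        if mnemonics(text) and not SUFFIX_RE.search(name):
            found.append((path, name, f"{name} via {arch} assembly"))
    return found
```

Run it over a real checkout by replacing SAMPLE_RULES with the contents of each .yml file; a rule that is x86-only without using mnemonics (for example one keyed on a 32-bit-only API) will not be caught and still needs manual review.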