Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

render: do not display lib rules (or make display optional) #1174

Closed
mike-hunhoff opened this issue Sep 12, 2022 · 3 comments · Fixed by #1266
Closed

render: do not display lib rules (or make display optional) #1174

mike-hunhoff opened this issue Sep 12, 2022 · 3 comments · Fixed by #1266
Assignees
@williballenthin @mr-tz
Labels
enhancement New feature or request question Further information is requested
Milestone
5.0.0

Comments

@mike-hunhoff
Copy link
Collaborator

mike-hunhoff commented Sep 12, 2022
edited
Loading

We no longer filter library rules when rendering vverbose. This can be problematic because some library rules can have many matches, polluting the output and in some cases making it unreadable e.g.

...
contain loop (530 matches)
namespace
author     moritz.raabe@mandiant.com
scope      function
...

and

...
contain loop (7054 matches)
namespace
author     moritz.raabe@mandiant.com
scope      function
...

This is also problematic for capa explorer when trying to display, e.g. 7,054 rule matches, in a GUI.

Proposed alternatives:

  • Do not display lib rule matches (as before)
  • Make it optional to display lib rule matches (off by default)

The following code supports rendering all rule matches, including lib rules.

capa/capa/render/vverbose.py

Lines 225 to 233 in 5960f51

for (_, _, rule) in sorted(
map(lambda rule: (rule.meta.namespace or "", rule.meta.name, rule), doc.rules.values())
):
# default scope hides things like lib rules, malware-category rules, etc.
# but in vverbose mode, we really want to show everything.
#
# still ignore subscope rules because they're stitched into the final document.
if rule.meta.is_subscope_rule:
continue

@mike-hunhoff mike-hunhoff added enhancement New feature or request question Further information is requested labels Sep 12, 2022
@mr-tz
Copy link
Collaborator

mr-tz commented Sep 13, 2022

This changed in 6555257. I think lib rules add little value by themselves and we should not display them even in vverbose mode.

@williballenthin
Copy link
Collaborator

agree with moritz, lets not display them

@williballenthin williballenthin self-assigned this Dec 6, 2022
@mr-tz mr-tz added this to the 5.0.0 milestone Jan 4, 2023
@mr-tz
Copy link
Collaborator

mr-tz commented Jan 5, 2023

capa explorer does not display lib rules. If there are regular rules with too many hits, we could think about not displaying them all at once.

@mr-tz mr-tz self-assigned this Jan 5, 2023
@mr-tz mr-tz mentioned this issue Jan 5, 2023
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@williballenthin williballenthin

@mr-tz mr-tz

Labels
enhancement New feature or request question Further information is requested
Projects
None yet
Milestone
5.0.0
Development

Successfully merging a pull request may close this issue.

only show first lib match to reduce vverbose output noise mandiant/capa
3 participants
@williballenthin @mr-tz @mike-hunhoff