mirror of
https://github.com/mandiant/capa.git
synced 2025-12-31 15:06:17 -08:00
update tests to explicitely specify scopes
This commit is contained in:
Yacine Elhamer
@@ -43,6 +43,9 @@ def test_match_simple():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
namespace: testns1/testns2
|
||||
features:
|
||||
- number: 100
|
||||
@@ -63,6 +66,9 @@ def test_match_range_exact():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- count(number(100)): 2
|
||||
"""
|
||||
@@ -87,7 +93,10 @@ def test_match_range_range():
|
||||
"""
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- count(number(100)): (2, 3)
|
||||
"""
|
||||
@@ -117,6 +126,9 @@ def test_match_range_exact_zero():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- count(number(100)): 0
|
||||
"""
|
||||
@@ -142,7 +154,10 @@ def test_match_range_with_zero():
|
||||
"""
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- count(number(100)): (0, 1)
|
||||
"""
|
||||
@@ -169,6 +184,9 @@ def test_match_adds_matched_rule_feature():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- number: 100
|
||||
"""
|
||||
@@ -187,6 +205,9 @@ def test_match_matched_rules():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule1
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- number: 100
|
||||
"""
|
||||
@@ -198,6 +219,9 @@ def test_match_matched_rules():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule2
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- match: test rule1
|
||||
"""
|
||||
@@ -232,6 +256,9 @@ def test_match_namespace():
|
||||
rule:
|
||||
meta:
|
||||
name: CreateFile API
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
namespace: file/create/CreateFile
|
||||
features:
|
||||
- api: CreateFile
|
||||
@@ -244,6 +271,9 @@ def test_match_namespace():
|
||||
rule:
|
||||
meta:
|
||||
name: WriteFile API
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
namespace: file/write
|
||||
features:
|
||||
- api: WriteFile
|
||||
@@ -256,6 +286,9 @@ def test_match_namespace():
|
||||
rule:
|
||||
meta:
|
||||
name: file-create
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- match: file/create
|
||||
"""
|
||||
@@ -267,6 +300,9 @@ def test_match_namespace():
|
||||
rule:
|
||||
meta:
|
||||
name: filesystem-any
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- match: file
|
||||
"""
|
||||
@@ -304,6 +340,9 @@ def test_match_substring():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- and:
|
||||
- substring: abc
|
||||
@@ -355,6 +394,9 @@ def test_match_regex():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- and:
|
||||
- string: /.*bbbb.*/
|
||||
@@ -367,6 +409,9 @@ def test_match_regex():
|
||||
rule:
|
||||
meta:
|
||||
name: rule with implied wildcards
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- and:
|
||||
- string: /bbbb/
|
||||
@@ -379,6 +424,9 @@ def test_match_regex():
|
||||
rule:
|
||||
meta:
|
||||
name: rule with anchor
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- and:
|
||||
- string: /^bbbb/
|
||||
@@ -425,6 +473,9 @@ def test_match_regex_ignorecase():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- and:
|
||||
- string: /.*bbbb.*/i
|
||||
@@ -448,6 +499,9 @@ def test_match_regex_complex():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- or:
|
||||
- string: /.*HARDWARE\\Key\\key with spaces\\.*/i
|
||||
@@ -471,6 +525,9 @@ def test_match_regex_values_always_string():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- or:
|
||||
- string: /123/
|
||||
@@ -500,6 +557,9 @@ def test_match_not():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
namespace: testns1/testns2
|
||||
features:
|
||||
- not:
|
||||
@@ -518,6 +578,9 @@ def test_match_not_not():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
namespace: testns1/testns2
|
||||
features:
|
||||
- not:
|
||||
@@ -537,6 +600,9 @@ def test_match_operand_number():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- and:
|
||||
- operand[0].number: 0x10
|
||||
@@ -564,6 +630,9 @@ def test_match_operand_offset():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- and:
|
||||
- operand[0].offset: 0x10
|
||||
@@ -591,6 +660,9 @@ def test_match_property_access():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- and:
|
||||
- property/read: System.IO.FileInfo::Length
|
||||
@@ -632,6 +704,9 @@ def test_match_os_any():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- or:
|
||||
- and:
|
||||
|
||||
@@ -79,6 +79,9 @@ def test_rule_yaml_complex():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- or:
|
||||
- and:
|
||||
@@ -103,6 +106,9 @@ def test_rule_descriptions():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- and:
|
||||
- description: and description
|
||||
@@ -147,6 +153,9 @@ def test_invalid_rule_statement_descriptions():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- or:
|
||||
- number: 1 = This is the number 1
|
||||
@@ -163,6 +172,9 @@ def test_rule_yaml_not():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- and:
|
||||
- number: 1
|
||||
@@ -181,6 +193,9 @@ def test_rule_yaml_count():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- count(number(100)): 1
|
||||
"""
|
||||
@@ -197,6 +212,9 @@ def test_rule_yaml_count_range():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- count(number(100)): (1, 2)
|
||||
"""
|
||||
@@ -214,6 +232,9 @@ def test_rule_yaml_count_string():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- count(string(foo)): 2
|
||||
"""
|
||||
@@ -233,6 +254,9 @@ def test_invalid_rule_feature():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- foo: true
|
||||
"""
|
||||
@@ -315,6 +339,9 @@ def test_multi_scope_rules_features():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- or:
|
||||
- api: read
|
||||
@@ -375,6 +402,9 @@ def test_lib_rules():
|
||||
rule:
|
||||
meta:
|
||||
name: a lib rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
lib: true
|
||||
features:
|
||||
- api: CreateFileA
|
||||
@@ -387,6 +417,9 @@ def test_lib_rules():
|
||||
rule:
|
||||
meta:
|
||||
name: a standard rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
lib: false
|
||||
features:
|
||||
- api: CreateFileW
|
||||
@@ -486,6 +519,9 @@ def test_duplicate_rules():
|
||||
rule:
|
||||
meta:
|
||||
name: rule-name
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- api: CreateFileA
|
||||
"""
|
||||
@@ -497,6 +533,9 @@ def test_duplicate_rules():
|
||||
rule:
|
||||
meta:
|
||||
name: rule-name
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- api: CreateFileW
|
||||
"""
|
||||
@@ -516,6 +555,9 @@ def test_missing_dependency():
|
||||
rule:
|
||||
meta:
|
||||
name: dependent rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- match: missing rule
|
||||
"""
|
||||
@@ -533,6 +575,9 @@ def test_invalid_rules():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- characteristic: number(1)
|
||||
"""
|
||||
@@ -546,6 +591,9 @@ def test_invalid_rules():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- characteristic: count(number(100))
|
||||
"""
|
||||
@@ -560,6 +608,9 @@ def test_invalid_rules():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
att&ck: Tactic::Technique::Subtechnique [Identifier]
|
||||
features:
|
||||
- number: 1
|
||||
@@ -573,6 +624,9 @@ def test_invalid_rules():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
mbc: Objective::Behavior::Method [Identifier]
|
||||
features:
|
||||
- number: 1
|
||||
@@ -647,6 +701,9 @@ def test_number_symbol():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- and:
|
||||
- number: 1
|
||||
@@ -674,6 +731,9 @@ def test_count_number_symbol():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- or:
|
||||
- count(number(2 = symbol name)): 1
|
||||
@@ -697,6 +757,9 @@ def test_invalid_number():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- number: "this is a string"
|
||||
"""
|
||||
@@ -710,6 +773,9 @@ def test_invalid_number():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- number: 2=
|
||||
"""
|
||||
@@ -723,6 +789,9 @@ def test_invalid_number():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- number: symbol name = 2
|
||||
"""
|
||||
@@ -736,6 +805,9 @@ def test_offset_symbol():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- and:
|
||||
- offset: 1
|
||||
@@ -760,6 +832,9 @@ def test_count_offset_symbol():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- or:
|
||||
- count(offset(2 = symbol name)): 1
|
||||
@@ -783,6 +858,9 @@ def test_invalid_offset():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- offset: "this is a string"
|
||||
"""
|
||||
@@ -796,6 +874,9 @@ def test_invalid_offset():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- offset: 2=
|
||||
"""
|
||||
@@ -809,6 +890,9 @@ def test_invalid_offset():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- offset: symbol name = 2
|
||||
"""
|
||||
@@ -824,6 +908,9 @@ def test_invalid_string_values_int():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- string: 123
|
||||
"""
|
||||
@@ -837,6 +924,9 @@ def test_invalid_string_values_int():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- string: 0x123
|
||||
"""
|
||||
@@ -850,6 +940,9 @@ def test_explicit_string_values_int():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- or:
|
||||
- string: "123"
|
||||
@@ -868,6 +961,9 @@ def test_string_values_special_characters():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- or:
|
||||
- string: "hello\\r\\nworld"
|
||||
@@ -887,6 +983,9 @@ def test_substring_feature():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- or:
|
||||
- substring: abc
|
||||
@@ -907,6 +1006,9 @@ def test_substring_description():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- or:
|
||||
- substring: abc
|
||||
@@ -927,6 +1029,9 @@ def test_filter_rules():
|
||||
rule:
|
||||
meta:
|
||||
name: rule 1
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
authors:
|
||||
- joe
|
||||
features:
|
||||
@@ -940,6 +1045,9 @@ def test_filter_rules():
|
||||
rule:
|
||||
meta:
|
||||
name: rule 2
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- string: joe
|
||||
"""
|
||||
@@ -961,6 +1069,9 @@ def test_filter_rules_dependencies():
|
||||
rule:
|
||||
meta:
|
||||
name: rule 1
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- match: rule 2
|
||||
"""
|
||||
@@ -972,6 +1083,9 @@ def test_filter_rules_dependencies():
|
||||
rule:
|
||||
meta:
|
||||
name: rule 2
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- match: rule 3
|
||||
"""
|
||||
@@ -983,6 +1097,9 @@ def test_filter_rules_dependencies():
|
||||
rule:
|
||||
meta:
|
||||
name: rule 3
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- api: CreateFile
|
||||
"""
|
||||
@@ -1007,6 +1124,9 @@ def test_filter_rules_missing_dependency():
|
||||
rule:
|
||||
meta:
|
||||
name: rule 1
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
authors:
|
||||
- joe
|
||||
features:
|
||||
@@ -1026,6 +1146,9 @@ def test_rules_namespace_dependencies():
|
||||
rule:
|
||||
meta:
|
||||
name: rule 1
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
namespace: ns1/nsA
|
||||
features:
|
||||
- api: CreateFile
|
||||
@@ -1038,6 +1161,9 @@ def test_rules_namespace_dependencies():
|
||||
rule:
|
||||
meta:
|
||||
name: rule 2
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
namespace: ns1/nsB
|
||||
features:
|
||||
- api: CreateFile
|
||||
@@ -1050,6 +1176,9 @@ def test_rules_namespace_dependencies():
|
||||
rule:
|
||||
meta:
|
||||
name: rule 3
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- match: ns1/nsA
|
||||
"""
|
||||
@@ -1061,6 +1190,9 @@ def test_rules_namespace_dependencies():
|
||||
rule:
|
||||
meta:
|
||||
name: rule 4
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- match: ns1
|
||||
"""
|
||||
@@ -1170,6 +1302,9 @@ def test_property_access():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- property/read: System.IO.FileInfo::Length
|
||||
"""
|
||||
@@ -1188,6 +1323,9 @@ def test_property_access_symbol():
|
||||
rule:
|
||||
meta:
|
||||
name: test rule
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- property/read: System.IO.FileInfo::Length = some property
|
||||
"""
|
||||
|
||||
@@ -124,6 +124,9 @@ def test_detect_duplicate_features(tmpdir):
|
||||
rule:
|
||||
meta:
|
||||
name: Test Rule 1
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- or:
|
||||
- string: unique
|
||||
@@ -143,6 +146,9 @@ def test_detect_duplicate_features(tmpdir):
|
||||
rule:
|
||||
meta:
|
||||
name: Test Rule 2
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- and:
|
||||
- string: "sites.ini"
|
||||
@@ -157,6 +163,9 @@ def test_detect_duplicate_features(tmpdir):
|
||||
rule:
|
||||
meta:
|
||||
name: Test Rule 3
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- or:
|
||||
- not:
|
||||
@@ -172,6 +181,9 @@ def test_detect_duplicate_features(tmpdir):
|
||||
rule:
|
||||
meta:
|
||||
name: Test Rule 4
|
||||
scopes:
|
||||
static: function
|
||||
dynamic: process
|
||||
features:
|
||||
- not:
|
||||
- string: "expa"
|
||||
|
||||
Reference in New Issue
Block a user