Create RuleSet to test overlap script
@@ -48,14 +48,14 @@ def get_features(rule_path: str) -> list:
|
|||||||
feature_list = get_child_features(new_rule.statement)
|
feature_list = get_child_features(new_rule.statement)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
logger.error("Error: New rule " + rule_path + " " + str(type(e)) + " " + str(e))
|
logger.error("Error: New rule " + rule_path + " " + str(type(e)) + " " + str(e))
|
||||||
sys.exit(1)
|
sys.exit(-1)
|
||||||
return feature_list
|
return feature_list
|
||||||
|
|
||||||
|
|
||||||
def find_overlapping_rules(new_rule_path, rules_path):
|
def find_overlapping_rules(new_rule_path, rules_path):
|
||||||
if not new_rule_path.endswith(".yml"):
|
if not new_rule_path.endswith(".yml"):
|
||||||
logger.error("FileNotFoundError ! New rule file name doesn't end with .yml")
|
logger.error("FileNotFoundError ! New rule file name doesn't end with .yml")
|
||||||
sys.exit(1)
|
sys.exit(-1)
|
||||||
|
|
||||||
# Loads features of new rule in a list.
|
# Loads features of new rule in a list.
|
||||||
new_rule_features = get_features(new_rule_path)
|
new_rule_features = get_features(new_rule_path)
|
||||||
|
|||||||
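Review bot: The two changed lines `sys.exit(-1)` (after the `except Exception` in get_features and after the `.yml` check in find_overlapping_rules) do not yield an exit status of -1 for the caller: POSIX truncates it to 255 and Windows reports 0xFFFFFFFF, so any consumer comparing `returncode == -1` never matches on either platform. Since this script appears to report the overlap count through its exit status (the test added in this commit compares `returncode` to the expected count), the error value is only distinguishable from a count by convention; a comment above each exit would make that contract explicit, e.g. `# exit status doubles as the overlap count; -1 (255 on POSIX) marks a load/argument error`, and the test should assert the specific error status separately. The `except Exception as e:` handler also discards the traceback; `logger.exception("Error: New rule %s", rule_path)` would keep it and avoid the manual string concatenation. get_features begins before this hunk and find_overlapping_rules continues past it.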
@@ -14,8 +14,6 @@ import subprocess
|
|||||||
import pytest
|
import pytest
|
||||||
from fixtures import *
|
from fixtures import *
|
||||||
|
|
||||||
import capa.main
|
|
||||||
|
|
||||||
CD = os.path.dirname(__file__)
|
CD = os.path.dirname(__file__)
|
||||||
|
|
||||||
|
|
||||||
@@ -88,41 +86,73 @@ def test_proto_conversion(tmpdir):
|
|||||||
assert p.stdout.startswith(b'{\n "meta": ') or p.stdout.startswith(b'{\r\n "meta": ')
|
assert p.stdout.startswith(b'{\n "meta": ') or p.stdout.startswith(b'{\r\n "meta": ')
|
||||||
|
|
||||||
|
|
||||||
def run_detect_duplicate_features(rule_path):
|
def run_detect_duplicate_features(rule_dir, rule_path):
|
||||||
# rule_path = "collection/credit-card/parse-credit-card-information.yml"
|
# rule_path = "collection/credit-card/parse-credit-card-information.yml"
|
||||||
args = [get_rules_path(), rule_path]
|
args = [rule_dir, rule_path]
|
||||||
script_path = get_script_path("detect_duplicate_features.py")
|
script_path = get_script_path("detect_duplicate_features.py")
|
||||||
args = [sys.executable] + [script_path] + args
|
args = [sys.executable] + [script_path] + args
|
||||||
print(f"running: '{args}'")
|
print(f"running: '{args}'")
|
||||||
return subprocess.run(args)
|
return subprocess.run(args)
|
||||||
|
|
||||||
|
|
||||||
def test_detect_duplicate_features(z9324d_extractor, tmpdir):
|
def test_detect_duplicate_features(tmpdir):
|
||||||
RULE_CONTENT = textwrap.dedent(
|
RULESET = {
|
||||||
"""
|
"rule_1": textwrap.dedent(
|
||||||
rule:
|
"""
|
||||||
meta:
|
rule:
|
||||||
name: Test Rule
|
meta:
|
||||||
scope: function
|
name: Test Rule 1
|
||||||
features:
|
scope: function
|
||||||
- string: "sites.ini"
|
features:
|
||||||
"""
|
- or:
|
||||||
)
|
- string: "sites.ini"
|
||||||
expected_overlaps = 3
|
- number: 0xEDB88320
|
||||||
path = z9324d_extractor.path
|
"""
|
||||||
rule_file = tmpdir.mkdir("capa").join("rule.yml")
|
),
|
||||||
rule_file.write(RULE_CONTENT)
|
"rule_2": textwrap.dedent(
|
||||||
assert (
|
"""
|
||||||
capa.main.main(
|
rule:
|
||||||
[
|
meta:
|
||||||
path,
|
name: Test Rule 2
|
||||||
"-v",
|
scope: function
|
||||||
"-r",
|
features:
|
||||||
rule_file.strpath,
|
- and:
|
||||||
]
|
- string: "sites.ini"
|
||||||
)
|
- number: 8
|
||||||
== 0
|
"""
|
||||||
)
|
),
|
||||||
# tests if number of overlaps found are correct.
|
"rule_3": textwrap.dedent(
|
||||||
overlaps_found = run_detect_duplicate_features(rule_file.strpath).returncode
|
"""
|
||||||
assert overlaps_found == expected_overlaps
|
rule:
|
||||||
|
meta:
|
||||||
|
name: Test Rule 3
|
||||||
|
scope: function
|
||||||
|
features:
|
||||||
|
- not:
|
||||||
|
- number: 0xEDB88320
|
||||||
|
"""
|
||||||
|
),
|
||||||
|
"rule_4": textwrap.dedent(
|
||||||
|
"""
|
||||||
|
rule:
|
||||||
|
meta:
|
||||||
|
name: Test Rule 4
|
||||||
|
scope: function
|
||||||
|
features:
|
||||||
|
- not:
|
||||||
|
- number: 4
|
||||||
|
"""
|
||||||
|
),
|
||||||
|
}
|
||||||
|
|
||||||
|
rule_dir = tmpdir.mkdir("capa_rule_overlap_test")
|
||||||
|
rule_overlaps = [3, 2, 2, 1]
|
||||||
|
rule_paths = []
|
||||||
|
for rule_name, RULE_CONTENT in RULESET.items():
|
||||||
|
rule_file = rule_dir.join("%s.yml" % rule_name)
|
||||||
|
rule_file.write(RULE_CONTENT)
|
||||||
|
rule_paths.append(rule_file.strpath)
|
||||||
|
# tests if number of overlaps for rules in RULESET found are correct.
|
||||||
|
for expected_overlaps, rule_path in zip(rule_overlaps, rule_paths):
|
||||||
|
overlaps_found = run_detect_duplicate_features(rule_dir.strpath, rule_path)
|
||||||
|
assert overlaps_found.returncode == expected_overlaps
|
||||||
|
|||||||
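Review bot: The assertion `overlaps_found.returncode == expected_overlaps` in test_detect_duplicate_features gives no diagnostic when the script fails rather than counts, because run_detect_duplicate_features calls `subprocess.run(args)` without capturing output, so a load error (which the script signals via `sys.exit(-1)`, i.e. 255 on POSIX) surfaces only as a confusing numeric mismatch. Suggest `return subprocess.run(args, capture_output=True, text=True)` in run_detect_duplicate_features and `assert overlaps_found.returncode == expected_overlaps, overlaps_found.stderr` in the test. The expected counts `[3, 2, 2, 1]` appear to include each rule's own file, since every rule is written into `rule_dir` before the script scans it; the comment `# tests if number of overlaps for rules in RULESET found are correct.` should say so, and the ordering dependence between `rule_overlaps` and `RULESET.items()` deserves a note too. Minor style: the file already uses f-strings, so `rule_dir.join(f"{rule_name}.yml")` fits better than the `%` formatting, and the leftover commented-out `# rule_path = "collection/..."` line could be dropped.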