
render: do not display lib rules (or make display optional)

Open mike-hunhoff opened this issue 2 years ago • 2 comments

We no longer filter library rules when rendering vverbose output. This can be problematic because some library rules can have many matches, polluting the output and in some cases making it unreadable, e.g.:

...
contain loop (530 matches)
namespace
author     [email protected]
scope      function
...

and

...
contain loop (7054 matches)
namespace
author     [email protected]
scope      function
...

This is also problematic for capa explorer when trying to display, e.g. 7,054 rule matches, in a GUI.

Proposed alternatives:

  • Do not display lib rule matches (as before)
  • Make it optional to display lib rule matches (off by default)

The following code supports rendering all rule matches, including lib rules.

https://github.com/mandiant/capa/blob/5960f51f130284359de00eaedf1466da7dedb59b/capa/render/vverbose.py#L225-L233

mike-hunhoff avatar Sep 12 '22 20:09 mike-hunhoff

This changed in 65552575f8f214a935162fdd4f8be6253c93ada1. I think lib rules add little value by themselves and we should not display them even in vverbose mode.

mr-tz avatar Sep 13 '22 14:09 mr-tz

Agree with Moritz, let's not display them.

williballenthin avatar Sep 14 '22 10:09 williballenthin

capa explorer does not display lib rules. If there are regular rules with too many hits, we could think about not displaying them all at once.

mr-tz avatar Jan 05 '23 14:01 mr-tz
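The two ideas raised in this thread, hiding lib rules unless the caller asks for them (first post) and not listing every match of a rule with thousands of hits at once (last comment), as an added example. This is not capa's own code and does not use the capa API: the result structure (rule name to `meta` and `matches`), the `lib` flag in `meta`, the sample rules and addresses, and the vverbose-like output layout are all assumptions constructed for the example.

```python
"""Added example, not capa's code: render rule matches from a constructed
result-document-like structure, hiding library rules by default and capping
how many matches per rule are listed."""
from collections import OrderedDict

# Constructed sample data. The shape (rule name -> {"meta": ..., "matches": ...})
# and the meta fields are assumptions for this example, not capa's real schema.
# Addresses are synthetic function addresses.
SAMPLE_RULES = OrderedDict([
    ("contain loop", {
        "meta": {"namespace": "", "author": "author@example.com",
                 "scope": "function", "lib": True},
        "matches": [0x401000 + 0x10 * i for i in range(7054)],
    }),
    ("create process", {
        "meta": {"namespace": "host-interaction/process/create",
                 "author": "author@example.com", "scope": "function", "lib": False},
        "matches": [0x402000, 0x402340],
    }),
    ("encode data using XOR", {
        "meta": {"namespace": "data-manipulation/encoding/xor",
                 "author": "author@example.com", "scope": "function", "lib": False},
        "matches": [0x403000 + 4 * i for i in range(120)],
    }),
])


def select_rules(rules, show_lib=False):
    """Return the (name, rule) pairs that should be rendered.

    Library rules (meta["lib"] is True) are dropped unless show_lib is set,
    i.e. the "optional, off by default" alternative from the issue.
    """
    return [(name, rule) for name, rule in rules.items()
            if show_lib or not rule["meta"].get("lib", False)]


def render_rule(name, rule, max_matches=None):
    """Render one rule in a vverbose-like layout (assumed format).

    When max_matches is set and the rule has more matches than that, only the
    first max_matches addresses are listed and a trailing line states how many
    were elided, so a rule with 7,054 matches stays readable.
    """
    meta = rule["meta"]
    matches = rule["matches"]
    lines = [f"{name} ({len(matches)} matches)",
             f"namespace  {meta['namespace']}",
             f"author     {meta['author']}",
             f"scope      {meta['scope']}"]
    shown = matches if max_matches is None else matches[:max_matches]
    for addr in shown:
        lines.append(f"  match @ 0x{addr:08X}")
    if len(shown) < len(matches):
        lines.append(f"  ... {len(matches) - len(shown)} more matches not shown")
    return "\n".join(lines)


def render(rules, show_lib=False, max_matches=None):
    """Render all selected rules, separated by blank lines."""
    return "\n\n".join(render_rule(name, rule, max_matches)
                       for name, rule in select_rules(rules, show_lib))


if __name__ == "__main__":
    # Default: lib rules hidden. Pass show_lib=True to get "contain loop" back,
    # and max_matches to keep long match lists short.
    print(render(SAMPLE_RULES, show_lib=False, max_matches=3))
```

With the defaults the 7,054-match lib rule never reaches the output; a GUI such as capa explorer could use the same `select_rules` step and then apply `max_matches` only to the regular rules it does display.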