Closed mr-tz closed 10 months ago
The doc (updated in https://github.com/mandiant/capa-rules/pull/851/files) doesn't mention that scopes get just ignored so maybe I just misunderstood how it's implemented.
Sorry for the late reply.
I believe that this was intended behavior. I can't pull the exact discussion on this, but I think the main points supporting this design choice were:
- `instruction` scope. S, emitting it from the get-go and ignoring it (like we do with irrelevant features) made more sense than not doing that, and then having to go back and modify any rules that were written with that logic (capa not emitting `instruction` features in dynamic flavor).
- block (including features and subscopes) helps make this simpler/easier). Example use cases:
point 4 of issue https://github.com/mandiant/capa/issues/1672 talks a bit about this.
Thanks for the details. That all makes sense and is much clearer now to me (again? :))
fixes for #855
When generating subscope rules (in the format of rule/uuid) we emit subrules at all scopes. When matching in static flavor this includes dynamic subscopes, which can never be matched if static and dynamic are both required, so e.g.
file-system/read/read-file-via-mapping.yml
before this update could not match. https://github.com/mandiant/capa/blob/51ddadbc87b113dda18495b49e490f8452292b87/capa/rules/__init__.py#L925-L928
@yelhamer is this intended behavior or a bug? I think our current documentation calls this out differently (and I assumed it works differently since I created these faulty rules in the first place 😄 )
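The situation described in this thread (a rule whose logic `and`s a static-only subscope with a dynamic-only subscope can never match in either flavor) can be caught by a small possibility check over the rule's feature tree. The following is an added illustration, not capa's own code or rule format: it uses a simplified dict representation of rules, an assumed scope-to-flavor mapping, and a constructed rule loosely modeled on the read-file-via-mapping case, with plain features treated optimistically as "could match" and a subscope block of the other flavor treated as "never matches".

```python
"""Added example (hypothetical, not capa code): decide in which flavors a rule can match at all.

Assumption: a subscope block whose scope does not exist in a flavor can never match there
(mirroring the thread's point that dynamic subscopes never match in static flavor and vice versa).
"""

# Assumed scope sets per flavor; "file" exists in both.
FLAVOR_SCOPES = {
    "static": {"file", "function", "basic block", "instruction"},
    "dynamic": {"file", "process", "thread", "call"},
}
ALL_SCOPES = set().union(*FLAVOR_SCOPES.values())


def can_match(node, flavor):
    """Return True if `node` could possibly match in `flavor`.

    Plain features (strings) are optimistically matchable. A subscope block keyed by a
    scope name is matchable only if that scope exists in `flavor` and all of its children
    are matchable. `and`/`or` combine children; `not` is treated as always satisfiable,
    since this check only tracks impossibility, not concrete feature values.
    """
    if isinstance(node, str):          # e.g. "api: MapViewOfFile" (constructed feature syntax)
        return True
    (key, children), = node.items()
    if key == "and":
        return all(can_match(c, flavor) for c in children)
    if key == "or":
        return any(can_match(c, flavor) for c in children)
    if key == "not":
        return True
    if key in ALL_SCOPES:              # subscope block such as {"basic block": [...]}
        if key not in FLAVOR_SCOPES[flavor]:
            return False
        return all(can_match(c, flavor) for c in children)
    raise ValueError(f"unknown node type: {key!r}")


def matchable_flavors(rule):
    """Flavors in which the rule declares a scope and its logic is not provably unmatchable."""
    return {
        flavor
        for flavor, scope in rule["scopes"].items()
        if scope != "unsupported" and can_match(rule["features"], flavor)
    }


# Constructed rule: requires a static-only subscope AND a dynamic-only subscope,
# so it can never match in either flavor (the defect discussed above).
BROKEN_RULE = {
    "scopes": {"static": "function", "dynamic": "thread"},
    "features": {"and": [
        {"basic block": ["api: CreateFileMappingW"]},   # static only
        {"call": ["api: MapViewOfFile"]},               # dynamic only
    ]},
}

# Same intent expressed so that each flavor has a satisfiable branch.
FIXED_RULE = {
    "scopes": {"static": "function", "dynamic": "thread"},
    "features": {"or": [
        {"basic block": ["api: CreateFileMappingW", "api: MapViewOfFile"]},
        {"call": ["api: MapViewOfFile"]},
    ]},
}


if __name__ == "__main__":
    print("broken rule matchable in:", matchable_flavors(BROKEN_RULE) or "{}")
    print("fixed rule matchable in:", matchable_flavors(FIXED_RULE))
```

Running the block reports the constructed broken rule as matchable in no flavor and the fixed rule as matchable in both; a rule linter could emit a warning whenever `matchable_flavors` drops a flavor the rule explicitly declares.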