From 730c40c696334411ca1a860f80e0a3d0cb8d2a04 Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Thu, 29 Aug 2024 13:47:55 -0400
Subject: [PATCH 1/2] Changing signature source name for prescript

---
 cape/update_server.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cape/update_server.py b/cape/update_server.py
index 46295ff..d084625 100644
--- a/cape/update_server.py
+++ b/cape/update_server.py
@@ -134,7 +134,7 @@ def import_update(self, files_sha256, source_name: str, default_classification=c
 except Exception as e:
 self.log.error(f"Error validating {compiled_file.name}: {e}")
 raise e
- yara_importer._save_signatures(signatures=upload_list, source=source_name)
+ yara_importer._save_signatures(signatures=upload_list, source="prescript_cape")
 dest_dir = os.path.join(self.latest_updates_dir, source_name)
 os.makedirs(dest_dir, exist_ok=True)
 dest_file = os.path.join(dest_dir, f"{source_name}.yar")

From 7141a05fff43242147b8adaacd0d77732ccea34e Mon Sep 17 00:00:00 2001
From: cccs-mog <117194682+cccs-mog@users.noreply.github.com>
Date: Thu, 29 Aug 2024 13:49:14 -0400
Subject: [PATCH 2/2] Trying to match tags with prescript signatures

---
 cape/cape_main.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cape/cape_main.py b/cape/cape_main.py
index b888171..0292469 100644
--- a/cape/cape_main.py
+++ b/cape/cape_main.py
@@ -493,7 +493,7 @@ def _general_flow(
 for match in matches:
 strings = match.strings
 rule_name = match.rule
- _ = add_tag(prescipt_detection_section, "rule.yara.prescript", rule_name)
+ _ = add_tag(prescipt_detection_section, "file.rule.prescript", f"prescript_cape.{rule_name}")
 matched_strings = ""
 for matched_string in strings:
 for matched_instance in matched_string.instances:
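Review bot: The hard-coded `source="prescript_cape"` on the added line now disagrees with the `dest_dir` and `dest_file` lines directly below it, which still derive their names from the caller-supplied `source_name`, so the signatures are registered under one fixed source while the `.yar` file is written under another. If `import_update` is ever invoked with more than one `source_name`, every source's rules would presumably be folded into the single `prescript_cape` source — confirm whether `_save_signatures` replaces or appends per source before relying on this. The same literal is repeated by hand in cape_main.py with nothing tying the two together, so a typo in either place silently breaks tag matching; define it once, e.g. `PRESCRIPT_SOURCE_NAME = "prescript_cape"` at module level, pass `source=PRESCRIPT_SOURCE_NAME`, and add a comment such as `# Must match the tag prefix emitted by cape_main` next to the definition. `import_update` starts before and continues after the hunk.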
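Review bot: The tag value `f"prescript_cape.{rule_name}"` on the added line duplicates the source-name literal hard-coded in update_server.py without a shared constant, so the two can drift independently and the tag would quietly stop matching the stored signature name; import or define a single `PRESCRIPT_SOURCE_NAME` and build the value as `f"{PRESCRIPT_SOURCE_NAME}.{rule_name}"`. A one-line comment above the call, e.g. `# Tag as <source>.<rule> so it lines up with the signature name registered by the updater`, would record why the prefix is there at all. `rule_name` is taken straight from the YARA match and YARA rule identifiers are limited to identifier characters, so no sanitisation is needed here, but that assumption is worth confirming if rule sources are externally supplied. The misspelled `prescipt_detection_section` is pre-existing context, not introduced here. `_general_flow` starts before and continues after the hunk.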