pre-filter strings, bytes based on what's found in the file #2126

Open
williballenthin opened this issue Jun 6, 2024 · 0 comments
Labels
performance Related to capa's performance

Comments

@williballenthin
Collaborator

To avoid searching for strings/bytes that won't ever be found at a particular scope, we could first check that each string/bytes is present somewhere in the file.

If it's not, then we can partially evaluate some rule logic (like `and` statements) to see if further logic can be pruned and/or rules skipped.

For example, we have HTTP User-Agent rules that contain tons of strings that match under a single `or`. If none are present in the file, we can skip the whole rule.

We'd want to ensure that the up-front scan to find the file matches doesn't take much time, and that it doesn't outweigh any performance improvements. Remember we may have hundreds or thousands of terms to look for. We can also use evaluation counts to show that less logic needs to be matched when some branches are pruned.
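
A sketch of the pre-filter and pruning step described in this issue, added here as an illustration; it is not capa's code. The `Term`, `Other`, `Node`, `prescan`, `prune` and `plan` names, the sample bytes and the two rules are all hypothetical, and it assumes a literal string or bytes term that is absent from the raw file cannot match at any scope.

```python
from dataclasses import dataclass

# Hypothetical mini rule model (not capa's classes); covers and/or only.
@dataclass(frozen=True)
class Term:            # literal string or bytes feature
    needles: tuple     # byte encodings that count as "present in the file"
@dataclass(frozen=True)
class Other:           # feature the file scan cannot decide (api, mnemonic)
    name: str
@dataclass(frozen=True)
class Node:            # op is "and" or "or"
    op: str
    children: tuple

def string_term(s):    # assumption: strings are stored as ASCII or UTF-16LE
    return Term((s.encode("ascii"), s.encode("utf-16le")))

def terms(node):
    if isinstance(node, Term):
        return {node}
    return set().union(*(terms(c) for c in getattr(node, "children", ())))

def prescan(buf, rules):
    """Up-front file scan: the set of terms that occur anywhere in buf."""
    wanted = set().union(*(terms(rule) for rule in rules.values()))
    return {t for t in wanted if any(n in buf for n in t.needles)}

def prune(node, present):
    """Rule with dead branches removed, or None if it can never match."""
    if isinstance(node, Term):
        return node if node in present else None
    if isinstance(node, Other):
        return node    # unknown until real matching runs
    kids = [prune(child, present) for child in node.children]
    if node.op == "and":   # one impossible child kills the whole `and`
        return None if any(k is None for k in kids) else Node("and", tuple(kids))
    live = tuple(k for k in kids if k is not None)
    return Node("or", live) if live else None   # dead only if every child is

def plan(buf, rules):
    present = prescan(buf, rules)
    return {name: prune(rule, present) for name, rule in rules.items()}

# Constructed sample: file bytes holding one UTF-16LE string, and two rules.
SAMPLE = b"MZ\x90\x00" + "cmd.exe /c ".encode("utf-16le")
UA = Node("or", tuple(string_term(s) for s in ("curl/7.1", "Wget/1.9", "MSIE 6.0")))
SHELL = Node("or", (string_term("cmd.exe /c "), string_term("/bin/sh -c")))
RULES = {"user-agents": UA, "run shell": Node("and", (Other("api: CreateProcess"), SHELL))}
```

The per-term `in` check is the naive form of the scan; with hundreds or thousands of terms, a multi-pattern matcher such as Aho-Corasick would find them all in a single pass over the file.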
