```bash
# Using Docker Compose (recommended)
docker-compose up -d

# Or using Make
make up
```

Open your browser to: http://localhost:8080
- Drag and drop a file onto the upload area, or
- Click the upload area to browse for a file
- Watch the analysis progress in the "Recent Analyses" section
Once analysis is complete, click "View Results" to see the capa output.
capa-server provides a REST API for automation and integration.
Interactive API docs are available at:
- Swagger UI: http://localhost:8080/docs
- ReDoc: http://localhost:8080/redoc
```bash
curl -X POST \
  -F "file=@/path/to/malware.exe" \
  http://localhost:8080/api/analyze
```

Response:

```json
{
  "message": "Analysis started",
  "analysis_id": 1,
  "duplicate": false
}
```

Check analysis status:

```bash
curl http://localhost:8080/api/analyses/1
```

Response:

```json
{
  "id": 1,
  "filename": "malware.exe",
  "file_hash": "abc123...",
  "file_size": 102400,
  "created_at": "2024-11-14T10:30:00",
  "status": "completed",
  "capa_version": "7.0.0",
  "capabilities_count": 42,
  "attack_techniques": ["T1027", "T1082", ...],
  "results": { ... }
}
```

Download the full results:

```bash
curl http://localhost:8080/api/analyses/1/download \
  -o results.json
```

List analyses:

```bash
# Get first 100 analyses
curl http://localhost:8080/api/analyses
# Filter by status
curl "http://localhost:8080/api/analyses?status=completed&limit=50"
```

Delete an analysis:

```bash
curl -X DELETE http://localhost:8080/api/analyses/1
```

Python client:

```python
import requests
import time

# Upload file
with open('malware.exe', 'rb') as f:
    response = requests.post(
        'http://localhost:8080/api/analyze',
        files={'file': f}
    )
response.raise_for_status()
analysis_id = response.json()['analysis_id']

# Poll for completion
while True:
    result = requests.get(
        f'http://localhost:8080/api/analyses/{analysis_id}'
    ).json()
    if result['status'] == 'completed':
        print(f"Found {result['capabilities_count']} capabilities")
        print(f"ATT&CK: {result['attack_techniques']}")
        break
    elif result['status'] == 'failed':
        print(f"Analysis failed: {result['error_message']}")
        break
    time.sleep(2)

# Download full results
response = requests.get(
    f'http://localhost:8080/api/analyses/{analysis_id}/download'
)
response.raise_for_status()
with open('results.json', 'wb') as f:
    f.write(response.content)
```

Process multiple files:
```bash
#!/bin/bash
# batch-analyze.sh
for file in samples/*.exe; do
  echo "Analyzing $file..."
  curl -X POST \
    -F "file=@$file" \
    http://localhost:8080/api/analyze
  sleep 1
done
```

GitHub Actions workflow:

```yaml
name: Malware Analysis
on: [push]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Start capa-server
        run: |
          docker-compose up -d
          sleep 10
      - name: Analyze binary
        run: |
          curl -X POST \
            -F "file=@suspicious.exe" \
            http://localhost:8080/api/analyze
```

Create a .env file:

```
CAPA_RULES_PATH=/app/rules
MAX_FILE_SIZE_MB=200
DEBUG=true
```

Mount custom capa rules:

```yaml
# docker-compose.yml
services:
  capa-server:
    volumes:
      - ./my-rules:/app/custom-rules
    environment:
      - CAPA_RULES_PATH=/app/custom-rules
```

capa supports PE, ELF, .NET modules, shellcode, and sandbox reports (CAPE, VMRay, DRAKVUF). If your file isn't one of these formats, analysis will fail.
Check logs:

```bash
docker-compose logs -f
```

Clean old analyses:

```bash
curl -X DELETE http://localhost:8080/api/analyses/1
curl -X DELETE http://localhost:8080/api/analyses/2
# ... or clean all data
make clean
```

Large files may take several minutes to analyze. Consider:
- Increasing container resources
- Setting `MAX_FILE_SIZE_MB` lower
- Running analysis as a separate background service
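Long-running analyses are exactly where the unbounded `while True` poll in the Python client above can hang a batch job. The following bounded poller for `/api/analyses/{id}` is an added example, not capa-server's own code: it assumes the `status`, `error_message`, `file_hash`, `capabilities_count` and `attack_techniques` fields shown in the responses above, the in-progress status strings in its replay data are constructed, and `scripted_fetcher` is a constructed stand-in for the server so the logic runs offline (`http_status_fetcher` talks to a real instance).

```python
import json
import time
import urllib.request
from typing import Any, Callable, Dict, Iterable

BASE_URL = "http://localhost:8080"  # capa-server address used throughout this README
Fetcher = Callable[[int], Dict[str, Any]]

def http_status_fetcher(base_url: str = BASE_URL) -> Fetcher:
    """Build a fetcher that GETs /api/analyses/{id} with only the standard library."""
    def fetch(analysis_id: int) -> Dict[str, Any]:
        with urllib.request.urlopen(f"{base_url}/api/analyses/{analysis_id}", timeout=10) as resp:
            return json.load(resp)
    return fetch

def scripted_fetcher(responses: Iterable[Dict[str, Any]]) -> Fetcher:
    """Constructed stand-in for the server: replays a fixed sequence of status payloads,
    then keeps returning the last one, so the poller can be exercised offline."""
    it, last = iter(responses), {}
    def fetch(analysis_id: int) -> Dict[str, Any]:
        nonlocal last
        last = next(it, last)
        return last
    return fetch

def wait_for_analysis(analysis_id: int, fetch_status: Fetcher, timeout: float = 300.0,
                      interval: float = 2.0, sleep=time.sleep, clock=time.monotonic) -> Dict[str, Any]:
    """Poll until the analysis is 'completed'; raise RuntimeError on 'failed' (carrying the
    server's error_message) and TimeoutError once `timeout` seconds have elapsed, so a
    stuck worker cannot hang the caller the way an unbounded loop would."""
    deadline = clock() + timeout
    while True:
        result = fetch_status(analysis_id)
        status = result.get("status")
        if status == "completed":
            return result
        if status == "failed":
            raise RuntimeError(f"analysis {analysis_id} failed: {result.get('error_message')}")
        if clock() >= deadline:
            raise TimeoutError(f"analysis {analysis_id} still '{status}' after {timeout}s")
        sleep(interval)

def summarize(result: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce a completed analysis to what a triage log needs; ATT&CK IDs deduplicated and sorted."""
    return {"file_hash": result["file_hash"],
            "capabilities": result["capabilities_count"],
            "attack_techniques": sorted(set(result.get("attack_techniques", [])))}
```

Against a live server, `wait_for_analysis(analysis_id, http_status_fetcher())` replaces the polling loop in the client above; the injected `sleep` and `clock` exist only so the timeout path can be tested without waiting.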
capa-server is designed for internal lab use. For production:
- Add authentication: use a reverse proxy (nginx/Traefik) with basic auth or OAuth
- Network isolation: run in an isolated network segment
- Resource limits: configure Docker resource constraints
- Read-only filesystem: uncomment the security options in docker-compose.yml
- Regular updates: keep capa and its rules up to date
- Run in an isolated VM or container environment
- Don't expose to the internet
- Use file size limits
- Monitor disk usage
- Consider running with network disabled
```bash
docker-compose down
docker-compose build --no-cache
docker-compose up -d
```

Back up the database:

```bash
cp data/capa.db data/capa.db.backup
```

Check server info:

```bash
curl http://localhost:8080/api/info
```