A Python library for parsing and manipulating YARA rules using Abstract Syntax Trees

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for seifreed from gravatar.com seifreed

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Marc Rivero
  • Requires: Python >=3.13
  • Provides-Extra: lsp , dev , libyara , performance , visualization , serialization , quality , all
Classifiers
Report project as malware

Project description

YARAAST

yaraast

Parse, analyze, and transform YARA rules with a Python AST toolkit

CI License: MIT Python 3.13+

GitHub Stars GitHub Issues Docs

Overview

yaraast is a Python library for parsing and manipulating YARA-family rules using Abstract Syntax Trees (AST). It supports classic YARA, YARA-L, and YARA-X workflows with automatic dialect detection and CLI tooling.

Key Features

Feature Description
Multi-dialect Parsing Parse YARA, YARA-L, and YARA-X from files or strings
Automatic Dialect Detection Unified parser auto-detects rule dialects
AST Tooling Build, transform, diff, and serialize ASTs
Formatting & Validation CLI commands for parse/format/validate workflows
Streaming Support Parse very large files with streaming mode
Ecosystem Integrations Optional LSP and libyara-related capabilities

Supported Rule Ecosystem

Dialects   YARA, YARA-L, YARA-X
Parsers    Standard parser, unified parser, streaming parser
Outputs    YARA, JSON, YAML, AST tree views
Tooling    CLI, visitors, builders, serialization, semantic checks

Installation

From PyPI (Recommended)

pip install yaraast

From Source

git clone https://github.com/mriverolopez/yaraast.git
cd yaraast
python3 -m venv venv
source venv/bin/activate  # Windows: venv\Scripts\activate
pip install -e .

Quick Start

from yaraast.unified_parser import UnifiedParser

yara_code = """
rule example {
    strings:
        $a = "malware" nocase
    condition:
        $a
}
"""

ast = UnifiedParser.parse_string(yara_code)
print(ast.rules[0].name)

Usage

Command Line Interface

# Parse and print normalized YARA
yaraast parse rules.yar

# Parse to JSON
yaraast parse rules.yar --format json

# Parse with explicit dialect
yaraast parse rules.yar --dialect yara-x

# Validate file (syntax + parse checks)
yaraast validate rules.yar

# Format file in-place (AST-based formatter)
yaraast fmt rules.yar

# Check formatting without modifying file
yaraast fmt rules.yar --check

Core CLI Commands

Command Description
parse Parse a rule file and output YARA/JSON/YAML/tree
validate Validate rules and run validation subcommands
fmt AST-based formatter (with --check and --diff)
format Format input into a target output file
validate-syntax Syntax-focused validation entrypoint
lsp Launch Language Server Protocol features

Python Library

Unified Parsing

from yaraast.unified_parser import UnifiedParser
from yaraast.dialects import YaraDialect

# Auto-detect dialect
ast = UnifiedParser.parse_file("rules.yar")

# Force specific dialect
ast = UnifiedParser.parse_file("rules.yar", dialect=YaraDialect.YARA)

Direct Parser + Visitor

from yaraast import Parser
from yaraast.visitor import BaseVisitor

class RuleCollector(BaseVisitor):
    def __init__(self):
        self.rules = []

    def visit_rule(self, node):
        self.rules.append(node.name)
        super().visit_rule(node)

ast = Parser(open("rules.yar", encoding="utf-8").read()).parse()
collector = RuleCollector()
collector.visit(ast)
print(collector.rules)

Optional Dependencies

# LSP support
pip install yaraast[lsp]

# libyara integration
pip install yaraast[libyara]

# Performance tooling
pip install yaraast[performance]

# Visualization support
pip install yaraast[visualization]

# Everything
pip install yaraast[all]

Runtime Docs

Requirements

Contributing

Contributions are welcome. See CONTRIBUTING.md for setup, quality checks, and workflow guidelines.

  1. Fork the repository
  2. Create a branch (git checkout -b feature/your-change)
  3. Commit changes (git commit -m "Add your change")
  4. Push (git push origin feature/your-change)
  5. Open a Pull Request

License

This project is licensed under the MIT License - see LICENSE.

Author

Built for malware analysis and detection engineering workflows

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for seifreed from gravatar.com seifreed

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Marc Rivero
  • Requires: Python >=3.13
  • Provides-Extra: lsp , dev , libyara , performance , visualization , serialization , quality , all
Classifiers

Release history Release notifications | RSS feed

This version

1.0.1

1.0.0

0.7

0.6.1

0.6.0

0.4.0

0.3.0

0.2.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

yaraast-1.0.1.tar.gz (753.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

yaraast-1.0.1-py3-none-any.whl (600.9 kB view details)

Uploaded Python 3

File details

Details for the file yaraast-1.0.1.tar.gz.

File metadata

  • Download URL: yaraast-1.0.1.tar.gz
  • Upload date:
  • Size: 753.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for yaraast-1.0.1.tar.gz
Algorithm Hash digest
SHA256 e44d8c9a96303570599dc88152ae1292926a63e6406d05b257b5393a8fea9a6f
MD5 191062e20d35c1370ed55bb0a12332d7
BLAKE2b-256 56ef417b2d3ab0944efa0b5e79cf778dcda30a066b5600660d001762c3fc85e4

See more details on using hashes here.

Provenance

The following attestation bundles were made for yaraast-1.0.1.tar.gz:

Publisher: release.yml on seifreed/yaraast

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file yaraast-1.0.1-py3-none-any.whl.

File metadata

  • Download URL: yaraast-1.0.1-py3-none-any.whl
  • Upload date:
  • Size: 600.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for yaraast-1.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 56079363ac4f830e60f799f9d29751e0e67b6b419fcab5bbadd8053f1ab14985
MD5 ec299521e9ff3aab4174d7f4eec61340
BLAKE2b-256 1edd5174cac9c522e08aa8e5cef541bd7e18fc20288aa63b871db6508a3060c7

See more details on using hashes here.

Provenance

The following attestation bundles were made for yaraast-1.0.1-py3-none-any.whl:

Publisher: release.yml on seifreed/yaraast

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page