A package to build YARA rules using Python
Project description
Python module to create Yara rules.
Installation
yarabuilder requires Python 3+:
pip install yarabuilder
Usage
Creating and printing a rule
>>> import yarabuilder
>>> import pprint
>>>
>>> yara_builder = yarabuilder.YaraBuilder()
>>>
>>> yara_builder.create_rule("my_rule")
>>> yara_builder.add_meta("my_rule", "description", "Generated by yarabuilder")
>>> yara_builder.add_import("my_rule", "pe")
>>> yara_builder.add_tag("my_rule", "yarabuilder")
>>> yara_builder.add_text_string("my_rule", "Anonymous string")
>>> yara_builder.add_text_string("my_rule", "Named string", name="str", modifiers=["ascii", "wide"])
>>> yara_builder.add_string_comment("my_rule", "str", "example comment")
>>> yara_builder.add_hex_string("my_rule", "DE AD BE EF")
>>> yara_builder.add_regex_string("my_rule", "regex[0-9]{2}")
>>> yara_builder.add_regex_string("my_rule", "/regex_with_flags/i")
>>> yara_builder.add_condition("my_rule", "any of them")
>>>
>>> rule = yara_builder.build_rules()
>>> print(rule)
import "pe"
rule my_rule : yarabuilder {
meta:
description = "Generated by yarabuilder"
strings:
$ = "Anonymous string"
$str = "Named string" ascii wide // example comment
$ = {DE AD BE EF}
$ = /regex[0-9]{2}/
$ = /regex_with_flags/i
condition:
any of them
}
>>>Converting a YaraBuilder object to lists and dictionaries (and back again)
>>> dict_yara_rules = yara_builder.get_yara_rules()
>>> pprint.pprint(dict_yara_rules)
[{'condition': 'any of them',
'imports': ['pe'],
'meta': OrderedDict([('description',
[{'meta_type': 'text',
'name': 'description',
'position': 0,
'value': 'Generated by yarabuilder'}])]),
'rule_name': 'my_rule',
'strings': OrderedDict([('@anon0',
{'is_anonymous': True,
'name': '@anon0',
'str_type': 'text',
'value': 'Anonymous string'}),
('str',
{'comment': {'inline': 'example comment'},
'is_anonymous': False,
'modifiers': ['ascii', 'wide'],
'name': 'str',
'str_type': 'text',
'value': 'Named string'}),
('@anon1',
{'is_anonymous': True,
'name': '@anon1',
'str_type': 'hex',
'value': 'DE AD BE EF'}),
('@anon2',
{'is_anonymous': True,
'name': '@anon2',
'str_type': 'regex',
'value': 'regex[0-9]{2}'}),
('@anon3',
{'is_anonymous': True,
'name': '@anon3',
'regex_flags': 'i',
'str_type': 'regex',
'value': 'regex_with_flags'})]),
'tags': ['yarabuilder']}]
>>>
>>> new_builder = yarabuilder.YaraBuilder()
>>> new_builder.set_yara_rules(dict_yara_rules)
>>>TODO
More logging in the classes
Add optional validation for building YARA rules (e.g. checking imports are valid, and more longer term check the condition is valid)
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
yarabuilder-0.0.6.tar.gz
(11.9 kB
view hashes)
Built Distribution
Close
Hashes for yarabuilder-0.0.6-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 86214036f6d4b20fee93f1cdaba7596e46b6e67ac611e711393fcc61b2f15a8c |
|
| MD5 | 6f5334259cd472b19379ced539a65bbb |
|
| BLAKE2b-256 | 692e7b61042881ee068450654c52fa35ccfc4fc2d50ffb34b8d533a2ca6b2593 |
