A package to build YARA rules using Python
Project description
Python module to create YARA rules programmatically.
Installation
yarabuilder requires Python 3+:
pip install yarabuilder
Usage
Creating and printing a rule
>>> import yarabuilder
>>> import pprint
>>>
>>> yara_builder = yarabuilder.YaraBuilder()
>>>
>>> yara_builder.create_rule("my_rule")
>>> yara_builder.add_meta("my_rule", "description", "Generated by yarabuilder")
>>> yara_builder.add_import("my_rule", "pe")
>>> yara_builder.add_tag("my_rule", "yarabuilder")
>>> yara_builder.add_text_string("my_rule", "Anonymous string")
>>> yara_builder.add_text_string("my_rule", "Named string", name="str", modifiers=["ascii", "wide"])
>>> yara_builder.add_string_comment("my_rule", "str", "example comment")
>>> yara_builder.add_hex_string("my_rule", "DE AD BE EF")
>>> yara_builder.add_regex_string("my_rule", "regex[0-9]{2}")
>>> yara_builder.add_regex_string("my_rule", "/regex_with_flags/i")
>>> yara_builder.add_condition("my_rule", "any of them")
>>>
>>> rule = yara_builder.build_rules()
>>> print(rule)
import "pe"
rule my_rule : yarabuilder {
    meta:
        description = "Generated by yarabuilder"
    strings:
        $ = "Anonymous string"
        $str = "Named string" ascii wide // example comment
        $ = {DE AD BE EF}
        $ = /regex[0-9]{2}/
        $ = /regex_with_flags/i
    condition:
        any of them
}
>>>
Converting a YaraBuilder object to lists and dictionaries (and back again)
>>> dict_yara_rules = yara_builder.get_yara_rules()
>>> pprint.pprint(dict_yara_rules)
[{'condition': 'any of them',
  'imports': ['pe'],
  'meta': OrderedDict([('description',
                        [{'meta_type': 'text',
                          'name': 'description',
                          'position': 0,
                          'value': 'Generated by yarabuilder'}])]),
  'rule_name': 'my_rule',
  'strings': OrderedDict([('@anon0',
                           {'is_anonymous': True,
                            'name': '@anon0',
                            'str_type': 'text',
                            'value': 'Anonymous string'}),
                          ('str',
                           {'comment': {'inline': 'example comment'},
                            'is_anonymous': False,
                            'modifiers': ['ascii', 'wide'],
                            'name': 'str',
                            'str_type': 'text',
                            'value': 'Named string'}),
                          ('@anon1',
                           {'is_anonymous': True,
                            'name': '@anon1',
                            'str_type': 'hex',
                            'value': 'DE AD BE EF'}),
                          ('@anon2',
                           {'is_anonymous': True,
                            'name': '@anon2',
                            'str_type': 'regex',
                            'value': 'regex[0-9]{2}'}),
                          ('@anon3',
                           {'is_anonymous': True,
                            'name': '@anon3',
                            'regex_flags': 'i',
                            'str_type': 'regex',
                            'value': 'regex_with_flags'})]),
  'tags': ['yarabuilder']}]
>>>
>>> new_builder = yarabuilder.YaraBuilder()
>>> new_builder.set_yara_rules(dict_yara_rules)
>>>
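The list-of-dicts form is also the natural place to check a rule before handing it back to set_yara_rules or writing it to disk. The following is an added example, not part of yarabuilder itself: it takes the dictionary structure exactly as printed above, runs the kind of validation the TODO section talks about (are the imports real YARA modules, does the condition reference strings that exist), and serialises the dictionary back to rule text so the result can be compared with build_rules(). The KNOWN_MODULES set, the function names and the copied sample dictionary are this example's own assumptions.

```python
import re
from collections import OrderedDict

# Constructed input: the list-of-dicts form of "my_rule" copied from the
# get_yara_rules() output shown above (assumption: that output is the
# complete structure the library emits).
SAMPLE_RULES = [{
    'condition': 'any of them',
    'imports': ['pe'],
    'meta': OrderedDict([('description', [{'meta_type': 'text',
                                           'name': 'description',
                                           'position': 0,
                                           'value': 'Generated by yarabuilder'}])]),
    'rule_name': 'my_rule',
    'strings': OrderedDict([
        ('@anon0', {'is_anonymous': True, 'name': '@anon0',
                    'str_type': 'text', 'value': 'Anonymous string'}),
        ('str', {'comment': {'inline': 'example comment'}, 'is_anonymous': False,
                 'modifiers': ['ascii', 'wide'], 'name': 'str',
                 'str_type': 'text', 'value': 'Named string'}),
        ('@anon1', {'is_anonymous': True, 'name': '@anon1',
                    'str_type': 'hex', 'value': 'DE AD BE EF'}),
        ('@anon2', {'is_anonymous': True, 'name': '@anon2',
                    'str_type': 'regex', 'value': 'regex[0-9]{2}'}),
        ('@anon3', {'is_anonymous': True, 'name': '@anon3', 'regex_flags': 'i',
                    'str_type': 'regex', 'value': 'regex_with_flags'}),
    ]),
    'tags': ['yarabuilder'],
}]

# Modules bundled with the YARA engine (assumption: trim or extend this to
# match the modules your yara binary was compiled with).
KNOWN_MODULES = {"pe", "elf", "dotnet", "hash", "math", "magic", "cuckoo",
                 "time", "console", "string"}

# $name, #name, @name and !name all refer to a declared string identifier;
# a bare "$" (anonymous string) has no identifier and is not matched.
STRING_REF = re.compile(r"[$#@!]([A-Za-z0-9_]+)")


def validate_rule(rule):
    """Return a list of problems found in one rule dictionary (empty means OK)."""
    problems = []
    for module in rule.get("imports", []):
        if module not in KNOWN_MODULES:
            problems.append(f"unknown import {module!r}")

    condition = rule.get("condition") or ""
    if not condition.strip():
        problems.append("empty condition")

    strings = rule.get("strings", {})
    named = {s["name"] for s in strings.values() if not s["is_anonymous"]}
    for ref in STRING_REF.findall(condition):
        if ref not in named:
            problems.append(f"condition references undefined string ${ref}")

    # Anonymous strings can only be matched through "them" or a "$*" wildcard;
    # a condition naming only specific strings silently ignores them.
    has_anonymous = any(s["is_anonymous"] for s in strings.values())
    if has_anonymous and "them" not in condition and "$*" not in condition:
        problems.append("anonymous strings are only reachable via 'them' "
                        "or a $* wildcard in the condition")
    return problems


def _string_line(entry):
    """Render one strings: entry in the same layout build_rules() prints."""
    ident = "$" if entry["is_anonymous"] else "$" + entry["name"]
    if entry["str_type"] == "text":
        body = '"%s"' % entry["value"]          # value emitted verbatim, as on the page
    elif entry["str_type"] == "hex":
        body = "{" + entry["value"] + "}"
    else:                                       # regex, with optional flags
        body = "/" + entry["value"] + "/" + entry.get("regex_flags", "")
    line = " ".join([ident, "=", body] + list(entry.get("modifiers", [])))
    inline = entry.get("comment", {}).get("inline")
    if inline:
        line += " // " + inline
    return line


def render_rule(rule):
    """Serialise one rule dictionary back to YARA source text."""
    out = ['import "%s"' % m for m in rule.get("imports", [])]
    header = "rule " + rule["rule_name"]
    if rule.get("tags"):
        header += " : " + " ".join(rule["tags"])
    out.append(header + " {")
    if rule.get("meta"):
        out.append("    meta:")
        for name, entries in rule["meta"].items():
            for entry in entries:
                value = entry["value"]
                if entry.get("meta_type") == "text":
                    value = '"%s"' % value
                out.append("        %s = %s" % (name, value))
    if rule.get("strings"):
        out.append("    strings:")
        for entry in rule["strings"].values():
            out.append("        " + _string_line(entry))
    out.append("    condition:")
    out.append("        " + rule["condition"])
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(validate_rule(rule) or "no problems found")
        print(render_rule(rule))
```

The validation is deliberately structural rather than a full condition parser: it catches the mistakes that are cheap to detect before a rule reaches the YARA compiler (a typo in an import name, a `$name` that was never declared, anonymous strings that the condition can never reach). Anything deeper is best left to compiling the rendered text with yara itself.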
TODO
- More logging in the classes
- Add optional validation for building YARA rules (e.g. checking that imports are valid and, longer term, that the condition is valid)
Download files
Source Distribution: yarabuilder-0.0.6.tar.gz (11.9 kB)
Built Distribution: yarabuilder-0.0.6-py3-none-any.whl (12.2 kB)
File details
Details for the file yarabuilder-0.0.6.tar.gz.
File metadata
- Download URL: yarabuilder-0.0.6.tar.gz
- Upload date:
- Size: 11.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.4.1 importlib_metadata/3.10.0 pkginfo/1.5.0.1 requests/2.22.0 requests-toolbelt/0.9.1 tqdm/4.46.1 CPython/3.8.1
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 9354f78879a9cf8c7162736969b6298c4f6467af295332addf00ce91afb4734e |
| MD5 | 7b912700040b8af92559cc50078d8439 |
| BLAKE2b-256 | 5934765889162d609956b4bb5852a44d7aa3245549852d46e1bf5eb1051109f0 |
File details
Details for the file yarabuilder-0.0.6-py3-none-any.whl.
File metadata
- Download URL: yarabuilder-0.0.6-py3-none-any.whl
- Upload date:
- Size: 12.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.4.1 importlib_metadata/3.10.0 pkginfo/1.5.0.1 requests/2.22.0 requests-toolbelt/0.9.1 tqdm/4.46.1 CPython/3.8.1
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 86214036f6d4b20fee93f1cdaba7596e46b6e67ac611e711393fcc61b2f15a8c |
| MD5 | 6f5334259cd472b19379ced539a65bbb |
| BLAKE2b-256 | 692e7b61042881ee068450654c52fa35ccfc4fc2d50ffb34b8d533a2ca6b2593 |