A package to build YARA rules using Python
yarabuilder
Python module to create YARA rules.
Installation
yarabuilder requires Python 3+::

    pip install yarabuilder

Usage
.. code-block:: python

    >>> import yarabuilder
    >>> yara_builder = yarabuilder.YaraBuilder()
    >>>
    >>> yara_builder.create_rule("my_rule")
    >>> yara_builder.add_meta("my_rule", "description", "Generated by yarabuilder")
    >>> yara_builder.add_import("my_rule", "pe")
    >>> yara_builder.add_tag("my_rule", "yarabuilder")
    >>> yara_builder.add_text_string("my_rule", "Anonymous string")
    >>> yara_builder.add_text_string("my_rule", "Named string", name="str", modifiers=["ascii", "wide"])
    >>> yara_builder.add_string_comment("my_rule", "str", "example comment")
    >>> yara_builder.add_hex_string("my_rule", "DE AD BE EF")
    >>> yara_builder.add_regex_string("my_rule", "regex[0-9]{2}")
    >>> yara_builder.add_condition("my_rule", "any of them")
    >>>
    >>> rule = yara_builder.build_rules()
    >>> print(rule)
    import "pe"

    rule my_rule : yarabuilder {
        meta:
            description = "Generated by yarabuilder"

        strings:
            $ = "Anonymous string"
            $str = "Named string" ascii wide // example comment
            $ = {DE AD BE EF}
            $ = /regex[0-9]{2}/

        condition:
            any of them
    }
    >>>

TODO
- More logging in the classes
- Add optional validation for building YARA rules (e.g. checking that imports are valid and, longer term, checking that the condition is valid)
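
Until that validation exists, the import check named in the TODO can be run on the text that ``build_rules()`` returns. The following is an added example, not part of yarabuilder: ``check_imports``, ``KNOWN_MODULES`` and both sample rules are assumptions made for illustration, and the module list should be adjusted to match your YARA build.

```python
import re

# Assumption: modules that ship with upstream YARA; edit to match your build.
KNOWN_MODULES = {"pe", "elf", "cuckoo", "magic", "hash", "math",
                 "dotnet", "time", "console"}

IMPORT_RE = re.compile(r'^\s*import\s+"([^"]+)"', re.MULTILINE)
# Condition body: from "condition:" to a closing brace on its own line,
# the layout build_rules() prints in the usage example above.
CONDITION_RE = re.compile(r'condition:(.*?)^\s*\}', re.DOTALL | re.MULTILINE)
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')
# An identifier followed by a dot that is not itself a member access.
MODULE_USE_RE = re.compile(r'(?<![\w.])([A-Za-z_]\w*)\.')


def check_imports(rule_text):
    """Return findings about import statements in generated rule text."""
    imported = set(IMPORT_RE.findall(rule_text))
    used = set()
    for body in CONDITION_RE.findall(rule_text):
        body = QUOTED_RE.sub('""', body)  # ignore dots inside string literals
        used.update(m for m in MODULE_USE_RE.findall(body) if m in KNOWN_MODULES)
    findings = [f'unknown module "{m}"' for m in sorted(imported - KNOWN_MODULES)]
    findings += [f'module "{m}" used but not imported'
                 for m in sorted(used - imported)]
    findings += [f'module "{m}" imported but not referenced in any condition'
                 for m in sorted((imported & KNOWN_MODULES) - used)]
    return findings


# The rule printed in the usage example above.
PAGE_RULE = '''import "pe"

rule my_rule : yarabuilder {
    condition:
        any of them
}
'''

# Constructed sample: a misspelled import and two modules used without import.
BAD_RULE = '''import "pee"

rule packed_sample {
    condition:
        math.entropy(0, filesize) > 7.0 and pe.number_of_sections > 3
}
'''

if __name__ == "__main__":
    for name, text in (("PAGE_RULE", PAGE_RULE), ("BAD_RULE", BAD_RULE)):
        print(name, check_imports(text))
```

The check is textual only and does not replace compiling the rule with YARA before deployment.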
Source Distribution
yarabuilder-0.0.2.tar.gz (8.2 kB)
Built Distribution
Hashes for yarabuilder-0.0.2-py3-none-any.whl

Algorithm | Hash digest
---|---
SHA256 | bee1a7ea44df3995a89bfa117be19847883a7c19a651817cd51f33cd98e3096e
MD5 | 56551cea8f056b95a41126d5202d4e95
BLAKE2b-256 | d77681de05fc4eae9ce9b85baacc9ade92199b0dacea152e995c4194d2c0f669