
Python library to normalize YARA signatures

Project description

# Overview

YaraTool normalizes YARA signatures so that rules are formatted consistently, duplicates can be detected, and a specific signature can be referred to by hash (much as malware samples are). The hashing method in this tool is the same as that of the Ruby Yara-Normalize module.

# Normalizing a signature

The following snippet takes a signature, normalizes it, prints out the pieces of the rule, and provides the "Yara Normalized" hash. The YNHash is designed to identify YARA signatures.

```python
import yaratool

if __name__ == "__main__":
    # Deliberately sloppy spacing: normalize() rewrites it in canonical form.
    ruletext = """rule DebuggerCheck__API : AntiDebug DebuggerCheck {
    meta:
        author="Some dude or dudette"
        weight = 1
    strings:
        $ ="IsDebuggerPresent"
    condition:
        any of them
    }"""
    yr = yaratool.YaraRule(ruletext)
    print(yr.normalize())
    # Rule name, tags and meta values are exposed as attributes.
    print("Name: %s, Tags: %s, Author: %s" % (yr.name, "&".join(yr.tags), yr.metas['author']))
    print("Strings: ")
    for string in yr.strings:
        print(" %s" % (string))
    print("Condition: ")
    for condition in yr.condition:
        print(" %s" % (condition))
    # The YNHash identifies the rule independently of its original formatting.
    print(yr.hash())
```

Output:

```
rule DebuggerCheck__API : AntiDebug DebuggerCheck {
meta:
author = "Some dude or dudette"
weight = 1
strings:
$ = "IsDebuggerPresent"
condition:
any of them
}
Name: DebuggerCheck__API, Tags: AntiDebug&DebuggerCheck, Author: "Some dude or dudette"
Strings:
$ = "IsDebuggerPresent"
Condition:
any of them
yn01:d28d649e24c37244:d936fceffe
```

# Detecting Duplicate Rules

The following code iterates over all the files named on the command line and counts the rules and the duplicates among them. For every duplicate it prints the normalized form of the rule together with the earlier rules it matches.

```python
import yaratool
import sys

if __name__ == "__main__":
    count = 0
    duplicates = 0
    drf = yaratool.DuplicateDetector()
    for filename in sys.argv[1:]:
        with open(filename, 'r') as fh:
            sigrules = fh.read()
        # split() turns a file with many rules into a list of YaraRule objects.
        rules = yaratool.split(sigrules)
        for rule in rules:
            ynhash = rule.hash()  # YNHash of this rule, if you want to log it
            # check() returns the previously seen rules that match this one.
            res = drf.check(rule)
            if res:
                duplicates += 1
                for r in res:
                    print(r.normalize())
                print(rule.normalize())
                print()
        count += len(rules)
    print("Count: %d, Duplicates: %d" % (count, duplicates))
```
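To make the idea behind both snippets concrete without the library installed, here is an added, self-contained normalizer and duplicate finder (example code, not yaratool's own; its fingerprint is a constructed SHA-256 scheme and does not reproduce the YNHash). It hashes only the normalized strings and condition, so a renamed or re-spaced copy of a rule is reported as a duplicate while a rule with a different string is not. The sample rules are constructed for the demonstration.

```python
import hashlib
import re

HEADER_RE = re.compile(r"\s*(?:(?:private|global)\s+)*rule\s+(\w+)\s*(?::\s*([^{]*?))?\s*\{")  # name, tags
ASSIGN_RE = re.compile(r"^(\$\w*|\w+)\s*=(?!=)\s*")  # 'ident = value' in meta/strings


def parse_rule(text):
    """Return (name, tags, sections); each section holds whitespace-normalized lines."""
    m = HEADER_RE.match(text)
    close = text.rfind("}")
    if not m or close < m.end():
        raise ValueError("not a YARA rule: %r" % text[:40])
    name, tags = m.group(1), (m.group(2) or "").split()
    sections = {"meta": [], "strings": [], "condition": []}
    current = None
    for raw in text[m.end():close].splitlines():
        line = " ".join(raw.split())  # collapse runs of whitespace
        if not line:
            continue
        if line.endswith(":") and line[:-1] in sections:
            current = line[:-1]
            continue
        if current is None:
            raise ValueError("text before first section in rule %s" % name)
        if current != "condition":  # '$ ="x"' and '$= "x"' both become '$ = "x"'
            line = ASSIGN_RE.sub(r"\1 = ", line)
        sections[current].append(line)
    return name, tags, sections


def fingerprint(sections):
    """Hash of normalized strings and condition only; name, tags and meta never change it."""
    canon = "\n".join(sections["strings"]) + "\n--\n" + "\n".join(sections["condition"])
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def find_duplicates(rule_texts):
    """Group rule names by fingerprint and return the groups with more than one member."""
    groups = {}
    for text in rule_texts:
        name, _, sections = parse_rule(text)
        groups.setdefault(fingerprint(sections), []).append(name)
    return [names for names in groups.values() if len(names) > 1]

# Constructed samples: B is A renamed, with other meta and sloppy spacing; C swaps the string.
RULE_A = ('rule DebuggerCheck__API : AntiDebug DebuggerCheck {\n meta:\n author="Some dude"\n'
          ' weight = 1\n strings:\n $ ="IsDebuggerPresent"\n condition:\n any of them\n}')
RULE_B = 'rule   IsDbgPresent{\nmeta:\n  author= "copy"\nstrings:\n $  = "IsDebuggerPresent"\ncondition:\n any   of  them\n}'
RULE_C = RULE_A.replace("IsDebuggerPresent", "CheckRemoteDebuggerPresent")
```

`find_duplicates([RULE_A, RULE_B, RULE_C])` reports only the A/B pair; the rule name, tags and meta play no part in the comparison.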

Download files

Source Distribution

  • yaratool-0.0.7.tar.gz (6.4 kB)

Built Distributions

  • yaratool-0.0.7-py3-none-any.whl (8.5 kB), Python 3
  • yaratool-0.0.7-py2-none-any.whl (8.5 kB), Python 2
