Skip to main content

Python libary to normalize Yara signatures

Project description

# Overview

YaraTool was created to normalize yara signatures to format the signatures nicely, detect duplicates, and express a specific signature by hash (similar to how we express malware). The hashing method in this tool is the same as the Ruby Yara-Normalize module.

# Normalizing a signature

The following snippet takes a signature, normalizes it, prints out the pieces of the rule, and provides the "Yara Normalized" hash. The YNHash is designed to identify yara signatures.

import yaratool

if __name__ == "__main__":
ruletext = """rule DebuggerCheck__API : AntiDebug DebuggerCheck {
author="Some dude or dudette"
weight = 1
$ ="IsDebuggerPresent"
any of them
yr = yaratool.YaraRule(ruletext)
print yr.normalize()
print "Name: %s, Tags: %s, Author: %s" % (, "&".join(yr.tags), yr.metas['author'])
print "Strings: "
for string in yr.strings:
print " %s" % (string)
print "Condition: "
for condition in yr.condition:
print " %s" % (condition)
print yr.hash()


rule DebuggerCheck__API : AntiDebug DebuggerCheck {
author = "Some dude or dudette"
weight = 1
$ = "IsDebuggerPresent"
any of them
Name: DebuggerCheck__API, Tags: AntiDebug&DebuggerCheck, Author: "Some dude or dudette"
$ = "IsDebuggerPresent"
any of them

# Detecting Duplicate Rules

The following code iterates through all the files specified on the command line and counts the number of rules and duplicate rules. It will display the normalized versions of any duplicate rules.

import yaratool
import sys

if __name__ == "__main__":
count = 0
duplicates = 0
drf = yaratool.DuplicateDetector()
for filename in sys.argv[1:]:
fh = open(filename, 'r')
sigrules =
rules = yaratool.split(sigrules)
for rule in rules:
ynhash = rule.hash()
res = drf.check(rule)
if res:
duplicates += 1
for r in res:
print r.normalize()
print rule.normalize()
count += len(rules)
print "Count: %d, Duplicates: %d" % (count, duplicates)

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Filename, size & hash SHA256 hash help File type Python version Upload date
yaratool-0.0.7-py2-none-any.whl (8.5 kB) Copy SHA256 hash SHA256 Wheel py2
yaratool-0.0.7-py3-none-any.whl (8.5 kB) Copy SHA256 hash SHA256 Wheel py3
yaratool-0.0.7.tar.gz (6.4 kB) Copy SHA256 hash SHA256 Source None

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN SignalFx SignalFx Supporter DigiCert DigiCert EV certificate StatusPage StatusPage Status page