Skip to content

BitsOfBinary/yarabuilder

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

64 Commits
.github/workflows
.github/workflows
 
 
docs
docs
 
 
examples
examples
 
 
tests
tests
 
 
yarabuilder
yarabuilder
 
 
.gitignore
.gitignore
 
 
.readthedocs.yml
.readthedocs.yml
 
 
LICENSE
LICENSE
 
 
README.rst
README.rst
 
 
setup.py
setup.py
 
 

Repository files navigation

yarabuilder

Documentation Status PyPi Version

Python module to create Yara rules.

Installation

yarabuilder requires Python 3+:

pip install yarabuilder

Usage

Creating and printing a rule

>>> import yarabuilder
>>> import pprint
>>>
>>> yara_builder = yarabuilder.YaraBuilder()
>>>
>>> yara_builder.create_rule("my_rule")
>>> yara_builder.add_meta("my_rule", "description", "Generated by yarabuilder")
>>> yara_builder.add_import("my_rule", "pe")
>>> yara_builder.add_tag("my_rule", "yarabuilder")
>>> yara_builder.add_text_string("my_rule", "Anonymous string")
>>> yara_builder.add_text_string("my_rule", "Named string", name="str", modifiers=["ascii", "wide"])
>>> yara_builder.add_string_comment("my_rule", "str", "example comment")
>>> yara_builder.add_hex_string("my_rule", "DE AD BE EF")
>>> yara_builder.add_regex_string("my_rule", "regex[0-9]{2}")
>>> yara_builder.add_regex_string("my_rule", "/regex_with_flags/i")
>>> yara_builder.add_condition("my_rule", "any of them")
>>>
>>> rule = yara_builder.build_rules()
>>> print(rule)
import "pe"

rule my_rule : yarabuilder {
    meta:
        description = "Generated by yarabuilder"

    strings:
        $ = "Anonymous string"
        $str = "Named string" ascii wide // example comment
        $ = {DE AD BE EF}
        $ = /regex[0-9]{2}/
        $ = /regex_with_flags/i

    condition:
        any of them
}
>>>

Converting a YaraBuilder object to lists and dictionaries (and back again)

>>> dict_yara_rules = yara_builder.get_yara_rules()
>>> pprint.pprint(dict_yara_rules)
[{'condition': 'any of them',
'imports': ['pe'],
'meta': OrderedDict([('description',
                        [{'meta_type': 'text',
                        'name': 'description',
                        'position': 0,
                        'value': 'Generated by yarabuilder'}])]),
'rule_name': 'my_rule',
'strings': OrderedDict([('@anon0',
                        {'is_anonymous': True,
                            'name': '@anon0',
                            'str_type': 'text',
                            'value': 'Anonymous string'}),
                        ('str',
                        {'comment': {'inline': 'example comment'},
                            'is_anonymous': False,
                            'modifiers': ['ascii', 'wide'],
                            'name': 'str',
                            'str_type': 'text',
                            'value': 'Named string'}),
                        ('@anon1',
                        {'is_anonymous': True,
                            'name': '@anon1',
                            'str_type': 'hex',
                            'value': 'DE AD BE EF'}),
                        ('@anon2',
                        {'is_anonymous': True,
                            'name': '@anon2',
                            'str_type': 'regex',
                            'value': 'regex[0-9]{2}'}),
                        ('@anon3',
                        {'is_anonymous': True,
                            'name': '@anon3',
                            'regex_flags': 'i',
                            'str_type': 'regex',
                            'value': 'regex_with_flags'})]),
'tags': ['yarabuilder']}]
>>>
>>> new_builder = yarabuilder.YaraBuilder()
>>> new_builder.set_yara_rules(dict_yara_rules)
>>>

TODO

  • More logging in the classes
  • Add optional validation for building YARA rules (e.g. checking imports are valid, and more longer term check the condition is valid)

About

Python 3 library to build YARA rules.

yarabuilder.readthedocs.io/

Topics

python yara yara-rules

Resources

Readme

License

MIT license
Activity

Stars

13 stars

Watchers

1 watching

Forks

2 forks
Report repository

Releases 6

yarabuilder v0.0.6 Latest
Apr 5, 2021
+ 5 releases

Packages

No packages published

Languages