Python yara.SyntaxError() Examples
The following are 18
code examples of yara.SyntaxError().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
yara
, or try the search function
.
.
Example #1
| Source File: fileparser.py From RATDecoders with MIT License | 6 votes |
|
def dotnet_resource_names(self):
"""
Read .NET Resources and return a list of resource names
:return: list
"""
try:
rules = yara.compile(source='import "dotnet" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara DotNet did you enable it?")
resource_list = []
def modules_callback(data):
for i, resource in enumerate(data.get('resources', [])):
resource_list.append(resource['name'])
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return resource_list
Example #2
| Source File: fileparser.py From RATDecoders with MIT License | 6 votes |
|
def dotnet_resource_by_name(self, resource_name):
"""
Extract a .NET Resource by name
:param resource_name:
:return:
"""
try:
rules = yara.compile(source='import "dotnet" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara DotNet did you enable it?")
def modules_callback(data):
for i, resource in enumerate(data.get('resources', [])):
if resource['name'] == resource_name:
offset = resource['offset']
length = resource['length']
self.res_data = self.file_data[offset:offset + length]
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return self.res_data
Example #3
| Source File: fileparser.py From RATDecoders with MIT License | 6 votes |
|
def dotnet_guids(self):
"""
Exrtract GUIDS from a .NET Binary
:return: list of guids
"""
try:
rules = yara.compile(source='import "dotnet" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara DotNet did you enable it?")
guid_list = []
def modules_callback(data):
for i, guid in enumerate(data.get('guids', [])):
guid_list.append(guid.decode('utf-8'))
# Type lib is also valid as a GUID for nanocore so lets add that.
guid_list.append(data.get('typelib').decode('utf-8'))
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return guid_list
Example #4
| Source File: fileparser.py From RATDecoders with MIT License | 6 votes |
|
def elf_section_by_name(self, resource_name):
"""
Extract an elf section by name
:param resource_name:
:return:
"""
try:
rules = yara.compile(source='import "elf" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara ELF did you enable it?")
def modules_callback(data):
for i, section in enumerate(data.get('sections', [])):
if section['name'].decode('utf-8') == resource_name:
offset = section['offset']
length = section['size']
self.res_data = self.file_data[offset:offset + length]
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return self.res_data
Example #5
| Source File: yara_binary_search.py From FACT_core with GNU General Public License v3.0 | 6 votes |
|
def get_binary_search_result(self, task: Tuple[bytes, Optional[str]]):
'''
:param task: tuple containing the yara_rules (byte string with the contents of the yara rule file) and optionally a firmware uid if only the contents
of a single firmware are to be scanned
:return: dict of matching rules with lists of (unique) matched UIDs as values
'''
with NamedTemporaryFile() as temp_rule_file:
yara_rules, firmware_uid = task
try:
self._prepare_temp_rule_file(temp_rule_file, yara_rules)
raw_result = self._get_raw_result(firmware_uid, temp_rule_file)
results = self._parse_raw_result(raw_result)
self._eliminate_duplicates(results)
return results
except yara.SyntaxError as yara_error:
return 'There seems to be an error in the rule file:\n{}'.format(yara_error)
except CalledProcessError as process_error:
return 'Error when calling YARA:\n{}'.format(process_error.output.decode())
Example #6
| Source File: dispositioner.py From laikaboss with Apache License 2.0 | 5 votes |
|
def _run(self, scanObject, result, depth, args):
#Initialization
moduleResult = []
verbose = False
resultDict = {}
strMatches = ""
#Read arguments
if 'verbose' in args:
verbose = True
#Populate static metadata
resultDict['Disposition_File'] = config.yaradispositionrules
resultDict['Result'] = "Disposition Not Initialized"
#Get scanObject uID for flag_rollup and rollup flags
myUID = get_scanObjectUID(scanObject)
flag_rollup = self._rollupToMe(result, myUID )
resultDict['Input_Flags'] = flag_rollup
if verbose: log_module("MSG", self.module_name, 0, scanObject, result, msg="dispositon_email: flag rollup: %s" % flag_rollup)
try:
matches = yara_on_demand(config.yaradispositionrules, ' '.join(flag_rollup))
lstStrMatches = [str(match) for match in matches]
resultDict['Matches'] = lstStrMatches
if matches:
strMatches = ' '.join(lstStrMatches)
except SyntaxError:
log_module_error(self.module_name, scanObject, result, "Error Compiling YARA rules file at: "+config.yaradispositionrules)
resultDict['Result'] = "YARA RULE SYNTAX ERROR"
resultDict['Result'] = "Accept"
for match in resultDict['Matches']:
if match.startswith("Deny"):
resultDict['Result'] = "Deny"
scanObject.addMetadata(self.module_name, 'Disposition', resultDict)
return moduleResult
Example #7
| Source File: fileparser.py From RATDecoders with MIT License | 5 votes |
|
def pe_resource_id(self, res_id):
"""
Read resource by its ID. Useful where normal pe file fails.
:return: list
"""
try:
rules = yara.compile(source='import "pe" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara DotNet did you enable it?")
resource_list = []
def modules_callback(data):
for i, resource in enumerate(data.get('resources', [])):
if 'id' in resource:
if resource['id'] == res_id:
offset = resource['offset']
length = resource['length']
self.res_data = self.file_data[offset:offset + length]
elif 'name_string' in resource:
# Remove null bytes for a better comparison
res_name = resource['name_string'].decode('UTF-8').replace('\x00', '')
# Check both unicode and plain str versions of name
if res_name == res_id or resource['name_string'] == res_id:
offset = resource['offset']
length = resource['length']
self.res_data = self.file_data[offset:offset + length]
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return self.res_data
Example #8
| Source File: malfind.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def _compile_rules(self):
"""Compile the YARA rules from command-line parameters.
@returns: a YARA object on which you can call 'match'
This function causes the plugin to exit if the YARA
rules have syntax errors or are not supplied correctly.
"""
rules = None
try:
if self._config.YARA_RULES:
s = self._config.YARA_RULES
# Don't wrap hex or regex rules in quotes
if s[0] not in ("{", "/"): s = '"' + s + '"'
# Scan for unicode strings
if self._config.WIDE: s += "wide"
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}'
})
elif self._config.YARA_FILE:
rules = yara.compile(self._config.YARA_FILE)
else:
debug.error("You must specify a string (-Y) or a rules file (-y)")
except yara.SyntaxError, why:
debug.error("Cannot compile rules: {0}".format(str(why)))
Example #9
| Source File: casc_plugin.py From CASC with GNU General Public License v2.0 | 5 votes |
|
def compile(self, rule):
try:
return yara.compile(source = rule)
except yara.SyntaxError as err:
print_console(err)
print_console("===============")
print_console(rule)
print_console("===============")
Example #10
| Source File: malfind.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def _compile_rules(self):
"""Compile the YARA rules from command-line parameters.
@returns: a YARA object on which you can call 'match'
This function causes the plugin to exit if the YARA
rules have syntax errors or are not supplied correctly.
"""
rules = None
try:
if self._config.YARA_RULES:
s = self._config.YARA_RULES
# Don't wrap hex or regex rules in quotes
if s[0] not in ("{", "/"): s = '"' + s + '"'
# Scan for unicode strings
if self._config.WIDE: s += "wide"
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}'
})
elif self._config.YARA_FILE:
rules = yara.compile(self._config.YARA_FILE)
else:
debug.error("You must specify a string (-Y) or a rules file (-y)")
except yara.SyntaxError, why:
debug.error("Cannot compile rules: {0}".format(str(why)))
Example #11
| Source File: malfind.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def _compile_rules(self):
"""Compile the YARA rules from command-line parameters.
@returns: a YARA object on which you can call 'match'
This function causes the plugin to exit if the YARA
rules have syntax errors or are not supplied correctly.
"""
rules = None
try:
if self._config.YARA_RULES:
s = self._config.YARA_RULES
# Don't wrap hex or regex rules in quotes
if s[0] not in ("{", "/"): s = '"' + s + '"'
# Option for case insensitive searches
if self._config.CASE: s += " nocase"
# Scan for unicode and ascii strings
if self._config.WIDE: s += " wide ascii"
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}'
})
elif self._config.YARA_FILE:
rules = yara.compile(self._config.YARA_FILE)
else:
debug.error("You must specify a string (-Y) or a rules file (-y)")
except yara.SyntaxError, why:
debug.error("Cannot compile rules: {0}".format(str(why)))
Example #12
| Source File: malfind.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def _compile_rules(self):
"""Compile the YARA rules from command-line parameters.
@returns: a YARA object on which you can call 'match'
This function causes the plugin to exit if the YARA
rules have syntax errors or are not supplied correctly.
"""
rules = None
try:
if self._config.YARA_RULES:
s = self._config.YARA_RULES
# Don't wrap hex or regex rules in quotes
if s[0] not in ("{", "/"): s = '"' + s + '"'
# Option for case insensitive searches
if self._config.CASE: s += " nocase"
# Scan for unicode and ascii strings
if self._config.WIDE: s += " wide ascii"
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}'
})
elif self._config.YARA_FILE and os.path.isfile(self._config.YARA_FILE):
rules = yara.compile(self._config.YARA_FILE)
else:
debug.error("You must specify a string (-Y) or a rules file (-y)")
except yara.SyntaxError, why:
debug.error("Cannot compile rules: {0}".format(str(why)))
Example #13
| Source File: test_yara.py From stoq-plugins-public with Apache License 2.0 | 5 votes |
|
def test_scan_invalid_rules(self) -> None:
s = Stoq(
plugin_dir_list=[self.plugin_dir],
plugin_opts={
self.plugin_name: {'worker_rules': f'{self.data_dir}/invalid_rules.yar'}
},
)
with self.assertRaises(yara.SyntaxError):
s.load_plugin(self.plugin_name)
Example #14
| Source File: malpedia_analyzer.py From Cortex-Analyzers with GNU Affero General Public License v3.0 | 5 votes |
|
def check(self, file):
"""
Checks a given file against all available yara rules
:param file: Path to file
:type file:str
:returns: Python list with matched rules info
:rtype: list
"""
result = []
all_matches = []
for filerules in os.listdir(self.rulepaths):
try:
rule = yara.compile(os.path.join(self.rulepaths, filerules))
except yara.SyntaxError:
continue
matches = rule.match(file)
if len(matches) > 0:
for rulem in matches:
rule_family = "_".join([x for x in rulem.rule.replace("_", ".", 1).split("_")[:-1]])
if rule_family not in all_matches:
all_matches.append(rule_family)
for rule_family in all_matches:
rules_info_txt = requests.get('{}/family/{}'.format(self.baseurl, rule_family),
auth=HTTPBasicAuth(self.user, self.pwd))
rules_info_json = json.loads(rules_info_txt.text)
result.append({
'family': rule_family,
'common_name': rules_info_json['common_name'],
'description': rules_info_json['description'],
'attribution': rules_info_json['attribution'],
'alt_names': rules_info_json['alt_names'],
'urls': rules_info_json['urls']
})
return result
Example #15
| Source File: yara_rules.py From yeti with Apache License 2.0 | 5 votes |
|
def clean(self):
try:
yara.compile(source=self.pattern)
except (yara.SyntaxError, yara.Error) as e:
raise IndicatorValidationError(
"Yara compilation error: {}".format(e))
Example #16
| Source File: malfind.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def _compile_rules(self):
"""Compile the YARA rules from command-line parameters.
@returns: a YARA object on which you can call 'match'
This function causes the plugin to exit if the YARA
rules have syntax errors or are not supplied correctly.
"""
rules = None
try:
if self._config.YARA_RULES:
s = self._config.YARA_RULES
# Don't wrap hex or regex rules in quotes
if s[0] not in ("{", "/"): s = '"' + s + '"'
# Option for case insensitive searches
if self._config.CASE: s += " nocase"
# Scan for unicode and ascii strings
if self._config.WIDE: s += " wide ascii"
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}'
})
elif self._config.YARA_FILE and os.path.isfile(self._config.YARA_FILE):
rules = yara.compile(self._config.YARA_FILE)
else:
debug.error("You must specify a string (-Y) or a rules file (-y)")
except yara.SyntaxError, why:
debug.error("Cannot compile rules: {0}".format(str(why)))
Example #17
| Source File: yarascanner.py From RATDecoders with MIT License | 5 votes |
|
def __init__(self):
# Create the list of rules
try:
yara_path = os.path.join(os.path.dirname(__file__), 'yaraRules')
self.yara_rules = os.listdir(yara_path)
self.rule_file = os.path.join(yara_path, 'yaraRules.yar')
self.compiled_rules = yara.compile(self.rule_file)
self.rule_list = []
except yara.SyntaxError as e:
print("Unable to compile rules. Do you have dotnet enabled")
# Yara Scanner Returns the Rule Name
Example #18
| Source File: fileparser.py From RATDecoders with MIT License | 5 votes |
|
def dotnet_user_strings(self):
"""
Parse a list of User Strings from a .NET Binary file
:return: list of strings
"""
try:
rules = yara.compile(source='import "dotnet" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara DotNet did you enable it?")
user_strings = []
def modules_callback(data):
for i, userstring in enumerate(data.get('user_strings', [])):
# Remove null bytes
userstring = userstring.replace(b'\x00', b'')
# Add string to list
try:
user_strings.append(userstring.decode('utf-8'))
except UnicodeDecodeError:
pass
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return user_strings
