GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → Northern-Lights → yara-parser

Northern-Lights / yara-parser

Licence: MIT license
Tools for parsing rulesets using the exact grammar as YARA. Written in Go.

Programming Languages

go
31211 projects - #10 most used programming language
Yacc
648 projects
Lex
420 projects
YARA
70 projects

Labels

securityjsondetectionlexerrulesetsignaturesyarasecurity-toolsyara-rulesetyara-parser

Projects that are alternatives of or similar to yara-parser

detection
Detection in the form of Yara, Snort and ClamAV signatures.
Stars: ✭ 70 (+1.45%)
Mutual labels:  detection, signatures, yara
Plyara
Parse YARA rules and operate over them more easily.
Stars: ✭ 108 (+56.52%)
Mutual labels:  lexer, yara
apooxml
Generate YARA rules for OOXML documents.
Stars: ✭ 34 (-50.72%)
Mutual labels:  detection, yara
Strelka
Real-time, container-based file scanning at enterprise scale
Stars: ✭ 387 (+460.87%)
Mutual labels:  detection, yara
SwiLex
A universal lexer library in Swift.
Stars: ✭ 29 (-57.97%)
Mutual labels:  lexer
colorchecker-detection
Multiple ColorChecker Detection. This code implements a multiple colorChecker detection method, as described in the paper Fast and Robust Multiple ColorChecker Detection.
Stars: ✭ 51 (-26.09%)
Mutual labels:  detection
nnDetection
nnDetection is a self-configuring framework for 3D (volumetric) medical object detection which can be applied to new data sets without manual intervention. It includes guides for 12 data sets that were used to develop and evaluate the performance of the proposed method.
Stars: ✭ 355 (+414.49%)
Mutual labels:  detection
gradle-cpd-plugin
Gradle plugin to find duplicate code using PMDs copy/paste detection (= CPD).
Stars: ✭ 88 (+27.54%)
Mutual labels:  detection
lexer
Hackable Lexer with UTF-8 support
Stars: ✭ 19 (-72.46%)
Mutual labels:  lexer
MindMaps
#ThreatHunting #DFIR #Malware #Detection Mind Maps
Stars: ✭ 224 (+224.64%)
Mutual labels:  detection
sb-dynlex
Configurable lexer for PHP featuring a fluid API.
Stars: ✭ 27 (-60.87%)
Mutual labels:  lexer
hand detector.d2
Hand detection models trained on 100DOH (100 Days of Hands) dataset.
Stars: ✭ 60 (-13.04%)
Mutual labels:  detection
compiler lab
Some toy labs for compiler course
Stars: ✭ 49 (-28.99%)
Mutual labels:  lexer
VideoRecognitionTracking
Real time object or face detection recognition and tracking in video. The Full end-to-end project.
Stars: ✭ 36 (-47.83%)
Mutual labels:  detection
binlex
A Binary Genetic Traits Lexer Framework
Stars: ✭ 303 (+339.13%)
Mutual labels:  yara
HTTPSignatures
A Burp Suite extension implementing the Signing HTTP Messages draft-ietf-httpbis-message-signatures-01 draft.
Stars: ✭ 38 (-44.93%)
Mutual labels:  signatures
powerai-vision-object-detection
Use deep learning to create a model and a REST endpoint to allow your app to detect, locate and count your product on store shelves
Stars: ✭ 93 (+34.78%)
Mutual labels:  detection
ImHex-Patterns
Hex patterns, include patterns and magic files for the use with the ImHex Hex Editor
Stars: ✭ 192 (+178.26%)
Mutual labels:  yara
AnticheatJS
Javascript Anti Cheats 101
Stars: ✭ 81 (+17.39%)
Mutual labels:  detection
R-CNN LIGHT
Regional-Convolution Neural Network for blink detection based on contouring.
Stars: ✭ 66 (-4.35%)
Mutual labels:  detection
View All Similar Projects ➔

yara-parser

yara-parser is a Go library for manipulating YARA rulesets. Its key feature is that it uses the same grammar and lexer files as the original libyara to ensure that lexing and parsing work exactly like YARA. The grammar and lexer files have been modified to fill Go data structures for ruleset manipulation instead of compiling rulesets for data matching.

Using yara-parser, one will be able to read YARA rulesets to programatically change metadata, rule names, rule modifiers, tags, strings, and more.

The ability to serialize rulesets to JSON for rule manipulation in other languages is provided with the y2j tool. Similarly, j2y provides JSON-to-YARA conversion, but do see Limitations below.

Installation

For the following go get commands, if you experience any issues, they are likely due to outdated versions of Go. The project uses features introduced in Go 1.10. Installation should proceed normally after an update.

To install (or update) everything at once, the following command can be used:

go get -u github.com/Northern-Lights/yara-parser/...

y2j: YARA to JSON

Use the following command to install the y2j command for converting YARA rulesets to JSON.

go get -u github.com/Northern-Lights/yara-parser/cmd/y2j

Of course, this will install y2j to $GOPATH/bin, so ensure that the latter is in your $PATH.

The grammar and lexer files are frozen so that building them with goyacc and flexgo are not necessary.

j2y: JSON to YARA

Use the following command to install the j2y command for converting JSON to YARA rulesets.

go get -u github.com/Northern-Lights/yara-parser/cmd/j2y

Grammar Library

Use the following command to install the grammar library for deserializing YARA rulesets without installing y2j.

go get -u github.com/Northern-Lights/yara-parser/grammar

y2j Usage

Command line usage for y2j looks like the following:

$ y2j --help            
Usage of y2j: y2j [options] file.yar

options:
  -indent int
        Set number of indent spaces (default 2)
  -o string               
        JSON output file

In action, y2j would convert the following ruleset:

import "pe"
import "cuckoo"

include "other.yar"

global rule demo : tag1 {
meta:
    description = "This is a demo rule"
    version = 1
    production = false
    description = "because we can"
strings:
    $string = "this is a string" nocase wide
    $regex = /this is a regex/i ascii fullword
    $hex = { 01 23 45 67 89 ab cd ef [0-5] ?1 ?2 ?3 }
condition:
    $string or $regex or $hex
}

to this JSON output:

{
   "file": "sample.yar",
   "imports": [
      "pe",
      "cuckoo"
   ],
   "includes": [
      "other.yar"
   ],
   "rules": [
      {
         "modifiers": {
            "global": true,
            "private": false
         },
         "identifier": "demo",
         "tags": [
            "tag1"
         ],
         "meta": [
            {
               "Key": "description",
               "Val": "This is a demo rule"
            },
            {
               "Key": "version",
               "Val": 1
            },
            {
               "Key": "production",
               "Val": false
            },
            {
               "Key": "description",
               "Val": "because we can"
            }
         ],
         "strings": [
            {
               "id": "$string",
               "type": 0,
               "text": "this is a string",
               "modifiers": {
                  "nocase": true,
                  "ascii": false,
                  "wide": true,
                  "fullword": false,
		  "xor": false,
                  "i": false,
                  "s": false
               }
            },
            {
               "id": "$regex",
               "type": 2,
               "text": "this is a regex",
               "modifiers": {
                  "nocase": false,
                  "ascii": true,
                  "wide": false,
                  "fullword": true,
		  "xor": false,
                  "i": true,
                  "s": false
               }
            },
            {
               "id": "$hex",
               "type": 1,
               "text": " 01 23 45 67 89 ab cd ef [0-5] ?1 ?2 ?3 ",
               "modifiers": {
                  "nocase": false,
                  "ascii": false,
                  "wide": false,
                  "fullword": false,
		  "xor": false,
                  "i": false,
                  "s": false
               }
            }
         ],
         "condition": "$string or $regex or $hex"
      }
   ]
}

Note that the string types are as follows:

String type int code Designation
0 string
1 hex pair bytes
2 regex

Go Usage

Sample usage for working with rulesets in Go looks like the following:

package main

import (
	"fmt"
	"log"
	"os"

	"github.com/Northern-Lights/yara-parser/grammar"
)

func main() {
	input, err := os.Open(os.Args[1])   // Single argument: path to your file
	if err != nil {
		log.Fatalf("Error: %s\n", err)
	}

	ruleset, err := grammar.Parse(input, os.Stdout)
	if err != nil {
		log.Fatalf(`Parsing failed: "%s"`, err)
	}

    fmt.Printf("Ruleset:\n%v\n", ruleset)
    
    // Manipulate the first rule
    rule := ruleset.Rules[0]
    rule.Identifier = "new_rule_name"
    rule.Modifiers.Global = true
    rule.Modifiers.Private = false
}

Development

The included Dockerfile will build an image suitable for producing the parser and lexer using goyacc and flexgo. There is a builder target in the Makefile to help you quickly get started with this. Run the following to build the builder image:

make builder

This will provide you with a Docker image called yara-parser-builder.

As you make changes to the grammar, you can then run make grammar. The .go files will be output in the grammar/ directory.

Limitations

Currently, there are no guarantees with the library that modified rules will serialize back into a valid YARA ruleset. For example, you can set rule.Identifier = "123", but this would be invalid YARA. Additionally, adding or removing strings may cause a condition to become invalid, and conditions are currently treated only as text. Comments also cannot be retained.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].