CERT-Polska / karton-yaramatcher

File and analysis artifacts yara matcher for Karton framework
https://github.com/CERT-Polska/karton
BSD 3-Clause "New" or "Revised" License

Compiled YARA Signature Support #10

Open c3rb3ru5d3d53c opened 3 years ago

c3rb3ru5d3d53c commented 3 years ago

Added support to use compiled YARA signatures

See Enhancement: https://github.com/CERT-Polska/karton-yaramatcher/issues/9

chivay commented 3 years ago

Hi, thanks for the PR! Do you have any specific use case for this feature? Are you experiencing some performance issues? We're already compiling rules on karton startup and from our experience this shouldn't take a lot of time.

nazywam commented 3 years ago

cc @c3rb3ru5d3d53c

rakovskij-stanislav commented 2 years ago

@c3rb3ru5d3d53c & @chivay

As I can see, there are 2 cases to use precompiled rules:

But there is a problem: compiled yara rules will take up more disk space -> will be loaded into memory more slowly -> the speedup of this solution may decrease.

I'm not a maintainer, but if this code does not complicate the current use case of yaramatcher, it can be considered ok :)

TheDuchy commented 2 years ago

bumping this pull req as I would also love to see it merged. :)

In our case it would help us import rules with ... difficult dependencies that fail to compile under Karton.

c3rb3ru5d3d53c commented 2 years ago

Hey guys, I'm willing to help get this merged, I'll be testing here again soon!

I had life stuff going on when I made the PR last and had many other things on the go.

I'm back now and re-building an mwdb environment :pray:

The use case I have is that I have a yara CI/CD pipeline that compiles our signatures and it's much easier to deliver a pre-compiled blob. I don't see any problem adding it as the code I have allows you to do both options, the user can decide :smile:
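An added example of the "both options" loading path discussed in this thread, written for yara-python; it is not code from this PR or from karton-yaramatcher. It assumes that a blob written by `rules.save()` starts with libyara's 4-byte `YARA` file magic (used here to tell a precompiled blob from `.yar` source), and that a blob built with a different libyara version fails to load with `yara.Error`.

```python
from pathlib import Path
import tempfile

# Assumption: serialized rule files written by yara's rules.save() start with
# the 4-byte magic "YARA" (libyara's arena file header); rule source never does.
COMPILED_MAGIC = b"YARA"


def is_compiled_rules(blob: bytes) -> bool:
    """True if `blob` is a precompiled rules blob rather than .yar source."""
    return blob[:len(COMPILED_MAGIC)] == COMPILED_MAGIC


def load_rules(path: str):
    """Return a yara.Rules object from either a source file or a precompiled blob.

    A compiled blob is tied to the libyara version that produced it, so a
    yara.Error on load is surfaced with that hint rather than a bare traceback.
    """
    import yara  # imported lazily so the sniffing helper works without yara-python

    if is_compiled_rules(Path(path).read_bytes()):
        try:
            return yara.load(filepath=path)
        except yara.Error as exc:
            raise RuntimeError(
                f"{path}: compiled rules rejected by this libyara; rebuild the "
                "blob with the same yara version the matcher runs"
            ) from exc
    # Plain source: compile at startup, as karton-yaramatcher already does.
    return yara.compile(filepath=path)


if __name__ == "__main__":
    import yara

    # Constructed sample: a trivial rule compiled "in CI", saved as a blob,
    # then loaded through the same entry point as the source file.
    source = 'rule demo { strings: $a = "karton" condition: $a }'
    with tempfile.TemporaryDirectory() as tmp:
        src_path, blob_path = f"{tmp}/demo.yar", f"{tmp}/demo.yarc"
        Path(src_path).write_text(source)
        yara.compile(source=source).save(filepath=blob_path)
        for p in (src_path, blob_path):
            kind = "compiled" if is_compiled_rules(Path(p).read_bytes()) else "source"
            hits = [m.rule for m in load_rules(p).match(data=b"hello karton")]
            print(p, kind, hits)
```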