Keep yara comments

[nbareil]

Would it be possible to keep Yara comments please?

I guess it would require to "attach" each comment to a string/meta/condition (to reattach the comment at the Serialization stage).

Thank you very much for your very valuable project!

[Northern-Lights]

Thanks for bringing this up. I am not exactly sure how to do this yet, as I believe even libyara does not consider a way to store comments (it only does rule compilation, and then the textual ruleset does not matter afterwards). My vague ideas involve somehow tracking the state (as you mentioned: whether we're in the strings/meta/condition, etc.) and attaching to the comment to the most recent object.

Some challenges I see are considering where exactly a comment should belong. For example, if you put a comment in between 2 separate rules, what object does the comment belong to?

[nbareil]

Some challenges I see are considering where exactly a comment should belong. For example, if you put a comment in between 2 separate rules, what object does the comment belong to?

I guess you will have to stick to arbitrary rules like "a line only containing a comment applies to the next object below, an inline comment applies to the previous object on the same line".

Using GitHub|BigQuery, I dumped all yara rules stored on Github, all-yara.tar.gz (17MB) is attached to this ticket. Maybe it might help you to iterate and validate your assumptions?

[Northern-Lights]

Thanks, that will definitely be helpful.