search

Northern-Lights / yara-parser

Tools for parsing rulesets using the exact grammar as YARA. Written in Go.
MIT License
80 stars 9 forks source link

No Serialize function #6

Closed nbareil closed 6 years ago

nbareil commented 6 years ago

Would you consider a PR adding a serialize function to Rule?

Something like:

func serialize(output io.Writer, rule data.Rule) {
    fmt.Fprintf(output, "rule %s ", rule.Identifier)
    if len(rule.Tags) > 0 {
        fmt.Fprintf(output, ": %s ", strings.Join(rule.Tags, " "))
    }

    fmt.Fprintf(output, "{ \n")
    if len(rule.Meta) > 0 {
        fmt.Fprintf(output, "  meta:\n")
        for _, meta := range rule.Meta {
            if _, ok := meta.Val.(string); ok {
                fmt.Fprintf(output, "    %s = \"%s\"\n", meta.Key, meta.Val)
            }
            if _, ok := meta.Val.(int64); ok {
                fmt.Fprintf(output, "    %s = %d\n", meta.Key, meta.Val)
            }
            if val, ok := meta.Val.(bool); ok {
                if val {
                    fmt.Fprintf(output, "    %s = true\n", meta.Key)
                } else {
                    fmt.Fprintf(output, "    %s = false\n", meta.Key)
                }
            }
        }
        fmt.Fprintf(output, "\n")
    }

    if len(rule.Strings) > 0 {
        fmt.Fprintf(output, "  strings:\n")
        for _, s := range rule.Strings {
            if s.Type == data.TypeString {
                fmt.Fprintf(output, "    %s = \"%s\"", s.ID, s.Text)
            } else if s.Type == data.TypeRegex {
                fmt.Fprintf(output, "    %s = /%s/", s.ID, s.Text)
            } else if s.Type == data.TypeHexString {
                fmt.Fprintf(output, "    %s = { %s }", s.ID, s.Text)
            }
            if s.Modifiers.ASCII {
                fmt.Fprintf(output, " ascii")
            }
            if s.Modifiers.Wide {
                fmt.Fprintf(output, " wide")
            }
            if s.Modifiers.Nocase {
                fmt.Fprintf(output, " nocase")
            }
            if s.Modifiers.Fullword {
                fmt.Fprintf(output, " fullword")
            }

            if s.Modifiers.I {
                fmt.Fprintf(output, "i")
            }
            if s.Modifiers.S {
                fmt.Fprintf(output, "s")
            }

            fmt.Fprintf(output, "\n")
        }
        fmt.Fprintf(output, "\n")
    }

    fmt.Fprintf(output, "  condition:\n    %s\n}\n\n", rule.Condition)
}
Northern-Lights commented 6 years ago

Yes, absolutely. That would be great. I'd imagine we would also want the private and global modifiers.

Northern-Lights commented 6 years ago

Implemented in #13