Security-Onion-Solutions / securityonion

Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, detections, and case management. It also includes other tools such as osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, and Zeek.
https://securityonion.net

FEATURE: Add linting/lexing when updating YARA rules for Strelka #3419

Open weslambert opened 3 years ago

weslambert commented 3 years ago

Consider using something like plyara: https://github.com/plyara/plyara

weslambert commented 3 years ago

Maybe something like the following as a standalone script, or added to so-yara-update:

#!/usr/bin/python3
import argparse
import sys
import yara
from pathlib import Path

parser = argparse.ArgumentParser(description='Compile every .yar file under a directory and report rules that fail')
parser.add_argument('--path', '-p', required=True, help='Path to YARA rules')
args = parser.parse_args()
rules_dir = args.path

def validate_yar(rules_dir):
    # Check all subdirs for YARA rules and return the number that failed to compile
    failed = 0
    for path in Path(rules_dir).glob('**/*.yar'):
        rule = str(path)
        print("Validating " + rule + "...")
        try:
            yara.compile(filepath=rule)
        except yara.Error as e:
            # Report and keep going so one broken rule does not hide the others
            print("FAILED " + rule + ": " + str(e))
            failed += 1
    return failed

# Non-zero exit status so a wrapper such as so-yara-update can stop on bad rules
sys.exit(1 if validate_yar(rules_dir) else 0)
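The compile-only check above catches syntax errors; the linting the issue title and the plyara suggestion point at is about conventions a compiler does not enforce. The following is an added example written for this page, not Security Onion's, Strelka's or plyara's code: a small regex-based lexer that pulls rule headers and the meta/strings/condition sections out of each file and reports rule names reused across files, required meta keys that are missing, and declared strings the condition never references. The file names, rule texts and the required-meta list are constructed for the demonstration.

```python
#!/usr/bin/python3
"""Lightweight YARA lint (hypothetical example): convention checks beyond 'does it compile'."""
import re
import sys
from collections import defaultdict
from pathlib import Path

# Minimal lexing of rule headers and section labels. Rule boundaries are the next
# 'rule' header rather than brace matching, because hex strings such as { 4D 5A }
# contain braces of their own.
RULE_RE = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)', re.M)
SECTION_RE = re.compile(r'^\s*(meta|strings|condition)\s*:', re.M)
META_KEY_RE = re.compile(r'^\s*(\w+)\s*=', re.M)
STRING_DEF_RE = re.compile(r'^\s*\$(\w*)\s*=', re.M)
STRING_REF_RE = re.compile(r'[$#@!](\w*)(\*?)')

REQUIRED_META = ('author', 'description')  # assumed team convention

# Constructed sample rule files for the demonstration (not real Strelka rules).
SAMPLE_FILES = {
    "rules/doc_macro.yar": '''
rule Office_AutoOpen_Macro
{
    meta:
        author = "analyst"
        description = "Office document with an AutoOpen macro that launches a shell"
    strings:
        $auto = "AutoOpen" ascii wide
        $shell = "Shell" ascii
    condition:
        $auto and $shell
}
''',
    "rules/doc_macro_copy.yar": '''
rule Office_AutoOpen_Macro
{
    meta:
        author = "analyst"
    strings:
        $auto = "AutoOpen"
        $wscript = "WScript.Shell"
    condition:
        $auto
}

rule MZ_Header
{
    meta:
        author = "analyst"
        description = "PE magic at offset 0"
    strings:
        $mz = { 4D 5A }
    condition:
        $mz at 0
}
''',
}


def _sections(chunk):
    """Split one rule's text into its meta/strings/condition sections."""
    found = list(SECTION_RE.finditer(chunk))
    out = {}
    for i, m in enumerate(found):
        end = found[i + 1].start() if i + 1 < len(found) else len(chunk)
        out[m.group(1)] = chunk[m.end():end]
    return out


def _referenced_strings(condition, declared):
    """Declared string names the condition can reach, honouring 'them' and '$x*' wildcards."""
    if re.search(r'\bthem\b', condition):
        return set(declared)
    used = set()
    for ident, wild in STRING_REF_RE.findall(condition):
        if wild:
            used.update(s for s in declared if s.startswith(ident))
        else:
            used.add(ident)
    return used


def lint_rules(files, required_meta=REQUIRED_META):
    """files: {path: rule text}. Returns a list of 'path: rule: problem' findings."""
    findings = []
    seen = defaultdict(list)  # rule name -> files that define it
    for path, text in files.items():
        headers = list(RULE_RE.finditer(text))
        for i, h in enumerate(headers):
            name = h.group(1)
            end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
            sec = _sections(text[h.end():end])
            seen[name].append(path)
            for key in required_meta:
                if key not in META_KEY_RE.findall(sec.get('meta', '')):
                    findings.append(f"{path}: {name}: missing meta '{key}'")
            # Anonymous strings ($ = "...") are only reachable via 'them', so skip them here
            declared = [s for s in STRING_DEF_RE.findall(sec.get('strings', '')) if s]
            unused = set(declared) - _referenced_strings(sec.get('condition', ''), declared)
            for s in sorted(unused):
                findings.append(f"{path}: {name}: string '${s}' never used in condition")
    for name, paths in seen.items():
        if len(paths) > 1:
            findings.append(f"{', '.join(paths)}: {name}: rule name defined more than once")
    return findings


def lint_directory(rules_dir):
    """Lint every .yar file below rules_dir (same glob the compile check uses)."""
    files = {str(p): p.read_text() for p in Path(rules_dir).glob('**/*.yar')}
    return lint_rules(files)


if __name__ == '__main__':
    problems = lint_directory(sys.argv[1]) if len(sys.argv) > 1 else lint_rules(SAMPLE_FILES)
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Run with a rules directory as the only argument to lint real files, or with no argument to see the findings on the embedded samples (the duplicated rule name, the copy's missing description and its unused `$wscript`). A regex lexer like this is deliberately shallow; a real parser such as plyara would also handle tags, imports and string modifiers, but the duplicate-name check in particular is worth having in front of any compile step, since files compiled one at a time will never see each other's identifiers.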