VirusTotal / yara-python

The Python interface for YARA
http://virustotal.github.io/yara/
Apache License 2.0

Get compiled rule names #128

Closed vasily-kirichenko closed 2 years ago

vasily-kirichenko commented 4 years ago

It would be awesome to have the ability to get the names of all compiled rules, to check if there are duplicates.

I have a directory containing a lot of *.rule files, each of which contains a single rule. I want to compile all of them to a single Rules object:

import os
import yara

rules_dir = ...  # directory holding the *.rule files, one rule per file
rule_file_paths = []

# collect every file below rules_dir
for root, _, files in os.walk(rules_dir):
  for file in files:
    rule_file_paths.append(os.path.join(root, file))

# compile() takes a dict, so each file gets its own unique namespace key
rules = yara.compile(filepaths={
  f'ns{i}': rule for i, rule in enumerate(rule_file_paths)
})

I have to provide a unique namespace for every rule because compile accepts a dictionary, so all the keys must be unique.

Now I need to check if there are rule name duplicates, but the Rules object that the compile function returns is opaque: it provides only match and save methods. I'd like to iterate over the compiled rules and get the name attribute of each, something like this:

for rule in rules:
  print(rule.name)

However, all I need is to check that there are no duplicates by name (as I use names as a unique identifier for reliably tracking matched rules); maybe a simpler approach is available?

plusvic commented 4 years ago

What about using this? https://github.com/Northern-Lights/yara-parser

wxsBSD commented 4 years ago

If I'm understanding your request correctly, you can do what you want:

wxs@wxs-mbp yara-python % cat foo
rule a { condition: true }
wxs@wxs-mbp yara-python % cat bar
rule a { condition: true }
wxs@wxs-mbp yara-python % PYTHONPATH=./build/lib.macosx-10.14-x86_64-3.7 python3
Python 3.7.3 (default, Dec 13 2019, 19:58:14)
[Clang 11.0.0 (clang-1100.0.33.17)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import yara
>>> rules = yara.compile(filepaths={f'ns{i}': rule for i, rule in enumerate(['foo', 'bar'])})
>>> for rule in rules:
...     print(rule.identifier)
...
a
a
>>> ^D
wxs@wxs-mbp yara-python %
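The duplicate check the opening post asks for, built on the iteration that wxsBSD demonstrates above. This is an added example, not code from the issue or from yara-python; it assumes yara-python is installed for the compile step (the import is deferred so the pure duplicate logic runs without it), and the three rule sources are constructed for illustration. Because each file is compiled into its own namespace, an identifier is only a reliable tracking key if it is unique across all namespaces, so the check ignores the namespace when counting.

```python
"""Find duplicate rule identifiers across a set of compiled YARA rules."""
import os
from collections import Counter

# Constructed sample: three rules in three namespaces, two sharing identifier "a".
SAMPLE_SOURCES = {
    "ns0": "rule a { condition: true }",
    "ns1": "rule a { condition: true }",
    "ns2": "rule b { condition: false }",
}


def duplicate_identifiers(identifiers):
    """Return the sorted identifiers that occur more than once in the iterable."""
    counts = Counter(identifiers)
    return sorted(name for name, n in counts.items() if n > 1)


def identifiers_of(rules):
    """Iterate a compiled yara.Rules object and collect (namespace, identifier)
    for every yara.Rule it yields. Any iterable of objects exposing .namespace
    and .identifier is accepted, which keeps this testable without yara."""
    return [(rule.namespace, rule.identifier) for rule in rules]


def check_sources(sources):
    """Compile {namespace: rule_text} with yara-python and return identifiers
    that appear in more than one namespace (assumes yara-python is installed)."""
    import yara  # deferred: only this path needs the extension module

    rules = yara.compile(sources=sources)
    return duplicate_identifiers(ident for _, ident in identifiers_of(rules))


def check_rules_dir(rules_dir):
    """Directory variant matching the opening post: every file under rules_dir
    is compiled in its own namespace, then identifiers are checked for reuse."""
    import yara  # deferred, as above

    paths = [os.path.join(root, f) for root, _, files in os.walk(rules_dir) for f in files]
    rules = yara.compile(filepaths={f"ns{i}": p for i, p in enumerate(paths)})
    return duplicate_identifiers(ident for _, ident in identifiers_of(rules))


if __name__ == "__main__":
    dups = check_sources(SAMPLE_SOURCES)
    if dups:
        raise SystemExit(f"duplicate rule identifiers: {', '.join(dups)}")
    print("no duplicate identifiers")
```

Failing the build when duplicates are found (the SystemExit above) is the useful mode for a rule repository: a collision is only harmless until a match result is attributed to the wrong rule by name.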