Open tlansec opened 4 years ago
Apologies if I should have submitted this to the base YARA repo instead - please migrate it if necessary, or I can recreate there.
This has come up again in a discussion at $dayjob. I was wondering if this feature is possible/desirable or if there's some aspect of it that means it's unlikely to ever be done (e.g. it is in conflict with the core way that the externals work).
This is doable but not easy. The reason is that external variables and variables defined by modules are not implemented in the same way, and they have different requirements. I'm leaving this issue open because it would be a nice addition, but I don't think I'm implementing it soon.
OK - thanks for the heads up 👍
Hello,
TL;DR: Would it be possible to add Lists & Dictionaries as allowed types for Yara-python externals?
--
I've recently been looking at various ways to apply the rich pattern matching and conditions from YARA to non-file use cases (e.g. where you just have metadata about a file, or an event, or anything really).
One thing that would be useful in my work is that sometimes I'm taking output from a tool which is by default a dictionary.
Since other native modules to YARA (such as PE) appear to effectively have dictionary structures available, would it be possible to allow use of dictionaries/lists in externals?
Then I could have say:
Where each entry in Events is a dictionary, and then rules that look like this:
Or a simpler case:
And then rules like:
--
I'm not sure how plausible these suggestions are, or if they would be easier to implement in yara 4?
Cheers, Tom
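A workaround for the limitation discussed in this issue, as an added example that is not part of the original thread or of yara-python itself: nested tool output is flattened into scalar externals, which yara-python does accept. The helper names `flatten_externals` and `match_event`, the `ext` prefix, and the sample event and rule are all constructed for illustration.

```python
import json
import re

# Value types yara-python accepts for externals (no dict, list or None).
SCALARS = (bool, int, float, str)

def flatten_externals(value, prefix):
    """Flatten nested dicts/lists into {identifier: scalar} pairs."""
    if isinstance(value, SCALARS):
        return {prefix: value}
    if isinstance(value, dict):
        items = value.items()
    elif isinstance(value, (list, tuple)):
        items = enumerate(value)  # list index becomes part of the name
    else:
        raise TypeError(f"{prefix}: unsupported type {type(value).__name__}")
    flat = {}
    for key, child in items:
        # External names must be valid YARA identifiers.
        name = re.sub(r"[^0-9A-Za-z_]", "_", f"{prefix}_{key}")
        for k, v in flatten_externals(child, name).items():
            if k in flat:  # e.g. keys "a-b" and "a_b" both map to a_b
                raise ValueError(f"external name collision: {k}")
            flat[k] = v
    return flat

def match_event(rule_source, event, prefix="ext"):
    """Compile and evaluate rule_source against one event (needs yara-python)."""
    import yara  # imported lazily so flatten_externals works without it
    externals = flatten_externals(event, prefix)
    # Externals must be defined at compile time, so a rule that references a
    # name this event does not produce fails to compile.
    rules = yara.compile(source=rule_source, externals=externals)
    data = json.dumps(event).encode()  # lets string patterns see the event too
    return [m.rule for m in rules.match(data=data, externals=externals)]

# Constructed sample input, not taken from the issue.
SAMPLE_EVENT = {"host": "ws-01", "Events": [
    {"name": "proc_create", "pid": 4242},
    {"name": "net-conn", "dst.port": 443},
]}
SAMPLE_RULE = """
rule second_event_is_https {
    condition:
        ext_Events_1_name == "net-conn" and ext_Events_1_dst_port == 443
}
"""

if __name__ == "__main__":
    print(flatten_externals(SAMPLE_EVENT, "ext"))
```

Because list positions are baked into the external names, a rule can only test a fixed index; it cannot iterate over the entries the way module arrays allow.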