VirusTotal / yara-python

The Python interface for YARA
http://virustotal.github.io/yara/
Apache License 2.0

Merged code in the issue #157 does not work #174

Open rakovskij-stanislav opened 3 years ago

rakovskij-stanislav commented 3 years ago

Summary: Issue #157 was about printing all the warnings with "error_on_warning" enabled. But in the example below we can see that it does not work in the newest version of yara-python.

Yara ruleset:

rule bad_rule1
{
    meta:
        author = "Rakovskij Stanislav / disasm.me"
        date = "01.03.2021"
        description = "Rule that uses bad wilecards to raise yara warning"
    strings:
        $ = {00 [32] 00}
    condition:
        any of them
}

rule bad_rule2
{
    meta:
        author = "Rakovskij Stanislav / disasm.me"
        date = "01.03.2021"
        description = "Rule that uses bad wilecards to raise yara warning"
    strings:
        $ = {00 [32] 00}
    condition:
        any of them
}

Output:

/m/d/test_yara_speed> ./yara64.exe bad_rule.yar random_100Mb.bin
bad_rule.yar(8): warning in rule "bad_rule1": $ is slowing down scanning
bad_rule.yar(20): warning in rule "bad_rule2": $ is slowing down scanning
bad_rule1 random_100Mb.bin
bad_rule2 random_100Mb.bin
/m/d/test_yara_speed> python3 -c "import yara; yara.compile('bad_rule.yar', error_on_warning=True)"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
yara.WarningError: bad_rule.yar(20): $ is slowing down scanning  // <- expected two warnings - on lines 8 and 20, got only the last one. 
/m/d/test_yara_speed [1]> ./yara64.exe -v
4.0.5
/m/d/test_yara_speed> python3 -m pip install yara-python
Requirement already satisfied: yara-python in /home/user/.local/lib/python3.8/site-packages (4.0.5)

regeciovad commented 3 years ago

Thank you for testing. For some reason, my changes are not present in the current release. If you install v4.0.5 locally from the repository, your example works fine. @plusvic, @wxsBSD could you please check this out? It seems that the file yara-python.c is the same in all releases from 4.0.3 up.

wxsBSD commented 3 years ago

There is a v4.0.x branch in both repositories, where the latest 4.0.x releases have been coming from. What is in master now will eventually become 4.1.0 (most likely). When that will happen is unknown to me right now.
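
Added example, not part of the thread or of yara-python's own code: a small check for a rule-linting pipeline that compares the warnings printed by the `yara` CLI with the text carried by `yara.WarningError`, and reports the ones the binding did not surface. The two sample strings are copied from the output in the opening report; the function names are hypothetical.

```python
import re

# CLI form:        file(line): warning in rule "name": message
# Exception form:  yara.WarningError: file(line): message
# (both forms as they appear in the report above)
_WARNING = re.compile(
    r'^(?:yara\.WarningError: )?'
    r'(?P<file>[^()\s]+)\((?P<line>\d+)\): '
    r'(?:warning in rule "(?P<rule>[^"]+)": )?'
    r'(?P<msg>.+?)\s*$'
)

CLI_OUTPUT = '''\
bad_rule.yar(8): warning in rule "bad_rule1": $ is slowing down scanning
bad_rule.yar(20): warning in rule "bad_rule2": $ is slowing down scanning
bad_rule1 random_100Mb.bin
bad_rule2 random_100Mb.bin
'''

BINDING_OUTPUT = '''\
Traceback (most recent call last):
  File "<string>", line 1, in <module>
yara.WarningError: bad_rule.yar(20): $ is slowing down scanning
'''


def parse_warnings(text):
    """Return {(file, line, message)} for every warning line found in text.

    Match lines, traceback frames and shell prompts do not fit the
    file(line): pattern and are skipped.
    """
    found = set()
    for raw in text.splitlines():
        m = _WARNING.match(raw.strip())
        if m:
            found.add((m["file"], int(m["line"]), m["msg"]))
    return found


def missing_from_binding(cli_text, binding_text):
    """Warnings the CLI printed that the Python exception text lacks."""
    return sorted(parse_warnings(cli_text) - parse_warnings(binding_text))


if __name__ == "__main__":
    for file, line, msg in missing_from_binding(CLI_OUTPUT, BINDING_OUTPUT):
        print(f"not reported by yara-python: {file}({line}): {msg}")
```
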