VirusTotal / yara-python

The Python interface for YARA
http://virustotal.github.io/yara/
Apache License 2.0

yara-python <-> yara inconsistent handling of metadata #205

Closed tlansec closed 2 years ago

tlansec commented 2 years ago

If I have the following rule foo.yar:

rule my_metadata_rule
{
    meta:
        foo = "bar"
        foo = "rae"

    condition:
        true
}

And I use yara:

yara -m foo.yar foo.yar

my_metadata_rule [foo="bar",foo="rae"] foo.yar

I get the expected output where both metadata values are printed, but if using yara-python and inspecting a match's metadata, only the last value of "foo" is returned. I know in some older version of YARA duplicate metadata fields were not allowed and I suspect that this was never considered for YARA-python.

I am unsure what the best fix (or even if one is required) is, as potentially changing the match.meta object from a dictionary would likely break any existing integrations.

Cheers, Tom

wxsBSD commented 2 years ago

There are a couple of open PRs for this:

https://github.com/VirusTotal/yara-python/pull/74

https://github.com/VirusTotal/yara-python/pull/201

But yes, you are right that this is a known issue. The problem is fixing it without breaking existing scripts that expect scalar values and not lists.

cccs-rs commented 2 years ago

Should now be resolved in: https://github.com/VirusTotal/yara-python/commit/d29ca083f4cb25ea52988314b844bb7cf8594b5b
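Added example, not part of the issue thread or of the yara-python code: a parser for the `yara -m` result line quoted in the issue, showing how a plain dict drops the first `foo` while a key-to-list mapping keeps both values. The function names are hypothetical, and the metadata format (comma-separated `key="string"`, `key=123`, `key=true`) is assumed to match the CLI output shown above.

```python
import re

# One entry as `yara -m` prints it: key="string", key=123 or key=true/false.
_ENTRY = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(-?\d+)|(true|false))(?:,|$)')

def parse_meta_line(line):
    """Parse 'rule [k=v,...] target' into (rule, [(key, value), ...], target)."""
    # Assumption: the scanned path does not itself contain "] ".
    head = re.match(r'(\S+) \[(.*)\] (.+)$', line)
    if not head:
        raise ValueError("not a `yara -m` result line")
    rule, body, target = head.groups()
    pairs, pos = [], 0
    while pos < len(body):
        m = _ENTRY.match(body, pos)
        if not m:
            raise ValueError(f"unparsable metadata at offset {pos}")
        key, text, number, flag = m.groups()
        if text is not None:
            value = text              # escape sequences are left as printed
        elif number is not None:
            value = int(number)
        else:
            value = flag == "true"
        pairs.append((key, value))    # keep order and duplicates
        pos = m.end()
    return rule, pairs, target

def as_scalar_dict(pairs):
    """Plain dict: a repeated key keeps only its last value."""
    return dict(pairs)

def as_multi_dict(pairs):
    """Every key maps to the list of all its values, in rule order."""
    out = {}
    for key, value in pairs:
        out.setdefault(key, []).append(value)
    return out

def duplicated_keys(pairs):
    """Keys that a scalar dict would silently collapse."""
    return sorted(k for k, v in as_multi_dict(pairs).items() if len(v) > 1)

if __name__ == "__main__":
    # Output line quoted in the issue above.
    rule, pairs, target = parse_meta_line('my_metadata_rule [foo="bar",foo="rae"] foo.yar')
    print(rule, as_scalar_dict(pairs), as_multi_dict(pairs), duplicated_keys(pairs))
```

Running `duplicated_keys` over scan results is a quick way to find rules whose metadata a scalar-valued consumer would report incompletely.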