VirusTotal / yara-x

A rewrite of YARA in Rust.
https://virustotal.github.io/yara-x/
BSD 3-Clause "New" or "Revised" License

yara-python rule save like functionality #155

Closed dadokkio closed 3 months ago

dadokkio commented 3 months ago

Hi, I was using the rule save functionality in order to merge multiple yara rules in a single file. Something like:

from pathlib import Path
import yara

def merge_rule(rules, outputfile):
    # rules: list of {"name": ..., "path": ...}; the dict keys become
    # yara namespaces, files that do not exist are skipped
    rules_file = {
        rule['name']: rule['path']
        for rule in rules
        if Path(rule['path']).exists()
    }
    rules = yara.compile(filepaths=rules_file)
    rules.save(outputfile)

I was looking for something similar in yara-x, but the only save-related functionality is the rules serialize_into function, and the generated file is different from the old save one. Will the save option be added to rules? Is there another way to obtain the same functionality?

plusvic commented 3 months ago

serialize_into is the way for saving compiled rules to a file; the file format is different from the one used in yara. You can't load a file generated by yara with yara-x or vice versa.

dadokkio commented 3 months ago

Ok, that's what I thought. My workflow is to generate a single yara rule to be used in volatility3 for some plugins (e.g. yarascan). So for now I cannot replace the rule generation because it's not compatible, but I'll try to add support for serialized yara-x rules there.

dadokkio commented 2 months ago

Sorry to add another question to this closed topic, but I'm not sure if this requires a dedicated one. In yara-python the matched object also had a matched_data attribute with the string value that matched, in addition to the identifier. Now that seems to not be available anymore, so I'm obtaining it by slicing the data using offset and length. Is this correct?