Improve YARA plugin - Githubissues

fox-it / dissect.target

The Dissect module tying all other Dissect modules together. It provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets).

GNU Affero General Public License v3.0

38 stars 42 forks source link

Improve YARA plugin #646

Open JSCU-CNI opened 3 months ago

JSCU-CNI commented 3 months ago

This PR aims to improve the YARA plugin.

dissect.target.plugins.filesystem.yara is now an InternalPlugin
target-yara is now a command which calls the filesystem.yara plugin
it is now possible to run compiled YARA rules with the YARA plugin
provided rules can be compiled together which improves scan speed
provided rules can be checked on validity before compiling them together
arguments aim to be fully backwards compatible
target-query -f yara will no longer work as it is replaced by target-yara
added tests for filesystem.yara and target-yara

JSCU-CNI commented 3 months ago

Can you also elaborate the reasoning for moving this towards target-yara and removing the functionality from target-query? On the one hand I can understand that it's nice to be able to run target-yara, but I don't understand the reasoning for completely walling it off from target-query. Is it a design choice?

target.yara() is still accessible programmatically and for cli invocations we now have target-yara. It's a design choice. Initially both still worked, but with a very elaborate method on defining argparse arguments. Decided against that and now we're here.

JSCU-CNI commented 1 month ago

~Is YARA-X integration welcome in this PR, or should we wait until this has been merged in main?~ We will push this to a separate PR.

JSCU-CNI commented 2 weeks ago

It seems like that was all feedback, apologies for the delay @Schamper. Is this good to go now?