def test_detect_imports(self):
    """Each import_ruleset fixture must report exactly its own module via detect_imports.

    Fixture paths are relative to the working directory (``tests/data/``),
    so this test must be run from the repository root.
    """
    modules = ('androguard', 'cuckoo', 'dotnet', 'elf', 'hash', 'magic', 'math', 'pe')
    for module in modules:
        fixture = 'tests/data/import_ruleset_{}.yar'.format(module)
        with open(fixture, 'r') as fh:
            rule_source = fh.read()
        parsed_rules = Plyara().parse_string(rule_source)
        # Every rule in the fixture imports only the module named in the file name.
        for parsed_rule in parsed_rules:
            self.assertEqual(Plyara.detect_imports(parsed_rule), [module])
def test_detect_imports(self):
    """Each import_ruleset fixture must report exactly its own module via detect_imports.

    Fixtures are resolved against the module-level ``data_dir`` path, so the
    test does not depend on the working directory. The ``detect_imports``
    calls are wrapped in ``assertWarns``: at least one call in the block is
    expected to emit a ``DeprecationWarning``.
    """
    modules = ('androguard', 'cuckoo', 'dotnet', 'elf', 'hash', 'magic', 'math', 'pe')
    for module in modules:
        fixture = data_dir.joinpath('import_ruleset_{}.yar'.format(module))
        with fixture.open('r') as fh:
            rule_source = fh.read()
        parsed_rules = Plyara().parse_string(rule_source)
        # The warning is asserted once for the whole loop, not per rule.
        with self.assertWarns(DeprecationWarning):
            for parsed_rule in parsed_rules:
                self.assertEqual(Plyara.detect_imports(parsed_rule), [module])
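def generate_kwargs_from_parsed_rule(parsed_rule):
    """Build the keyword arguments used to save a rule from a Plyara parse result.

    Args:
        parsed_rule: one rule dict as produced by ``Plyara().parse_string``.
            ``rule_name`` and ``condition_terms`` are required; ``tags``,
            ``scopes``, ``metadata``, ``strings`` and ``comments`` are optional.
            The argument is not mutated; metadata is normalised into a copy.

    Returns:
        A dict with the keys ``name``, ``tags``, ``scopes``, ``imports``,
        ``comments``, ``metadata``, ``strings``, ``condition``,
        ``dependencies`` and ``logic_hash``. ``tags``, ``scopes``,
        ``imports`` and ``comments`` are de-duplicated with first-seen
        order preserved (the original used ``list(set(...))``, whose order
        was not deterministic).

    Raises:
        KeyError: if ``rule_name`` or ``condition_terms`` is missing.
        ValueError: if a metadata key carries an empty list of values.
    """
    name = parsed_rule['rule_name']
    tags = parsed_rule.get('tags', [])
    scopes = parsed_rule.get('scopes', [])

    # TODO : Update when Plyara moves to clean Python types
    metadata = _normalize_metadata(parsed_rule.get('metadata', {}))

    strings = parsed_rule.get('strings', [])
    condition = parsed_rule['condition_terms']

    # TODO : Update when Plyara moves to stripping quotes from detect_imports module
    imports = [imp.strip('"') for imp in Plyara.detect_imports(parsed_rule)]
    comments = parsed_rule.get('comments', [])
    dependencies = Plyara.detect_dependencies(parsed_rule)

    # Calculate hash value of rule strings and condition
    logic_hash = Plyara.generate_logic_hash(parsed_rule)

    return {
        'name': name,
        'tags': _unique(tags),
        'scopes': _unique(scopes),
        'imports': _unique(imports),
        'comments': _unique(comments),
        'metadata': metadata,
        'strings': strings,
        'condition': condition,
        'dependencies': dependencies,
        'logic_hash': logic_hash,
    }


def _unique(items):
    """Return *items* without duplicates, keeping first-seen order."""
    return list(dict.fromkeys(items))


def _normalize_metadata(metadata):
    """Return a copy of *metadata* with values in the form the rule store expects.

    Rules, in order, for each value:
      * A list (Plyara's representation of a repeated metakey) is collapsed
        to its first element. TEMP FIX - use only a single instance of a
        metakey until YaraGuardian models and functions can be updated.
        This must happen before the quoting step below; the previous
        ordering passed the list itself to ``int()``, which raised a
        ``TypeError`` that the ``except ValueError`` did not catch.
      * The strings ``'true'`` / ``'false'`` are kept bare.
      * Anything ``int()`` accepts (numeric strings, ints) is kept as-is.
      * Every other value is wrapped in double quotes.

    Raises:
        ValueError: if a key maps to an empty list (no value to keep).
    """
    normalized = {}
    for key, value in metadata.items():
        if isinstance(value, list):
            if not value:
                raise ValueError('metadata key {!r} has no value'.format(key))
            value = value[0]

        if value in ('true', 'false'):
            normalized[key] = value
            continue

        try:
            int(value)
        except ValueError:
            # NOTE: double quotes inside the value are not escaped here, so a
            # value containing '"' produces malformed rule text downstream.
            normalized[key] = '"' + value + '"'
        else:
            normalized[key] = value
    return normalized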