def create_rule(self, rule_name): """ Create a new YaraRule object in the YaraBuilder Args: rule_name (str): the name of the rule to create """ if rule_name in self.yara_rules: raise KeyError('Rule with name "{0}" already exists'.format(rule_name)) self.logger.debug("Creating %s...", rule_name) self.yara_rules[rule_name] = YaraRule(rule_name, whitespace=self.whitespace)
def set_yara_rules(self, yara_rules): """ Set up a YaraBuilder object from a list of YaraRules Args: yara_rules (list): a list of the YaraRules """ for yara_rule in yara_rules: self.logger.debug("Setting %s...", yara_rule["rule_name"]) self.yara_rules[yara_rule["rule_name"]] = YaraRule(None) self.yara_rules[yara_rule["rule_name"]].set_yara_rule(yara_rule)
def test_yara_rule_init_custom_logger(self): logger = logging.getLogger("test") yara_rule = YaraRule(self.test_rule_name, logger=logger) self.assertEqual(yara_rule.logger, logger)
def setUp(self): self.test_rule_name = "test_rule" self.test_condition = "filesize > 0" self.yara_rule = YaraRule(self.test_rule_name) self.raw_rule = ""
class TestYaraRule(unittest.TestCase): def setUp(self): self.test_rule_name = "test_rule" self.test_condition = "filesize > 0" self.yara_rule = YaraRule(self.test_rule_name) self.raw_rule = "" def test_yara_rule_init(self): self.assertEqual(self.test_rule_name, self.yara_rule.rule_name) self.assertEqual(" ", self.yara_rule.whitespace) def test_yara_rule_init_custom_logger(self): logger = logging.getLogger("test") yara_rule = YaraRule(self.test_rule_name, logger=logger) self.assertEqual(yara_rule.logger, logger) def test_build_rule_no_condition(self): self.assertRaises(KeyError, self.yara_rule.build_rule) def test_build_rule_header(self): self.yara_rule.condition.add_raw_condition(self.test_condition) self.raw_rule = self.yara_rule.build_rule_header(self.raw_rule) self.assertEqual(self.raw_rule, "rule %s {\n" % self.test_rule_name) def test_build_rule_header_w_tags(self): self.yara_rule.condition.add_raw_condition(self.test_condition) self.yara_rule.tags.add_tag("test1") self.yara_rule.tags.add_tag("test2") self.raw_rule = self.yara_rule.build_rule_header(self.raw_rule) self.assertEqual(self.raw_rule, "rule %s : test1 test2 {\n" % self.test_rule_name) def test_build_rule_header_w_imports(self): self.yara_rule.condition.add_raw_condition(self.test_condition) self.yara_rule.imports.add_import("pe") self.yara_rule.imports.add_import("math") self.raw_rule = self.yara_rule.build_rule_header(self.raw_rule) self.assertEqual( self.raw_rule, 'import "pe"\nimport "math"\n\nrule %s {\n' % self.test_rule_name, ) def test_build_rule_strings_section(self): self.yara_rule.strings.add_anonymous_string("anon_test") self.yara_rule.strings.add_string("test_name1", "test_value1") self.yara_rule.strings.add_modifier("test_name1", "ascii") self.yara_rule.strings.add_modifier("test_name1", "wide") self.yara_rule.strings.add_string("test_name2", "test_value2") self.yara_rule.strings.add_modifier("test_name2", "nocase") self.raw_rule = self.yara_rule.build_rule_strings_section( self.raw_rule) self.assertEqual( self.raw_rule, ' strings:\n $ = "anon_test"\n ' '$test_name1 = "test_value1" ascii wide\n $test_name2 = "test_value2" nocase\n\n', ) def test_build_rule_condition_section(self): self.yara_rule.condition.raw_condition = "any of them" self.raw_rule = self.yara_rule.build_rule_condition_section( self.raw_rule) self.assertEqual(self.raw_rule, " condition:\n any of them\n}") def test_build_rule_meta_section(self): self.yara_rule.meta.add_meta("test_name1", "test_value1") self.yara_rule.meta.add_meta("test_name2", 10, meta_type="int") self.raw_rule = self.yara_rule.build_rule_meta_section(self.raw_rule) self.assertEqual( self.raw_rule, " meta:\n " 'test_name1 = "test_value1"\n ' "test_name2 = 10\n\n", ) def test_build_rule(self): self.yara_rule.meta.add_meta("description", "Generated by yarabuilder") self.yara_rule.strings.add_string("test_name", "test_value") self.yara_rule.condition.add_raw_condition("any of them") rule = self.yara_rule.build_rule() self.assertEqual( rule, "rule test_rule {\n meta:\n " 'description = "Generated by yarabuilder"\n\n ' 'strings:\n $test_name = "test_value"\n\n ' "condition:\n any of them\n}", ) def test_build_rule_twice(self): self.yara_rule.meta.add_meta("description", "Generated by yarabuilder") self.yara_rule.strings.add_string("test_name", "test_value") self.yara_rule.condition.add_raw_condition("any of them") rule = self.yara_rule.build_rule() rule = self.yara_rule.build_rule() self.assertEqual( rule, "rule test_rule {\n meta:\n " 'description = "Generated by yarabuilder"\n\n ' 'strings:\n $test_name = "test_value"\n\n ' "condition:\n any of them\n}", ) def test_get_yara_rule_no_condition(self): self.assertRaises(KeyError, self.yara_rule.get_yara_rule) def test_get_yara_rule(self): self.yara_rule.meta.add_meta("description", "Generated by yarabuilder") self.yara_rule.strings.add_string("test_name", "test_value") self.yara_rule.condition.add_raw_condition("any of them") self.yara_rule.imports.add_import("pe") self.yara_rule.tags.add_tag("test_tag") yara_rule = self.yara_rule.get_yara_rule() self.assertEqual(yara_rule["rule_name"], "test_rule") self.assertEqual(yara_rule["meta"]["description"][0]["value"], "Generated by yarabuilder") self.assertEqual(yara_rule["strings"]["test_name"]["value"], "test_value") self.assertEqual(yara_rule["condition"], "any of them") self.assertEqual(yara_rule["imports"][0], "pe") self.assertEqual(yara_rule["tags"][0], "test_tag") def test_set_yara_rule(self): self.yara_rule.set_yara_rule({ "condition": "any of them", "imports": ["pe"], "meta": collections.OrderedDict([( "description", [{ "meta_type": "text", "name": "description", "position": 0, "value": "Generated by yarabuilder", }], )]), "rule_name": "my_rule", "strings": collections.OrderedDict([ ( "@anon0", { "is_anonymous": True, "name": "@anon0", "str_type": "text", "value": "Anonymous string", }, ), ( "str", { "comment": { "inline": "example comment" }, "is_anonymous": False, "modifiers": ["ascii", "wide"], "name": "str", "str_type": "text", "value": "Named string", }, ), ( "@anon1", { "is_anonymous": True, "name": "@anon1", "str_type": "hex", "value": "DE AD BE EF", }, ), ( "@anon2", { "is_anonymous": True, "name": "@anon2", "str_type": "regex", "value": "regex[0-9]{2}", }, ), ]), "tags": ["yarabuilder"], }) self.assertEqual(self.yara_rule.rule_name, "my_rule") self.assertEqual(self.yara_rule.imports.imports, ["pe"]) self.assertEqual(self.yara_rule.tags.tags, ["yarabuilder"]) self.assertEqual(self.yara_rule.meta.meta["description"][0].value, "Generated by yarabuilder") self.assertEqual(self.yara_rule.strings.strings["str"].value, "Named string") self.assertEqual(self.yara_rule.condition.raw_condition, "any of them")