def test_compilation(self):
"""Ensure all real YARA rules compile correctly."""
compile_rules.compile_rules('compiled_yara_rules.bin')
rules = yara.load('compiled_yara_rules.bin')
num_rules_files = sum(1 for _ in compile_rules._find_yara_files())
# The number of compiled YARA rules should be >= the number of YARA rule files.
self.assertGreaterEqual(sum(1 for _ in rules), num_rules_files)
def _build_analyzer(target_directory: str) -> None:
"""Build the YARA analyzer Lambda deployment package."""
print('Creating analyzer deploy package...')
pathlib.Path(os.path.join(ANALYZE_SOURCE, 'main.py')).touch()
# Create a new copy of the core lambda directory to avoid cluttering the original.
temp_package_dir = os.path.join(tempfile.gettempdir(), 'tmp_yara_analyzer.pkg')
if os.path.exists(temp_package_dir):
shutil.rmtree(temp_package_dir)
os.mkdir(temp_package_dir)
for py_file in glob.glob(os.path.join(ANALYZE_SOURCE, '*.py')):
shutil.copy(py_file, temp_package_dir)
# Compile the YARA rules.
compile_rules(os.path.join(temp_package_dir, COMPILED_RULES_FILENAME))
# Extract the AWS-native dependencies into the package.
with zipfile.ZipFile(ANALYZE_DEPENDENCIES, 'r') as deps:
deps.extractall(temp_package_dir)
# Make UPX and yextend executable for everyone.
for executable in ['pdftotext', 'upx', 'yextend']:
path = os.path.join(temp_package_dir, executable)
os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
# Zip up the package and remove temporary directory.
shutil.make_archive(os.path.join(target_directory, ANALYZE_ZIPFILE), 'zip', temp_package_dir)
shutil.rmtree(temp_package_dir)
def _build_analyzer_callback(temp_package_dir: str) -> None:
"""Custom routine to execute before zipping up the analyzer package."""
compile_rules(
os.path.join(temp_package_dir, 'lambda_functions', 'analyzer',
COMPILED_RULES_FILENAME))
# Make UPX and yextend executable for everyone.
for executable in ['pdftotext', 'upx', 'yextend']:
path = os.path.join(temp_package_dir, executable)
os.chmod(
path,
os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
def _build_analyzer():
"""Build the YARA analyzer Lambda deployment package."""
# Create a new copy of the core lambda directory to avoid cluttering the original.
temp_package_dir = os.path.join(tempfile.gettempdir(),
'tmp_yara_analyzer.pkg')
if os.path.exists(temp_package_dir):
shutil.rmtree(temp_package_dir)
os.mkdir(temp_package_dir)
for py_file in glob.glob(os.path.join(ANALYZE_LAMBDA_SOURCE, '*.py')):
shutil.copy(py_file, temp_package_dir)
# Clone the YARA-rules repo and compile the YARA rules.
compile_rules(os.path.join(temp_package_dir, COMPILED_RULES_FILENAME))
# Extract the AWS-native Python deps into the package.
print('Creating analyzer deploy package...')
with zipfile.ZipFile(ANALYZE_LAMBDA_DEPENDENCIES, 'r') as deps:
deps.extractall(temp_package_dir)
# Zip up the package and remove temporary directory.
shutil.make_archive(ANALYZE_LAMBDA_PACKAGE, 'zip', temp_package_dir)
shutil.rmtree(temp_package_dir)
def compile_rules() -> None:
"""Compile all of the YARA rules into a single binary file."""
compile_rules.compile_rules(COMPILED_RULES_FILENAME)
print('Compiled rules saved to {}'.format(COMPILED_RULES_FILENAME))
def init():
global analyzer
compile_rules.compile_rules(COMPILED_RULES_FILENAME)
analyzer = yara_analyzer.YaraAnalyzer(COMPILED_RULES_FILENAME)
return ("OK", 200)
