    def create_rule(self, rule_name):
        """
        Register a fresh, empty YaraRule under ``rule_name``.

        Args:
            rule_name (str): name of the rule to create; it is used verbatim
                as the key in ``self.yara_rules`` and handed to ``YaraRule``
                as the rule identifier. NOTE(review): no identifier validity
                check happens here — confirm whether ``YaraRule`` performs one.

        Raises:
            KeyError: if a rule with this name is already registered
        """
        already_registered = rule_name in self.yara_rules
        if already_registered:
            message = 'Rule with name "{0}" already exists'.format(rule_name)
            raise KeyError(message)

        self.logger.debug("Creating %s...", rule_name)
        fresh_rule = YaraRule(rule_name, whitespace=self.whitespace)
        self.yara_rules[rule_name] = fresh_rule
    def set_yara_rules(self, yara_rules):
        """
        Populate the YaraBuilder from serialised rule dictionaries.

        Args:
            yara_rules (list): rule dictionaries (the shape ``get_yara_rule``
                produces); each entry must carry a ``"rule_name"`` key

        Raises:
            KeyError: if an entry has no ``"rule_name"`` key

        Unlike ``create_rule`` there is no duplicate check: an entry whose
        name is already present replaces the earlier rule.
        """

        for rule_dict in yara_rules:
            name = rule_dict["rule_name"]
            self.logger.debug("Setting %s...", name)
            # Register first, then fill in — keeps the same ordering as before
            # so a failing set_yara_rule leaves the placeholder registered.
            rebuilt = YaraRule(None)
            self.yara_rules[name] = rebuilt
            rebuilt.set_yara_rule(rule_dict)
 def test_yara_rule_init_custom_logger(self):
     """A logger passed to the constructor is stored on the rule unchanged."""
     custom_logger = logging.getLogger("test")
     rule = YaraRule(self.test_rule_name, logger=custom_logger)
     self.assertEqual(rule.logger, custom_logger)
 def setUp(self):
     """Build the fixture: an empty rule plus the constants the tests reuse."""
     self.test_rule_name = "test_rule"
     self.test_condition = "filesize > 0"
     self.raw_rule = ""
     self.yara_rule = YaraRule(self.test_rule_name)
class TestYaraRule(unittest.TestCase):
    """Unit tests for YaraRule: construction, per-section rendering, full
    rule building and dict round-tripping (get_yara_rule / set_yara_rule).

    Every test starts from a fresh, empty rule named ``test_rule`` (see
    ``setUp``). Rendered text is compared byte-for-byte, so the expected
    strings below double as a specification of the output format: 4-space
    indent, a blank line after each section, closing brace emitted by the
    condition section.

    NOTE(review): every fixture value is free of quotes and backslashes, so
    these tests do not show whether the builder escapes string/meta values
    before placing them inside the rule text; a case with such characters
    would close that gap.
    """

    # Text of the fully built reference rule (one meta, one string, one
    # condition); shared by the single- and double-build tests.
    _FULL_RULE = "\n".join([
        "rule test_rule {",
        "    meta:",
        '        description = "Generated by yarabuilder"',
        "",
        "    strings:",
        '        $test_name = "test_value"',
        "",
        "    condition:",
        "        any of them",
        "}",
    ])

    def setUp(self):
        """Build the fixture: an empty rule plus the constants the tests reuse."""
        self.test_rule_name = "test_rule"
        self.test_condition = "filesize > 0"
        self.raw_rule = ""
        self.yara_rule = YaraRule(self.test_rule_name)

    def _populate_reference_rule(self):
        """Add the meta/string/condition triple that ``_FULL_RULE`` renders."""
        rule = self.yara_rule
        rule.meta.add_meta("description", "Generated by yarabuilder")
        rule.strings.add_string("test_name", "test_value")
        rule.condition.add_raw_condition("any of them")

    def test_yara_rule_init(self):
        """The constructor stores the name and defaults whitespace to 4 spaces."""
        self.assertEqual(self.test_rule_name, self.yara_rule.rule_name)
        self.assertEqual(" " * 4, self.yara_rule.whitespace)

    def test_yara_rule_init_custom_logger(self):
        """A logger passed to the constructor is stored on the rule unchanged."""
        custom_logger = logging.getLogger("test")
        rule = YaraRule(self.test_rule_name, logger=custom_logger)
        self.assertEqual(rule.logger, custom_logger)

    def test_build_rule_no_condition(self):
        """A rule with no condition cannot be built (YARA requires one)."""
        with self.assertRaises(KeyError):
            self.yara_rule.build_rule()

    def test_build_rule_header(self):
        """The header is ``rule <name> {`` followed by a newline."""
        self.yara_rule.condition.add_raw_condition(self.test_condition)
        self.raw_rule = self.yara_rule.build_rule_header(self.raw_rule)
        expected = "rule {0} {{\n".format(self.test_rule_name)
        self.assertEqual(self.raw_rule, expected)

    def test_build_rule_header_w_tags(self):
        """Tags follow the name after `` : ``, separated by single spaces."""
        self.yara_rule.condition.add_raw_condition(self.test_condition)
        for tag in ("test1", "test2"):
            self.yara_rule.tags.add_tag(tag)
        self.raw_rule = self.yara_rule.build_rule_header(self.raw_rule)
        expected = "rule {0} : test1 test2 {{\n".format(self.test_rule_name)
        self.assertEqual(self.raw_rule, expected)

    def test_build_rule_header_w_imports(self):
        """Imports precede the header, one per line, then one blank line."""
        self.yara_rule.condition.add_raw_condition(self.test_condition)
        for module_name in ("pe", "math"):
            self.yara_rule.imports.add_import(module_name)
        self.raw_rule = self.yara_rule.build_rule_header(self.raw_rule)
        expected = "\n".join([
            'import "pe"',
            'import "math"',
            "",
            "rule {0} {{".format(self.test_rule_name),
            "",
        ])
        self.assertEqual(self.raw_rule, expected)

    def test_build_rule_strings_section(self):
        """Anonymous strings render as ``$ = ...``; modifiers follow the value."""
        strings = self.yara_rule.strings
        strings.add_anonymous_string("anon_test")
        strings.add_string("test_name1", "test_value1")
        strings.add_modifier("test_name1", "ascii")
        strings.add_modifier("test_name1", "wide")
        strings.add_string("test_name2", "test_value2")
        strings.add_modifier("test_name2", "nocase")
        self.raw_rule = self.yara_rule.build_rule_strings_section(self.raw_rule)
        expected = "\n".join([
            "    strings:",
            '        $ = "anon_test"',
            '        $test_name1 = "test_value1" ascii wide',
            '        $test_name2 = "test_value2" nocase',
            "",
            "",
        ])
        self.assertEqual(self.raw_rule, expected)

    def test_build_rule_condition_section(self):
        """The condition section is followed directly by the closing brace."""
        self.yara_rule.condition.raw_condition = "any of them"
        self.raw_rule = self.yara_rule.build_rule_condition_section(self.raw_rule)
        expected = "\n".join(["    condition:", "        any of them", "}"])
        self.assertEqual(self.raw_rule, expected)

    def test_build_rule_meta_section(self):
        """Text meta values are quoted; ``meta_type="int"`` values are not."""
        meta = self.yara_rule.meta
        meta.add_meta("test_name1", "test_value1")
        meta.add_meta("test_name2", 10, meta_type="int")
        self.raw_rule = self.yara_rule.build_rule_meta_section(self.raw_rule)
        expected = "\n".join([
            "    meta:",
            '        test_name1 = "test_value1"',
            "        test_name2 = 10",
            "",
            "",
        ])
        self.assertEqual(self.raw_rule, expected)

    def test_build_rule(self):
        """The full rule is header, meta, strings and condition in that order."""
        self._populate_reference_rule()
        built = self.yara_rule.build_rule()
        self.assertEqual(built, self._FULL_RULE)

    def test_build_rule_twice(self):
        """Building is repeatable: a second build_rule() yields the same text."""
        self._populate_reference_rule()
        self.yara_rule.build_rule()
        second_build = self.yara_rule.build_rule()
        self.assertEqual(second_build, self._FULL_RULE)

    def test_get_yara_rule_no_condition(self):
        """Serialising a rule without a condition is rejected like building it."""
        with self.assertRaises(KeyError):
            self.yara_rule.get_yara_rule()

    def test_get_yara_rule(self):
        """get_yara_rule() exposes each part of the rule as plain dicts/lists."""
        self._populate_reference_rule()
        self.yara_rule.imports.add_import("pe")
        self.yara_rule.tags.add_tag("test_tag")
        serialised = self.yara_rule.get_yara_rule()
        self.assertEqual(serialised["rule_name"], "test_rule")
        description = serialised["meta"]["description"][0]
        self.assertEqual(description["value"], "Generated by yarabuilder")
        self.assertEqual(serialised["strings"]["test_name"]["value"], "test_value")
        self.assertEqual(serialised["condition"], "any of them")
        self.assertEqual(serialised["imports"][0], "pe")
        self.assertEqual(serialised["tags"][0], "test_tag")

    def test_set_yara_rule(self):
        """set_yara_rule() rebuilds every part of the rule from a serialised dict."""

        def anonymous(name, str_type, value):
            # Shape of an anonymous string entry as get_yara_rule() emits it.
            return {
                "is_anonymous": True,
                "name": name,
                "str_type": str_type,
                "value": value,
            }

        description_meta = {
            "meta_type": "text",
            "name": "description",
            "position": 0,
            "value": "Generated by yarabuilder",
        }
        named_string = {
            "comment": {"inline": "example comment"},
            "is_anonymous": False,
            "modifiers": ["ascii", "wide"],
            "name": "str",
            "str_type": "text",
            "value": "Named string",
        }
        # Insertion order matters: it is the order strings appear in the rule.
        strings = collections.OrderedDict()
        strings["@anon0"] = anonymous("@anon0", "text", "Anonymous string")
        strings["str"] = named_string
        strings["@anon1"] = anonymous("@anon1", "hex", "DE AD BE EF")
        strings["@anon2"] = anonymous("@anon2", "regex", "regex[0-9]{2}")

        serialised = {
            "condition": "any of them",
            "imports": ["pe"],
            "meta": collections.OrderedDict([("description", [description_meta])]),
            "rule_name": "my_rule",
            "strings": strings,
            "tags": ["yarabuilder"],
        }
        self.yara_rule.set_yara_rule(serialised)

        rule = self.yara_rule
        self.assertEqual(rule.rule_name, "my_rule")
        self.assertEqual(rule.imports.imports, ["pe"])
        self.assertEqual(rule.tags.tags, ["yarabuilder"])
        self.assertEqual(rule.meta.meta["description"][0].value,
                         "Generated by yarabuilder")
        self.assertEqual(rule.strings.strings["str"].value, "Named string")
        self.assertEqual(rule.condition.raw_condition, "any of them")