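def generate_kwargs_from_parsed_rule(parsed_rule):
    """Build the keyword arguments used to save a rule from a plyara parse result.

    Args:
        parsed_rule: one rule dict as produced by ``Plyara().parse_string``;
            ``rule_name`` and ``condition_terms`` are required, every other
            key is optional and defaults to empty.

    Returns:
        dict with the keys ``name``, ``tags``, ``scopes``, ``imports``,
        ``comments``, ``metadata``, ``strings``, ``condition``,
        ``dependencies`` and ``logic_hash``.

    Raises:
        KeyError: if ``rule_name`` or ``condition_terms`` is missing.
    """
    name = parsed_rule['rule_name']
    tags = parsed_rule.get('tags', [])
    scopes = parsed_rule.get('scopes', [])

    # Shallow copy: the normalisation below rewrites values, and the caller's
    # parse result should not be modified as a side effect.
    # TODO : Update when Plyara moves to clean Python types
    metadata = dict(parsed_rule.get('metadata', {}))
    for key, value in metadata.items():
        # TEMP FIX - Use only a single instance of a metakey
        # until YaraGuardian models and functions can be updated.
        # This must run before the quoting step: int() on a list raises
        # TypeError, which the quoting step does not catch.
        if isinstance(value, list):
            if not value:
                continue  # nothing to pick from; leave the empty list as-is
            value = value[0]
            metadata[key] = value
        if value in ('true', 'false'):
            continue  # YARA booleans are stored verbatim
        try:
            int(value)  # integer literals are also stored verbatim
        except ValueError:
            # Everything else is re-quoted as a YARA string.
            # NOTE(review): plain wrapping does not escape an embedded '"' or
            # '\' in value; confirm upstream escaping before this text is
            # rendered back into rule source.
            metadata[key] = '"' + value + '"'

    strings = parsed_rule.get('strings', [])
    condition = parsed_rule['condition_terms']
    # TODO : Update when Plyara moves to stripping quotes from detect_imports module
    imports = [imp.strip('"') for imp in Plyara.detect_imports(parsed_rule)]
    comments = parsed_rule.get('comments', [])
    dependencies = Plyara.detect_dependencies(parsed_rule)
    # Calculate hash value of rule strings and condition
    logic_hash = Plyara.generate_logic_hash(parsed_rule)

    # dict.fromkeys() de-duplicates like set() but keeps first-seen order, so
    # the saved lists are deterministic between runs.
    return {
        'name': name,
        'tags': list(dict.fromkeys(tags)),
        'scopes': list(dict.fromkeys(scopes)),
        'imports': list(dict.fromkeys(imports)),
        'comments': list(dict.fromkeys(comments)),
        'metadata': metadata,
        'strings': strings,
        'condition': condition,
        'dependencies': dependencies,
        'logic_hash': logic_hash,
    }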
def test_detect_dependencies(self):
    """Each rule in the fixture ruleset reports the expected rule dependencies."""
    with open('tests/data/detect_dependencies_ruleset.yar', 'r') as f:
        ruleset_text = f.read()

    rules = Plyara().parse_string(ruleset_text)

    # Expected dependency list for each rule, by position in the fixture.
    expected_by_position = [
        [],
        [],
        [],
        ['is__osx', 'priv01', 'priv02', 'priv03', 'priv04'],
        ['is__elf', 'priv01', 'priv02', 'priv03', 'priv04'],
        ['is__elf', 'is__osx', 'priv01', 'priv02'],
        ['is__elf', 'is__osx', 'priv01'],
        ['is__elf'],
        ['is__osx', 'is__elf'],
        ['is__osx'],
        ['is__elf', 'is__osx'],
    ]
    for position, expected in enumerate(expected_by_position):
        self.assertEqual(Plyara.detect_dependencies(rules[position]), expected)
def test_detect_dependencies(self):
    """Each rule in the fixture ruleset reports the expected rule dependencies.

    The whole set of assertions runs inside ``assertWarns`` because
    ``detect_dependencies`` is expected to emit a DeprecationWarning.
    """
    fixture = data_dir.joinpath('detect_dependencies_ruleset.yar')
    with fixture.open('r') as fh:
        ruleset_text = fh.read()

    rules = Plyara().parse_string(ruleset_text)

    # Expected dependency list for each rule, by position in the fixture.
    expected_by_position = [
        [],
        [],
        [],
        ['is__osx', 'priv01', 'priv02', 'priv03', 'priv04'],
        ['is__elf', 'priv01', 'priv02', 'priv03', 'priv04'],
        ['is__elf', 'is__osx', 'priv01', 'priv02'],
        ['is__elf', 'is__osx', 'priv01'],
        ['is__elf'],
        ['is__osx', 'is__elf'],
        ['is__osx'],
        ['is__elf', 'is__osx'],
    ]
    with self.assertWarns(DeprecationWarning):
        for position, expected in enumerate(expected_by_position):
            self.assertEqual(Plyara.detect_dependencies(rules[position]), expected)