README
¶
gyp (go-yara-parser)
gyp is a Go library for parsing YARA rules. It uses the same grammar and lexer files as the original libyara to ensure that lexing and parsing work exactly like YARA. This library produces an Abstract Syntax Tree (AST) for the parsed YARA rules. Additionally, the AST can be serialized as a Protocol Buffer, which facilitate its manipulation in other programming languages.
Go Usage
The example below illustrates the usage of gyp, this a simple program that reads a YARA source file from the standard input, creates the corresponding AST, and writes the rules back to the standard output. The resulting output won't be exactly like the input, during the parsing and re-generation of the rules the text is reformatted and comments are lost.
package main
import (
"log"
"os"
"github.com/VirusTotal/gyp"
)
func main() {
ruleset, err := gyp.Parse(os.Stdin)
if err != nil {
log.Fatalf(`Error parsing rules: %v`, err)
}
if err = ruleset.WriteSource(os.Stdout); err != nil {
log.Fatalf(`Error writing rules: %v`, err)
}
}
Development
Setup development environment (Linux)
- Install the required packages using your package manager (
aptis assumed in the following example):
apt update && apt install \
automake \
bison \
help2man \
m4 \
texinfo \
texlive
- Install golang following the provided installation instructions.
- Install golang protobuf package following the provided installation instructions.
- Install the project dependencies:
go get golang.org/x/tools/cmd/goyaccgo get github.com/pebbe/flexgo/...- Add the environment variable
FLEXGO, pointing out to the flexgo folder in your Go workspace (e.g.,$HOME/go/src/github.com/pebbe/flexgo). cd ${FLEXGO} && ./configure && cd -make -C ${FLEXGO} && make -C ${FLEXGO} install
Build project
The Makefile includes targets for quickly building the parser and lexer and the data protocol buffer, as well as the y2j and j2y command-line tools:
- Build rulesets parser and lexer:
make grammar - Build hex strings parser and lexer:
make hexgrammar - Build ruleset protocol buffer:
make proto - Build
y2jtool:make y2j - Build
j2ytool:make j2y
License and third party code
This project uses code from yara-parser by Northern-Lights, which is available under the MIT license (see LICENSES_THIRD_PARTIES).
Documentation
¶
Overview ¶
Package gyp provides a pure Go parser for YARA rules.
For example, you can parse YARA rules from a string:
ruleset, err := gyp.ParseString("rule test { condition: true }")
Or from a io.Reader:
ruleset, err := gyp.Parse(os.Stdin)
The rules can be written to source again:
err := ruleset.WriteSource(os.Stdout)
Or you can iterate over the rules and inspect their attributes:
for _, rule := ruleset.Rules {
fmt.Println(rule.Identifier)
}
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type YaraSerializer ¶
type YaraSerializer struct {
// contains filtered or unexported fields
}
YaraSerializer converts a RuleSet from proto to YARA ruleset. Contains configuration options.
func NewSerializer ¶
func NewSerializer(w io.Writer) *YaraSerializer
NewSerializer returns a YaraSerializer that writes the serialization output to w.
func (*YaraSerializer) Serialize ¶
func (ys *YaraSerializer) Serialize(rs *pb.RuleSet) error
Serialize converts the provided RuleSet proto to a YARA ruleset.
func (*YaraSerializer) SerializeExpression ¶
func (ys *YaraSerializer) SerializeExpression(e *pb.Expression) error
SerializeExpression serializes an Expression in a YARA rule condition.
func (*YaraSerializer) SerializeStringValue ¶
func (ys *YaraSerializer) SerializeStringValue(str *pb.String) error
Serializes the value of a string in a YARA rule.
func (*YaraSerializer) SetIndent ¶
func (ys *YaraSerializer) SetIndent(indent string)
SetIndent sets the indentation string used for each indentation level. Default value: 2 whitespaces.
Source Files
Directories