#parser #yara #pattern-matching #boreal #yara-parser #yara-scanner

boreal-parser

A parser library for YARA files, intended for use with the boreal library

6 releases (breaking)

0.6.0 Jun 9, 2024
0.5.0 Feb 16, 2024
0.4.0 Feb 11, 2024
0.3.0 Sep 12, 2023
0.1.0 Dec 4, 2022

#1616 in Parser implementations

Download history: weekly download counts from 2024-12-19 to 2025-04-03 (chart)

273 downloads per month
Used in 2 crates (via boreal)

MIT/Apache

295KB
8K SLoC

Parser for YARA rules.

This crate is designed to be used by the boreal crate.

Its main entry point is the parse function, which takes the text of a YARA file and returns its parsed components (imports and rules, each node carrying a byte-offset span into the input) or a parse error. The example below parses a small file and checks the resulting AST:

use boreal_parser::*;
use boreal_parser::expression::*;
use boreal_parser::file::*;
use boreal_parser::rule::*;

fn main() {
    // Spans in the AST are byte ranges into this exact input. The raw string
    // starts with a newline, so `import "pe"` begins at offset 1, not 0.
    let file = parse(r#"
import "pe"

private rule b : tag1 {
    meta:
        a = true
    strings:
        $b = "\\mspaint.exe" wide
    condition:
        pe.is_dll() and all of them
}"#)
    .expect("the rule above is valid YARA");

    // First component: the `import "pe"` statement.
    assert_eq!(
        file.components[0],
        YaraFileComponent::Import(Import {
            name: "pe".to_owned(),
            span: 1..12,
        })
    );

    // Second component: the rule, with its tags, metadata, string
    // declarations (the YARA escape `\\` is already unescaped to one
    // backslash) and the condition expression tree.
    assert_eq!(
        file.components[1],
        YaraFileComponent::Rule(Box::new(Rule {
            name: "b".to_owned(),
            name_span: 27..28,
            tags: vec![RuleTag {
                tag: "tag1".to_owned(),
                span: 31..35
            }],
            metadatas: vec![Metadata {
                name: "a".to_owned(),
                value: MetadataValue::Boolean(true)
            }],
            variables: vec![VariableDeclaration {
                name: "b".to_owned(),
                value: VariableDeclarationValue::Bytes(b"\\mspaint.exe".to_vec()),
                modifiers: VariableModifiers {
                    wide: true,
                    ..Default::default()
                },
                span: 86..111,
            }],

            // `pe.is_dll() and all of them`: an And node whose operands are
            // a module identifier access followed by a call, and a `for`
            // quantifier over the (empty, meaning "all strings") variable set.
            condition: Expression {
                expr: ExpressionKind::And(vec![
                    Expression {
                        expr: ExpressionKind::Identifier(Identifier {
                            name: "pe".to_owned(),
                            name_span: 135..137,
                            operations: vec![
                                IdentifierOperation {
                                    op: IdentifierOperationType::Subfield(
                                        "is_dll".to_owned()
                                    ),
                                    span: 137..144,
                                },
                                IdentifierOperation {
                                    op: IdentifierOperationType::FunctionCall(vec![]),
                                    span: 144..146,
                                }
                            ],
                        }),
                        span: 135..146,
                    },
                    Expression {
                        expr: ExpressionKind::For {
                            selection: ForSelection::All,
                            set: VariableSet { elements: vec![] },

                            body: None,
                        },
                        span: 151..162,
                    }
                ]),
                span: 135..162
            },
            is_private: true,
            is_global: false,
        }))
    );
}
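The spans in the AST above are plain byte ranges into the input, so anything built on the parser (a linter, an editor integration, an error reporter) has to map them back to line and column itself. The following is an added example, not code from the boreal-parser crate: it uses only the standard library, takes the YARA text and the span values from the parse example above, verifies that each span covers the text it is supposed to, and renders each one as a compiler-style diagnostic with the source line and a caret underline.

```rust
// Added example (not part of boreal-parser): resolve the byte spans that the
// parser attaches to AST nodes back to line/column and source text, the way
// a rule linter or editor plugin would report them. Standard library only;
// the YARA source and span values are those of the parse example above.

/// Line and column (both 1-based, column counted in bytes) of a byte offset.
fn line_col(src: &str, offset: usize) -> (usize, usize) {
    let before = &src[..offset];
    let line = before.matches('\n').count() + 1;
    // Column is measured from the character after the last newline.
    let col = offset - before.rfind('\n').map_or(0, |i| i + 1) + 1;
    (line, col)
}

/// A rustc-style rendering of one span: `line:col: label`, then the source
/// line, then the spanned text underlined with carets.
fn render_span(src: &str, span: std::ops::Range<usize>, label: &str) -> String {
    let (line, col) = line_col(src, span.start);
    let line_text = src.lines().nth(line - 1).unwrap_or("");
    let underline = format!("{}{}", " ".repeat(col - 1), "^".repeat(span.len().max(1)));
    format!("{line}:{col}: {label}\n  | {line_text}\n  | {underline}")
}

/// The rule from the example above. It starts with a newline, so every
/// offset is shifted by one relative to the first visible line.
const YARA_SRC: &str = r#"
import "pe"

private rule b : tag1 {
    meta:
        a = true
    strings:
        $b = "\\mspaint.exe" wide
    condition:
        pe.is_dll() and all of them
}"#;

/// Spans taken from the AST above, paired with the text each should cover.
const SPANS: &[(std::ops::Range<usize>, &str)] = &[
    (1..12, "import \"pe\""),
    (27..28, "b"),
    (31..35, "tag1"),
    (86..111, "$b = \"\\\\mspaint.exe\" wide"),
    (135..146, "pe.is_dll()"),
    (151..162, "all of them"),
];

fn main() {
    for (span, expected) in SPANS {
        // Check that the span really selects the expected source text.
        assert_eq!(&YARA_SRC[span.clone()], *expected);
        println!("{}\n", render_span(YARA_SRC, span.clone(), expected));
    }
}
```

Because the raw-string input begins with a newline, `import "pe"` lands on line 2 and the rule name `b` on line 4 column 14; a reporter that counts from the first visible line instead of from the real input start will be off by one line, which is the classic bug this mapping avoids.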


boreal-parser

This crate provides a parser for YARA files.


Overview

This crate is designed to be used by the boreal crate, which implements evaluation of YARA rules.

YARA version supported

All syntax available in YARA 4.5 is handled.

Dependencies

~2.1–9MB
~72K SLoC