yara-rust
Bindings for the Yara library from VirusTotal.
More documentation can be found on the Yara's documentation.
Example
The implementation is inspired from yara-python.
const RULES: &str = r#"
rule contains_rust {
strings:
$rust = "rust" nocase
condition:
$rust
}
"#;
fn main() {
let compiler = Compiler::new().unwrap();
compiler.add_rules_str(RULES)
.expect("Should have parsed rule");
let rules = compiler.compile_rules()
.expect("Should have compiled rules");
let results = rules.scan_mem("I love Rust!".as_bytes(), 5)
.expect("Should have scanned");
assert!(results.iter().any(|r| r.identifier == "contains_rust"));
}
Features
- Support from Yara v4.1.
- Compile rules from strings or files.
- Save and load compiled rules.
- Scan byte arrays (
&[u8]
) or files.
Feature flags and Yara linking.
Look at the yara-sys crate documentation for a list of feature flags and how to link to your Yara crate.
TODO
- Remove some
unwrap
on string conversions (currently this crate assume the rules, meta and namespace identifier are valid Rust'sstr
). - Accept
AsRef<Path>
instead of&str
on multiple functions. - Implement the scanner API.
- Add process scanning.
- Report the warnings to the user.
License
Licensed under either of
- Apache License, Version 2.0, (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.
Contributing
Please follow the conventional commit rules when committing to this repository.
If you add any new feature, add the corresponding unit/doc tests.