module yara_rule_builder

Builds bare-bones YARA rules to match strings and regex patterns.

Example rule string:

rule Just_A_Piano_Man {
     meta:
         author           = "Tim"
     strings:
         $hilton_producer = /Scott.*Storch/
     condition:
         $hilton_producer
}

Global Variables

  • YARALYZE
  • HEX
  • PATTERN
  • REGEX
  • RULE
  • UNDERSCORE
  • YARA_REGEX_MODIFIERS
  • SAFE_LABEL_REPLACEMENTS
  • RULE_TEMPLATE
  • BYTES_RULE_TEMPLATE

function yara_rule_string

yara_rule_string(
    pattern: str,
    pattern_type: Literal['hex', 'regex'] = 'regex',
    rule_name: str = 'yaralyze',
    pattern_label: Optional[str] = 'pattern',
    modifier: Optional[Literal['ascii', 'fullword', 'nocase', 'wide']] = None
) → str

Build a YARA rule string for a given pattern.

Args:

  • pattern (str): The string or regex pattern to match.
  • pattern_type (str): Either "regex" or "hex". Default is "regex".
  • rule_name (str): The name of the YARA rule. Default is "yaralyze".
  • pattern_label (Optional[str]): The label for the pattern in the YARA rule. Default is "pattern".
  • modifier (Optional[str]): Optional regex modifier (e.g. 'nocase', 'ascii', 'wide', 'fullword'). Only valid if pattern_type is "regex".

Returns:

  • str: The constructed YARA rule as a string.

function build_yara_rule

build_yara_rule(
    pattern: str,
    pattern_type: Literal['hex', 'regex'] = 'regex',
    rule_name: str = 'yaralyze',
    pattern_label: Optional[str] = 'pattern',
    modifier: Optional[Literal['ascii', 'fullword', 'nocase', 'wide']] = None
) → Rule

Build a compiled yara.Rule object.

Args:

  • pattern (str): The string or regex pattern to match.
  • pattern_type (str): Either "regex" or "hex". Default is "regex".
  • rule_name (str): The name of the YARA rule. Default is "yaralyze".
  • pattern_label (Optional[str]): The label for the pattern in the YARA rule. Default is "pattern".
  • modifier (Optional[str]): Optional regex modifier (e.g. 'nocase', 'ascii', 'wide', 'fullword'). Only valid if pattern_type is "regex".

Returns:

  • yara.Rule: Compiled YARA rule object.

function safe_label

safe_label(_label: str) → str

Sanitizes a label for use in a rule. YARA rule and pattern names can only contain alphanumeric characters and underscores.

Args:

  • _label (str): The label to sanitize.

Returns:

  • str: A sanitized label safe for use in YARA rules.
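
Building rule text from caller-supplied names and patterns means the label, the regex delimiter and the hex body each need checking before they reach the YARA compiler. The sketch below is an added example, not yaralyzer's own code: TEMPLATE, sanitize_label, render_regex, render_hex and rule_text are hypothetical names, and the hex check accepts only a subset of YARA's hex syntax.

```python
import re

# Layout follows the example rule on this page; this template is an assumption.
TEMPLATE = ("rule {name} {{\n    strings:\n        ${label} = {body}\n"
            "    condition:\n        ${label}\n}}\n")
MODIFIERS = {"ascii", "fullword", "nocase", "wide"}  # modifiers listed on this page
HEX_TOKEN = re.compile(r"[0-9A-Fa-f?]{2}")  # one byte; '?' is a nibble wildcard


def sanitize_label(label: str) -> str:
    """Map arbitrary text to a legal YARA identifier (reserved words not checked)."""
    cleaned = re.sub(r"[^A-Za-z0-9_]", "_", label)
    if not cleaned or cleaned[0].isdigit():  # identifiers cannot start with a digit
        cleaned = "_" + cleaned
    return cleaned[:128]  # rule identifiers are limited to 128 characters


def render_regex(pattern: str) -> str:
    """Wrap a regex in /.../, escaping any '/' that would end the literal early."""
    if "\n" in pattern or "\r" in pattern:
        raise ValueError("regex must be a single line")
    out, escaped = [], False
    for ch in pattern:
        out.append("\\/" if ch == "/" and not escaped else ch)
        escaped = ch == "\\" and not escaped
    if escaped:
        raise ValueError("trailing backslash would escape the closing '/'")
    return "/" + "".join(out) + "/"


def render_hex(pattern: str) -> str:
    """Accept only whitespace-separated byte tokens (a subset of YARA hex syntax)."""
    tokens = pattern.split()
    if not tokens or not all(HEX_TOKEN.fullmatch(t) for t in tokens):
        raise ValueError("hex pattern must be byte pairs such as 'DE AD ?? EF'")
    return "{ " + " ".join(tokens) + " }"


def rule_text(pattern, pattern_type="regex", name="example", label="pattern", modifier=None):
    """Assemble rule source text from untrusted inputs."""
    if pattern_type == "hex":
        if modifier is not None:
            raise ValueError("modifiers apply only to regex patterns")
        body = render_hex(pattern)
    elif pattern_type == "regex":
        if modifier is not None and modifier not in MODIFIERS:
            raise ValueError(f"unsupported modifier: {modifier}")
        body = render_regex(pattern) + (f" {modifier}" if modifier else "")
    else:
        raise ValueError(f"unknown pattern_type: {pattern_type}")
    return TEMPLATE.format(name=sanitize_label(name), label=sanitize_label(label), body=body)
```

The returned text can be handed to a YARA compiler; rejecting malformed input here gives a clearer error than a compile failure on the assembled rule.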

This file was automatically generated via lazydocs.