Add ability to use a dictionary when specifying Externals in yara-python #134
Comments
|
Apologies if I should have submitted this to the base YARA repo instead - please migrate it if necessary, or I can recreate there. |
|
This has come up again in a discussion at $dayjob, I was wondering if this feature is possible/desirable or if there's some aspect of it that means its unlikely to ever be done (e.g. it is in conflict with the core way that the externals work). |
|
This is doable but not easy. The reason is that external variables and variables defined by modules are not implemented in the same way, and they have different requirements. I'm leaving this issue open because it would be a nice addition, but I don't think I'm implementing it soon. |
|
OK - thanks for the heads up 👍 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
TLDR; Would it be possible to add Lists & Dictionaries as allowed types for Yara-python externals?
--
I've recently been looking at various ways to use the rich pattern matching and conditions from YARA to non-file use cases (e.g. where you just have metadata about a file, or an event, or anything really).
One thing that would be useful in my work is that sometimes I'm taking output from a tool which is by default a dictionary.
Since other native modules to YARA (such as PE) appear to effectively have dictionary structures available, would it be possible to allow use of dictionaries/lists in externals?
Then I could have say:
Where each entry in Events is a dictionary, and then rules that look like this:
Or a simpler case:
And then rules like:
--
Im not sure how plausible these suggestions are, or if they would be easier to implement in yara 4?
Cheers,
Tom
The text was updated successfully, but these errors were encountered: