{"id":13706157,"url":"https://github.com/CIRCL/yara-validator","last_synced_at":"2025-05-05T19:34:38.761Z","repository":{"id":139221796,"uuid":"101896514","full_name":"CIRCL/yara-validator","owner":"CIRCL","description":"Validates yara rules and tries to repair the broken ones.","archived":false,"fork":false,"pushed_at":"2020-09-05T04:57:43.000Z","size":30,"stargazers_count":39,"open_issues_count":0,"forks_count":7,"subscribers_count":13,"default_branch":"master","last_synced_at":"2025-05-01T10:11:30.984Z","etag":null,"topics":["dfir","yara","yara-rules"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CIRCL.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-08-30T15:12:33.000Z","updated_at":"2024-09-21T12:42:41.000Z","dependencies_parsed_at":"2024-01-21T20:48:46.729Z","dependency_job_id":"1ffab747-fe43-4dd5-9280-012b6c9b1123","html_url":"https://github.com/CIRCL/yara-validator","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CIRCL%2Fyara-validator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CIRCL%2Fyara-validator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CIRCL%2Fyara-validator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CIRCL%2Fyara-validator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CIRCL","download_url":"https://codeload.github.com/CIRCL/yara-
validator/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252563161,"owners_count":21768413,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dfir","yara","yara-rules"],"created_at":"2024-08-02T22:00:52.668Z","updated_at":"2025-05-05T19:34:38.484Z","avatar_url":"https://github.com/CIRCL.png","language":"Python","readme":"# yara-validator\n\nValidates yara rules and tries to repair the broken ones.\n\n## Requirements\n  * Python 2.7+ or 3.3+\n  * yara and yara-python (PRs [VirusTotal/yara-python#58](https://github.com/VirusTotal/yara-python/pull/58) and [VirusTotal/yara#727](https://github.com/VirusTotal/yara/pull/727) are recommended because they support include_callback, allowing use without requiring disk write access)\n\n## Installation\n\n### Python3\n\n```bash\nsudo python3 setup.py install\n```\n### Python2\n\n```bash\nsudo python setup.py install\n```\n\n## Usage\n```python\nimport yara_validator\n\nvalidator = yara_validator.YaraValidator(auto_clear=False)\nvalidator.add_rule_source(u'rule FirstRule{condition: true}', 'namespace_1','first.yara')\nvalidator.add_rule_source(u'include \"first.yara\" rule SecondRule{condition: true}')\nvalidator.add_rule_file('/path/to/third.yara','namespace_1')\nvalid, broken, repaired = validator.check_all()\n\nprint('===== VALID RULES =====')\nfor rule in valid:\n    print(u'{}'.format(rule.source))\nprint('===== BROKEN RULES =====')\nfor rule in broken:\n    print(u'{}'.format(rule.source))\nprint('===== REPAIRED RULES =====')\nfor rule in repaired:\n    
print(u'{}'.format(rule.source))\n\nvalidator.clear_tmp()\n```\nOptional parameters for `YaraValidator.__init__()`:\n * `disk_buffering`: if set to True, allows the tool to use a temporary directory to copy sources and files before validation (requires write access to that directory). If set to False, nothing will be written to disk (requires a yara version supporting include_callback). If not set, will default to False if your yara version supports it, True otherwise.\n * `tmp_dir`: if `disk_buffering` is activated, forces the location of the temporary directory. Defaults to the OS's temp directory.\n * `auto_clear`: if `disk_buffering` is activated, deletes the temporary directory once the `YaraValidator` object is destroyed. Defaults to False. Manual deletion can be done with `clear_tmp()`.\n\n`check_all()` can take one optional boolean parameter. If set to `True`, the suggested repairs will be automatically accepted: the repaired sources will be used instead of the original ones if any other rule includes them. 
**Setting this parameter to True may lead to rules not behaving as expected.**\nThis function returns three lists: the valid rules, the broken rules and the repaired rules.\nRules in the list are instances of `YaraRule` with the following properties:\n * `source`: source code\n * `namespace`: rule's namespace\n * `include_name`: name usable in Yara `include` directives\n * `status`: `YaraRule.STATUS_UNKNOWN`, `YaraRule.STATUS_VALID`, `YaraRule.STATUS_BROKEN` or `YaraRule.STATUS_REPAIRED`\n * `error_data`: if `STATUS_BROKEN` or `STATUS_REPAIRED`, contains the error message\n * `repaired_source`: if `STATUS_REPAIRED`, contains a YaraRule with the repaired `source` and `STATUS_VALID`\n","funding_links":[],"categories":["Tools","Reverse Engineering"],"sub_categories":["Yara"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCIRCL%2Fyara-validator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FCIRCL%2Fyara-validator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCIRCL%2Fyara-validator/lists"}