{"id":13706025,"url":"https://github.com/nccgroup/yaml2yara","last_synced_at":"2025-08-03T04:14:45.109Z","repository":{"id":70903547,"uuid":"120642291","full_name":"nccgroup/yaml2yara","owner":"nccgroup","description":"Generate bulk YARA rules from YAML input","archived":false,"fork":false,"pushed_at":"2020-02-03T13:21:42.000Z","size":39,"stargazers_count":22,"open_issues_count":0,"forks_count":5,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-04-04T07:51:09.614Z","etag":null,"topics":["yaml","yara","yara-signatures"],"latest_commit_sha":null,"homepage":"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/tool-release-yaml2yara/","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nccgroup.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-02-07T16:40:55.000Z","updated_at":"2024-10-16T02:19:28.000Z","dependencies_parsed_at":"2023-02-21T23:15:45.000Z","dependency_job_id":null,"html_url":"https://github.com/nccgroup/yaml2yara","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fyaml2yara","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fyaml2yara/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fyaml2yara/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fyaml2yara/manifests","owner_url":"https://repos.ecosyste.ms/api/
v1/hosts/GitHub/owners/nccgroup","download_url":"https://codeload.github.com/nccgroup/yaml2yara/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250931004,"owners_count":21509796,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["yaml","yara","yara-signatures"],"created_at":"2024-08-02T22:00:51.462Z","updated_at":"2025-04-26T04:31:10.218Z","avatar_url":"https://github.com/nccgroup.png","language":"HTML","funding_links":[],"categories":["Tools"],"sub_categories":[],"readme":"# Introduction\n\nReleased as open source by NCC Group Plc - http://www.nccgroup.com/\n\nDeveloped by David Cannings (@edeca) \u003cdavid.cannings@nccgroup.com\u003e\n\nhttp://www.github.com/nccgroup/yaml2yara\n\nThis project is released under the AGPL license.  Please see LICENSE for more information.\n\n# Overview\n\nThis repository contains a script that will create custom detection rules from YAML input.\n\nIt is used to automatically generate the same rule for multiple pieces of input data, for example:\n\n * Rules to detect stolen code signing certificates.\n * Rules to detect known vulnerable OLE components in exploit documents.\n * Rules to detect known bad resources (icons, dialogs etc).\n\nThis decouples the rule logic and data to match, meaning that bulk rules can be updated easily to optimise them or take advantage of new YARA features.\n\nIt was initially designed to generate Yara rules.  
However, this could easily be expanded to any other format (MAEC, Suricata rules) with new templates.\n\n# Aims\n\nThe aims are to:\n\n * Store useful data in a human-readable format.\n * Generate rules with minimal fuss.\n * Produce output which can be fed into your favourite source code management tool (Git, Mercurial, etc.).\n\n# Dependencies\n\nAll required dependencies can be installed using pip:\n\n     pip install -r Requirements.txt\n\n# Usage\n\nSome sample data files and templates are included in the repository.  Example usage:\n\n    ./generate.py --template authenticode --input sample_data/authenticode/stolen_certs.yaml\n    ./generate.py --template office_exploits --input sample_data/office_exploits/ole.yaml\n    ./generate.py --template resources --input sample_data/resources/malware.yaml\n\nThe output can also be modified with `--tag`, which will add [rule tags](http://yara.readthedocs.io/en/latest/writingrules.html#rule-tags) to each generated rule:\n\n    ./generate.py --template authenticode --tag authenticode --input sample_data/authenticode/stolen_certs.yaml\n\nA `--prefix` option is also available, which will name all rules:\n\n    ./generate.py --template office_exploits --prefix exploit --input sample_data/office_exploits/ole.yaml\n\nHelp is available; see `./generate.py --help`.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnccgroup%2Fyaml2yara","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnccgroup%2Fyaml2yara","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnccgroup%2Fyaml2yara/lists"}