Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/frosit/yar-parser

An experimental .yar file parser for PHP compatibility
https://github.com/frosit/yar-parser

Last synced: 3 months ago
JSON representation

An experimental .yar file parser for PHP compatibility

Host: GitHub
URL: https://github.com/frosit/yar-parser
Owner: frosit
License: gpl-3.0
Created: 2017-02-26T03:54:52.000Z (over 7 years ago)
Default Branch: master
Last Pushed: 2017-02-26T03:59:00.000Z (over 7 years ago)
Last Synced: 2024-07-19T03:50:35.812Z (4 months ago)
Language: PHP
Size: 28.3 KB
Stars: 6
Watchers: 2
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        Yar Component

==============

> An experimental yara file parser for php compatibility

This repository contains an experimental parser for yara's .yar format.

It's meant to support at least the magento-malware-repository and tries to support as much as possible from the yara spec.

Complimentary PHP based scanners are available.

__note:__ unstable / unfinished

## Example

a default .yar example to parse

```

rule silent_banker : banker

{

    meta:

        description = "This is just an example"

        thread_level = 3

        in_the_wild = true

    strings:

        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}

        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}

        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:

        $a or $b or $c

}

```

### output in Json

```json

[

  {

    "name": "silent_banker",

    "tags": {

      "1": "banker"

    },

    "meta": {

      "description": "This is just an example",

      "thread_level": "3",

      "in_the_wild": "true"

    },

    "strings": [

      {

        "value": "{6A 40 68 00 30 00 00 6A 14 8D 91}",

        "name": "a",

        "type": "hex",

        "tags": null

      },

      {

        "value": "{8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}",

        "name": "b",

        "type": "hex",

        "tags": null

      },

      {

        "value": "UVODFRYSIHLNWPEJXQZAKCBGMT",

        "name": "c",

        "type": "string",

        "tags": null

      }

    ],

    "conditions": [

      "$a or $b or $c"

    ]

  }

]

```

### Yaml

_note:_ Somehow Symfony\yaml dumps it like this, it could be formatted way better

```yaml

name: silent_banker

tags: { 1: banker }

meta: { description: 'This is just an example', thread_level: '3', in_the_wild: 'true' }

strings: [{ value: '{6A 40 68 00 30 00 00 6A 14 8D 91}', name: a, type: hex, tags: null }, { value: '{8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}', name: b, type: hex, tags: null }, { value: UVODFRYSIHLNWPEJXQZAKCBGMT, name: c, type: string, tags: null }]

conditions: ['$a or $b or $c']

```

### XML

```xml

    

        silent_banker

        banker

        

            This is just an example

            3

            true

        

        

            {6A 40 68 00 30 00 00 6A 14 8D 91}

            a

            hex

            

        

        

            {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}

            b

            hex

            

        

        

            UVODFRYSIHLNWPEJXQZAKCBGMT

            c

            string

            

        

        $a or $b or $c

    

```

### Author

This library is part of a collection of Magento security solutions created by Fabio Ros (FROSIT).

### License

This software is licensed under the [AGPL-v3.0 License](http://www.gnu.org/licenses/agpl-3.0.html)