Support for new operators introduced in 4.1.0

Open jgrunzweig opened this issue 4 years ago • 3 comments

With the release of 4.1.0, a number of new operators were introduced (https://github.com/VirusTotal/yara/releases/tag/v4.1.0). At present, these operators do not appear to be supported in plyara:

```
> cat test.yar
import "vt"

rule test
{
    condition:
        file_name contains "something" or
        file_name icontains "something else"
}
```

```
>>> import plyara
>>> from plyara.utils import rebuild_yara_rule
>>> p = plyara.Plyara()
>>> parsed_rule = p.parse_string(open('test.yar', 'r').read())
>>> print(rebuild_yara_rule(parsed_rule[0]))
import "vt"

rule test
{
	condition:
		file_name contains "something" or file_nameicontains"something else"
}
```

I humbly request support for the icontains, endswith, iendswith, startswith, and istartswith operators that were introduced in 4.1.0.

My understanding is that it would simply require adding them to the keywords in https://github.com/plyara/plyara/blob/master/plyara/core.py#L79, but on the off chance more is required, I figured I'd raise an issue.

Appreciate any help you can provide.

Thanks

jgrunzweig avatar May 18 '21 23:05 jgrunzweig
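
A token-level round-trip check that catches the corruption shown in the issue above before a rebuilt rule is written back to a detection repository. This is an added example, not plyara code and not part of the original issue; `tokens` and `check_roundtrip` are hypothetical helper names, and the tokenizer assumes rules without comments or regex literals, which it does not treat specially.

```python
import re
from collections import Counter

# Operators the issue lists as introduced in YARA 4.1.0.
NEW_OPERATORS = ("icontains", "endswith", "iendswith", "startswith", "istartswith")

# Quoted strings are matched first so whitespace inside them is preserved,
# then words (identifiers, keywords, numbers), then any other single symbol.
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|\w+|\S')


def tokens(rule_text):
    """Split rule text into tokens, ignoring layout (spaces, tabs, newlines)."""
    return TOKEN_RE.findall(rule_text)


def check_roundtrip(source, rebuilt):
    """Compare a rule's source with its rebuilt text, token by token."""
    src, out = tokens(source), tokens(rebuilt)
    mismatch = None
    for i in range(max(len(src), len(out))):
        a = src[i] if i < len(src) else None
        b = out[i] if i < len(out) else None
        if a != b:
            mismatch = (i, a, b)  # position, expected token, rebuilt token
            break
    have = Counter(out)
    lost = [op for op, n in Counter(src).items()
            if op in NEW_OPERATORS and have[op] < n]
    return {"ok": mismatch is None, "first_mismatch": mismatch, "lost_operators": lost}


# Sample inputs: the rule and the rebuilt output quoted in the issue above.
SOURCE = '''import "vt"

rule test
{
    condition:
        file_name contains "something" or
        file_name icontains "something else"
}
'''
REBUILT = '''import "vt"

rule test
{
\tcondition:
\t\tfile_name contains "something" or file_nameicontains"something else"
}
'''

if __name__ == "__main__":
    print(check_roundtrip(SOURCE, REBUILT))
```

Layout-only differences (tabs versus spaces, joined lines) pass; a merged or dropped token fails and the affected 4.1.0 operator is named in `lost_operators`.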

@jgrunzweig Thanks for the heads up! I'll get this done as soon as possible. If you have a PR for this, I can take a look. There are a couple more places than that one location where these operators will need to be implemented, and then a test case added. But it doesn't look too complicated.

utkonos avatar May 20 '21 23:05 utkonos

I've taken the liberty of creating a PR for this issue. PR #121

robert-phe avatar Oct 21 '21 10:10 robert-phe

@utkonos could you please have a look at this PR? I just ran into the same problem.

ruppde avatar Mar 04 '24 13:03 ruppde