Comments (9)
Hi Tom. This is likely also related to #12 as the rebuilt rule comes from the parsed rule data. I'm not sure that is actually a blocker for this though. Will take a look.
from plyara.
This should be fixed in plyara v1.2.4 with @Taskr's changes (#18).
Thanks for the issue, and let us know if you find any more problems.
Hi,
Yep - this fixes it.
Thanks for the fast turn around!
Tom
Hey,
I found an edge case (possibly more than one) where the current fix will not correctly parse a rule, for example:
rule test
{
    meta:
        field = "1"
        field = "2"
    condition:
        false
}
Will fail on this check with a TypeError:
# Check for and handle correctly quoting string metadata
for k, v in rule['metadata'].items():
    try:
        # int(v) raises TypeError (not ValueError) when v is a list
        if v in ('true', 'false') or int(v):
            pass
    except ValueError:
        v = '"{}"'.format(v)
An extra try/except would resolve the issue, like this:
    except TypeError:
        if isinstance(v, list):
            v = '"{}"'.format(v)
Cheers,
Tom
Interesting... is a list what you'd expect these fields to be parsed as? This is what our dict looks like now:
"metadata": {
    "field": [
        "1",
        "2"
    ]
},
Which means if all we do is v = '"{}"'.format(v), we'd end up with rebuild output like this:
    field = "[1, 2]"
At the least we'd need to handle splitting that back into
    field = 1
    field = 2
But more than that, I'm not sure it makes sense to represent this as a list in the parsed dict object. What's the general use case for this? I haven't seen duplicate meta fields used before.
Hi,
Yea good point.
I have a large repository of rules from multiple contributors, some contributors have included a list of hashes in their rules, and define each hash in the metadata using:
    hash = "$hash1"
    hash = "$hash2"
That's how I came across this case.
I agree it makes more sense to split them back into each line as the original rule had them to stay in the spirit of rebuilding the original rule as it was.
Cheers,
Tom
Got it. In that case, it sounds like using a list internally is OK, since it's meant to be a list of reference hashes.
@Taskr do you want to handle this piece? Or I can probably get to it sometime this week.
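The behaviour agreed on above (a repeated meta key is kept as a list internally and expanded back into one line per entry on rebuild, with the same bare/quoted decision as the snippet in the bug report), written out as an added example. This is not plyara's own code; the function names, the `indent` parameter and the parsed dict layout are assumptions made for illustration.

```python
# Added example (not plyara's own code): rebuild the `meta:` section of a
# YARA rule from a parsed metadata dict in which a key that appeared more
# than once has been collected into a list. The quoting rule mirrors the
# snippet in the bug report: `true`/`false` and integers stay bare, any
# other string is wrapped in double quotes; a list value expands to one
# line per element instead of a stringified Python list.
# Function names, the `indent` parameter and the dict layout are assumptions.


def _format_meta_value(value):
    """Return a single metadata value in YARA source form."""
    if isinstance(value, bool):          # bool first: bool is a subclass of int
        return 'true' if value else 'false'
    if isinstance(value, int):
        return str(value)
    text = str(value)
    if text in ('true', 'false'):
        return text
    try:
        int(text)                        # already a bare integer literal
        return text
    except ValueError:
        pass
    # Escape backslashes and embedded quotes so the rebuilt rule stays parseable.
    escaped = text.replace('\\', '\\\\').replace('"', '\\"')
    return '"{}"'.format(escaped)


def rebuild_meta_section(metadata, indent='    '):
    """Emit `key = value` lines for a parsed metadata dict.

    A list value (a key that appeared more than once in the original rule,
    e.g. several `hash = "..."` lines) becomes one line per element, so the
    rebuilt rule keeps the original repeated entries.
    """
    lines = []
    for key, value in metadata.items():
        values = value if isinstance(value, list) else [value]
        for item in values:
            lines.append('{}{} = {}'.format(indent, key, _format_meta_value(item)))
    return lines


def rebuild_rule(name, metadata, condition='false'):
    """Assemble a minimal rule with only a meta and a condition section."""
    body = ['rule {}'.format(name), '{', '    meta:']
    body.extend(rebuild_meta_section(metadata, indent='        '))
    body.extend(['    condition:', '        {}'.format(condition), '}'])
    return '\n'.join(body)


# Constructed input mirroring the thread's example: a repeated meta key
# parsed into a list, alongside a plain string and a bare integer string.
PARSED = {
    'author': 'tom',
    'version': '2',
    'field': ['1', '2'],
}

if __name__ == '__main__':
    print(rebuild_rule('test', PARSED))
```

Running it prints `field = 1` and `field = 2` on separate lines, which is the rebuilt form the thread settles on; a value such as `say "hi"` is emitted as `"say \"hi\""` so the rebuilt text can be parsed again.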
@rshipp @tlansec New pull should fix the issue. I completely blanked on the list of same metadata entries. Thanks for the input @tlansec. Also added a test case to verify it works correctly. Minimal changes to just the rebuild rule method so it won't impact any other part :)
Pushed as v1.2.5, let us know if you find anything else!