:py:mod:`dissect.target.plugins.filesystem.yara`
================================================

.. py:module:: dissect.target.plugins.filesystem.yara


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.filesystem.yara.YaraPlugin


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.plugins.filesystem.yara.process_rules
   dissect.target.plugins.filesystem.yara.compile_yara
   dissect.target.plugins.filesystem.yara.is_valid_yara


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.filesystem.yara.HAS_YARA
   dissect.target.plugins.filesystem.yara.log
   dissect.target.plugins.filesystem.yara.YaraMatchRecord
   dissect.target.plugins.filesystem.yara.DEFAULT_MAX_SCAN_SIZE


.. py:data:: HAS_YARA
   :value: True

.. py:data:: log

.. py:data:: YaraMatchRecord

.. py:data:: DEFAULT_MAX_SCAN_SIZE
   :value: 10485760

.. py:class:: YaraPlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Plugin to scan files against a local YARA rules file.

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists. Otherwise it should raise an :class:`UnsupportedPluginError`.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: yara(rules: list[str | pathlib.Path], path: str = '/', max_size: int = DEFAULT_MAX_SCAN_SIZE, check: bool = False, no_decompress: bool = False) -> collections.abc.Iterator[YaraMatchRecord]

      Scan files inside the target, up to a given maximum size, with one or more YARA rule files.

      :param rules: ``list`` of strings or ``Path`` objects pointing to the rule files to use.
      :param path: ``string`` of the absolute target path to scan.
      :param max_size: Files larger than this size (in bytes) are not scanned.
      :param check: Check whether the provided rules are valid; only valid rule files are compiled.
      :param no_decompress: Do not automatically decompress compressed files before scanning.
      :returns: Iterator yielding ``YaraMatchRecord`` records.

.. py:function:: process_rules(paths: list[str | pathlib.Path], check: bool = False) -> yara.Rules | None

   Generate compiled YARA rules from the given path(s).

   Provide the path to one (compiled) YARA file, or to a directory containing YARA files.

   :param paths: Path to file(s) or folder(s) containing YARA files.
   :param check: Attempt to compile every rule file before appending it to the rule set.
   :returns: Compiled YARA rules, or ``None``.

.. py:function:: compile_yara(files: dict[str, pathlib.Path] | pathlib.Path, is_compiled: bool = False) -> yara.Rules | None

   Compile or load the given YARA file(s) into rules.

.. py:function:: is_valid_yara(files: dict[str, pathlib.Path] | pathlib.Path, is_compiled: bool = False) -> bool

   Determine whether the given YARA file(s) compile without errors or warnings.
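The functions above describe a small pipeline: gather rule files, optionally verify each one compiles cleanly (``check``), compile or load them into a ``yara.Rules`` object, then scan only files below ``max_size``. The following is an added, stand-alone illustration of that pipeline written against yara-python; it is not the plugin's own code and does not use ``dissect.target``. The ``RULE_SUFFIXES`` set, the per-file namespacing, the ``collect_rule_files``/``iter_scan_candidates``/``scan``/``demo`` helpers and all sample rules and files are assumptions constructed for the example; ``HAS_YARA``, ``DEFAULT_MAX_SCAN_SIZE``, ``process_rules``, ``compile_yara`` and ``is_valid_yara`` mirror the names on the page but are reimplemented here.

```python
# Added example (not dissect.target's code): rule validation, compilation and
# size-limited scanning with yara-python, in the shape the page's API suggests.
from __future__ import annotations

import logging
import tempfile
from pathlib import Path
from typing import Iterator

try:
    import yara  # yara-python; this flag mirrors the page's HAS_YARA attribute
    HAS_YARA = True
except ImportError:  # stay importable without yara-python, as the plugin does
    HAS_YARA = False

log = logging.getLogger(__name__)
DEFAULT_MAX_SCAN_SIZE = 10485760  # 10 MiB, the page's default
RULE_SUFFIXES = {".yar", ".yara"}  # assumption: extensions treated as rule sources


def collect_rule_files(paths: list[str | Path]) -> list[Path]:
    """Expand files and directories into a sorted list of rule files."""
    files: list[Path] = []
    for raw in paths:
        p = Path(raw)
        if p.is_dir():
            files.extend(f for f in sorted(p.rglob("*")) if f.is_file() and f.suffix in RULE_SUFFIXES)
        elif p.is_file():
            files.append(p)
        else:
            log.warning("Rule path does not exist: %s", p)
    return files


def is_valid_yara(path: Path) -> bool:
    """True only if the file compiles with neither errors nor warnings."""
    if not HAS_YARA:
        return False
    try:
        yara.compile(filepath=str(path), error_on_warning=True)
        return True
    except yara.Error as exc:  # yara.SyntaxError and yara.WarningError derive from yara.Error
        log.warning("Skipping invalid rule file %s: %s", path, exc)
        return False


def compile_yara(files: list[Path], is_compiled: bool = False):
    """Load a pre-compiled rule set, or compile sources with one namespace per file."""
    if is_compiled:
        return yara.load(filepath=str(files[0]))
    # Per-file namespaces keep identically named rules in different files apart.
    return yara.compile(filepaths={str(f): str(f) for f in files})


def process_rules(paths: list[str | Path], check: bool = False):
    """Compiled rules, or None. Without check=True one broken file fails the whole compile."""
    if not HAS_YARA:
        log.error("yara-python is not installed; cannot compile rules")
        return None
    files = collect_rule_files(paths)
    if check:
        files = [f for f in files if is_valid_yara(f)]
    if not files:
        return None
    try:
        return compile_yara(files)
    except yara.Error as exc:
        log.error("Failed to compile rule set: %s", exc)
        return None


def iter_scan_candidates(root: Path, max_size: int = DEFAULT_MAX_SCAN_SIZE) -> Iterator[Path]:
    """Yield regular files under root that are no larger than max_size, in sorted order."""
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if p.stat().st_size > max_size:
            log.debug("Skipping %s: larger than %d bytes", p, max_size)
            continue
        yield p


def scan(rules, root: Path, max_size: int = DEFAULT_MAX_SCAN_SIZE) -> list[tuple[str, str]]:
    """(file name, rule name) for every match under root."""
    return [(p.name, m.rule) for p in iter_scan_candidates(root, max_size) for m in rules.match(filepath=str(p))]


def demo() -> dict:
    """Constructed rule set and file tree in a temp dir, run through the pipeline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        rules_dir, data = root / "rules", root / "data"
        rules_dir.mkdir(), data.mkdir()
        (rules_dir / "good.yar").write_text('rule marker { strings: $a = "CONSTRUCTED-TEST-MARKER" condition: $a }')
        (rules_dir / "broken.yar").write_text("rule broken { condition: $undefined }")  # compile error
        (data / "small.txt").write_bytes(b"hello CONSTRUCTED-TEST-MARKER")
        (data / "clean.txt").write_bytes(b"nothing to see")
        # Would match, but exceeds the 64-byte limit used below and so must be skipped.
        (data / "big.bin").write_bytes(b"CONSTRUCTED-TEST-MARKER" + b"\x00" * 200)
        candidates = [p.name for p in iter_scan_candidates(data, max_size=64)]
        valid = [p.name for p in collect_rule_files([rules_dir]) if is_valid_yara(p)]
        unchecked = process_rules([rules_dir], check=False)  # broken.yar poisons this compile
        checked = process_rules([rules_dir], check=True)
        hits = scan(checked, data, max_size=64) if checked is not None else []
        return {"has_yara": HAS_YARA, "candidates": candidates, "valid_rule_files": valid,
                "unchecked_compiles": unchecked is not None, "hits": hits}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())
```

Two points the run makes visible: with ``check=False`` a single broken rule file in the directory takes the whole rule set down (the combined compile raises and nothing is scanned), whereas ``check=True`` drops only that file; and the size cap is applied before any rule is evaluated, so an oversized file is never reported even when it would match.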