rebuild_yara_rule does not return rule comments
Hi. The method rebuild_yara_rule() seems to be stripping off rule comments. For example, the following rule:
rule sample
{
    strings:
        $ = { 01 02 03 04 } // string 1
        $ = { 01 02 03 05 } // string 2
    condition:
        all of ($) // condition
}
Is correctly parsed (including comments):
[{'condition_terms': ['all', 'of', '(', '$', ')'], 'raw_strings': 'strings:\n $ = { 01 02 03 04 } // string 1\n $ = { 01 02 03 05 } // string 2\n ', 'raw_condition': 'condition:\n all of ($) // condition\n', 'comments': ['// condition', '// string 2', '// string 1'], 'rule_name': 'sample', 'stop_line': 8, 'start_line': 1, 'strings': [{'name': '$', 'value': '{ 01 02 03 04 }'}, {'name': '$', 'value': '{ 01 02 03 05 }'}]}]
But then rebuild_yara_rule() ignores comments:
rule sample {
    strings:
        $ = { 01 02 03 04 }
        $ = { 01 02 03 05 }
    condition:
        all of ($)
}
Is this intentional? On the one hand this is not an issue if the rebuilt rule is passed to yara for scanning. On the other hand, if you are rebuilding a rule for intel sharing, the rebuilder should preserve the rule comments.
Thanks in advance! RD
Top GitHub Comments
This is intentional. The comments key in the dictionary representation of the rule that plyara returns is just a list of comments. It doesn’t return positional information, so the data for where to put them is not available during the rebuild process.
Line numbers are available during the parsing process, so this is definitely a doable enhancement. It would break the schema of the resulting data, so it’s a breaking change compatibility-wise.
This feature can be added as an option, or it can be added as a full feature with a new major version. I’ll see what the other maintainers have to say.
I’ve opened a separate issue for the change in 3.0
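As the report's parser output shows, the dictionary still carries the comments inside the raw_strings and raw_condition text even though the comments list has no positions. The following is an added example, not plyara's own rebuild_yara_rule(): it rebuilds the rule from those raw sections so the comments survive, and checks the result against the comments list before the rule is shared. PARSED_RULE is copied from the report's output above; the function names are assumptions.

```python
# Constructed input: the dictionary plyara returned for the sample rule in the
# report above, copied here so the example runs without plyara installed.
PARSED_RULE = {
    'rule_name': 'sample',
    'raw_strings': 'strings:\n $ = { 01 02 03 04 } // string 1\n'
                   ' $ = { 01 02 03 05 } // string 2\n ',
    'raw_condition': 'condition:\n all of ($) // condition\n',
    'comments': ['// condition', '// string 2', '// string 1'],
    'strings': [{'name': '$', 'value': '{ 01 02 03 04 }'},
                {'name': '$', 'value': '{ 01 02 03 05 }'}],
    'condition_terms': ['all', 'of', '(', '$', ')'],
}

def line_comments(text):
    """Return the '// ...' comments in text, skipping '//' inside "..." strings."""
    found, in_str, i = [], False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            if ch == '\\':
                i += 1              # skip the escaped character
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True           # e.g. "http://x" must not count as a comment
        elif text.startswith('//', i):
            end = text.find('\n', i)
            end = len(text) if end == -1 else end
            found.append(text[i:end].rstrip())
            i = end
            continue
        i += 1
    return found

def rebuild_with_comments(rule, indent='    '):
    """Rebuild from the raw sections (comments included); not plyara's rebuilder."""
    body = []
    for section in (rule['raw_strings'], rule['raw_condition']):
        for line in section.splitlines():
            if line.strip():
                depth = 1 if line.strip().endswith(':') else 2
                body.append(indent * depth + line.strip())
    return f"rule {rule['rule_name']} {{\n" + "\n".join(body) + "\n}\n"

def missing_comments(rule, rebuilt):
    """Comments the parser recorded that did not survive the rebuild (empty = safe)."""
    kept = set(line_comments(rebuilt))
    return [c for c in rule['comments'] if c not in kept]
```

Running missing_comments() against the output of the lossy rebuild from the report returns all three comments, which is the kind of check an intel-sharing pipeline can fail on before a rule leaves the building.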