Crate boreal

boreal is a YARA rule evaluator: it compiles YARA rules and scans bytes for the textual and binary patterns those rules describe.

This crate is a reimplementation of the YARA library. It aims to provide the same set of features and to be fully compatible with existing YARA rules.

Here is an example of how to use the library.

use boreal::Compiler;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Rules must first be added to a compiler. Parse and compilation
    // errors are reported by add_rules_str, hence the `?`.
    let mut compiler = Compiler::new();
    compiler.add_rules_str(r#"
rule example {
    meta:
        description = "This is a YARA rule example"
        date = "2022-11-11"
    strings:
        // Hex pattern: the ASCII bytes of "xmlhttp.send()".
        $s1 = { 78 6d 6c 68 74 74 70 2e 73 65 6e 64 28 29 }
        // "tmp.dat" encoded as UTF-16LE (wide), and not delimited by
        // alphanumeric characters (fullword).
        $s2 = "tmp.dat" fullword wide
    condition:
        any of them
}
"#)?;

    // Then, all added rules are compiled into a scanner object.
    let scanner = compiler.finalize();

    // Use this object to scan bytes in memory or files.
    // The buffer below is "<tmp.dat>" in UTF-16LE, which $s2 matches.
    let res = scanner.scan_mem(b"<\0t\0m\0p\0.\0d\0a\0t\0>\0").unwrap();
    assert!(res.rules.iter().any(|rule| rule.name == "example"));
    Ok(())
}

Re-exports

pub use compiler::Compiler;
pub use scanner::Scanner;

Modules

compiler
Provides the Compiler object used to compile YARA rules.
memory
Describes the different types of objects that can be scanned.
module
Modules that can be imported and used in rules.
regex
YARA regex handling
scanner
Provides the Scanner object used to scan bytes against a set of compiled rules.
statistics
Statistics used to investigate performance of rules.

Structs

BytesSymbol
Symbol for a bytes string stored in a bytes intern pool.
Metadata
A metadata entry associated with a rule.
StringSymbol
Symbol for a string stored in a bytes intern pool.

Enums

MetadataValue
Value of a rule metadata.