Crate boreal

boreal is a YARA rules evaluator, used to search for textual and binary patterns.

This crate is a reimplementation of the YARA library. It aims to provide the same set of functionalities, and be fully compatible with all existing YARA rules.

Here is an example on how to use the library.

use boreal::Compiler;

// Rules must first be added to a compiler.
let mut compiler = Compiler::new();
compiler.add_rules_str(r#"
rule example {
    meta:
        description = "This is an YARA rule example"
        date = "2022-11-11"
    strings:
        $s1 = { 78 6d 6c 68 74 74 70 2e 73 65 6e 64 28 29 }
        $s2 = "tmp.dat" fullword wide
    condition:
        any of them
}
"#)?;

// Then, all added rules are compiled into a scanner object.
let scanner = compiler.into_scanner();

// Use this object to scan strings or files.
let res = scanner.scan_mem(b"<\0t\0m\0p\0.\0d\0a\0t\0>\0").unwrap();
assert!(res.matched_rules.iter().any(|rule| rule.name == "example"));

Re-exports

• pub use compiler::Compiler;
• pub use scanner::Scanner;

Modules

• compiler
  Provides the Compiler object used to compile YARA rules.
• memory
  Describe the different types of objects that can be scanned.
• module
  Modules that can be imported and used in rules.
• regex
  YARA regex handling
• scanner
  Provides the Scanner object used to scan bytes against a set of compiled rules.
• statistics
  Statistics used to investigate performance of rules.

Structs

• Metadata
  A metadata key-value, associated with a rule.

Enums

• MetadataValue
  Value associated with a metadata key.