//! **boreal** is a YARA rules evaluator, used to search for textual and binary patterns.
//!
//! This crate is a reimplementation of the [YARA library](https://github.com/VirusTotal/yara).
//! It aims to provide the same set of functionalities, and be fully compatible with all existing
//! YARA rules.
//!
//! Here is an example of how to use the library.
//!
//! ```
//! use boreal::Compiler;
//!
//! // Rules must first be added to a compiler.
//! let mut compiler = Compiler::new();
//! compiler.add_rules_str(r#"
//! rule example {
//! meta:
//! description = "This is an YARA rule example"
//! date = "2022-11-11"
//! strings:
//! $s1 = { 78 6d 6c 68 74 74 70 2e 73 65 6e 64 28 29 }
//! $s2 = "tmp.dat" fullword wide
//! condition:
//! any of them
//! }
//! "#)?;
//!
//! // Then, all added rules are compiled into a scanner object.
//! let scanner = compiler.finalize();
//!
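//! // Use this object to scan strings or files. The input here is `<tmp.dat>` with a
//! // NUL byte after each character, which is the form the `wide` modifier on `$s2` matches.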
//! let res = scanner.scan_mem(b"<\0t\0m\0p\0.\0d\0a\0t\0>\0").unwrap();
//! assert!(res.rules.iter().any(|rule| rule.name == "example"));
//!
//! # Ok::<(), boreal::compiler::AddRuleError>(())
//! ```
// Used in integration tests, not in the library.
// These imports silence the "unused_crate_dependencies" warning; a better solution
// may exist.
use base64 as _;
use glob as _;
use tempfile as _;
use yara as _;
// If the "hash" feature is enabled but not the "object" feature, the tlsh2 crate
// is added but unused, since its use depends on both being enabled. I don't think
// there is a way to express this in the cargo dependencies, and this dependency
// is extremely light, so it is just ignored in this case.
use tlsh2 as _;
pub
pub use ;
pub use ;
pub use Compiler;
pub use Scanner;