open-detect 0.1.1

Static malware detection engine with YARA rule support and automatic archive extraction for security researchers
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88

type Detections = Vec<Detection>;

/// Result of a malware scan operation.
///
/// Represents whether the scanned content is clean or contains detected threats.
///
/// # Examples
///
/// ```
/// use open_detect::ScanResult;
///
/// let clean = ScanResult::Clean;
/// assert_eq!(clean, ScanResult::Clean);
/// ```
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ScanResult {
    /// No threats detected - the content is clean.
    Clean,
    /// One or more threats detected, with details about each detection.
    Malicious(Detections),
}

impl From<yara_x::ScanResults<'_, '_>> for ScanResult {
    fn from(results: yara_x::ScanResults) -> Self {
        if results.matching_rules().len() == 0 {
            ScanResult::Clean
        } else {
            let detections = results
                .matching_rules()
                .map(|rule| rule.identifier().into())
                .collect();

            ScanResult::Malicious(detections)
        }
    }
}

impl From<String> for ScanResult {
    fn from(name: String) -> Self {
        ScanResult::Malicious(vec![Detection { name }])
    }
}

impl From<&str> for ScanResult {
    fn from(name: &str) -> Self {
        ScanResult::Malicious(vec![Detection {
            name: name.to_string(),
        }])
    }
}

impl From<Vec<&str>> for ScanResult {
    fn from(names: Vec<&str>) -> Self {
        let detections = names
            .into_iter()
            .map(|name| Detection { name: name.into() })
            .collect();
        ScanResult::Malicious(detections)
    }
}

/// Details about a detected threat.
///
/// Contains information about a YARA rule that matched during scanning.
///
/// # Examples
///
/// ```
/// use open_detect::Detection;
///
/// let detection = Detection {
///     name: "MalwareRule".to_string(),
/// };
/// assert_eq!(detection.name, "MalwareRule");
/// ```
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Detection {
    /// The name/identifier of the YARA rule that matched.
    pub name: String,
}

impl From<&str> for Detection {
    fn from(name: &str) -> Self {
        Detection {
            name: name.to_string(),
        }
    }
}