vyre 0.1.0

GPU bytecode condition engine
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60

use rulefire::{
    yara::{compiler::compile_rule, parser::parse_source},
    CompiledRuleIndex, PatternMapping,
};

#[test]
fn parity_integer_at() {
    let source = r#"
        rule test_int16 {
            condition:
                int16(0) == 0x5a4d
        }
        
        rule test_uint32be {
            condition:
                uint32be(4) == 0x01020304
        }
    "#;
    let rules = parse_source(source, "test.yar").unwrap();
    let entries: Vec<_> = rules
        .iter()
        .map(|rule| rulefire::RuleEntry {
            name: rule.name.clone(),
            tags: rule.tags.clone(),
            strings: rule.strings.iter().map(|s| s.identifier.clone()).collect(),
        })
        .collect();

    let programs: Vec<_> = rules
        .iter()
        .map(compile_rule)
        .collect::<Result<Vec<_>, _>>()
        .unwrap();
    let ps = warpstate::PatternSet::builder()
        .literal("dummy")
        .build()
        .unwrap();
    let index = CompiledRuleIndex::build(
        entries,
        vec![],
        PatternMapping {
            pattern_to_rules: vec![],
            rule_list: vec![],
            string_local_ids: vec![],
        },
        programs,
        ps,
    );

    let file_bytes = b"MZ\x00\x00\x01\x02\x03\x04\x00";

    // CPU Eval
    let cpu_hits = index.scan_cpu(file_bytes).unwrap();
    assert_eq!(cpu_hits.len(), 2, "CPU should hit both rules");

    // GPU Eval
    let gpu_hits = index.scan(file_bytes).unwrap();
    assert_eq!(gpu_hits.len(), 2, "GPU should hit both rules");
    assert_eq!(cpu_hits, gpu_hits, "CPU and GPU results must match");
}