yara-x 1.15.0

A pure Rust implementation of YARA.
// THIS FILE IS GENERATED AUTOMATICALLY. DO NOT EDIT.
// LINT: LEGACY_NAMES

syntax = "proto3";

package vt.titan;

import "vt/analysis.proto";
import "vt/filetypes.proto";
import "vt/hunting_gti_score.proto";
import "vt/sandbox.proto";
import "vt/submitter.proto";
import "vt/vtnet.proto";
import "yara.proto";

// Declares this file as the YARA-X module named `vt`. The root message is
// vt.titan.LiveHuntData, so rules reach its fields through the `vt.` prefix
// (the error texts below use `vt.metadata`, `vt.behaviour`, `vt.net`).
// `rust_module` and `cargo_feature` name the Rust module and the Cargo
// feature associated with it. The option schema itself is declared in
// yara.proto, which is imported but not shown here.
option (yara.module_options) = {
  name: "vt"
  root_message: "vt.titan.LiveHuntData"
  rust_module: "vt"
  cargo_feature: "vt-module"
};

// Root message of the `vt` module: the data a rule can inspect about the
// entity being matched.
//
// Every field carries an `acl` entry listing the ruleset kinds for which the
// field is accepted, together with the error title/label reported otherwise.
// NOTE(review): the exact evaluation of `accept_if` is defined in yara.proto
// (not shown); the descriptions below follow the error texts. The entries
// read as rule-authoring checks -- confirm separately whether the underlying
// data is also withheld when a field is not accepted.
message LiveHuntData {
  // File metadata, exposed to rules as `vt.metadata` (the `name` option
  // overrides the proto field name `meta`). Accepted for "file" only.
  FileMetadata meta = 1 [(yara.field_options) = {
    name: "metadata"
    acl: [ {
      error_title: "vt.metadata is supported only in rulesets matching against files"
      error_label: "this field is supported for files only"
      accept_if: [ "file" ]
    } ]
  }];
  // Behaviour summary for the file (type declared in an imported file).
  // Accepted for "file" only.
  vt.fileanalysis.BehaviourSummary behaviour = 2 [(yara.field_options) = {
    acl: [ {
      error_title: "vt.behaviour is supported only in rulesets matching against files"
      error_label: "this field is supported for files only"
      accept_if: [ "file" ]
    } ]
  }];
  // Network-location data. Accepted for "url", "domain" and "ip_address";
  // for file rulesets the error label points authors to `vt.metadata.itw`.
  vt.net.EnrichedNetloc net = 3 [(yara.field_options) = {
    acl: [ {
      error_title: "vt.net is not supported in rulesets matching against files"
      error_label: "this field is not supported for files, consider using `vt.metadata.itw`"
      accept_if: [ "url", "domain", "ip_address" ]
    } ]
  }];
}

// Hashes describing a file's main icon (referenced from
// FileMetadata.main_icon).
message MainIcon {
  // Presumably a perceptual "difference hash" of the icon, useful for
  // grouping visually similar icons -- TODO confirm against the producer.
  string dhash = 1;
  // Presumably the MD5 of the raw icon bytes -- TODO confirm. MD5 is not
  // collision-resistant: a match is a clustering signal, not proof that two
  // icons are identical.
  string raw_md5 = 2;
}

// Go-binary metadata (referenced from FileMetadata.goresym).
// NOTE(review): the field names mirror the output of the GoReSym symbol
// recovery tool; confirm against the producer. Everything here is extracted
// from the analysed binary, so rule logic should treat the strings as
// untrusted, sample-controlled values.
message GoReSym {
  // Build information recovered from the binary.
  message BuildInfo {
    // Presumably the main package/module path -- TODO confirm.
    string path = 1;
    // String-to-string map of dependencies; presumably module path to
    // version -- TODO confirm. Map iteration order is undefined.
    map<string, string> dependencies = 2;
    // String-to-string map of build settings -- key set not shown here.
    map<string, string> settings = 3;
  }

  // Counters summarising what was recovered.
  message Summary {
    int64 num_user_functions = 1;
    int64 num_std_functions = 2;
    int64 num_interfaces = 3;
    int64 num_types = 4;
    int64 num_dependencies = 5;
  }

  // Presumably the Go toolchain version string -- TODO confirm.
  string version = 1;
  // Target architecture and operating system strings; value vocabulary is
  // not shown here.
  string arch = 2;
  string os = 3;
  // Build identifier recovered from the binary.
  string build_id = 4;
  vt.titan.GoReSym.BuildInfo build_info = 5;
  vt.titan.GoReSym.Summary summary = 6;
}

// Metadata about a file, exposed to rules as `vt.metadata`.
//
// Field numbers 14, 21, 23, 24, 29 and 33-35 do not appear in this message
// and no `reserved` statement covers them.
// NOTE(review): if those numbers belonged to removed fields, reserve them in
// the generator's source so they cannot be reused with a different meaning.
//
// Several string fields set `lowercase: true`; the option is declared in
// yara.proto (not shown) and presumably tells the compiler the value is
// always lowercase -- TODO confirm.
message FileMetadata {
  // Cryptographic digests of the file. MD5 and SHA-1 are not
  // collision-resistant; prefer sha256 when a rule must identify one exact
  // file.
  string sha256 = 1 [(yara.field_options) = { lowercase: true }];
  string sha1 = 2 [(yara.field_options) = { lowercase: true }];
  string md5 = 3 [(yara.field_options) = { lowercase: true }];
  // Similarity / structural hashes. These group related samples; a match is
  // not proof of identity. ssdeep is not marked lowercase.
  string ssdeep = 4;
  string imphash = 5 [(yara.field_options) = { lowercase: true }];
  string vhash = 6 [(yara.field_options) = { lowercase: true }];
  string telfhash = 27 [(yara.field_options) = { lowercase: true }];
  // File name associated with the sample. Presumably supplied at submission
  // time -- treat as untrusted input; TODO confirm.
  string file_name = 7;
  vt.fileanalysis.FileType file_type = 8;
  // Presumably the size in bytes -- TODO confirm unit.
  int64 file_size = 9;
  int32 times_submitted = 10;
  bool new_file = 11;
  repeated string tags = 12;
  // String-to-string map; key and value meaning are not shown here.
  map<string, string> signatures = 13;
  // Submitter information. The acl rejects this field when "retrohunt" is
  // set, reporting that it is not supported in Retrohunt.
  vt.submitter.Submitter submitter = 15 [(yara.field_options) = {
    acl: [ {
      error_title: "vt.metadata.submitter is not supported in Retrohunt"
      error_label: "this field is not supported in Retrohunt"
      reject_if: [ "retrohunt" ]
    } ]
  }];
  bool subfile = 16;
  int32 unique_sources = 17;
  vt.analysis.AnalysisStats analysis_stats = 18;
  string magic = 19;
  repeated string file_type_tags = 20;
  // NOTE(review): unit and epoch are not stated; presumably a Unix timestamp
  // in seconds (UTC) -- confirm before comparing against literals.
  int64 first_submission_date = 22;
  // String-to-string map of metadata; presumably extracted from the file
  // itself, so values are sample-controlled -- TODO confirm.
  map<string, string> exiftool = 25;
  MainIcon main_icon = 26;
  GoReSym goresym = 28;
  repeated string malware_families = 30;
  // Similarity hash; not marked lowercase.
  string tlsh = 31;
  // Network location associated with the file; the `vt.net` error label
  // recommends this field for file rulesets.
  vt.net.EnrichedNetloc itw = 32;
  // Accepted only for "gti" or "staff". The error text is worded as if the
  // field did not exist ("unknown field or method"), so rule authors without
  // those features are not told the field is merely restricted.
  // NOTE(review): that wording only affects the error message; confirm the
  // value itself is withheld from callers lacking these features.
  vt.hunting_gti_score.HuntingGtiScore gti_assessment = 36
      [(yara.field_options) = {
        acl: [ {
          error_title: "unknown field or method `gti_assessment`"
          error_label: "this field or method doesn't exist"
          accept_if: [ "gti", "staff" ]
        } ]
      }];
}