yara 0.3.1

Rust bindings for VirusTotal/yara

yara-rust


Bindings for the Yara library from VirusTotal.

More documentation can be found in Yara's documentation.

Example

The implementation is inspired by yara-python.

use yara::Yara;

// Initialize the Yara library and create a rule compiler.
let mut yara = Yara::create().unwrap();
let mut compiler = yara.new_compiler().unwrap();
// Add a rule that matches the string "rust", case-insensitively.
compiler.add_rules_str("rule contains_rust {
  strings:
    $rust = \"rust\" nocase
  condition:
    $rust
}").expect("Should have parsed rule");
let mut rules = compiler.compile_rules().expect("Should have compiled rules");
// Scan an in-memory buffer with a 5-second timeout.
let results = rules.scan_mem("I love Rust!".as_bytes(), 5).expect("Should have scanned");
assert!(results.iter().any(|r| r.identifier == "contains_rust"));

Features

  • Support from Yara 3.7 to 3.11.0.
  • Compile rules from strings or files.
  • Save and load compiled rules.
  • Scan byte arrays (&[u8]) or files.

Feature flags and Yara linking.

Look at the yara-sys crate documentation for a list of feature flags and how to link to your Yara crate.

TODO

  • Remove some unwrap calls on string conversions (currently this crate assumes the rule, meta and namespace identifiers are valid Rust str values).
  • Implement the scanner API.
  • Look at the source code of Yara (or in documentation if specified) to assess thread safety.
  • Look at the source code of Yara (or in documentation if specified) to see if we can remove some mut in some functions (such as Yara::new_compiler and Yara::load_rules).

License

Licensed under either of

at your option.