Keywords: yara, parser, boreal

boreal-parser

A parser library for YARA files, intended for use with the boreal library

7 releases (1 stable)

1.0.0 May 17, 2025
0.6.0 Jun 9, 2024
0.5.0 Feb 16, 2024
0.4.0 Feb 11, 2024
0.1.0 Dec 4, 2022

#1158 in Parser implementations


148 downloads per month
Used in 2 crates (via boreal)

MIT/Apache

300KB
8K SLoC

Parser for YARA rules.

This crate is designed to be used by the boreal crate.

It exposes a main entrypoint function, parse, which parses the contents of a YARA file.

use boreal_parser::*;
use boreal_parser::expression::*;
use boreal_parser::file::*;
use boreal_parser::rule::*;

// The snippet is a doctest; wrapped in a `main` returning the crate's
// `Error` so the `?` operator compiles in a stand-alone binary as well.
fn main() -> Result<(), Error> {
    let file = parse(r#"
import "pe"

private rule b : tag1 {
    meta:
        a = true
    strings:
        $b = "\\mspaint.exe" wide
    condition:
        pe.is_dll() and all of them
}"#)?;

    // First component: the `import "pe"` statement, with its byte span.
    assert_eq!(
        file.components[0],
        YaraFileComponent::Import(Import {
            name: "pe".to_owned(),
            span: 1..12,
        })
    );
    // Second component: the rule itself, with metadata, strings and condition.
    assert_eq!(
        file.components[1],
        YaraFileComponent::Rule(Box::new(Rule {
            name: "b".to_owned(),
            name_span: 27..28,
            tags: vec![RuleTag {
                tag: "tag1".to_owned(),
                span: 31..35
            }],
            metadatas: vec![Metadata {
                name: "a".to_owned(),
                value: MetadataValue::Boolean(true)
            }],
            variables: vec![VariableDeclaration {
                name: "b".to_owned(),
                value: VariableDeclarationValue::Bytes(b"\\mspaint.exe".to_vec()),
                modifiers: VariableModifiers {
                    wide: true,
                    ..Default::default()
                },
                span: 86..111,
            }],
            condition: Expression {
                expr: ExpressionKind::And(vec![
                    // `pe.is_dll()`: an identifier with a subfield access and a call.
                    Expression {
                        expr: ExpressionKind::Identifier(Identifier {
                            name: "pe".to_owned(),
                            name_span: 135..137,
                            operations: vec![
                                IdentifierOperation {
                                    op: IdentifierOperationType::Subfield(
                                        "is_dll".to_owned()
                                    ),
                                    span: 137..144,
                                },
                                IdentifierOperation {
                                    op: IdentifierOperationType::FunctionCall(vec![]),
                                    span: 144..146,
                                }
                            ],
                        }),
                        span: 135..146,
                    },
                    // `all of them`: a `for` expression over the empty (all) set.
                    Expression {
                        expr: ExpressionKind::For {
                            selection: ForSelection::All,
                            set: VariableSet { elements: vec![] },
                            body: None,
                        },
                        span: 151..162,
                    }
                ]),
                span: 135..162
            },
            is_private: true,
            is_global: false,
        }))
    );
    Ok(())
}


boreal-parser

This crate provides a parser for YARA files.


Overview

This crate is designed to be used by the boreal crate, which implements evaluation of YARA rules.

YARA version supported

All features available in the 4.5 version of YARA are handled.

Dependencies

~2.4–9MB
~73K SLoC