#malware #yara #rules #detection #security #builder-pattern

bin+lib yara-forge

A powerful Rust library for crafting, validating, and managing YARA rules

1 unstable release

0.1.0 Dec 26, 2024


YARA Forge 🛠️

A powerful Rust library for crafting, validating, and managing YARA rules. YARA Forge provides a comprehensive set of tools for creating sophisticated malware detection rules with an intuitive builder pattern interface.


Features

  • 🏗️ Rule Builder Pattern: Chainable RuleBuilder interface for composing YARA rules
  • 📚 Pre-built Templates: Ready-made rule templates for common malware detection (e.g. ransomware_template)
  • 🔍 Pattern Library: Named groups of detection patterns such as ENCRYPTION_APIS and PROCESS_INJECTION
  • Validation: Built-in syntax checking, with optional testing against sample files (ValidationOptions)
  • 🚀 Performance: Parallel scanning of a sample directory (parallel_scan)
  • 🔄 Import/Export: Support for JSON and other formats
  • 📋 Documentation: Comprehensive documentation and examples

Installation

Add this to your Cargo.toml:

[dependencies]
yara-forge = "0.1.0"

Quick Start

use yara_forge::{RuleBuilder, ValidationOptions};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Create a simple rule
    let rule = RuleBuilder::new("detect_suspicious")
        .with_metadata("author", "YARA Forge")
        .with_string("$suspicious_api", "CreateRemoteThread")
        .with_condition("$suspicious_api")
        .build()?;

    // Validation options. syntax_only skips testing against samples; the struct is
    // consumed by the scanner (see parallel_scan under Advanced Usage), and nothing
    // else in this snippet uses it yet.
    let options = ValidationOptions {
        syntax_only: true,
        test_against_samples: false,
        max_file_size: 10 * 1024 * 1024,
        timeout: 30,
    };

    // Save the rule
    rule.save("detect_suspicious.yar")?;

    Ok(())
}

Advanced Usage

Using Templates

use yara_forge::templates::ransomware_template;

let rule = ransomware_template("detect_ransomware")
    .with_metadata("severity", "high")
    .build()?;

Pattern Matching

use yara_forge::RuleBuilder;
use yara_forge::patterns::{ENCRYPTION_APIS, PROCESS_INJECTION};

let rule = RuleBuilder::new("detect_malware")
    .with_patterns(ENCRYPTION_APIS)
    .with_patterns(PROCESS_INJECTION)
    .with_condition("2 of them")
    .build()?;
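To make concrete what a rule builder like the one used in Quick Start and Pattern Matching has to produce and check, here is a self-contained builder in plain std Rust. It is an added example, not yara-forge's code or API (the crate's internals are not shown on this page): the method names RuleBuilder::new, with_metadata, with_string, with_patterns, with_condition and build are reused so the calls read like the ones above, but the Rule type, the RuleError variants, validate, to_yara, the identifier and escaping checks and the PROCESS_INJECTION list are all assumptions made for this example. Unlike the crate it cannot compile a rule; it catches the structural mistakes a YARA compiler would reject anyway (bad identifiers, duplicate string names, conditions that reference strings never declared) and renders YARA source.

```rust
// Added example in plain std Rust: what a YARA rule builder has to emit and check
// before a rule is saved. NOT yara-forge's implementation or API; the method names
// mirror the page's builder calls, everything else is an assumption for this example.
use std::collections::BTreeSet;

#[derive(Debug, PartialEq)]
pub enum RuleError {
    BadIdentifier(String),
    DuplicateString(String),
    UndeclaredString(String),
}

#[derive(Debug)]
pub struct Rule {
    name: String,
    meta: Vec<(String, String)>,    // every meta value is rendered as a quoted string
    strings: Vec<(String, String)>, // (identifier including '$', text string)
    condition: String,
}

pub struct RuleBuilder { rule: Rule }

/// YARA identifier: [A-Za-z_][A-Za-z0-9_]*, at most 128 bytes (keywords not checked).
pub fn valid_identifier(s: &str) -> bool {
    let mut chars = s.chars();
    match chars.next() {
        Some(c) if c.is_ascii_alphabetic() || c == '_' => {}
        _ => return false,
    }
    s.len() <= 128 && chars.all(|c| c.is_ascii_alphanumeric() || c == '_')
}

/// Escape a value for a double-quoted YARA text string: only `\` and `"` need it.
pub fn escape_text(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        if c == '\\' || c == '"' { out.push('\\'); }
        out.push(c);
    }
    out
}

/// Structural checks worth doing before the rule is handed to a YARA compiler.
fn validate(r: &Rule) -> Result<(), RuleError> {
    if !valid_identifier(&r.name) { return Err(RuleError::BadIdentifier(r.name.clone())); }
    let mut declared: BTreeSet<&str> = BTreeSet::new();
    for (id, _) in &r.strings {
        // `$name` only (anonymous `$` is not supported here); duplicates are a compile error.
        if !id.strip_prefix('$').map_or(false, valid_identifier) { return Err(RuleError::BadIdentifier(id.clone())); }
        if !declared.insert(id.as_str()) { return Err(RuleError::DuplicateString(id.clone())); }
    }
    // Every `$name` in the condition must be declared; wildcards like `$inj*` are skipped
    // and the `#name`, `@name`, `!name` forms are not checked by this example.
    let is_sep = |c: char| !(c.is_ascii_alphanumeric() || c == '_' || c == '$' || c == '*');
    for tok in r.condition.split(is_sep).filter(|t| t.starts_with('$') && !t.ends_with('*')) {
        if !declared.contains(tok) { return Err(RuleError::UndeclaredString(tok.to_string())); }
    }
    Ok(())
}

impl RuleBuilder {
    pub fn new(name: &str) -> Self {
        RuleBuilder { rule: Rule { name: name.to_string(), meta: Vec::new(), strings: Vec::new(), condition: String::new() } }
    }
    pub fn with_metadata(mut self, k: &str, v: &str) -> Self { self.rule.meta.push((k.to_string(), v.to_string())); self }
    pub fn with_string(mut self, id: &str, text: &str) -> Self { self.rule.strings.push((id.to_string(), text.to_string())); self }
    pub fn with_condition(mut self, cond: &str) -> Self { self.rule.condition = cond.to_string(); self }
    // Add a whole (identifier, text) group at once, the way a pattern library would.
    pub fn with_patterns(mut self, patterns: &[(&str, &str)]) -> Self {
        for (id, text) in patterns { self = self.with_string(id, text); }
        self
    }
    pub fn build(self) -> Result<Rule, RuleError> {
        validate(&self.rule)?;
        Ok(self.rule)
    }
}

impl Rule {
    /// Render the rule in YARA source syntax (text strings only; no hex/regex, no modifiers).
    pub fn to_yara(&self) -> String {
        let mut out = format!("rule {}\n{{\n", self.name);
        for (section, items) in [("meta", &self.meta), ("strings", &self.strings)] {
            if items.is_empty() { continue; }
            out.push_str(&format!("    {}:\n", section));
            for (k, v) in items { out.push_str(&format!("        {} = \"{}\"\n", k, escape_text(v))); }
        }
        out.push_str(&format!("    condition:\n        {}\n}}\n", self.condition));
        out
    }
}

// Constructed pattern group for this example; not yara-forge's PROCESS_INJECTION.
pub const PROCESS_INJECTION: &[(&str, &str)] =
    &[("$inj_open", "OpenProcess"), ("$inj_write", "WriteProcessMemory"), ("$inj_thread", "CreateRemoteThread")];

fn main() {
    let rule = RuleBuilder::new("detect_malware").with_metadata("author", "YARA Forge")
        .with_patterns(PROCESS_INJECTION).with_condition("2 of them").build().expect("structurally valid rule");
    print!("{}", rule.to_yara());
}
```

Running it prints the rendered `detect_malware` rule; building `RuleBuilder::new("broken").with_string("$a", "x").with_condition("$a and $b")` instead returns `UndeclaredString("$b")` rather than writing a file that the YARA compiler would reject later. The renderer quotes every meta value and only supports text strings; hex and regex strings, `nocase`/`wide` modifiers and integer or boolean metadata are deliberately out of scope.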

Parallel Scanning

use yara_forge::validation::parallel_scan;

// `options` is a ValidationOptions built as in Quick Start; the first argument is the
// rule file, the second the directory of samples to scan.
let matches = parallel_scan("rules/malware.yar", "samples/", &options)?;
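The one-line call above hides what a parallel scan actually does. As an added example that is not yara-forge's parallel_scan (and uses no YARA engine, only a byte-substring search), the following std-only Rust spawns one scoped thread per sample, applies an "N of them" threshold per rule, and skips samples over a size limit the way a max_file_size option would rather than scanning them. ScanRule, Hit, the min_of_them field and the constructed samples are all assumptions for this example.

```rust
// Added example in plain std Rust of the shape of a parallel sample scan. NOT
// yara-forge's parallel_scan and no YARA engine is involved: matching is a byte
// substring search; ScanRule, Hit and the constructed samples are assumptions.
use std::thread;

/// A rule reduced to what the scan needs: its name, its text strings, and the
/// "N of them" threshold taken from its condition.
pub struct ScanRule<'a> {
    pub name: &'a str,
    pub strings: &'a [&'a str],
    pub min_of_them: usize,
}

/// One rule firing on one sample.
#[derive(Debug, PartialEq)]
pub struct Hit {
    pub sample: String,
    pub rule: String,
    pub matched_strings: usize,
}

fn contains(haystack: &[u8], needle: &[u8]) -> bool {
    !needle.is_empty() && haystack.windows(needle.len()).any(|w| w == needle)
}

/// Scan every sample of at most `max_file_size` bytes on its own scoped thread.
/// Returns the hits in sample order plus the names of the samples skipped for size.
pub fn parallel_scan(rules: &[ScanRule<'_>], samples: &[(&str, &[u8])], max_file_size: usize) -> (Vec<Hit>, Vec<String>) {
    let (to_scan, too_big): (Vec<_>, Vec<_>) = samples.iter().partition(|(_, data)| data.len() <= max_file_size);
    let skipped: Vec<String> = too_big.iter().map(|(name, _)| name.to_string()).collect();
    let hits = thread::scope(|s| {
        let handles: Vec<_> = to_scan
            .iter()
            .map(|(name, data)| {
                s.spawn(move || {
                    rules
                        .iter()
                        .filter_map(|rule| {
                            // Count the distinct strings present, then apply the rule's threshold.
                            let n = rule.strings.iter().filter(|p| contains(data, p.as_bytes())).count();
                            (n >= rule.min_of_them).then(|| Hit { sample: name.to_string(), rule: rule.name.to_string(), matched_strings: n })
                        })
                        .collect::<Vec<Hit>>()
                })
            })
            .collect();
        handles.into_iter().flat_map(|h| h.join().expect("scanner thread panicked")).collect::<Vec<Hit>>()
    });
    (hits, skipped)
}

fn main() {
    // Constructed rule and in-memory samples; a real scan would read a samples/ directory.
    let rules = [ScanRule { name: "process_injection", strings: &["OpenProcess", "WriteProcessMemory", "CreateRemoteThread"], min_of_them: 2 }];
    let samples: [(&str, &[u8]); 2] = [
        ("a.bin", "..OpenProcess..WriteProcessMemory..".as_bytes()),
        ("b.bin", "only CreateRemoteThread here".as_bytes()),
    ];
    let (hits, skipped) = parallel_scan(&rules, &samples, 10 * 1024 * 1024);
    println!("hits: {:?}\nskipped: {:?}", hits, skipped);
}
```

Scoped threads let each worker borrow the rule set and sample bytes directly, so nothing is copied per thread and the join at the end keeps the results in the order the samples were given, which matters when the output feeds a report or a test. Oversized samples are reported separately instead of silently dropped, so a scan that "found nothing" can be told apart from one that never looked.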

Development

# Run tests
cargo test

# Run benchmarks
cargo bench

# Build documentation
cargo doc --no-deps --open

# Format code
cargo fmt

# Run lints
cargo clippy

Docker Support

Build the Docker image:

docker build -t yara-forge .

Run with Docker Compose:

docker-compose up

Contributing

We welcome contributions! Please see CONTRIBUTING.md for guidelines.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Acknowledgments

Security

For security issues, please open an issue on GitHub.
