[Forensics-changes] [yara] 42/415: Documentation updated to v1.3
Hilko Bengen
bengen at moszumanska.debian.org
Thu Apr 3 05:42:41 UTC 2014
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to branch debian
in repository yara.
commit 2de6acd55825a31b70095d250065d4804be53091
Author: Victor M. Alvarez <plusvic at gmail.com>
Date: Mon Oct 26 11:31:59 2009 +0000
Documentation updated to v1.3
---
ChangeLog | 2 +-
doc/YARA User's Manual.pdf | Bin 153412 -> 215048 bytes
libyara/libyara.tmproj | 495 ---------------------------------------------
yara-python/README | 111 ++++++++--
yara.c | 2 +-
5 files changed, 98 insertions(+), 512 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 3087076..5e27ee1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -35,7 +35,7 @@ version 1.2.1 (14/04/2009)
* BUGFIX: Memory leak
* BUGFIX: Access violation on xxcompare functions
-version 1.3
+version 1.3
* added a C-like "include" directive
* added support for multi-sources compilation in yara-python
* added support for metadata declaration in rules
diff --git a/doc/YARA User's Manual.pdf b/doc/YARA User's Manual.pdf
index 55241c3..c67d03e 100644
Binary files a/doc/YARA User's Manual.pdf and b/doc/YARA User's Manual.pdf differ
diff --git a/libyara/libyara.tmproj b/libyara/libyara.tmproj
deleted file mode 100644
index 5d6d9a5..0000000
--- a/libyara/libyara.tmproj
+++ /dev/null
@@ -1,495 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>currentDocument</key>
- <string>../yara.c</string>
- <key>documents</key>
- <array>
- <dict>
- <key>children</key>
- <array>
- <dict>
- <key>filename</key>
- <string>scan.c</string>
- <key>lastUsed</key>
- <date>2009-10-24T20:43:08Z</date>
- </dict>
- <dict>
- <key>filename</key>
- <string>pefile.c</string>
- <key>lastUsed</key>
- <date>2009-10-24T20:35:58Z</date>
- </dict>
- <dict>
- <key>filename</key>
- <string>filemap.c</string>
- <key>lastUsed</key>
- <date>2009-10-24T20:36:02Z</date>
- </dict>
- <dict>
- <key>filename</key>
- <string>eval.c</string>
- <key>lastUsed</key>
- <date>2009-10-24T19:10:43Z</date>
- </dict>
- <dict>
- <key>filename</key>
- <string>ast.c</string>
- <key>lastUsed</key>
- <date>2009-10-24T20:52:56Z</date>
- </dict>
- <dict>
- <key>filename</key>
- <string>lex.l</string>
- <key>lastUsed</key>
- <date>2009-10-24T22:47:38Z</date>
- </dict>
- <dict>
- <key>filename</key>
- <string>grammar.y</string>
- <key>lastUsed</key>
- <date>2009-10-24T22:50:49Z</date>
- </dict>
- <dict>
- <key>filename</key>
- <string>../yara.c</string>
- <key>lastUsed</key>
- <date>2009-10-24T22:50:49Z</date>
- <key>selected</key>
- <true/>
- </dict>
- <dict>
- <key>filename</key>
- <string>mem.c</string>
- <key>lastUsed</key>
- <date>2009-10-24T20:52:59Z</date>
- </dict>
- <dict>
- <key>filename</key>
- <string>libyara.c</string>
- <key>lastUsed</key>
- <date>2009-10-24T22:50:36Z</date>
- </dict>
- </array>
- <key>expanded</key>
- <true/>
- <key>name</key>
- <string>Sources</string>
- </dict>
- <dict>
- <key>children</key>
- <array>
- <dict>
- <key>filename</key>
- <string>yara.h</string>
- <key>lastUsed</key>
- <date>2009-10-24T22:49:55Z</date>
- </dict>
- <dict>
- <key>filename</key>
- <string>pefile.h</string>
- <key>lastUsed</key>
- <date>2009-10-24T19:55:29Z</date>
- </dict>
- <dict>
- <key>filename</key>
- <string>pe.h</string>
- <key>lastUsed</key>
- <date>2009-10-24T21:05:01Z</date>
- </dict>
- <dict>
- <key>filename</key>
- <string>filemap.h</string>
- <key>lastUsed</key>
- <date>2009-10-23T14:24:21Z</date>
- </dict>
- <dict>
- <key>filename</key>
- <string>eval.h</string>
- <key>lastUsed</key>
- <date>2009-10-24T20:32:38Z</date>
- </dict>
- <dict>
- <key>filename</key>
- <string>ast.h</string>
- <key>lastUsed</key>
- <date>2009-10-24T21:01:57Z</date>
- </dict>
- <dict>
- <key>filename</key>
- <string>sizedstr.h</string>
- <key>lastUsed</key>
- <date>2009-10-24T21:02:00Z</date>
- </dict>
- <dict>
- <key>filename</key>
- <string>mem.h</string>
- <key>lastUsed</key>
- <date>2009-10-24T21:04:57Z</date>
- </dict>
- <dict>
- <key>filename</key>
- <string>scan.h</string>
- <key>lastUsed</key>
- <date>2009-10-24T20:32:40Z</date>
- </dict>
- <dict>
- <key>filename</key>
- <string>lex.h</string>
- <key>lastUsed</key>
- <date>2009-10-22T14:32:32Z</date>
- </dict>
- </array>
- <key>expanded</key>
- <true/>
- <key>name</key>
- <string>Includes</string>
- </dict>
- </array>
- <key>fileHierarchyDrawerWidth</key>
- <integer>131</integer>
- <key>metaData</key>
- <dict>
- <key>../yara.c</key>
- <dict>
- <key>caret</key>
- <dict>
- <key>column</key>
- <integer>80</integer>
- <key>line</key>
- <integer>308</integer>
- </dict>
- <key>firstVisibleColumn</key>
- <integer>0</integer>
- <key>firstVisibleLine</key>
- <integer>293</integer>
- </dict>
- <key>ast.c</key>
- <dict>
- <key>caret</key>
- <dict>
- <key>column</key>
- <integer>34</integer>
- <key>line</key>
- <integer>154</integer>
- </dict>
- <key>firstVisibleColumn</key>
- <integer>0</integer>
- <key>firstVisibleLine</key>
- <integer>136</integer>
- </dict>
- <key>ast.h</key>
- <dict>
- <key>caret</key>
- <dict>
- <key>column</key>
- <integer>124</integer>
- <key>line</key>
- <integer>132</integer>
- </dict>
- <key>firstVisibleColumn</key>
- <integer>0</integer>
- <key>firstVisibleLine</key>
- <integer>16</integer>
- </dict>
- <key>eval.c</key>
- <dict>
- <key>caret</key>
- <dict>
- <key>column</key>
- <integer>0</integer>
- <key>line</key>
- <integer>124</integer>
- </dict>
- <key>firstVisibleColumn</key>
- <integer>0</integer>
- <key>firstVisibleLine</key>
- <integer>272</integer>
- </dict>
- <key>eval.h</key>
- <dict>
- <key>caret</key>
- <dict>
- <key>column</key>
- <integer>21</integer>
- <key>line</key>
- <integer>30</integer>
- </dict>
- <key>firstVisibleColumn</key>
- <integer>0</integer>
- <key>firstVisibleLine</key>
- <integer>1</integer>
- </dict>
- <key>filemap.c</key>
- <dict>
- <key>caret</key>
- <dict>
- <key>column</key>
- <integer>5</integer>
- <key>line</key>
- <integer>41</integer>
- </dict>
- <key>firstVisibleColumn</key>
- <integer>0</integer>
- <key>firstVisibleLine</key>
- <integer>83</integer>
- </dict>
- <key>filemap.h</key>
- <dict>
- <key>caret</key>
- <dict>
- <key>column</key>
- <integer>0</integer>
- <key>line</key>
- <integer>8</integer>
- </dict>
- <key>firstVisibleColumn</key>
- <integer>0</integer>
- <key>firstVisibleLine</key>
- <integer>5</integer>
- </dict>
- <key>grammar.y</key>
- <dict>
- <key>caret</key>
- <dict>
- <key>column</key>
- <integer>25</integer>
- <key>line</key>
- <integer>748</integer>
- </dict>
- <key>firstVisibleColumn</key>
- <integer>0</integer>
- <key>firstVisibleLine</key>
- <integer>730</integer>
- </dict>
- <key>lex.h</key>
- <dict>
- <key>caret</key>
- <dict>
- <key>column</key>
- <integer>0</integer>
- <key>line</key>
- <integer>25</integer>
- </dict>
- <key>firstVisibleColumn</key>
- <integer>0</integer>
- <key>firstVisibleLine</key>
- <integer>0</integer>
- </dict>
- <key>lex.l</key>
- <dict>
- <key>caret</key>
- <dict>
- <key>column</key>
- <integer>40</integer>
- <key>line</key>
- <integer>57</integer>
- </dict>
- <key>firstVisibleColumn</key>
- <integer>0</integer>
- <key>firstVisibleLine</key>
- <integer>140</integer>
- </dict>
- <key>libyara.c</key>
- <dict>
- <key>caret</key>
- <dict>
- <key>column</key>
- <integer>52</integer>
- <key>line</key>
- <integer>403</integer>
- </dict>
- <key>firstVisibleColumn</key>
- <integer>0</integer>
- <key>firstVisibleLine</key>
- <integer>116</integer>
- </dict>
- <key>mem.c</key>
- <dict>
- <key>caret</key>
- <dict>
- <key>column</key>
- <integer>28</integer>
- <key>line</key>
- <integer>73</integer>
- </dict>
- <key>firstVisibleColumn</key>
- <integer>0</integer>
- <key>firstVisibleLine</key>
- <integer>1</integer>
- </dict>
- <key>mem.h</key>
- <dict>
- <key>caret</key>
- <dict>
- <key>column</key>
- <integer>0</integer>
- <key>line</key>
- <integer>16</integer>
- </dict>
- <key>columnSelection</key>
- <false/>
- <key>firstVisibleColumn</key>
- <integer>0</integer>
- <key>firstVisibleLine</key>
- <integer>0</integer>
- <key>selectFrom</key>
- <dict>
- <key>column</key>
- <integer>14</integer>
- <key>line</key>
- <integer>17</integer>
- </dict>
- <key>selectTo</key>
- <dict>
- <key>column</key>
- <integer>0</integer>
- <key>line</key>
- <integer>16</integer>
- </dict>
- </dict>
- <key>pe.h</key>
- <dict>
- <key>caret</key>
- <dict>
- <key>column</key>
- <integer>0</integer>
- <key>line</key>
- <integer>0</integer>
- </dict>
- <key>firstVisibleColumn</key>
- <integer>0</integer>
- <key>firstVisibleLine</key>
- <integer>117</integer>
- </dict>
- <key>pefile.c</key>
- <dict>
- <key>caret</key>
- <dict>
- <key>column</key>
- <integer>0</integer>
- <key>line</key>
- <integer>0</integer>
- </dict>
- <key>firstVisibleColumn</key>
- <integer>0</integer>
- <key>firstVisibleLine</key>
- <integer>74</integer>
- </dict>
- <key>pefile.h</key>
- <dict>
- <key>caret</key>
- <dict>
- <key>column</key>
- <integer>11</integer>
- <key>line</key>
- <integer>16</integer>
- </dict>
- <key>firstVisibleColumn</key>
- <integer>0</integer>
- <key>firstVisibleLine</key>
- <integer>0</integer>
- </dict>
- <key>scan.c</key>
- <dict>
- <key>caret</key>
- <dict>
- <key>column</key>
- <integer>1</integer>
- <key>line</key>
- <integer>721</integer>
- </dict>
- <key>firstVisibleColumn</key>
- <integer>0</integer>
- <key>firstVisibleLine</key>
- <integer>338</integer>
- </dict>
- <key>scan.h</key>
- <dict>
- <key>caret</key>
- <dict>
- <key>column</key>
- <integer>16</integer>
- <key>line</key>
- <integer>19</integer>
- </dict>
- <key>firstVisibleColumn</key>
- <integer>0</integer>
- <key>firstVisibleLine</key>
- <integer>0</integer>
- </dict>
- <key>sizedstr.h</key>
- <dict>
- <key>caret</key>
- <dict>
- <key>column</key>
- <integer>25</integer>
- <key>line</key>
- <integer>25</integer>
- </dict>
- <key>columnSelection</key>
- <false/>
- <key>firstVisibleColumn</key>
- <integer>0</integer>
- <key>firstVisibleLine</key>
- <integer>0</integer>
- <key>selectFrom</key>
- <dict>
- <key>column</key>
- <integer>16</integer>
- <key>line</key>
- <integer>25</integer>
- </dict>
- <key>selectTo</key>
- <dict>
- <key>column</key>
- <integer>25</integer>
- <key>line</key>
- <integer>25</integer>
- </dict>
- </dict>
- <key>yara.h</key>
- <dict>
- <key>caret</key>
- <dict>
- <key>column</key>
- <integer>24</integer>
- <key>line</key>
- <integer>169</integer>
- </dict>
- <key>firstVisibleColumn</key>
- <integer>0</integer>
- <key>firstVisibleLine</key>
- <integer>153</integer>
- </dict>
- </dict>
- <key>openDocuments</key>
- <array>
- <string>filemap.c</string>
- <string>filemap.h</string>
- <string>pe.h</string>
- <string>yara.h</string>
- <string>scan.h</string>
- <string>sizedstr.h</string>
- <string>pefile.h</string>
- <string>pefile.c</string>
- <string>eval.c</string>
- <string>../yara.c</string>
- <string>libyara.c</string>
- <string>grammar.y</string>
- <string>lex.l</string>
- <string>lex.h</string>
- <string>scan.c</string>
- <string>eval.h</string>
- <string>mem.h</string>
- <string>mem.c</string>
- <string>ast.c</string>
- <string>ast.h</string>
- </array>
- <key>showFileHierarchyDrawer</key>
- <true/>
- <key>windowFrame</key>
- <string>{{159, 51}, {1112, 727}}</string>
-</dict>
-</plist>
diff --git a/yara-python/README b/yara-python/README
index d76d361..506d024 100644
--- a/yara-python/README
+++ b/yara-python/README
@@ -14,13 +14,13 @@ yara-python depends on libyara, a library that implements YARA's core functions.
must build and install YARA in your system before building yara-python. The latest
YARA version can be downloaded from:
-http://yara.googlecode.com/files/yara-1.2.1.tar.gz
+http://yara.googlecode.com/files/yara-1.3.tar.gz
After installing YARA you can build yara-python this way:
-$ tar xzvf yara-python-1.2.1.tar.gz
-$ cd yara-python-1.2.1
+$ tar xzvf yara-python-1.3.tar.gz
+$ cd yara-python-1.3
$ python setup.py build
$ sudo python setup.py install
@@ -33,7 +33,6 @@ Type "help", "copyright", "credits" or "license" for more information.
>>> import yara
>>>
-
In some operating systems (e.g: Ubuntu) you can get an error message like this one:
Traceback (most recent call last):
@@ -44,7 +43,8 @@ ImportError: libyara.so.0: cannot open shared object file: No such file or direc
If you get the previous error you should add the path /usr/local/lib to the loader
configuration file:
-$ sudo echo "/usr/local/lib" >> /etc/ld.so.conf
+$ sudo su
+$ echo "/usr/local/lib" >> /etc/ld.so.conf
$ ldconfig
@@ -52,15 +52,96 @@ HOW TO USE
==========
YARA can be also invoked from your own Python scripts. The yara-python extension is
-provided in order to make YARA functionality available to Python users. Once yara-python
-is built and installed on your system you can use it as shown below:
import yara
Then you will need to compile your YARA rules before applying them to your data, the
-rules can be compiled from a file path:
rules = yara.compile(filepath='/foo/bar/myrules')
The default argument is filepath, so you don't need to explicitly specify its name:
rules = yara.compile('/foo/bar/myrules')
You can also compile your rules from a file object:
fh = open('/foo/bar/myrules')
rules = yara.compile(file=fh)
fh.close()
Or you can compile them from a Python string:
rules = yara.compile(source='rule dummy { condition: true }')
In the three cases compile returns an instance of the class Rules, which in turn has
-a match method:
matches = rules.match('/foo/bar/myfile')
But you can also apply he rules to a Python string:
f = fopen('/foo/bar/myfile', 'rb')
matches = rules.match(data=f.read())
Both in both cases a list of instances of the class Match is returned. The instances
-of this class can be treated as text strings containing the name of the matching rule.
-For example you can print them:
foreach m in matches:
print "%s" % m
In some circumstances you may need to explicitly convert the instance of Match to string,
-for example when comparing it with another string:
if str(matches[0]) == 'SomeRuleName':
...
The Match class have another two attributes: tags and strings. The tags attribute is a
-list of strings containing the tags associated to the rule. The strings attribute is a
-dictionary whose values are those strings within the data that made the YARA rule match,
-and the keys are the offsets where those strings were found.
+provided in order to make YARA functionality available to Python users. Once yara-python
+is built and installed on your system you can use it as shown below:
+
+import yara
+
+Then you will need to compile your YARA rules before applying them to your data, the
+rules can be compiled from a file path:
+
+rules = yara.compile(filepath='/foo/bar/myrules')
+
+The default argument is filepath, so you don't need to explicitly specify its name:
+
+rules = yara.compile('/foo/bar/myrules')
+
+You can also compile your rules from a file object:
+
+fh = open('/foo/bar/myrules')
+rules = yara.compile(file=fh)
+fh.close()
+
+Or you can compile them directly from a Python string:
+
+rules = yara.compile(source='rule dummy { condition: true }')
+
+If you want to compile a group of files or strings at the same time you can do it by
+using the filepaths or sources named arguments:
+
+rules = yara.compile(filepaths={
+
+ 'namespace1':'/my/path/rules1',
+ 'namespace2':'/my/path/rules2'
+})
+
+rules = yara.compile(sources={
+
+ 'namespace1':'rule dummy { condition: true }',
+ 'namespace2':'rule dummy { condition: false }'
+})
+
+Notice that both filepaths and sources must be dictionaries with keys of string type.
+The dictionary keys are used as a namespace identifier, allowing to differentiate between
+rules with the same name in different sources, as occurs in the second example with the
+�dummy� name.
+
+The compile method also have an optional boolean parameter named includes which allows
+you to control whether or not the include directive should be accepted in the source files,
+for example:
+
+rules = yara.compile('/foo/bar/myrules', includes=False)
+
+If the source file contains include directives the previous line would raise an exception.
+
+In all cases compile returns an instance of the class Rules, which in turn has a match method:
+
+matches = rules.match('/foo/bar/myfile')
+
+But you can also apply he rules to a Python string:
+
+f = fopen('/foo/bar/myfile', 'rb')
+
+matches = rules.match(data=f.read())
+
+The match method returns a list of instances of the class Match. The instances of this
+class can be treated as text strings containing the name of the matching rule. For example
+you can print them:
+
+foreach m in matches:
+ print "%s" % m
+
+In some circumstances you may need to explicitly convert the instance of Match to string,
+for example when comparing it with another string:
+
+if str(matches[0]) == 'SomeRuleName':
+ ...
+
+The Match class have the following attributes:
+
+rule
+namespace
+meta
+tags
+strings
+
+The rule and namespace attributes are the names of the matching rule and its namespace
+respectively.
+
+The meta attribute is a dictionary containing the metadata associated to the rule, where
+the metadata identifiers are the dictionary keys.
+The tags attribute is a list of strings containing the tags associated to the rule, and
+the strings attribute is a dictionary whose values are those strings within the data that
+made the YARA rule match, and the keys are the offsets where those strings were found.
diff --git a/yara.c b/yara.c
index c6db30d..fb62f33 100644
--- a/yara.c
+++ b/yara.c
@@ -56,7 +56,7 @@ IDENTIFIER* specified_rules_list = NULL;
void show_help()
{
- printf("usage: yara [ -t tag ] [ -i identifier ] [ -n ] [ -g ] [ -s ] [ -r ] [ -v ] [RULEFILE...] FILE\n");
+ printf("usage: yara [ -t tag ] [ -i identifier ] [ -n ] [ -g ] [ -m ] [ -s ] [ -r ] [ -v ] [RULEFILE...] FILE\n");
printf("options:\n");
printf(" -t <tag> print rules tagged as <tag> and ignore the rest. Can be used more than once.\n");
printf(" -i <identifier> print rules named <identifier> and ignore the rest. Can be used more than once.\n");
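Review bot: The usage synopsis now advertises `-m`, but the per-option description lines visible at the end of the hunk cover only `-t` and `-i`, so confirm that a matching `printf(" -m ...")` line is added to the option list further down, otherwise the flag is documented in the synopsis only. The definition `void show_help()` at the top of the hunk uses an empty parameter list, which in C is an unprototyped declaration; `void show_help(void)` lets the compiler reject accidental arguments. show_help's body continues past the end of the hunk.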
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git