VirusTotal / yara-python

The Python interface for YARA

Home Page: http://virustotal.github.io/yara/

[Possible bug] Is it possible to compile more than one rule at once?

Ana06 opened this issue · comments

I have the following two rules, in different files, where the second references the first one:

rule Rule1
{
    strings:
        $a = "Hello"

    condition:
        $a
}

rule Rule2
{
    strings:
        $a = "World"

    condition:
        $a and Rule1
}

and the file text.txt:

Hello World

With yara (64 windows, version 4.1.3) I am able to load both rules and match them:

yara64.exe rule1.yara rule2.yara test.txt
Rule1 test.txt
Rule2 test.txt

In yara-python (also version 4.1.3), the documentation doesn't mention explicitly how to compile more than one rule, but I was expecting the following to work:

>>> rules = yara.compile('rule1.yara', 'rule2.yara')
>>> rules.match('test.txt')
[Rule1]

As you see, only the first rule is matched. In fact, it seems the second rule is completely ignored as compile('rule1.yara', 'rule2.yara') still works if rule2.yara has syntax errors.

This is confusing behavior. Is this a bug? How can I compile more than one rule at once where one references another one (same namespace)?

yara-python doesn't offer a way for compiling multiple files within the same namespace; you can compile multiple files, but each in a different namespace.

I think the argument validation for the compile function should be improved; your example should have failed with some error.
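
One workaround for the limitation described in the reply, as an added example that is not from the thread or the yara-python project: build a single source string whose `include` directives pull in each file, so every rule compiles into the same namespace and a missing or broken file raises an error instead of being ignored. The helper names `build_index`, `compile_same_namespace` and `demo` are hypothetical, and the one-line sample rules are constructed from the rules in the issue.

```python
import os
import tempfile

# Constructed sample rules, condensed from the two rules in the issue text.
RULE1 = 'rule Rule1 { strings: $a = "Hello" condition: $a }\n'
RULE2 = 'rule Rule2 { strings: $a = "World" condition: $a and Rule1 }\n'


def build_index(paths):
    """Build one YARA source that includes every file, in the order given.

    Order matters: a rule can only reference rules defined before it.
    """
    lines = []
    for path in paths:
        full = os.path.abspath(path)
        if not os.path.isfile(full):
            # Fail loudly instead of silently skipping a rule file.
            raise FileNotFoundError(full)
        if '"' in full or "\n" in full:
            raise ValueError("path cannot be quoted in an include: %r" % full)
        lines.append('include "%s"' % full)
    return "\n".join(lines) + "\n"


def compile_same_namespace(paths):
    """Compile all files into the default namespace; raises yara.SyntaxError."""
    import yara  # yara-python, imported lazily so build_index works without it
    return yara.compile(source=build_index(paths))


def demo():
    """Write the two rules to temporary files and scan b'Hello World'."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, text in (("rule1.yara", RULE1), ("rule2.yara", RULE2)):
            paths.append(os.path.join(tmp, name))
            with open(paths[-1], "w") as fh:
                fh.write(text)
        rules = compile_same_namespace(paths)
        return sorted(m.rule for m in rules.match(data=b"Hello World"))


if __name__ == "__main__":
    print(demo())
```

Pass the files in dependency order, as with the `yara64.exe rule1.yara rule2.yara` command line in the issue.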