[Possible bug] Is it possible to compile more than one rule at once?
Ana06 opened this issue · comments
I have the following two rules, in different files, where the second reference the first one :
rule Rule1
{
strings:
$a = "Hello"
condition:
$a
}
rule Rule2
{
strings:
$a = "World"
condition:
$a and Rule1
}
and the file text.txt
:
Hello World
With yara (64 windows, version 4.1.3) I am able to load both rules and match them:
yara64.exe rule1.yara rule2.yara test.txt
Rule1 test.txt
Rule2 test.txt
In yara-python (also version 4.1.3), the documentation doesn't mention explicitly how to compile more than one rule, but I was expecting the following to work:
>>> rules = yara.compile('rule1.yara', 'rule2.yara')
>>> rules.match('test.txt')
[Rule1]
As you see, only the first rule is matched. In fact, it seems the second rule is completely ignored as compile('rule1.yara', 'rule2.yara')
still works if rule2.yara
has syntax errors.
This is a confusing behavior. Is this a bug? How can I compile more than one rule at once where one reference another one (same namespace)?
yara-python
doesn't offer a way for compiling multiple files within the same namespace, you can compile multiple files but each on a different namespace.
I think the argument validation for the compile
function should be improved, your example should have failed with some error.