yaraQA: YARA rule analyzer

yaraQA

YARA rule Analyzer to improve rule quality and performance

Why?

YARA rules can be syntactically correct but still dysfunctional. yaraQA tries to find and report these issues to the author or maintainer of a YARA rule set.

The issues yaraQA tries to detect are e.g.:

• rules that are syntactically correct but never match due to errors in the condition (e.g. rule with one string and 2 of them in the condition)
• rules that use string and modifier combinations that are probably wrong (e.g. $ = “\\Debug\\” fullword)
• performance issues caused by short atoms, repeating characters, or loops (e.g. $ = “AA”; can be excluded from the analysis using –ignore-performance)

Install

git clone https://github.com/Neo23x0/yaraQA.git
cd yaraQA
pip install -r requirements.txt

Use

usage: yaraQA.py [-h] [-f yara files [yara files ...]] [-d yara files [yara files ...]] [-o outfile] [-b baseline] [-l level]

                 [--ignore-performance] [--debug]



YARA RULE ANALYZER



optional arguments:

  -h, --help            show this help message and exit

  -f yara files [yara files ...]

                        Path to input files (one or more YARA rules, separated by space)

  -d yara files [yara files ...]

                        Path to input directory (YARA rules folders, separated by space)

  -o outfile            Output file that lists the issues

  -b baseline           Use a issues baseline (issues found and reviewed before) to filter issues

  -l level              Minium level to show (1=informational, 2=warning, 3=critical)

  --ignore-performance  Suppress performance-related rule issues

  --debug               Debug output

Example

Suppress all performance issues and only show detection / logic issues.

Suppress all issues of informational character

Use a baseline to only see new issues (not the ones that you’ve already reviewed). The baseline file is an old JSON output of a reviewed state.

Copyright (C) 2023 Neo23x0 

Source: https://github.com/Neo23x0/