Class: Yara::Rules

Inherits:

Object

• Object
• Yara::Rules

Defined in:

ext/yara_native/Rules.c,
lib/yara.rb,
ext/yara_native/Rules.c

Overview

Encapsulates a Yara context against which you can compile rules and scan inputs.

Instance Method Summary

• #compile_file(rb_fname) ⇒ Object

  call-seq: rules.compile_file(filename) -> nil.

• #compile_string(rb_rules) ⇒ Object

  call-seq: rules.compile_string(rules_string) -> nil.

• #current_namespace ⇒ Object

  call-seq: rules.current_namespace() -> String.

• #namespaces ⇒ String

  call-seq: rules.namespaces() -> Array.

• #scan_file(rb_fname) ⇒ Yara::Match

  call-seq: rules.scan_file(filename) -> Array.

• #scan_string(rb_dat) ⇒ Yara::Match

  call-seq: rules.scan_string(buf) -> Array.

• #set_namespace(rb_namespace) ⇒ Object

  call-seq: rules.set_namespace(name) -> nil.

• #weight ⇒ Object

  call-seq: rules.weight() -> Fixnum.

Instance Method Details

#compile_file(rb_fname) ⇒ Object

call-seq:

rules.compile_file(filename) -> nil

Compiles rules taken from a file by its filename. This method can be called more than once using multiple rules strings and can be used in combination with compile_file.

To avoid namespace conflicts, you can use set_namespace before compiling rules.

Parameters:

• String —

  filename The name of a yara rules file to compile.

Raises:

• Yara::CompileError An exception is raised if a compile error occurs.

# File 'ext/yara_native/Rules.c', line 56

VALUE rules_compile_file(VALUE self, VALUE rb_fname) {
  FILE * file;
  char * fname;
  YARA_CONTEXT *ctx;
  char error_message[256];

  Check_Type(rb_fname, T_STRING);
  fname = RSTRING_PTR(rb_fname);

  if( !(file=fopen(fname, "r")) ) {
    rb_raise(error_CompileError, "No such file: %s", fname);
  } else {
    Data_Get_Struct(self, YARA_CONTEXT, ctx);

    if( yr_compile_file(file, ctx) != 0 ) {
      yr_get_error_message(ctx, error_message, sizeof(error_message));
      fclose(file);
      rb_raise(error_CompileError, "Syntax Error - %s(%d): %s", fname, ctx->last_error_line, error_message);
    }

    yr_push_file_name(ctx, fname);
    fclose(file);
    return Qtrue;
  }
}

#compile_string(rb_rules) ⇒ Object

call-seq:

rules.compile_string(rules_string) -> nil

Compiles rules taken from a ruby string. This method can be called more than once using multiple rules strings and can be used in combination with compile_file.

To avoid namespace conflicts, you can use set_namespace before compiling rules.

Parameters:

• String —

  rules_string A string containing yara rules text.

Raises:

• Yara::CompileError An exception is raised if a compile error occurs.

# File 'ext/yara_native/Rules.c', line 99

VALUE rules_compile_string(VALUE self, VALUE rb_rules) {
  YARA_CONTEXT *ctx;
  char *rules;
  char error_message[256];

  Check_Type(rb_rules, T_STRING);
  rules = RSTRING_PTR(rb_rules);
  Data_Get_Struct(self, YARA_CONTEXT, ctx);

  if( yr_compile_string(rules, ctx) != 0) {
      yr_get_error_message(ctx, error_message, sizeof(error_message));
      rb_raise(error_CompileError, "Syntax Error - line(%d): %s", ctx->last_error_line, error_message);
  }

  return Qtrue;
}

#current_namespace ⇒ Object

call-seq:

rules.current_namespace() -> String

Returns:

• String Returns the name of the currently active namespace.

# File 'ext/yara_native/Rules.c', line 140

VALUE rules_current_namespace(VALUE self) {
  YARA_CONTEXT *ctx;
  Data_Get_Struct(self, YARA_CONTEXT, ctx);
  if(ctx->current_namespace && ctx->current_namespace->name)
    return rb_str_new2(ctx->current_namespace->name);
  else
    return Qnil;
}

#namespaces ⇒ String

call-seq:

rules.namespaces() -> Array

Returns:

• (String) —

  Returns the namespaces available in this rules context.

# File 'ext/yara_native/Rules.c', line 157

VALUE rules_namespaces(VALUE self) {
  YARA_CONTEXT *ctx;
  NAMESPACE *ns;
  VALUE ary = rb_ary_new();

  Data_Get_Struct(self, YARA_CONTEXT, ctx);
  ns = ctx->namespaces;
  while(ns && ns->name) {
    rb_ary_push(ary, rb_str_new2(ns->name));
    ns = ns->next;
  }
  return ary;
}

#scan_file(rb_fname) ⇒ Yara::Match

call-seq:

rules.scan_file(filename) -> Array

Scans a file using the compiled rules supplied with either compile_file or compile_string (or both).

Parameters:

• String —

  filename The name of a file to scan with yara.

Returns:

• (Yara::Match) —

  An array of Yara::Match objects found in the file.

Raises:

• Yara::ScanError Raised if an error occurs while scanning the file.

# File 'ext/yara_native/Rules.c', line 250

VALUE rules_scan_file(VALUE self, VALUE rb_fname) {
  YARA_CONTEXT *ctx;
  VALUE results;
  unsigned int ret;
  char *fname;

  Check_Type(rb_fname, T_STRING);
  results = rb_ary_new();
  Data_Get_Struct(self, YARA_CONTEXT, ctx);
  fname = RSTRING_PTR(rb_fname);

  ret = yr_scan_file(fname, ctx, scan_callback, &results);
  if (ret == ERROR_COULD_NOT_OPEN_FILE)
    rb_raise(error_ScanError, "Could not open file: '%s'", fname);
  else if (ret != 0)
    rb_raise(error_ScanError, "A error occurred while scanning: %s", 
        ((ret > MAX_SCAN_ERROR)? "unknown error" : SCAN_ERRORS[ret]));

  return results;
}

#scan_string(rb_dat) ⇒ Yara::Match

call-seq:

rules.scan_string(buf) -> Array

Scans a ruby string using the compiled rules supplied with either compile_file or compile_string (or both).

Parameters:

• String —

  buf The string buffer to scan with yara.

Returns:

• (Yara::Match) —

  An array of Yara::Match objects found in the string.

Raises:

• Yara::ScanError Raised if an error occurs while scanning the string.

# File 'ext/yara_native/Rules.c', line 287

VALUE rules_scan_string(VALUE self, VALUE rb_dat) {
  YARA_CONTEXT *ctx;
  VALUE results;
  char *buf;
  long buflen;
  int ret;

  Check_Type(rb_dat, T_STRING);
  buf = RSTRING_PTR(rb_dat);
  buflen = RSTRING_LEN(rb_dat);

  results = rb_ary_new();

  Data_Get_Struct(self, YARA_CONTEXT, ctx);

  ret = yr_scan_mem(buf, buflen, ctx, scan_callback, &results);
  if (ret != 0)
    rb_raise(error_ScanError, "A error occurred while scanning: %s", 
        ((ret > MAX_SCAN_ERROR)? "unknown error" : SCAN_ERRORS[ret]));

  return results;
}

#set_namespace(rb_namespace) ⇒ Object

call-seq:

rules.set_namespace(name) -> nil

Sets the current namespace to the given name. If the namespace does not yet exist it is added.

To avoid namespace conflicts, you can use set_namespace before compiling rules.

Parameters:

• String —

  name The namespace to set.

# File 'ext/yara_native/Rules.c', line 197

VALUE rules_set_namespace(VALUE self, VALUE rb_namespace) {
  YARA_CONTEXT *ctx;
  NAMESPACE *ns = NULL;
  const char *name;

  Check_Type(rb_namespace, T_STRING);
  name = RSTRING_PTR(rb_namespace);

  Data_Get_Struct(self, YARA_CONTEXT, ctx);

  if (!(ns = find_namespace(ctx, name)))
      ns = yr_create_namespace(ctx, name);

  if (ns) {
    ctx->current_namespace = ns;
    return rb_namespace;
  } else {
    return Qnil;
  }

}

#weight ⇒ Object

call-seq:

rules.weight() -> Fixnum

Returns:

• Fixnum returns a weight value for the compiled rules.

# File 'ext/yara_native/Rules.c', line 126

VALUE rules_weight(VALUE self) {
  YARA_CONTEXT *ctx;
  Data_Get_Struct(self, YARA_CONTEXT, ctx);
  return INT2NUM(yr_calculate_rules_weight(ctx));
}