Hi, I have two questions about your issue:
1) You only want to make sure that the rules compile, right? You don't want to be able to control the values of variables like vt.metadata.new_file, is that correct?
2) A REST API that you could call for checking the syntax would work for you?

Regards,
Víctor

On Wed, Sep 2, 2020 at 10:30 PM [email protected] <[email protected]> wrote:

> Is there a way to test VirusTotal Livehunt rules that use the new import "vt" module instead of the deprecated externals?
>
> I was using a CI runner to compile YARA rules with yara-python before deployment to ensure that the rules compile before deploying them to VirusTotal LiveHunt.
>
> For example, I often use this rule to only match on new files.
>
> global private rule new_files_only { condition: new_file }
>
> Unfortunately, I have found no way to test rules when the "vt" module is used, like this rule, which also only filters to only match new files.
>
> import "vt"
> global private rule new_files_only { condition: vt.metadata.new_file }
>
> There may be similar issues where other rules that use the "vt" module will not match the intended files, because there was no way to test the rule effectively.
>
> I asked technical support, and they responded that "vt" is an internal module that cannot be used.
>
> Can a dummy version be provided? The documentation appears to provide a definition of all of the data types that are exposed for use in Livehunt rules.
>
> https://support.virustotal.com/hc/en-us/articles/360007088057-Writing-YARA-rules-for-Livehunt
