Necroing this thread to ask if anyone found a solution to this? I can pass "externals" to `yara.compile` in Python, but am limited to integer, string or boolean; most YARA rules for VT reference layered objects such as `vt.metadata.main_icon.dhash == "002323332b2b0b0b"`. As far as I know, VT hasn't made the "vt" module public, so we can't use their protobuf/structure without some guesswork?
On Thursday, September 3, 2020 at 3:16:01 PM UTC-5 [email protected] wrote:
> Thank you for the response,
>
> 1) Yes, validation that rules compile is the primary request.
> 1a) Validation that a rule that uses the "vt" module matches a local file would be useful, but that does not seem reasonable.
>
> 2) Yes, a REST API to validate that a rule compiles would work, since the module is not going to be available.
> 2a) Having feedback about what the errors are is preferred, similar to the current feedback when compiling rules locally.
>
> Please let me know if clarification is needed for any of those answers.
>
> On Thursday, September 3, 2020 at 7:54:42 PM UTC+2 [email protected] wrote:
>> Hi,
>>
>> I have two questions about your issue:
>>
>> 1) You only want to make sure that the rules compile, right? You don't want to be able to control the values of variables like vt.metadata.new_file, is that correct?
>> 2) A REST API that you could call for checking the syntax would work for you?
>>
>> Regards,
>> Víctor
>>
>> On Wed, Sep 2, 2020 at 10:30 PM [email protected] <[email protected]> wrote:
>>> Is there a way to test VirusTotal Livehunt rules that use the new import "vt" module instead of the deprecated externals?
>>>
>>> I was using a CI runner to compile YARA rules with yara-python before deployment to ensure that the rules compile before deploying them to VirusTotal LiveHunt.
>>>
>>> For example, I often use this rule to only match on new files.
>>>
>>> global private rule new_files_only { condition: new_file }
>>>
>>> Unfortunately, I have found no way to test rules when the "vt" module is used, like this rule, which also filters to only match new files.
>>>
>>> import "vt"
>>> global private rule new_files_only { condition: vt.metadata.new_file }
>>>
>>> There may be similar issues where other rules that use the "vt" module will not match the intended files, because there was no way to test the rule effectively.
>>>
>>> I asked technical support, and they responded that "vt" is an internal module that cannot be used.
>>>
>>> Can a dummy version be provided? The documentation appears to provide a definition of all of the data types that are exposed for use in Livehunt rules.
>>>
>>> https://support.virustotal.com/hc/en-us/articles/360007088057-Writing-YARA-rules-for-Livehunt
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "YARA" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To view this discussion on the web visit https://groups.google.com/d/msgid/yara-project/d27462db-eef7-4ada-a149-5f25a9ab52afn%40googlegroups.com <https://groups.google.com/d/msgid/yara-project/d27462db-eef7-4ada-a149-5f25a9ab52afn%40googlegroups.com?utm_medium=email&utm_source=footer>.
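An added example of the CI pre-check discussed in this thread (my own code, not from the thread or from VirusTotal): legacy-style rules are compiled with yara-python using placeholder externals, while rules that `import "vt"` are reported as not locally compilable together with the `vt.*` fields they reference, so those can be checked by hand against the Livehunt documentation. The placeholder value for `new_file`, the `vt.*` field regex and the report format are assumptions.

```python
"""Pre-deployment check for VirusTotal Livehunt YARA rules (added example, not VT's code)."""
import re
from typing import Dict, List, Union

# Placeholder externals for rules written in the deprecated Livehunt style.
# Only "new_file" appears in the thread; its value is an assumption for compile-checking.
LEGACY_EXTERNALS: Dict[str, Union[int, str, bool]] = {"new_file": True}

# A line consisting solely of the vt module import (assumed form).
VT_IMPORT = re.compile(r'^\s*import\s+"vt"\s*$', re.MULTILINE)
# Dotted paths such as vt.metadata.new_file or vt.metadata.main_icon.dhash (assumed form).
VT_FIELD = re.compile(r'\bvt(?:\.[A-Za-z_][A-Za-z0-9_]*)+')


def vt_fields(source: str) -> List[str]:
    """Return the sorted, de-duplicated vt.* paths a rule references; [] if it does not import vt."""
    if not VT_IMPORT.search(source):
        return []
    return sorted(set(VT_FIELD.findall(source)))


def check_rule(source: str, externals=LEGACY_EXTERNALS) -> dict:
    """Classify one rule and, when the rule does not need the vt module, compile it with yara-python.

    Rules importing "vt" cannot be compiled outside VirusTotal, so they are reported as
    'unverifiable' with the vt.* fields they use, for manual review against the documentation.
    """
    fields = vt_fields(source)
    if fields:
        return {"status": "unverifiable", "vt_fields": fields, "error": None}
    try:
        import yara  # yara-python; imported lazily so the classifier works without it
    except ImportError:
        return {"status": "skipped", "vt_fields": [], "error": "yara-python not installed"}
    try:
        yara.compile(source=source, externals=externals)
    except yara.SyntaxError as exc:  # message includes the offending line, as local compiles do
        return {"status": "error", "vt_fields": [], "error": str(exc)}
    return {"status": "ok", "vt_fields": [], "error": None}


# The rules from the thread, plus the icon-hash condition from the first post.
LEGACY_RULE = "global private rule new_files_only { condition: new_file }"
VT_RULE = 'import "vt"\nglobal private rule new_files_only { condition: vt.metadata.new_file }'
ICON_RULE = 'import "vt"\nrule icon { condition: vt.metadata.main_icon.dhash == "002323332b2b0b0b" }'

if __name__ == "__main__":
    for name, src in (("legacy", LEGACY_RULE), ("vt", VT_RULE), ("icon", ICON_RULE)):
        print(name, check_rule(src))
```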
