This project looks like a solid start at solving this problem: https://github.com/usualsuspect/yara_vt_mock
On Wednesday, May 17, 2023 at 3:41:57 PM UTC-5 Derek Thomas wrote:
> Necroing this thread to ask if anyone found a solution to this? I can pass "externals" to the yara.compile in python, but am limited to integer, string or boolean; most yara rules for VT reference layered objects such as `vt.metadata.main_icon.dhash == "002323332b2b0b0b"`. As far as I know, VT hasn't made the VT module public so we can't use their protobuf/structure without some guesswork?
>
> On Thursday, September 3, 2020 at 3:16:01 PM UTC-5 [email protected] wrote:
>> Thank you for the response,
>>
>> 1) Yes, validation that rules compile is the primary request.
>> 1a) Validation that a rule that uses the "vt" module matches a local file would be useful, but that does not seem reasonable.
>>
>> 2) Yes, a REST API to validate that a rule compiles would work, since the module is not going to be available.
>> 2a) Having feedback about what errors is preferred, similar to the current feedback when compiling rules locally.
>>
>> Please let me know if clarification is needed for any of those answers.
>>
>> On Thursday, September 3, 2020 at 7:54:42 PM UTC+2 [email protected] wrote:
>>> Hi,
>>>
>>> I have two questions about your issue:
>>>
>>> 1) You only want to make sure that the rules compile, right? You don't want to be able to control the values of variables like vt.metadata.new_file, is that correct?
>>> 2) A REST API that you could call for checking the syntax would work for you?
>>>
>>> Regards,
>>> Víctor
>>>
>>> On Wed, Sep 2, 2020 at 10:30 PM [email protected] <[email protected]> wrote:
>>>> Is there a way to test VirusTotal Livehunt rules that use the new import "vt" module instead of the deprecated externals?
>>>>
>>>> I was using a CI runner to compile YARA rules with yara-python before deployment to ensure that the rules compile before deploying them to VirusTotal LiveHunt.
>>>>
>>>> For example, I often use this rule to only match on new files.
>>>>
>>>>     global private rule new_files_only { condition: new_file }
>>>>
>>>> Unfortunately, I have found no way to test rules when the "vt" module is used, like this rule, which also filters to only match new files.
>>>>
>>>>     import "vt"
>>>>     global private rule new_files_only { condition: vt.metadata.new_file }
>>>>
>>>> There may be similar issues where other rules that use the "vt" module will not match the intended files, because there was no way to test the rule effectively.
>>>>
>>>> I asked technical support, and they responded that "vt" is an internal module that cannot be used.
>>>>
>>>> Can a dummy version be provided? The documentation appears to provide a definition of all of the data types that are exposed for use in Livehunt rules.
>>>>
>>>> https://support.virustotal.com/hc/en-us/articles/360007088057-Writing-YARA-rules-for-Livehunt
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "YARA" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> To view this discussion on the web visit https://groups.google.com/d/msgid/yara-project/d27462db-eef7-4ada-a149-5f25a9ab52afn%40googlegroups.com
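An added example (not from the thread, and not the yara_vt_mock project) of the compile-only workaround Derek's post hints at: every dotted vt.* reference is flattened into a yara-python external whose type is guessed from the comparison it appears in, so that rules with `import "vt"` at least get the CI syntax check the original poster asked for. It assumes yara-python is installed for check_compiles(); the rewrite itself needs only the standard library, and it handles scalar comparisons only, not iteration over vt.* collections or vt enum constants.

```python
import re

# Constructed sample: the two rules from the thread, merged into one rule.
SAMPLE_RULE = '''import "vt"

global private rule new_files_only {
  condition:
    vt.metadata.new_file and
    vt.metadata.main_icon.dhash == "002323332b2b0b0b"
}
'''

# A dotted "vt" module reference, e.g. vt.metadata.main_icon.dhash.
VT_REF = re.compile(r"\bvt(?:\.[A-Za-z_][A-Za-z0-9_]*)+")
IMPORT_VT = re.compile(r'^\s*import\s+"vt"\s*$', re.MULTILINE)
COMPARISON = re.compile(r"(==|!=|<=|>=|<|>|contains|matches)\s*(.*)", re.DOTALL)


def rewrite_vt_rule(source):
    """Drop `import "vt"` and flatten every vt.* reference to an external.

    Returns (rewritten_source, externals). The type of each external is a
    guess (an assumption of this helper, not yara's behaviour) taken from
    the right-hand side of a comparison: quoted string -> str, digit -> int,
    anything else or no comparison -> bool. The rewrite only makes the rule
    compile; it cannot tell whether the field exists in the real vt module.
    """
    stripped = IMPORT_VT.sub("", source)
    externals = {}

    def flatten(match):
        name = match.group(0).replace(".", "_")
        # Peek at the text after the reference to guess the value type.
        rest = stripped[match.end():match.end() + 64].lstrip()
        comp = COMPARISON.match(rest)
        rhs = comp.group(2).lstrip() if comp else ""
        if rhs.startswith('"'):
            externals.setdefault(name, "")
        elif rhs[:1].isdigit():
            externals.setdefault(name, 0)
        else:
            externals.setdefault(name, False)
        return name

    return VT_REF.sub(flatten, stripped), externals


def check_compiles(source):
    """CI syntax check: compile the rewritten rule with yara-python (assumed
    installed in the runner; imported lazily so the rewrite works without it)."""
    import yara
    rewritten, externals = rewrite_vt_rule(source)
    yara.compile(source=rewritten, externals=externals)  # raises yara.SyntaxError
    return True
```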
