Fix key substitution conflicts in YARA rule translation by sorting ke…
…ys by length, closes #10
mtnmunuklu committed Jan 18, 2025
1 parent 528b058 commit dae56b3
Showing 2 changed files with 25 additions and 11 deletions.
26 changes: 20 additions & 6 deletions yara/yevaluator/evaluate.go
Expand Up @@ -2,6 +2,7 @@ package yevaluator

import (
"fmt"
"sort"
"strings"

"github.com/VirusTotal/gyp/ast"
Expand Down Expand Up @@ -68,14 +69,27 @@ func (rule RuleEvaluator) Alters() (Result, error) {
return Result{}, fmt.Errorf("error evaluating expression: %w", err)
}

result.ConditionResult = condition.String()
for key, value := range result.StringsResults {
if strings.Contains(result.ConditionResult, "$"+key) {
result.ConditionResult = strings.ReplaceAll(result.ConditionResult, "$"+key, value)
}
}
result.ConditionResult = processConditionResult(condition.String(), result.StringsResults)

result.QueryResult = "sourcetype='*' eql select * from _source_ where " + result.ConditionResult

return result, nil
}

func processConditionResult(condition string, stringsResults map[string]string) string {
keys := make([]string, 0, len(stringsResults))
for key := range stringsResults {
keys = append(keys, key)
}
sort.Slice(keys, func(i, j int) bool {
return len(keys[i]) > len(keys[j]) // Uzunluk sırasına göre azalan.
})

for _, key := range keys {
if strings.Contains(condition, "$"+key) {
condition = strings.ReplaceAll(condition, "$"+key, stringsResults[key])
}
}

return condition
}
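Review bot: processConditionResult (lines 42–58) carries no doc comment and its only comment, `// Uzunluk sırasına göre azalan.` on the sort, is in Turkish, yet the ordering is the entire point of this fix; replace it with an English comment such as `// Longest keys first so that "$a" is never substituted inside "$ab".` and add a doc comment stating that the function replaces each `$<key>` occurrence in the condition with its serialized value. Because each ReplaceAll rescans the whole string, a value inserted for a longer key is itself searched for shorter keys on later iterations, so if a serialized value can contain a `$`-prefixed token equal to another key it would be rewritten — not visible from here, but worth a test or a note. The `strings.Contains` check on line 52 is redundant, as `strings.ReplaceAll` already leaves the string untouched when the key is absent. Alters begins outside the hunk.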
10 changes: 5 additions & 5 deletions yara/yevaluator/evaluate_strings.go
Expand Up @@ -359,7 +359,7 @@ func (rule RuleEvaluator) serializeJump(filter *strings.Builder, jump *pb.Jump)

// Serializes HexAlternative and appends the result to the filter
func (rule RuleEvaluator) serializeHexAlternative(filter *strings.Builder, alt *pb.HexAlternative) error {
if _, err := filter.WriteString("( "); err != nil {
if _, err := filter.WriteString("("); err != nil {
return err
}

Expand All @@ -374,7 +374,7 @@ func (rule RuleEvaluator) serializeHexAlternative(filter *strings.Builder, alt *
}
}

if _, err := filter.WriteString(") "); err != nil {
if _, err := filter.WriteString(")"); err != nil {
return err
}

Expand Down Expand Up @@ -619,9 +619,9 @@ func (rule RuleEvaluator) serializeAndExpression(condition *strings.Builder, exp

func (rule RuleEvaluator) serializeTerms(condition *strings.Builder, terms []*pb.Expression, joinStr string, precedence int8) error {
for i, term := range terms {
addParens := getExpressionPrecedence(term) < precedenceAndExpression
addParens := getExpressionPrecedence(term) < precedence
if addParens {
if _, err := condition.WriteString("( "); err != nil {
if _, err := condition.WriteString("("); err != nil {
return err
}
}
Expand All @@ -631,7 +631,7 @@ func (rule RuleEvaluator) serializeTerms(condition *strings.Builder, terms []*pb
}

if addParens {
if _, err := condition.WriteString(" )"); err != nil {
if _, err := condition.WriteString(")"); err != nil {
return err
}
}
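Review bot: The `addParens` condition on line 84 now uses the `precedence` parameter instead of the hard-coded `precedenceAndExpression`, a behavioral fix to serializeTerms that is unrelated to the key-substitution fix in the commit title and is otherwise undocumented; a comment above it would help, e.g. `// Wrap a term in parentheses when it binds more loosely than the surrounding operator.` The same section also drops the spaces inside `(` and `)` in serializeHexAlternative and serializeTerms (lines 66, 75, 87, 96), which changes the serialized query text; whether any consumer or test depends on the old spacing is not visible here. serializeTerms continues outside the hunk, and the serializeHexAlternative body in the first two hunks is cut at both edges.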
