yallback enables you to handle YARA rule matches with simple shell function callbacks.

Here's a very basic example, building on YARA's own hello-world example:
```sh
echo 'rule dummy { condition: true }' > my_first_rule
echo 'yallback:rule:dummy:each(){ echo no, _you_ are the dummy! $@ ; }' > my_first_rodeo
yara my_first_rule my_first_rule | yallback my_first_rodeo
```
This example emits `no, _you_ are the dummy! dummy my_first_rule`: yara reports the match as `dummy my_first_rule` (rule name, then the matching file), yallback calls the `:each` callback with those two values as `$1` and `$2`, and the callback echoes them back via `$@`.
For now, yallback is pretty simple:

- Pipe or redirect yara's output to yallback on stdin. Don't use any of yara's fancy output options; yallback doesn't (and may never) support them.
- yallback directly handles a single argument for now: a y'all-file. This is just a shell (bash) file that tells yallback which information you'd like to receive, by defining functions to receive it:
  - `yallback:rule:<rulename>:all` - receive all of a rule's matches in a single call
    - `$1` == `<rulename>` (this is a convenience, in case you want a single function to handle multiple rules)
    - matching files are passed on stdin, one per line
  - `yallback:rule:<rulename>:each` - receive one call per rule match
    - `$1` == `<rulename>`
    - `$2` == `<file>`
  - `yallback:done` - called to return control to your script after the last callback has been called
- Any additional arguments passed when invoking yallback are passed to your y'all-file when it is sourced. Because the y'all-file is sourced rather than run in a subprocess, everything in it executes with yallback's own privileges; treat it like any other script you run.
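The following is an added example, not code from the yallback project: a y'all-file that defines one callback of each kind (`:each`, `:all` and `:done`), together with a small stand-in dispatcher that feeds those callbacks from yara's default `<rulename> <file>` output exactly as the contract above describes. The dispatcher is an assumption included only so the file runs without yara or yallback installed; the rule names, file paths and sample yara output are constructed. With the real tools you would keep just the callback section and run `yara rules.yar samples/ | yallback my_callbacks.sh`.

```bash
#!/usr/bin/env bash
# Added example (not yallback's own code). The callbacks below are what a
# y'all-file contains; dispatch_yara_output is a stand-in for yallback itself.

# Constructed sample of yara's default output: "<rulename> <file>", one match per line.
SAMPLE_YARA_OUTPUT='suspicious_macro /tmp/samples/invoice.docm
suspicious_macro /tmp/samples/report.xlsm
packed_upx /tmp/samples/dropper.exe'

# ---- callbacks, as they would appear in a y'all-file ----

# One call per match: $1 is the rule name, $2 is the matching file.
yallback:rule:suspicious_macro:each() {
  printf 'EACH %s %s\n' "$1" "$2"
}

# One call per rule: $1 is the rule name; matching files arrive on stdin, one per line.
yallback:rule:packed_upx:all() {
  local n=0 f
  while IFS= read -r f; do n=$((n + 1)); done
  printf 'ALL %s %d\n' "$1" "$n"
}

# Called once after the last callback.
yallback:done() {
  printf 'DONE\n'
}

# ---- stand-in dispatcher (assumption: mimics the documented contract) ----

# True if $1 names a shell function (works with the colon-separated names).
has_function() {
  [ "$(type -t "$1" 2>/dev/null)" = function ]
}

# Reads yara output on stdin; calls :each per match, :all per rule, then :done.
dispatch_yara_output() {
  local line rule file cb files
  local -a rules=() lines=()
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    lines+=("$line")
    rule=${line%% *}   # rule names never contain spaces
    file=${line#* }    # everything after the first space is the path
    cb="yallback:rule:$rule:each"
    if has_function "$cb"; then
      "$cb" "$rule" "$file"
    fi
    # remember each rule once, in first-seen order
    case " ${rules[*]} " in
      *" $rule "*) ;;
      *) rules+=("$rule") ;;
    esac
  done
  for rule in "${rules[@]}"; do
    cb="yallback:rule:$rule:all"
    if has_function "$cb"; then
      files=""
      for line in "${lines[@]}"; do
        if [ "${line%% *}" = "$rule" ]; then
          files+="${line#* }"$'\n'
        fi
      done
      # the rule's matching files go to the callback on stdin, one per line
      printf '%s' "$files" | "$cb" "$rule"
    fi
  done
  if has_function yallback:done; then
    yallback:done
  fi
}

# Run the constructed sample through the dispatcher.
run_demo() {
  printf '%s\n' "$SAMPLE_YARA_OUTPUT" | dispatch_yara_output
}

run_demo
```

Two things worth noticing when writing real callbacks: the `:all` callback must consume stdin itself (here with a `read` loop), and because matches are delivered one per line, a file name that contains a newline cannot be represented in that form, so keep yara pointed at sample trees whose names you control.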