Follow include index files to load all YARA rulesets ?

[wesinator]

It's common for yara ruleset collections to have 'index' rule files so one file can be referenced to load all the rulesets (especially useful when compiling programmatically like from yara-python), e.g. https://github.com/Yara-Rules/rules/blob/a1005b743c44e144e3f04cf152d0a8998d9a9811/malware_index.yar

Would it make sense for plyara to handle this by checking if a ruleset only has includes, and then following the include files and loading them all as rulesets in the raw_input ?
Currently you'd have to load each ruleset individually from your code into plyara
(could traverse directory of files in python, but it may make more sense to use the feature of the language to do this)

p.s. Thanks for the work being done on this, I've been looking at the code and realised recently this is pretty much the only Python library of its kind

[utkonos]

This is doable. I am including this as a feature for the 3.0.0 release that I'm working on currently. I think the best way to implement this is actually to have a utility. I'm building the new version nearly from scratch. The idea is to follow closely the best practices for building a compiler. Therefore, there will be a data model object at the end of a parsing session.

To implement this enhancement properly, there will be a utility that is given the path to a YARA file. From the path, it will walk the file system and replace all includes failing if something is missing.

Does this sound like it would work for your use case?

[utkonos]

This may fit best as a flag on the CLI which then uses said utility.

[wesinator]

sweet. I was thinking exactly the same thing following a compiler logic for parsing and resolution.