# Imports

In [2]:
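import sys
import os
import json

# Location of the YARA performance evaluator module (the original comment said
# "snort", but the path and the module imported below are the YARA evaluator).
# NOTE(review): the path is resolved relative to the kernel's *current working
# directory*, not to this notebook file. Launching the kernel from another
# directory resolves a different path, and `yara_performance_evaluator` would
# then be picked up from wherever else it happens to exist on sys.path — run
# the notebook from its own directory.
YARA_EVALUATOR_DIR = os.path.abspath(
    os.path.join(os.getcwd(), '../../../src/validator/performance/yara')
)

# Prepend only once: re-running this cell (manual re-execution or
# Restart & Run All) must not keep growing sys.path with duplicate entries.
if YARA_EVALUATOR_DIR not in sys.path:
    sys.path.insert(0, YARA_EVALUATOR_DIR)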

# YARA Sample Performance Validator Script

In [7]:
# Quick evaluation through the module-level helper: `evaluate()` takes raw YARA
# rule text and returns a list with one result dict per rule found in the text
# (rule_name, score, risk_level, issues, suggestions).
from yara_performance_evaluator import evaluate

results = evaluate('''
rule test { strings: $s = "test" condition: $s }
''')

# NOTE(review): the score is presumably a static heuristic over the rule text
# (only the text is passed in); "Fast and Efficient" says nothing about
# detection quality or false-positive rate — confirm against the module.
formatted = json.dumps(results, indent=2)
print(formatted)

[
  {
    "rule_name": "test",
    "score": 1,
    "risk_level": "Fast and Efficient",
    "issues": [
      "String without explicit ascii/wide modifier"
    ],
    "suggestions": [
      "Add 'ascii' or 'wide' modifier to optimize string matching"
    ]
  }
]


In [9]:
# Class-based evaluation: the same checks, driven through an explicit evaluator
# instance. `evaluator` is reused by the following cell, so the name must stay.
from yara_performance_evaluator import YaraPerformanceEvaluator

evaluator = YaraPerformanceEvaluator()

rule_text = '''
rule test_rule {
    strings:
        $s1 = "malware"
        $s2 = /evil[0-9]+/
    condition:
        $s1 or $s2
}
'''

# Despite its name, evaluate_rule() accepts rule text holding one or more rules
# and returns an iterable of result objects, each exposing to_json().
results = evaluator.evaluate_rule(rule_text)

# The json.loads/json.dumps round-trip exists only to re-indent to_json()'s
# output for display; no data is changed.
for rule_result in results:
    pretty = json.dumps(json.loads(rule_result.to_json()), indent=2)
    print(pretty)

{
  "rule_name": "test_rule",
  "score": 3,
  "risk_level": "Fast and Efficient",
  "issues": [
    "String without explicit ascii/wide modifier",
    "Regex pattern has inherent performance overhead"
  ],
  "suggestions": [
    "Add 'ascii' or 'wide' modifier to optimize string matching",
    "Consider converting to text string with wildcards if possible"
  ]
}


In [10]:
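# Report generation over several rules. The original note describes this as the
# file-evaluation example; here a multi-rule string is fed inline instead,
# reusing `evaluator` from the previous cell.
rules_text = '''
rule malware_detector {
    strings:
        $s1 = "malicious"
        $s2 = /trojan[0-9]{3}/
    condition:
        $s1 and $s2
}

rule ransomware_check {
    strings:
        $crypto = "encrypt"
        $payment = "bitcoin"
    condition:
        all of them
}
'''

# Two rules go in, so two results must come out. Without this check a rule
# the parser silently dropped would simply vanish from the summary below and
# the report would still look healthy.
EXPECTED_RULE_COUNT = 2
results = evaluator.evaluate_rule(rules_text)
assert len(results) == EXPECTED_RULE_COUNT, (
    f"expected {EXPECTED_RULE_COUNT} rule results, got {len(results)}"
)

# generate_report() folds the per-rule results into a summary (counts per risk
# bucket, average score) plus the per-rule entries; 'json' selects the format.
report = evaluator.generate_report(results, 'json')
print(report)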

{
  "summary": {
    "total_rules": 2,
    "efficient": 2,
    "moderate": 0,
    "high_risk": 0,
    "average_score": 2.5
  },
  "rules": [
    {
      "rule_name": "malware_detector",
      "score": 3,
      "risk_level": "Fast and Efficient",
      "issues": [
        "String without explicit ascii/wide modifier",
        "Regex pattern has inherent performance overhead"
      ],
      "suggestions": [
        "Add 'ascii' or 'wide' modifier to optimize string matching",
        "Consider converting to text string with wildcards if possible"
      ]
    },
    {
      "rule_name": "ransomware_check",
      "score": 2,
      "risk_level": "Fast and Efficient",
      "issues": [
        "String without explicit ascii/wide modifier",
        "String without explicit ascii/wide modifier"
      ],
      "suggestions": [
        "Add 'ascii' or 'wide' modifier to optimize string matching",
        "Add 'ascii' or 'wide' modifier to optimize string matching"
      ]
    }
  ]
}
