# Import

In [1]:
import yara

In [2]:
def yara_syntax_checker(yara_rule: str) -> dict:
    """Report whether a YARA rule string compiles.

    The rule text is handed to ``yara.compile(source=...)`` and the compiled
    object is discarded; only success or failure is reported.

    Args:
        yara_rule: Full text of one or more YARA rules.

    Returns:
        A dict with two keys:
            ``status`` - ``True`` if compilation raised nothing, else ``False``.
            ``error_comment`` - a fixed success message, or the exception text
            prefixed with ``Syntax error``, ``YARA error`` or ``General error``.

    A ``True`` status only means the rule compiles. It says nothing about
    whether the rule matches what it is meant to detect or how many false
    positives it produces; that needs testing against sample sets.
    """

    def _failure(prefix: str, exc: Exception) -> dict:
        # Same shape as the success result so callers can treat both alike.
        return {"status": False, "error_comment": f"{prefix}: {exc}"}

    try:
        # NOTE(review): yara.compile honours `include` directives by default,
        # so rule text from an untrusted source can make the compiler open
        # local files. Consider passing includes=False in that setting; left
        # unchanged here to preserve behaviour.
        # NOTE(review): no `externals` are supplied, so a rule that relies on
        # external variables will presumably be reported as failing - confirm.
        yara.compile(source=yara_rule)
    except yara.SyntaxError as exc:
        # The compiler rejected the rule text itself.
        return _failure("Syntax error", exc)
    except yara.Error as exc:
        # Any other error raised by the yara module.
        return _failure("YARA error", exc)
    except Exception as exc:
        # Anything else; deliberately broad so the checker always returns a
        # dict instead of raising.
        return _failure("General error", exc)

    return {"status": True, "error_comment": "No syntax errors detected."}

In [3]:
# Positive case: a complete rule that is expected to compile cleanly.
# The checker only confirms that the rule parses; it does not evaluate
# detection quality or false-positive rate of the string set.
yara_rule = """
rule is__Mirai_gen7 {
        meta:
                description = "Generic detection for MiraiX version 7"
                reference = "http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html"
                author = "unixfreaxjp"
                org = "MalwareMustDie"
                date = "2018-01-05"

        strings:
                $st01 = "/bin/busybox rm" fullword nocase wide ascii
                $st02 = "/bin/busybox echo" fullword nocase wide ascii
                $st03 = "/bin/busybox wget" fullword nocase wide ascii
                $st04 = "/bin/busybox tftp" fullword nocase wide ascii
                $st05 = "/bin/busybox cp" fullword nocase wide ascii
                $st06 = "/bin/busybox chmod" fullword nocase wide ascii
                $st07 = "/bin/busybox cat" fullword nocase wide ascii

        condition:
                5 of them
}
"""

valid_rule_result = yara_syntax_checker(yara_rule)
print(valid_rule_result)


{'status': True, 'error_comment': 'No syntax errors detected.'}


In [4]:
# Negative case: the same rule with the value of `date` removed from the
# meta section, so compilation must fail.
# The line number in the error is where the parser met the unexpected
# `strings:` token, not the line of the incomplete `date =` two lines above,
# so look upwards from the reported line when fixing a rule.
yara_rule = """
rule is__Mirai_gen7 {
        meta:
                description = "Generic detection for MiraiX version 7"
                reference = "http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html"
                author = "unixfreaxjp"
                org = "MalwareMustDie"
                date =

        strings:
                $st01 = "/bin/busybox rm" fullword nocase wide ascii
                $st02 = "/bin/busybox echo" fullword nocase wide ascii
                $st03 = "/bin/busybox wget" fullword nocase wide ascii
                $st04 = "/bin/busybox tftp" fullword nocase wide ascii
                $st05 = "/bin/busybox cp" fullword nocase wide ascii
                $st06 = "/bin/busybox chmod" fullword nocase wide ascii
                $st07 = "/bin/busybox cat" fullword nocase wide ascii

        condition:
                5 of them
}
"""

broken_rule_result = yara_syntax_checker(yara_rule)
print(broken_rule_result)


{'status': False, 'error_comment': 'Syntax error: line 10: syntax error, unexpected <strings>'}
