ahsentekd/Yara-Forge

YARA Forge 🛠️

A powerful Rust library for crafting, validating, and managing YARA rules. YARA Forge provides a comprehensive set of tools for creating sophisticated malware detection rules with an intuitive builder pattern interface.


Features

  • πŸ—οΈ Rule Builder Pattern: Intuitive interface for creating YARA rules
  • πŸ“š Pre-built Templates: Common templates for malware detection
  • πŸ” Pattern Library: Extensive collection of malware detection patterns
  • βœ… Validation: Built-in rule validation and testing
  • πŸš€ Performance: Parallel scanning capabilities
  • πŸ”„ Import/Export: Support for JSON and other formats
  • πŸ“‹ Documentation: Comprehensive documentation and examples

Installation

Add this to your Cargo.toml:

[dependencies]
yara-forge = "0.1.0"

Quick Start

use yara_forge::{RuleBuilder, ValidationOptions};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Create a simple rule: one string, and a condition that fires when it is found
    let rule = RuleBuilder::new("detect_suspicious")
        .with_metadata("author", "YARA Forge")
        .with_string("$suspicious_api", "CreateRemoteThread")
        .with_condition("$suspicious_api")
        .build()?;

    // Validation options: syntax check only, no scanning of sample files.
    // This is the value the validation entry points take (see Parallel Scanning below).
    let options = ValidationOptions {
        syntax_only: true,
        test_against_samples: false,
        max_file_size: 10 * 1024 * 1024,
        timeout: 30,
    };

    // Save the rule as a .yar file
    rule.save("detect_suspicious.yar")?;

    Ok(())
}

Advanced Usage

Using Templates

use yara_forge::templates::ransomware_template;

// Start from a pre-built template and add rule-level metadata before building
// (inside a function that returns Result, as in the Quick Start)
let rule = ransomware_template("detect_ransomware")
    .with_metadata("severity", "high")
    .build()?;

Pattern Matching

use yara_forge::RuleBuilder;
use yara_forge::patterns::{ENCRYPTION_APIS, PROCESS_INJECTION};

// Combine two pattern sets from the pattern library; "2 of them" fires when
// at least two of the combined strings are found in a scanned file
let rule = RuleBuilder::new("detect_malware")
    .with_patterns(ENCRYPTION_APIS)
    .with_patterns(PROCESS_INJECTION)
    .with_condition("2 of them")
    .build()?;
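To make concrete what the builder in the Quick Start and the Pattern Matching section produces, here is an added, self-contained Rust example; it is not the yara-forge crate's own code. It implements a hypothetical `RuleBuilder` with the same method names, renders YARA source text, rejects invalid identifiers and undeclared `$string` references at `build()`, and evaluates the two condition shapes used above (`$id` and `N of them`) with plain substring search. The `PROCESS_INJECTION` slice and the sample bytes are constructed for the example; the real crate's pattern contents are not shown on this page.

```rust
use std::fmt::Write as _;

// Constructed stand-in for a pattern set like the crate's PROCESS_INJECTION
// (the real slice's contents are not on the page). Entries are ($id, text).
pub const PROCESS_INJECTION: &[(&str, &str)] = &[
    ("$inj_open", "OpenProcess"),
    ("$inj_write", "WriteProcessMemory"),
    ("$inj_thread", "CreateRemoteThread"),
];

#[derive(Debug, PartialEq)]
pub enum BuildError { InvalidIdentifier(String), MissingCondition, UndeclaredString(String) }

/// A built rule: rendered YARA source plus the declared strings, kept for matching.
#[derive(Debug)]
pub struct Rule { pub text: String, strings: Vec<(String, String)>, condition: String }

/// Hypothetical builder with the README's method names (not the crate's own code).
#[derive(Debug, Default)]
pub struct RuleBuilder {
    name: String,
    metadata: Vec<(String, String)>,
    strings: Vec<(String, String)>,
    condition: Option<String>,
}

impl RuleBuilder {
    pub fn new(name: &str) -> Self { Self { name: name.to_string(), ..Default::default() } }
    pub fn with_metadata(mut self, k: &str, v: &str) -> Self { self.metadata.push((k.into(), v.into())); self }
    pub fn with_string(mut self, id: &str, v: &str) -> Self { self.strings.push((id.into(), v.into())); self }
    /// Adds every ($id, text) pair of a pattern set at once.
    pub fn with_patterns(self, patterns: &[(&str, &str)]) -> Self {
        patterns.iter().fold(self, |b, (id, v)| b.with_string(id, v))
    }
    pub fn with_condition(mut self, c: &str) -> Self { self.condition = Some(c.into()); self }

    /// Validates identifiers and string references, then renders YARA source text.
    pub fn build(self) -> Result<Rule, BuildError> {
        if !is_identifier(&self.name) {
            return Err(BuildError::InvalidIdentifier(self.name));
        }
        let condition = self.condition.ok_or(BuildError::MissingCondition)?;
        // YARA string identifiers are `$` followed by a plain identifier
        if let Some((id, _)) = self.strings.iter().find(|(id, _)| !id.starts_with('$') || !is_identifier(&id[1..])) {
            return Err(BuildError::InvalidIdentifier(id.clone()));
        }
        // Every `$name` used in the condition must be declared ("them" covers all of them)
        let sep = |c: char| !(c.is_ascii_alphanumeric() || c == '_' || c == '$');
        if let Some(t) = condition.split(sep).find(|t| t.starts_with('$') && !self.strings.iter().any(|(id, _)| id == *t)) {
            return Err(BuildError::UndeclaredString(t.to_string()));
        }
        let mut text = format!("rule {} {{\n", self.name);
        for (section, items) in [("meta", &self.metadata), ("strings", &self.strings)] {
            if !items.is_empty() {
                writeln!(text, "    {}:", section).unwrap();
                for (k, v) in items {
                    writeln!(text, "        {} = \"{}\"", k, escape(v)).unwrap();
                }
            }
        }
        write!(text, "    condition:\n        {}\n}}", condition).unwrap();
        Ok(Rule { text, strings: self.strings, condition })
    }
}

impl Rule {
    /// Evaluates the two condition shapes used in the README (`$id` and `N of them`)
    /// with plain substring search; any other condition yields None.
    pub fn matches(&self, data: &[u8]) -> Option<bool> {
        let hit = |v: &str| !v.is_empty() && data.windows(v.len()).any(|w| w == v.as_bytes());
        let cond = self.condition.trim();
        if let Some(n) = cond.strip_suffix(" of them") {
            let n: usize = n.trim().parse().ok()?;
            return Some(self.strings.iter().filter(|(_, v)| hit(v.as_str())).count() >= n);
        }
        let (_, v) = self.strings.iter().find(|(id, _)| id == cond)?;
        Some(hit(v.as_str()))
    }
}

fn is_identifier(s: &str) -> bool {
    let mut chars = s.chars();
    matches!(chars.next(), Some(c) if c.is_ascii_alphabetic() || c == '_')
        && chars.all(|c| c.is_ascii_alphanumeric() || c == '_')
}

fn escape(s: &str) -> String { s.replace('\\', "\\\\").replace('"', "\\\"") }

fn main() {
    let rule = RuleBuilder::new("detect_malware")
        .with_metadata("author", "YARA Forge")
        .with_patterns(PROCESS_INJECTION)
        .with_condition("2 of them")
        .build()
        .expect("rule builds");
    println!("{}", rule.text);
    // Constructed sample: an import-table fragment naming two of the three APIs
    let sample = b"...\0WriteProcessMemory\0CreateRemoteThread\0...";
    println!("2 of them -> {:?}", rule.matches(sample));
}
```

The point of doing the reference check in `build()` rather than at scan time is that a rule whose condition names a string it never declares is a compile error in YARA itself, so catching it while the rule is being assembled keeps a broken rule out of the `.yar` file that gets deployed to scanners.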

Parallel Scanning

use yara_forge::validation::parallel_scan;

// `options` is the ValidationOptions value built in the Quick Start; the rules in
// rules/malware.yar are run against the files under samples/ in parallel
let matches = parallel_scan("rules/malware.yar", "samples/", &options)?;

Development

# Run tests
cargo test

# Run benchmarks
cargo bench

# Build documentation
cargo doc --no-deps --open

# Format code
cargo fmt

# Run lints
cargo clippy

Docker Support

Build the Docker image:

docker build -t yara-forge .

Run with Docker Compose:

docker-compose up

Contributing

We welcome contributions! Please see CONTRIBUTING.md for guidelines.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Acknowledgments

Security

For security issues, please open an issue on GitHub.
