`yara.rules` — YARA namespaces, compilation, and matching¶

Compiles a YARA rules files into a thread safe Rules object ready for matching.

Features:

Provides a thread safe yara context manager.
Detailed control over the loading of multiple YARA rules files into a
single context.
A C-like preprocessor for yar files. Allows for #ifdef #ifndef etc.

Key differences to yara-python.c:

Results returned from a Rules.match(_??) function are stored in a dict of {namespace:[match,...]}...
When a callback hander is passed into a Rules.match(_??) function, the match function will return an empty dict. It is assumed that the callback handler will retain the match objects that it cares about.
The match dict inside of a dict returned from a Rules.match(_??) function no longer contain the namespace (namespace is the key used to reference the match dict).

Compatibility with yara-python.c

This module contains an equivalent compile() function
The Rules object contains an equivalent match() function
Match objects passed into the registered callback handler are the equivalent

`Rules`¶

`yara.rules.load_rules()`¶

`yara.rules.compile()`¶

Table Of Contents

yara.rules — YARA namespaces, compilation, and matching

Previous topic

yara.cli — A command line YARA rules scanning utility

Next topic

yara.libyara_wrapper — ctypes wrapper for libyara

This Page