Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow iterating over compiled ruleset before scanning #136

Merged
merged 6 commits into from
Nov 28, 2023
Merged

Allow iterating over compiled ruleset before scanning #136

merged 6 commits into from
Nov 28, 2023

Conversation

jpohls1
Copy link
Contributor

@jpohls1 jpohls1 commented Nov 26, 2023

This PR fixes #135. It includes an updated tutorial.rs showcasing how to iterate over the compiled ruleset and disabling certain rules. This feature is crucial for implementing custom rule filters in client-side applications.

Please let me know any feedback and thanks for creating these bindings!

Implementation details

On the new get_rules.c file

The approach taken by existing iterators such as TagIterator is difficult to apply, because the rules_table is not properly exposed via bindgen. We just have a binary blob to work with:

pub struct YR_RULES {
    pub _bindgen_opaque_blob: [u64; 10usize],
}

Therefore, I created a new file get_rules.c which uses the yr_rules_foreach macro to retrieve the rules from the ruleset. This is inspired by the Go bindings.

Since we need to compile this file in any case, the cc build-dependency is now mandatory, hence the changes in the Cargo.toml and build.rs.

On the new RulesetRule struct

The existing Rule struct represents a rule that matched during a scan. It would have involved some more refactoring to lift this assumption. I went with the less invasive change here and created a new RulesetRule struct.

@vthib
Copy link
Contributor

vthib commented Nov 26, 2023

The YR_RULES type is opaque since 43d0be1

It was made opaque mostly for codegen size reasons, so we can totally decide to expand it once again. This would give access to the rules_table field, which would be imho preferred, as it avoids adding C code for the bindings.

@Hugal31
Copy link
Owner

Hugal31 commented Nov 27, 2023

I am not a big fan of adding a mandatory dependence to cc. Is yr_rules_foreach the only public interface we got or can we safely re-implement it in Rust?

@jpohls1
Copy link
Contributor Author

jpohls1 commented Nov 27, 2023

Cool, didn't know about 43d0be1, thanks @vthib. Removed the line that made YR_RULES opaque from build.rs and implemented a RuleIterator in the same spirit as the existing Iterators in the code.

@Hugal31 please let me know whether further changes are required.

Hugal31
Hugal31 requested changes Nov 27, 2023
View reviewed changes
Copy link
Owner

@Hugal31 Hugal31 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You'll have to include the generated binding files (look at the bindings Github action).

I will probably rename Rule to MatchingRule later (with a deprecation period for Rule).

src/internals/rules.rs Outdated Show resolved Hide resolved
yara-sys/src/lib.rs Outdated Show resolved Hide resolved
src/internals/rules.rs Show resolved Hide resolved
@jpohls1 jpohls1 requested a review from Hugal31 November 27, 2023 17:54
@Hugal31 Hugal31 merged commit e62b7c6 into Hugal31:master Nov 28, 2023
28 checks passed
@jpohls1
Copy link
Contributor Author

jpohls1 commented Nov 29, 2023

@Hugal31 could you please release a new version that includes this change?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Hugal31 Hugal31 Hugal31 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add support for iterating over the compiled ruleset
3 participants
@jpohls1 @vthib @Hugal31