Function declaration split up in condition parsing ? #67

wesinator · 2019-12-22T19:52:02Z

https://github.com/plyara/plyara/blob/eb6cbff2f0b603e6fa0d7d721bf425833ba772cf/tests/data/import_ruleset_math.yar

The uint16(0) is split up in the condition parsing:

"condition_terms": [
            "uint16",
            "(",
            "0",
            ")",
            "==",
            "0x5a4d",

should it be

"condition_terms": [
            "uint16(0)",
            "==",
            "0x5a4d",

since uint16(0) is a single atomic statement ?

The text was updated successfully, but these errors were encountered:

utkonos · 2020-01-02T05:34:25Z

Good idea. I'll need to think through how to do this best.

utkonos · 2020-07-17T03:13:08Z

Full granular condition parsing is a feature of 3.0.0. Take a look at the data model and the singledispatch to_yara() function. It already implements a few conditions granularly. The JSON output will have a nested recursive structure and will satisfy this enhancement request.

The new version is being built here:
https://github.com/plyara/plyara/tree/prep-3.0

Comments and feedback are welcome.

utkonos added the enhancement New feature or request label Jan 2, 2020

utkonos self-assigned this Jan 2, 2020

utkonos added this to the 3.0 milestone Jan 4, 2020

utkonos added this to To do in 3.0.0 via automation Jul 17, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Function declaration split up in condition parsing ? #67

Function declaration split up in condition parsing ? #67

wesinator commented Dec 22, 2019

utkonos commented Jan 2, 2020

utkonos commented Jul 17, 2020