Modifying/removing all linked condition terms using current form ?

[wesinator]

Hi,

I wanted to write a converter that will take rules that use a superset addition of YARA (such as VT hunting syntax) and convert to a local-only rule that works in regular YARA.

To do this, I need to remove the conditions that don't work in regular YARA.
The way plyara currently parses and structures condition terms makes it difficult to do this, because each individual element is separated individually, and there is no link of related/dependent condition terms (e.g. booleans and new_file, signatures contains "blah").

Not sure how to represent this without using a graph/tree structure, but I think it would make more sense to parse dependent conditions together, such as the case of X contains "y"

Thoughts?

Thanks,

[utkonos]

This would be powerful. Do you have an idea of how to implement?

[utkonos]

This will be part of 3.0.0. The new vt module that replaces the legacy VT-only conditions will be supported as well as granular parsing of the old legacy conditions.