How To Compile YARA Rules & Scan Files With Rust
In this how-to I will show you how to easily compile YARA rules and scan files using Rust. While VirusTotal does not have an official Rust implementation, there is an experimental project hosted on GitHub. In this how-to we will use the yara-rust crate, which provides bindings around libyara with an API inspired by the popular yara-python library maintained by VirusTotal. Using this step-by-step guide we will install the yara-rust crate, compile a YARA rule file as well as a YARA rule string, and finally scan a file using yara-rust. If you'd like to follow along, you can clone a copy of this project on GitHub.
Installing the yara-rust Crate
We can install this crate using either of the following methods. The first method uses the cargo add command, run from the project directory.
cargo add yara@0.21.0
The second way we can install the yara-rust crate is by adding the following line under the [dependencies] section of our Cargo.toml file.
yara = "0.21.0"
At the end of either process your Cargo.toml file should look like the following.
Compiling YARA Rules With Rust
In this section we will learn how to compile both a YARA rule file and a raw YARA rule string.
Compiling a YARA Rule File
With the yara-rust crate we use the Compiler implementation to create a new compiler and then pass our YARA rule file to that compiler object using the add_rules_file() function. After that we simply call the compile_rules() function to compile our rules.
Compiling a YARA Rule String
Similar to the rule file example, we use the Compiler implementation to create a new compiler and then pass our YARA rule string to that compiler object. For a rule string, however, we use the add_rules_str() function to pass the string to the compiler. After that we call the compile_rules() function to compile our string.
Scanning Files with Rust
Once we have the logic to compile YARA rules we can use the Scanner wrapper around our compiled rules. To scan using yara-rust we call the scanner() method on the compiled rules, which creates a Scanner object for us. Multiple Scanners can be created from the same compiled rules with different timeout values and external variables. Once our Scanner object is created we call the scan_file() function with the path of the file we want to scan with our compiled rules; it returns the list of rules that matched.
Putting it all Together
Using the Rust functions above we can incorporate all of the pieces into a single main.rs file. By putting everything together we can demonstrate how to compile YARA rules and scan files using Rust.
Conclusion
In conclusion, we've explored a straightforward method for compiling and testing YARA rules in Rust using the yara-rust crate. With an API inspired by the well-known yara-python library maintained by VirusTotal, this crate provides an accessible way to work with YARA rules from Rust. It's worth noting that while there isn't an official Rust implementation by VirusTotal, the experimental project hosted on GitHub offers exciting possibilities for the future of YARA in Rust.
If you found this how-to guide helpful and would like to stay updated on more Rust-related tips, tricks, and tutorials, please consider following me on social media. Whether you have further questions or need assistance with any aspect of this process, feel free to reach out – I'm here to help you on your Rust journey!