| Field | Value |
|---|---|
| Name | cccs-yara |
| Version | 2.4 |
| Summary | A CCCS utility for YARA rule metadata validation |
| upload_time | 2024-05-07 15:31:35 |
# Canadian Centre for Cyber Security
## CCCS YARA Specification
The [CCCS YARA Specification](https://github.com/CybercentreCanada/CCCS-Yara/blob/master/CCCS_YARA.yml) has been created to define and validate the style and format of YARA rule metadata. It comes with a CLI that lets you validate rules and generate metadata automatically (such as a unique id, a rule fingerprint, and actor enrichment from ATT&CK).
Over the years we have seen many YARA rules; in order to leverage them to their full potential we always had to modify some of their associated metadata, even for rules we developed ourselves: adjusting simple elements such as the datetime format and adding important information to help analysts.
You can leverage it in your CI/CD pipelines to automatically verify and enrich your YARA rules before new rules are merged in!
This specification also includes fields specific to the [MITRE ATT&CK framework](https://attack.mitre.org/matrices/enterprise/) to identify techniques and universal [MITRE ATT&CK threat groups](https://attack.mitre.org/groups/).
[AssemblyLine](https://www.cyber.gc.ca/en/assemblyline) supports this specification natively and will leverage it to provide more context around YARA signature hits.
[vscode-yara](https://github.com/infosec-intern/vscode-yara) creates a custom meta section that aligns with this specification, using the User or Workspace settings file, `settings.json`. See [settings.json](settings.json) for an example.
## Sample rule
```
rule MemoryModule {
    meta:
        id = "6O9mUMvPhziJ72IXHf6muZ"
        fingerprint = "4aa0a23f28698898404d700cb363ddf06dd275f5798815e797113656a2a40ae8"
        version = "1.0"
        date = "2020-05-06"
        modified = "2020-05-06"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        source = "CCCS"
        author = "analyst@CCCS"
        description = "Yara rule to detect usage of MemoryModule Library"
        category = "TECHNIQUE"
        technique = "LOADER:MEMORYMODULE"
        mitre_att = "T1129"
        report = "TA20-0192"
        hash = "812bbe8b9acabad05b08add50ee55c883e1f7998f3a7cae273d3f0d572a79adc"

    strings:
        $func_ptr = {55 8B EC 6A 00 68 [3] 00 68 [3] 00 68 [3] 00 68 [3] 00 68 [3] 00}
        $func_ptr_64 = {48 [3] 48 [4] 00 00 00 00 48 8? [5] 48 8? [3] 4? 8? [5] 48 8? [3-5] 48 8?}
        $api_1 = "LoadLibraryA"
        $api_2 = "GetProcAddress"
        $api_3 = "FreeLibrary"
        $api_4 = "VirtualFree"
        $api_5 = "VirtualProtect"
        $api_6 = "VirtualAlloc"

    condition:
        uint16(0) == 0x5a4d and all of ($api*) and ($func_ptr or $func_ptr_64)
}
```
## YARA repositories using this standard - thanks!
- https://github.com/reversinglabs/reversinglabs-yara-rules
- https://github.com/bartblaze/Yara-rules
- https://github.com/0xThiebaut/Signatures
## Components
- validator.py: This is the validator library. It validates the metadata section of YARA rules: it verifies the specified metadata, auto-generates some of the metadata, and re-sorts the metadata into the canonical order, with all 'unknown' metadata appended at the bottom.
- [CCCS_YARA.yml](https://github.com/CybercentreCanada/CCCS-Yara/blob/master/CCCS_YARA.yml): This is the definition of the CCCS YARA Standard in the YAML format. (Limitation: this file is provided to show which fields are expected; yara_validator does not currently use this file directly. This will be addressed in a future release.)
- [CCCS_YARA_values.yml](https://github.com/CybercentreCanada/CCCS-Yara/blob/master/CCCS_YARA_values.yml): This file describes the list of acceptable values for the fields defined in CCCS_YARA.yml.
- yara_validator: This is a command line interface utility. It takes a file, a list of files, or a folder, and looks for files with the .yar or .yara extension.
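To make the verify-and-re-sort behaviour described for validator.py concrete, here is an added sketch; it is not the CCCS validator's code and does not use its API. It assumes the canonical order is the field order of the sample rule above and that the format checks can be inferred from that rule's values; the real definitions are in CCCS_YARA.yml and CCCS_YARA_values.yml.

```python
import re
from datetime import datetime

# Assumption: field order copied from the sample rule on this page. The real
# definitions live in CCCS_YARA.yml, which this sketch does not read.
CANONICAL_ORDER = [
    "id", "fingerprint", "version", "date", "modified", "status", "sharing",
    "source", "author", "description", "category", "technique", "mitre_att",
    "report", "hash",
]
META_LINE_RE = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*$')


def _is_sha256(value):
    return re.fullmatch(r"[0-9a-f]{64}", value) is not None


def _is_iso_date(value):
    """True only for a real calendar date written exactly as YYYY-MM-DD."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        return False
    try:
        datetime.strptime(value, "%Y-%m-%d")
    except ValueError:
        return False
    return True


# Assumption: checks inferred from the sample rule's values, for illustration.
FORMAT_CHECKS = {
    "fingerprint": _is_sha256,
    "hash": _is_sha256,
    "date": _is_iso_date,
    "modified": _is_iso_date,
    "sharing": lambda v: v.startswith("TLP:"),
}


def parse_meta(rule_text):
    """Return string-valued meta entries as (key, value) pairs, in file order."""
    pairs, in_meta = [], False
    for line in rule_text.splitlines():
        stripped = line.strip()
        if stripped == "meta:":
            in_meta = True
        elif stripped in ("strings:", "condition:"):
            in_meta = False
        elif in_meta:
            match = META_LINE_RE.match(line)
            if match:
                pairs.append((match.group(1), match.group(2)))
    return pairs


def check_meta(pairs):
    """Return one message per value that fails its format check."""
    return [f"{key}: unexpected format {value!r}" for key, value in pairs
            if key in FORMAT_CHECKS and not FORMAT_CHECKS[key](value)]


def canonical_sort(pairs):
    """Known fields in canonical order, unknown fields appended in file order."""
    rank = {name: i for i, name in enumerate(CANONICAL_ORDER)}
    known = sorted((p for p in pairs if p[0] in rank), key=lambda p: rank[p[0]])
    return known + [p for p in pairs if p[0] not in rank]


# Constructed sample: shuffled fields, a non-ISO date, one unknown field.
SAMPLE_RULE = '''
rule ConstructedExample {
    meta:
        my_note = "triage only"
        date = "06/05/2020"
        author = "analyst@CCCS"
        sharing = "TLP:WHITE"
        mitre_att = "T1129"
        version = "1.0"
    strings:
        $a = "LoadLibraryA"
    condition:
        $a
}
'''

if __name__ == "__main__":
    meta = parse_meta(SAMPLE_RULE)
    print(check_meta(meta))
    print([key for key, _ in canonical_sort(meta)])
```
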
## Requirements
Python 3.6+
All required Python packages are listed in `requirements.txt`.
The [Cyber Threat Intelligence Repository](https://github.com/mitre/cti) is a submodule of this repository:
```
git clone https://github.com/CybercentreCanada/CCCS-Yara.git
cd CCCS-Yara
pip install .
```
## yara_validator usage
```
yara_validator -h
usage: yara_validator [-h] [-r] [-n] [-v] [-vv] [-f] [-w] [-s] [-st]
                      [-m] [-i | -c]
                      paths [paths ...]

CCCS YARA script to run the CCCS YARA validator, use the -i or -c flags to
generate the id, fingerprint, version, first_imported, or last_modified (if
not already present) and add them to the file.

positional arguments:
  paths                 A list of files or folders to be analyzed.

optional arguments:
  -h, --help            show this help message and exit
  -r, --recursive       Recursively search folders provided.
  -n, --no-changes      Makes no changes and outputs potential results to the
                        output.
  -v, --verbose         Verbose mode, will print why a rule was invalid.
  -vv, --very-verbose   Very-verbose mode, will printout what rule is about to
                        be processed, the invalid rules, the reasons they are
                        invalid and all contents of the rule.
  -f, --fail            Fail mode, only prints messages about invalid rules.
  -w, --warnings        This mode will ignore warnings and proceed with other
                        behaviors if the rule is valid.
  -s, --standard        This prints the YARA standard to the screen.
  -st, --strict         This causes the cli to return a non-zero exit code for
                        warnings.
  -m, --module          This flag overrides the check for modules that have not
                        been imported.
  -i, --in-place        Modifies valid files in place, mutually exclusive with
                        -c.
  -c, --create-files    Writes a new file for each valid file, mutually
                        exclusive with -i.
```
Quick example:
```
# Valid rule files are modified in place (-i); -v prints why a rule was invalid
python yara_validator -v -i <path>
```