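/*
 * Initialise the YARA library and build the global rule context `yContext`.
 *
 * If `config.yara` names a rule file, it is compiled into `yContext`; any
 * failure to open or compile it is fatal.  Fixes relative to the previous
 * version: a compile failure used to call exit(0), which reports success to
 * a supervisor/init script and so hides a broken rule set, and the error
 * text went to stdout instead of stderr.  Both now report a non-zero status
 * on stderr.  yr_create_context() is also checked for NULL before its
 * error callback is assigned.
 *
 * Side effects: sets the file-scope `yContext`; calls exit() on error.
 */
void moloch_yara_init(void)
{
    FILE *rule_file;
    int errors;

    yr_init();

    yContext = yr_create_context();
    if (yContext == NULL) {
        fprintf(stderr, "yara could not create context\n");
        exit(1);
    }
    yContext->error_report_function = moloch_yara_report_error;

    /* No rule file configured: leave an empty, usable context behind. */
    if (!config.yara)
        return;

    rule_file = fopen(config.yara, "r");
    if (rule_file == NULL) {
        fprintf(stderr, "yara could not open file: %s\n", config.yara);
        exit(1);
    }

    /* The pushed name is what the error callback reports as the source file. */
    yr_push_file_name(yContext, config.yara);
    errors = yr_compile_file(rule_file, yContext);
    fclose(rule_file);

    if (errors) {
        /* Details were already emitted through moloch_yara_report_error;
         * exit non-zero so the failure is visible to whatever started us. */
        fprintf(stderr, "yara could not compile rules in %s (%d error(s))\n",
                config.yara, errors);
        exit(1);
    }
}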
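/*
 * Create a fresh YARA context and, when `filename` is non-NULL, compile the
 * rules it contains into that context.
 *
 * filename: path of a rule file, or NULL to return an empty context.
 * returns:  the new context (caller owns it; release with yr_destroy_context).
 *
 * Errors are fatal, as in moloch_yara_init(): the process exits.  Fixes
 * relative to the previous version: a compile failure used to exit(0),
 * i.e. signal success while leaving no usable rules, and the open-failure
 * message went to stdout; both now go to stderr with a non-zero status.
 * The yr_create_context() result is checked before it is dereferenced.
 */
YARA_CONTEXT *moloch_yara_open(char *filename)
{
    YARA_CONTEXT *context;
    FILE *rule_file;
    int errors;

    context = yr_create_context();
    if (context == NULL) {
        fprintf(stderr, "yara could not create context for %s\n",
                filename ? filename : "(no rule file)");
        exit(1);
    }
    context->error_report_function = moloch_yara_report_error;

    if (filename == NULL)
        return context;

    rule_file = fopen(filename, "r");
    if (rule_file == NULL) {
        fprintf(stderr, "yara could not open file: %s\n", filename);
        exit(1);
    }

    /* Pushed name is reported by the error callback alongside line numbers. */
    yr_push_file_name(context, filename);
    errors = yr_compile_file(rule_file, context);
    fclose(rule_file);

    if (errors) {
        fprintf(stderr, "yara could not compile rules in %s (%d error(s))\n",
                filename, errors);
        exit(1);
    }

    return context;
}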
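/*
 * Command-line entry point.
 *
 * Positional arguments are rule files, except that without -c (compile_only)
 * the last positional argument is the scan target: a pid, a directory or a
 * file.  If no rule files are given, rules are read from stdin.
 *
 * Exit status:
 *   0  help shown, command-line rejected, or "syntax check OK"
 *   2  a rule file could not be opened (-c) or compiled, no rule file at all
 *      could be opened, or the library context could not be created
 *   1  after a scan (kept from the previous version for script compatibility)
 *
 * Fixes relative to the previous version:
 *  - a compile error in rules read from stdin returned 0 (success) where the
 *    same error in a file returned 2; it now returns 2 too;
 *  - context-creation failure returned 0; it now reports and returns 2;
 *  - if every named rule file failed to open, the scan silently ran with no
 *    rules and reported nothing; that is now refused with status 2 (a single
 *    unopenable file among several is still only a warning, as before);
 *  - the result of yr_scan_file() was discarded, so a file that could not be
 *    scanned looked clean; it is now reported on stderr;
 *  - the context and the tag list from process_cmd_line are released on
 *    every exit path through one cleanup label.
 */
int main(int argc, char const *argv[])
{
    int i;
    int pid;
    int errors;
    int result;
    int rc;
    int rules_end;       /* index one past the last rule-file argument */
    int opened = 0;      /* rule files successfully opened on the command line */
    const char *target;
    YARA_CONTEXT *context;
    FILE *rule_file;
    TAG *tag;
    TAG *next_tag;

    yr_init();

    context = yr_create_context();
    if (context == NULL) {
        fprintf(stderr, "could not create yara context\n");
        return 2;
    }

    if (!process_cmd_line(context, argc, argv)) {
        rc = 0;
        goto out;
    }

    if (argc == 1 || ((optind == argc) && !compile_only)) {
        yr_destroy_context(context);
        show_help();
        return 0;
    }

    context->error_report_function = report_error;

    /* With -c every positional argument is a rule file; otherwise the last
     * one is the thing to scan. */
    rules_end = compile_only ? argc : argc - 1;

    for (i = optind; i < rules_end; i++) {
        rule_file = fopen(argv[i], "r");
        if (rule_file == NULL) {
            fprintf(stderr, "could not open file: %s\n", argv[i]);
            if (compile_only) {
                rc = 2;
                goto out;
            }
            continue;
        }
        opened++;

        /* The pushed name is what report_error prints with each diagnostic. */
        yr_push_file_name(context, argv[i]);
        errors = yr_compile_file(rule_file, context);
        fclose(rule_file);

        if (errors) {
            /* Diagnostics were already printed through report_error. */
            rc = 2;
            goto out;
        }
    }

    if (optind == rules_end) {
        /* No rule files on the command line: read rules from stdin. */
        yr_push_file_name(context, "stdin");
        errors = yr_compile_file(stdin, context);
        if (errors > 0) {
            rc = 2;
            goto out;
        }
    } else if (opened == 0) {
        /* Rule files were named but none could be opened.  Scanning with an
         * empty rule set would report nothing and look like a clean result. */
        fprintf(stderr, "no rule file could be opened, nothing to scan with\n");
        rc = 2;
        goto out;
    }

    if (compile_only) {
        printf("syntax check OK\n");
        rc = 0;
        goto out;
    }

    target = argv[argc - 1];

    if (is_numeric(target)) {
        /* is_numeric() has already restricted the argument to digits. */
        pid = atoi(target);
        result = yr_scan_proc(pid, context, callback, (void *) target);
        switch (result) {
        case ERROR_SUCCESS:
            break;
        case ERROR_COULD_NOT_ATTACH_TO_PROCESS:
            fprintf(stderr, "can not attach to process (try running as root)\n");
            break;
        case ERROR_INSUFICIENT_MEMORY:
            fprintf(stderr, "not enough memory\n");
            break;
        default:
            fprintf(stderr, "internal error: %d\n", result);
            break;
        }
    } else if (is_directory(target)) {
        scan_dir(target, recursive_search, context, callback);
    } else {
        result = yr_scan_file(target, context, callback, (void *) target);
        if (result != ERROR_SUCCESS) {
            /* Surface the failure rather than letting "no matches" stand in
             * for "could not scan". */
            fprintf(stderr, "could not scan file: %s (error %d)\n", target, result);
        }
    }

    rc = 1;

out:
    yr_destroy_context(context);

    /* Free the tag list allocated by process_cmd_line. */
    tag = specified_tags_list;
    while (tag != NULL) {
        next_tag = tag->next;
        free(tag);
        tag = next_tag;
    }

    return rc;
}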