similar to: Re: Libguestfs with Yara rules error

On Tue, Dec 10, 2019 at 09:19:47AM +0100, Luis wrote: > I am using libguestfs 1.40.2 and yara 3.11.0 but when I execute my program > it thoughts the following error: > > $> ./yara-guestfs > libguestfs: error: yara_load: feature 'libyara' is not available in this > build of libguestfs. Read 'AVAILABILITY' in the guestfs(3) man page for > > If we check

Hi Richard. Few days ago, I installed libyara a libguestfs properly. But when I load a yara rule and scan it via guestfs_yara_scan, my binary throughts following error: libguestfs: error: deserialise_yara_detection_list: Success And function exists with NULL value. As we can see this function is on lib/yara.c from libguestfs git. I think that these yara functions are an integration for yara

libyara3 on Debian/Ubuntu yara on SUSE/RedHat Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- appliance/packagelist.in | 4 ++++ daemon/Makefile.am | 3 ++- m4/guestfs_daemon.m4 | 14 ++++++++++++++ 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/appliance/packagelist.in b/appliance/packagelist.in index f278f66..2da7533 100644 ---

libyara3 on Debian/Ubuntu yara on SUSE/RedHat Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- appliance/packagelist.in | 4 ++++ daemon/Makefile.am | 3 ++- m4/guestfs_daemon.m4 | 14 ++++++++++++++ 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/appliance/packagelist.in b/appliance/packagelist.in index bbbe4b2..352133c 100644 ---

libyara3 on Debian/Ubuntu yara on SUSE/RedHat Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- appliance/packagelist.in | 4 ++++ daemon/Makefile.am | 3 ++- m4/guestfs_daemon.m4 | 14 ++++++++++++++ 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/appliance/packagelist.in b/appliance/packagelist.in index 5cf22768a..8846ce846 100644 ---

libyara3 on Debian/Ubuntu yara on SUSE/RedHat Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- appliance/packagelist.in | 4 ++++ daemon/Makefile.am | 3 ++- m4/guestfs_daemon.m4 | 14 ++++++++++++++ 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/appliance/packagelist.in b/appliance/packagelist.in index 5cf22768a..8846ce846 100644 ---

On Monday, 20 February 2017 13:46:29 CET NoxDaFox wrote: > 2017-02-20 12:26 GMT+02:00 Daniel P. Berrange <berrange@redhat.com>: > > > On Sun, Feb 19, 2017 at 07:09:51PM +0200, Matteo Cafasso wrote: > > > Rebase patches on top of 1.35.25. > > > > > > No changes since last series. > > > > Can you explain the motivation behind adding the APis

Yara is a rule based scanning engine aimed to help malware analysts in finding and classifying interesting samples. https://github.com/VirusTotal/yara This series adds Yara support to Libguestfs allowing to upload sets of rules and scanning files against them. Currently provided APIs: - yara_load: loads a set of rules - yara_destroy: free resources allocated by loaded rules - yara_scan:

v2: - Fix yara dependency in packagelist - Use pkg-config where available - Improve longdesc of yara_load API - Fix libyara initialization and finalization - Import CLEANUP_FCLOSE - Add custom CLEANUP_DESTROY_YARA_COMPILER - Add rules compilation error callback - Other small fixes according to comments Matteo Cafasso (6): appliance: add yara dependency New API: yara_load New API:

Ok on most of the comments, only few notes on the last one. On 22/11/16 11:04, Pino Toscano wrote: > On Wednesday, 9 November 2016 22:38:55 CET Matteo Cafasso wrote: >> The internal_yara_scan runs the Yara engine with the previously loaded >> rules against the given file. >> >> For each rule matching against the scanned file, a struct containing >> the file name

The yara_load API allows to load a set of Yara rules contained within a file on the host. Rules can be in binary format, as when compiled with yarac command, or in source code format. In the latter case, the rules will be first compiled and then loaded. Subsequent calls of the yara_load API will result in the discard of the previously loaded rules. Signed-off-by: Matteo Cafasso

On 21/11/16 18:27, Pino Toscano wrote: > On Wednesday, 9 November 2016 22:38:53 CET Matteo Cafasso wrote: >> The yara_load API allows to load a set of Yara rules contained within a >> file on the host. >> >> Rules can be in binary format, as when compiled with yarac command, or >> in source code format. In the latter case, the rules will be first >> compiled

On Wednesday, 9 November 2016 22:38:53 CET Matteo Cafasso wrote: > The yara_load API allows to load a set of Yara rules contained within a > file on the host. > > Rules can be in binary format, as when compiled with yarac command, or > in source code format. In the latter case, the rules will be first > compiled and then loaded. > > Subsequent calls of the yara_load API

v3: - allow to load multiple rule files - added optional namespace parameter to yara_load - move destructor logic in yara module - use generic file upload logic - use generic temporary path function Matteo Cafasso (6): appliance: add yara dependency New API: yara_load New API: yara_destroy New API: internal_yara_scan New API: yara_scan yara_scan: added API tests

2017-02-20 12:26 GMT+02:00 Daniel P. Berrange <berrange@redhat.com>: > On Sun, Feb 19, 2017 at 07:09:51PM +0200, Matteo Cafasso wrote: > > Rebase patches on top of 1.35.25. > > > > No changes since last series. > > Can you explain the motivation behind adding the APis to libguestfs ? > > Since the libguestfs VM is separate from the real VM, it can't >

On Tuesday, 22 November 2016 19:41:10 CET noxdafox wrote: > > yara_load supports loading rules already compiled, which could have a > > namespace set -- I guess it should be reported here as well. > The namespace is accessible via the YR_RULE struct: > https://github.com/VirusTotal/yara/blob/master/libyara/include/yara/types.h#L242 > > Yet is nowere to be found in the C

The yara_destroy API allows to claim resources back via the removal of the previously loaded Yara rules. Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- daemon/yara.c | 14 ++++++++++++++ generator/actions_yara.ml | 8 ++++++++ generator/proc_nr.ml | 1 + lib/MAX_PROC_NR | 2 +- 4 files changed, 24 insertions(+), 1 deletion(-) diff --git

Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- configure.ac | 1 + tests/yara/Makefile.am | 26 ++++++++++++++++ tests/yara/test-yara-scan.sh | 72 ++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 99 insertions(+) create mode 100644 tests/yara/Makefile.am create mode 100755 tests/yara/test-yara-scan.sh diff --git a/configure.ac b/configure.ac

Rebase patches on top of 1.35.25. No changes since last series. Matteo Cafasso (7): daemon: expose file upload logic appliance: add yara dependency New API: yara_load New API: yara_destroy New API: internal_yara_scan New API: yara_scan yara_scan: added API tests appliance/packagelist.in | 4 + configure.ac | 1 + daemon/Makefile.am

On Wednesday, 9 November 2016 22:38:55 CET Matteo Cafasso wrote: > The internal_yara_scan runs the Yara engine with the previously loaded > rules against the given file. > > For each rule matching against the scanned file, a struct containing > the file name and the rule identifier is returned. > > The gathered list of yara_detection structs is serialised into XDR format