Created
February 7, 2018 20:02
-
-
Save Xumeiquer/362a10dbd817bcab97ec957dfe9f49ac to your computer and use it in GitHub Desktop.
This script splits up a Yara rule file in several files with a specific number of rules on them.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # -*- coding: utf-8 -*- | |
| import os | |
| import sys | |
| import uuid | |
| from collections import deque | |
| # Motify this as the number of rules per file | |
| RULES_PER_FILE = 3 | |
| SPLIT_KW = "rule" | |
| EXT = ".yar" | |
| def main(): | |
| if len(sys.argv) != 2: | |
| print("Feed me, please!") | |
| sys.exit(1) | |
| if not os.path.exists(sys.argv[1]): | |
| print("Feed me with files, please!") | |
| sys.exit(1) | |
| with open(sys.argv[1]) as fi: | |
| rules_found = -1 | |
| file_content = "" | |
| sub_buff = deque(maxlen=len(SPLIT_KW)) | |
| while True: | |
| buff = fi.read(1) | |
| sub_buff.append(buff) | |
| if buff == '': | |
| fname = str(uuid.uuid4()) + EXT | |
| print("[+] Writing {} rules into {}".format(rules_found+1, fname)) | |
| with open(fname, "w") as fo: | |
| fo.write(file_content) | |
| print("[!] Reached EOF") | |
| sys.exit(0) | |
| file_content += buff | |
| if "".join(sub_buff) == SPLIT_KW: # Rule found | |
| sub_buff.clear() | |
| rules_found += 1 | |
| if rules_found == RULES_PER_FILE: | |
| file_content = file_content[:-len(SPLIT_KW)] # Remove the last 'rule' keyword | |
| fname = str(uuid.uuid4()) + EXT | |
| print("[+] Writing {} rules into {}".format(rules_found, fname)) | |
| with open(fname, "w") as fo: | |
| fo.write(file_content) | |
| rules_found = 0 | |
| file_content = SPLIT_KW | |
| if __name__ == '__main__': | |
| main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment