npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
Overview
YARA is the pattern matching swiss knife for malware researchers, enabling identification and classification of malware based on textual or binary patterns. Effective YARA rules combine unique string patterns, byte sequences, PE header characteristics, import table analysis, and conditional logic to detect malware families while avoiding false positives. Modern YARA-X (rewritten in Rust, stable since June 2025) brings improved performance and new modules. Rules should target unpacked malware artifacts like hardcoded stack strings, C2 URLs, mutex names, encryption constants, and unique code sequences rather than packer signatures.
When to Use
- When conducting security assessments that involve performing yara rule development for detection
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
Prerequisites
- Python 3.9+ with
yara-pythonlibrary - YARA 4.5+ or YARA-X 0.10+
- PE analysis tools (
pefile,pestudio) - Hex editor for identifying unique byte patterns
- Access to malware samples (VirusTotal, MalwareBazaar)
- Understanding of PE file format, strings, and import tables
Key Concepts
Rule Structure
Every YARA rule consists of three sections: meta (optional descriptive metadata), strings (pattern definitions), and condition (matching logic). String types include text strings (ASCII/wide/nocase), hex patterns with wildcards and jumps, and regular expressions. Conditions combine string matches with file properties using boolean operators.
String Selection Strategy
Effective rules target patterns that are unique to the malware family and survive recompilation. Hardcoded stack strings are excellent choices because compilers embed them consistently. C2 domain patterns, custom encryption routines, unique error messages, and specific API call sequences provide stable detection anchors. Avoid compiler-generated boilerplate and common library strings.
Performance Optimization
YARA evaluates conditions short-circuit style. Place the most discriminating and cheapest-to-evaluate conditions first. Use filesize limits to skip irrelevant files quickly. Minimize regex usage in favor of hex patterns. Use private rules as building blocks for complex detection logic without generating standalone matches.
Workflow
Step 1: Analyze Sample for Unique Patterns
#!/usr/bin/env python3
"""Extract candidate strings and byte patterns for YARA rule creation."""
import pefile
import re
import sys
from collections import Counter
def extract_strings(filepath, min_length=6):
"""Extract ASCII and wide strings from binary."""
with open(filepath, 'rb') as f:
data = f.read()
# ASCII strings
ascii_strings = re.findall(
rb'[\x20-\x7e]{' + str(min_length).encode() + rb',}', data
)
# Wide (UTF-16LE) strings
wide_strings = re.findall(
rb'(?:[\x20-\x7e]\x00){' + str(min_length).encode() + rb',}', data
)
return {
'ascii': [s.decode('ascii') for s in ascii_strings],
'wide': [s.decode('utf-16-le') for s in wide_strings],
}
def analyze_pe_imports(filepath):
"""Extract import table for API-based detection."""
try:
pe = pefile.PE(filepath)
except pefile.PEFormatError:
return []
imports = []
if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
for entry in pe.DIRECTORY_ENTRY_IMPORT:
dll_name = entry.dll.decode('utf-8', errors='replace')
for imp in entry.imports:
if imp.name:
func_name = imp.name.decode('utf-8', errors='replace')
imports.append(f"{dll_name}!{func_name}")
return imports
def find_unique_byte_patterns(filepath, pattern_length=16):
"""Find unique byte sequences suitable for YARA hex patterns."""
with open(filepath, 'rb') as f:
data = f.read()
try:
pe = pefile.PE(filepath)
# Focus on code section
for section in pe.sections:
if section.Characteristics & 0x20000000: # IMAGE_SCN_MEM_EXECUTE
code_start = section.PointerToRawData
code_end = code_start + section.SizeOfRawData
code_data = data[code_start:code_end]
break
else:
code_data = data
except Exception:
code_data = data
# Find byte patterns that appear exactly once
patterns = []
for i in range(0, len(code_data) - pattern_length, 4):
pattern = code_data[i:i+pattern_length]
if pattern.count(b'\x00') < pattern_length // 3: # Skip null-heavy
hex_pattern = ' '.join(f'{b:02X}' for b in pattern)
patterns.append(hex_pattern)
# Count frequency and return unique ones
freq = Counter(patterns)
unique = [p for p, count in freq.items() if count == 1]
return unique[:20] # Top 20 candidates
def suggest_rule_strings(filepath):
"""Suggest strings and patterns for YARA rule."""
print(f"[+] Analyzing: {filepath}")
# Extract strings
strings = extract_strings(filepath)
# Filter for suspicious/unique strings
suspicious_keywords = [
'http', 'https', 'cmd', 'powershell', 'mutex', 'pipe',
'password', 'credential', 'inject', 'hook', 'debug',
'sandbox', 'virtual', 'vmware', 'vbox',
]
print("\n[+] Suspicious ASCII strings:")
for s in strings['ascii']:
if any(kw in s.lower() for kw in suspicious_keywords):
print(f" $ = \"{s}\" ascii")
print("\n[+] Suspicious wide strings:")
for s in strings['wide']:
if any(kw in s.lower() for kw in suspicious_keywords):
print(f" $ = \"{s}\" wide")
# Import analysis
imports = analyze_pe_imports(filepath)
suspicious_apis = [
'VirtualAlloc', 'VirtualProtect', 'WriteProcessMemory',
'CreateRemoteThread', 'NtUnmapViewOfSection', 'RtlMoveMemory',
'OpenProcess', 'CreateToolhelp32Snapshot',
'InternetOpenA', 'HttpSendRequestA',
'CryptEncrypt', 'CryptDecrypt',
]
print("\n[+] Suspicious imports:")
for imp in imports:
func = imp.split('!')[-1]
if func in suspicious_apis:
print(f" {imp}")
# Byte patterns
print("\n[+] Candidate hex patterns:")
patterns = find_unique_byte_patterns(filepath)
for p in patterns[:5]:
print(f" $hex = {{ {p} }}")
if __name__ == "__main__":
if len(sys.argv) < 2:
print(f"Usage: {sys.argv[0]} <sample_path>")
sys.exit(1)
suggest_rule_strings(sys.argv[1])Step 2: Write and Test YARA Rules
import yara
import os
def create_yara_rule(rule_name, meta, strings, condition):
"""Generate a YARA rule from components."""
meta_str = "\n".join(f' {k} = "{v}"' for k, v in meta.items())
strings_str = "\n".join(f" {s}" for s in strings)
rule = f"""rule {rule_name} {{
meta:
{meta_str}
strings:
{strings_str}
condition:
{condition}
}}"""
return rule
def test_yara_rule(rule_text, test_dir):
"""Compile and test YARA rule against sample directory."""
try:
rules = yara.compile(source=rule_text)
except yara.SyntaxError as e:
print(f"[-] YARA syntax error: {e}")
return None
results = {"matches": [], "no_match": []}
for filename in os.listdir(test_dir):
filepath = os.path.join(test_dir, filename)
if not os.path.isfile(filepath):
continue
matches = rules.match(filepath)
if matches:
results["matches"].append({
"file": filename,
"rules": [m.rule for m in matches],
})
else:
results["no_match"].append(filename)
print(f"[+] Matches: {len(results['matches'])}")
print(f"[-] No match: {len(results['no_match'])}")
return results
# Example: Create a rule for a hypothetical malware family
example_rule = create_yara_rule(
rule_name="MalwareFamily_Variant_A",
meta={
"description": "Detects MalwareFamily Variant A",
"author": "Malware Analysis Team",
"date": "2025-01-01",
"hash": "abc123...",
"tlp": "WHITE",
},
strings=[
'$mutex = "Global\\\\UniqueM4lwareMutex" ascii wide',
'$c2_pattern = /https?:\\/\\/[a-z]{5,10}\\.(xyz|top|buzz)\\/gate\\.php/',
'$api1 = "VirtualAllocEx" ascii',
'$api2 = "WriteProcessMemory" ascii',
'$api3 = "CreateRemoteThread" ascii',
'$hex_decrypt = { 8B 45 ?? 33 C1 89 45 ?? 83 C1 04 }',
'$pdb = "C:\\\\Users\\\\" ascii',
],
condition=(
'uint16(0) == 0x5A4D and filesize < 2MB and '
'($mutex or $c2_pattern) and '
'2 of ($api*) and '
'$hex_decrypt'
),
)
print(example_rule)Step 3: Performance Testing and Optimization
import time
def benchmark_rule(rule_text, scan_directory, iterations=3):
"""Benchmark YARA rule scan performance."""
rules = yara.compile(source=rule_text)
files = []
for root, _, filenames in os.walk(scan_directory):
for f in filenames:
files.append(os.path.join(root, f))
print(f"[+] Benchmarking against {len(files)} files "
f"({iterations} iterations)")
times = []
for i in range(iterations):
start = time.perf_counter()
matches = 0
for filepath in files:
try:
result = rules.match(filepath)
if result:
matches += 1
except Exception:
pass
elapsed = time.perf_counter() - start
times.append(elapsed)
print(f" Iteration {i+1}: {elapsed:.3f}s ({matches} matches)")
avg_time = sum(times) / len(times)
files_per_sec = len(files) / avg_time
print(f"\n[+] Average: {avg_time:.3f}s ({files_per_sec:.0f} files/sec)")
return avg_timeValidation Criteria
- YARA rules compile without syntax errors
- Rules detect target malware family samples with zero false negatives
- False positive rate below 0.1% when scanned against clean file corpus
- Rule performance allows scanning 1000+ files per second
- Rules survive minor malware modifications (recompilation, string changes)
- Metadata includes hash, author, date, description, and TLP marking
References
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md1.9 KB
API Reference: YARA Rule Development for Detection
yara-python API
| Method | Description |
|---|---|
yara.compile(filepath=path) |
Compile rule from file |
yara.compile(source=string) |
Compile rule from string |
yara.compile(filepaths={ns: path}) |
Compile with namespaces |
rules.match(filepath=path) |
Scan file against compiled rules |
rules.match(data=bytes) |
Scan bytes in memory |
rules.match(filepath, timeout=30) |
Scan with timeout |
Match Object Attributes
| Attribute | Description |
|---|---|
match.rule |
Name of matching rule |
match.namespace |
Rule namespace |
match.tags |
Rule tags list |
match.meta |
Rule metadata dict |
match.strings |
List of (offset, identifier, data) |
YARA Rule Structure
rule RuleName : tag1 tag2 {
meta:
description = "..."
author = "..."
date = "2025-01-01"
hash = "sha256_of_sample"
strings:
$s1 = "string" ascii
$s2 = "wide_string" wide
$h1 = { 4D 5A 90 00 }
$r1 = /regex[0-9]+/
condition:
uint16(0) == 0x5A4D and 3 of ($s*)
}Condition Operators
| Operator | Description |
|---|---|
X of ($s*) |
X or more strings match |
all of ($s*) |
All strings match |
any of ($s*) |
At least one matches |
uint16(0) == 0x5A4D |
PE file magic bytes |
filesize < 10MB |
File size constraint |
Python Libraries
| Library | Version | Purpose |
|---|---|---|
yara-python |
>=4.3 | Compile and scan YARA rules |
hashlib |
stdlib | SHA256 of samples |
re |
stdlib | String extraction |
References
- YARA Documentation: https://yara.readthedocs.io/en/stable/
- yara-python: https://github.com/VirusTotal/yara-python
- YARA Rules Repository: https://github.com/Yara-Rules/rules
- VirusTotal Hunting: https://www.virustotal.com/gui/hunting-overview
standards.md1.4 KB
YARA Rule Development Standards
Rule Naming Convention
Malware_Family_Variant: For specific malware variantsAPT_Group_Tool: For threat actor associated toolsExploit_CVE_YYYY_NNNN: For exploit payloadsTechnique_Name: For generic technique detection
Rule Quality Metrics
| Metric | Target | Description |
|---|---|---|
| True Positive Rate | >99% | Detection of known samples |
| False Positive Rate | <0.1% | Matches on clean files |
| Scan Speed | >1000 files/s | Processing performance |
| Maintenance Burden | Low | Frequency of updates needed |
String Types Reference
| Type | Syntax | Use Case |
|---|---|---|
| ASCII text | "text" ascii |
Plain text strings |
| Wide text | "text" wide |
UTF-16LE encoded strings |
| Case-insensitive | "text" nocase |
Variable casing |
| Hex pattern | { AA BB CC } |
Byte sequences |
| Wildcard hex | { AA ?? CC } |
Single byte wildcard |
| Jump hex | { AA [2-4] CC } |
Variable length gap |
| Regex | /pattern/ |
Complex pattern matching |
MITRE ATT&CK Relevance
- T1027 - Obfuscated Files: Rules detect packed/encoded malware
- T1036 - Masquerading: Rules identify file mimicry
- T1059 - Command Interpreter: Rules detect malicious scripts
References
workflows.md1.7 KB
YARA Rule Development Workflows
Workflow 1: Sample-Driven Rule Creation
[Malware Sample] --> [Static Analysis] --> [Extract Unique Strings] --> [Draft Rule]
|
v
[Test Against Samples]
|
v
[Test Against Clean Files]
|
v
[Deploy to Production]Workflow 2: Family-Wide Detection
[Multiple Samples] --> [Cross-Sample Analysis] --> [Find Common Patterns]
|
v
[Build Generic Rule]
|
v
[Validate Coverage]Workflow 3: Threat Hunt Integration
[Intelligence Report] --> [Extract IOCs] --> [Convert to YARA] --> [Retrohunt]
|
v
[Triage New Matches]Scripts 2
agent.py5.6 KB
#!/usr/bin/env python3
"""Agent for YARA rule development and testing.
Creates YARA rules from malware samples by extracting unique strings
and byte patterns, validates rules for performance, tests against
sample sets, and generates detection coverage reports.
"""
import json
import sys
import os
import hashlib
import re
from datetime import datetime
from pathlib import Path
try:
import yara
HAS_YARA = True
except ImportError:
HAS_YARA = False
class YaraRuleDeveloper:
"""Develops, validates, and tests YARA rules."""
def __init__(self, output_dir="./yara_rules"):
self.output_dir = Path(output_dir)
self.output_dir.mkdir(parents=True, exist_ok=True)
self.rules = []
def extract_strings(self, sample_path, min_length=8, max_strings=30):
"""Extract unique strings from a binary sample for rule creation."""
with open(sample_path, "rb") as f:
data = f.read()
ascii_strings = re.findall(rb'[\x20-\x7E]{%d,}' % min_length, data)
wide_strings = re.findall(
rb'(?:[\x20-\x7E]\x00){%d,}' % min_length, data)
unique_ascii = list(set(s.decode("ascii", errors="ignore")
for s in ascii_strings))
unique_wide = list(set(s.decode("utf-16-le", errors="ignore")
for s in wide_strings))
scored = []
generic_terms = {"http", "https", "www", "com", "dll", "exe",
"the", "this", "that", "error", "warning"}
for s in unique_ascii:
score = len(s)
if any(g in s.lower() for g in generic_terms):
score -= 5
if re.search(r'[A-Z][a-z]+[A-Z]', s):
score += 3
if "/" in s or "\\" in s:
score += 2
scored.append({"string": s, "type": "ascii", "score": score})
for s in unique_wide:
scored.append({"string": s, "type": "wide", "score": len(s) - 2})
scored.sort(key=lambda x: x["score"], reverse=True)
return scored[:max_strings]
def generate_rule(self, rule_name, sample_path, description="",
tags=None, author="auto"):
"""Generate a YARA rule from a malware sample."""
strings = self.extract_strings(sample_path)
sha256 = hashlib.sha256(Path(sample_path).read_bytes()).hexdigest()
rule_strings = []
for i, s in enumerate(strings[:15]):
if s["type"] == "ascii":
rule_strings.append(f' $s{i} = "{s["string"]}"')
else:
rule_strings.append(f' $s{i} = "{s["string"]}" wide')
tags_str = " : " + " ".join(tags) if tags else ""
rule_text = f"""rule {rule_name}{tags_str}
{{
meta:
description = "{description}"
author = "{author}"
date = "{datetime.utcnow().strftime('%Y-%m-%d')}"
hash = "{sha256}"
strings:
{chr(10).join(rule_strings)}
condition:
uint16(0) == 0x5A4D and filesize < 10MB and 5 of ($s*)
}}
"""
rule_path = self.output_dir / f"{rule_name}.yar"
rule_path.write_text(rule_text)
self.rules.append({"name": rule_name, "path": str(rule_path),
"strings_count": len(rule_strings)})
return {"rule_name": rule_name, "path": str(rule_path),
"strings": len(rule_strings), "hash": sha256}
def validate_rule(self, rule_path):
"""Compile and validate a YARA rule for syntax and performance."""
if not HAS_YARA:
return {"error": "yara-python not installed"}
try:
yara.compile(filepath=rule_path)
return {"valid": True, "path": rule_path}
except yara.SyntaxError as exc:
return {"valid": False, "error": str(exc)}
def test_rule(self, rule_path, sample_dir):
"""Test a YARA rule against a directory of samples."""
if not HAS_YARA:
return {"error": "yara-python not installed"}
try:
compiled = yara.compile(filepath=rule_path)
except yara.SyntaxError as exc:
return {"error": str(exc)}
results = {"matches": [], "no_match": [], "errors": []}
for root, dirs, files in os.walk(sample_dir):
for fname in files:
fpath = os.path.join(root, fname)
try:
matches = compiled.match(fpath, timeout=30)
if matches:
results["matches"].append({
"file": fpath, "rules": [m.rule for m in matches]})
else:
results["no_match"].append(fpath)
except yara.Error as exc:
results["errors"].append({"file": fpath, "error": str(exc)})
return results
def generate_report(self):
report = {
"report_date": datetime.utcnow().isoformat(),
"rules_created": len(self.rules),
"rules": self.rules,
}
print(json.dumps(report, indent=2))
return report
def main():
if len(sys.argv) < 3:
print("Usage: agent.py <rule_name> <sample_path> [test_dir]")
sys.exit(1)
agent = YaraRuleDeveloper()
rule_name = sys.argv[1]
sample = sys.argv[2]
result = agent.generate_rule(rule_name, sample)
validation = agent.validate_rule(result["path"])
print(json.dumps({"rule": result, "validation": validation}, indent=2))
if len(sys.argv) > 3:
test_results = agent.test_rule(result["path"], sys.argv[3])
print(json.dumps(test_results, indent=2))
if __name__ == "__main__":
main()
process.py8.5 KB
#!/usr/bin/env python3
"""
YARA Rule Development and Testing Framework
Assists in creating, testing, and optimizing YARA rules
for malware detection.
Requirements:
pip install yara-python pefile
Usage:
python process.py --analyze sample.exe
python process.py --test rule.yar --samples ./malware --clean ./goodware
python process.py --generate --name MalwareX --strings strings.txt
"""
import argparse
import json
import os
import re
import sys
import time
from collections import Counter
from pathlib import Path
try:
import yara
except ImportError:
print("ERROR: yara-python not installed. Run: pip install yara-python")
sys.exit(1)
try:
import pefile
except ImportError:
pefile = None
class YaraRuleBuilder:
"""Build and test YARA rules."""
def __init__(self):
self.candidate_strings = []
self.candidate_hex = []
self.imports = []
def analyze_sample(self, filepath):
"""Extract candidate patterns from a malware sample."""
with open(filepath, 'rb') as f:
data = f.read()
# Extract ASCII strings (min 8 chars)
ascii_strings = [
s.decode('ascii')
for s in re.findall(rb'[\x20-\x7e]{8,}', data)
]
# Extract wide strings
wide_strings = [
s.decode('utf-16-le')
for s in re.findall(rb'(?:[\x20-\x7e]\x00){8,}', data)
]
# Score strings by uniqueness/suspiciousness
suspicious = [
'http', 'https', 'ftp', 'cmd.exe', 'powershell',
'mutex', 'pipe', 'password', 'encrypt', 'decrypt',
'inject', 'hook', 'shell', 'backdoor', 'keylog',
'screenshot', 'clipboard', 'download', 'upload',
'sandbox', 'vmware', 'virtualbox', 'debug',
]
scored = []
for s in ascii_strings + wide_strings:
score = 0
s_lower = s.lower()
for kw in suspicious:
if kw in s_lower:
score += 10
if len(s) > 20:
score += 5
if re.search(r'[A-Z][a-z]+[A-Z]', s): # CamelCase
score += 3
scored.append((s, score))
scored.sort(key=lambda x: -x[1])
self.candidate_strings = scored[:30]
# PE imports if available
if pefile:
try:
pe = pefile.PE(filepath)
if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
for entry in pe.DIRECTORY_ENTRY_IMPORT:
for imp in entry.imports:
if imp.name:
self.imports.append(
imp.name.decode('utf-8', errors='replace')
)
except Exception:
pass
return {
"total_ascii": len(ascii_strings),
"total_wide": len(wide_strings),
"top_candidates": [(s, sc) for s, sc in scored[:10]],
"suspicious_imports": [
i for i in self.imports
if i in ['VirtualAlloc', 'VirtualAllocEx',
'WriteProcessMemory', 'CreateRemoteThread',
'NtUnmapViewOfSection', 'OpenProcess',
'CryptEncrypt', 'InternetOpenA']
],
}
def generate_rule(self, name, author="analyst", description=""):
"""Generate YARA rule from analyzed patterns."""
strings_section = []
conditions = []
# Add top candidate strings
for i, (s, score) in enumerate(self.candidate_strings[:8]):
if score > 0:
escaped = s.replace('\\', '\\\\').replace('"', '\\"')
strings_section.append(
f'$str{i} = "{escaped}" ascii wide'
)
# Add import-based strings
sus_imports = [
i for i in self.imports
if i in ['VirtualAlloc', 'VirtualAllocEx',
'WriteProcessMemory', 'CreateRemoteThread']
]
for i, imp in enumerate(sus_imports[:4]):
strings_section.append(f'$api{i} = "{imp}" ascii')
# Build condition
str_count = len([s for s in strings_section if s.startswith('$str')])
api_count = len([s for s in strings_section if s.startswith('$api')])
condition_parts = ['uint16(0) == 0x5A4D', 'filesize < 5MB']
if str_count > 0:
threshold = max(2, str_count // 2)
condition_parts.append(f'{threshold} of ($str*)')
if api_count > 0:
condition_parts.append(f'{max(1, api_count - 1)} of ($api*)')
rule = f"""rule {name} {{
meta:
description = "{description or f'Detects {name}'}"
author = "{author}"
date = "{time.strftime('%Y-%m-%d')}"
tlp = "WHITE"
strings:
{chr(10) + " ".join(strings_section)}
condition:
{" and ".join(condition_parts)}
}}"""
return rule
def test_rule(self, rule_path_or_text, sample_dir, clean_dir=None):
"""Test YARA rule for detection and false positive rates."""
if os.path.isfile(rule_path_or_text):
rules = yara.compile(filepath=rule_path_or_text)
else:
rules = yara.compile(source=rule_path_or_text)
results = {
"true_positives": 0,
"false_negatives": 0,
"false_positives": 0,
"true_negatives": 0,
"scan_time": 0,
"details": [],
}
# Scan malware samples
start = time.perf_counter()
for f in Path(sample_dir).rglob('*'):
if f.is_file():
try:
matches = rules.match(str(f))
if matches:
results["true_positives"] += 1
else:
results["false_negatives"] += 1
results["details"].append(
{"file": str(f), "result": "FALSE_NEGATIVE"}
)
except Exception:
pass
# Scan clean files
if clean_dir:
for f in Path(clean_dir).rglob('*'):
if f.is_file():
try:
matches = rules.match(str(f))
if matches:
results["false_positives"] += 1
results["details"].append(
{"file": str(f), "result": "FALSE_POSITIVE"}
)
else:
results["true_negatives"] += 1
except Exception:
pass
results["scan_time"] = time.perf_counter() - start
total_samples = results["true_positives"] + results["false_negatives"]
if total_samples > 0:
results["detection_rate"] = round(
results["true_positives"] / total_samples * 100, 2
)
total_clean = results["false_positives"] + results["true_negatives"]
if total_clean > 0:
results["fp_rate"] = round(
results["false_positives"] / total_clean * 100, 4
)
return results
def main():
parser = argparse.ArgumentParser(
description="YARA Rule Development Framework"
)
parser.add_argument("--analyze", help="Analyze sample for YARA patterns")
parser.add_argument("--generate", action="store_true",
help="Generate rule from analysis")
parser.add_argument("--name", default="MalwareDetection",
help="Rule name")
parser.add_argument("--test", help="Test YARA rule file")
parser.add_argument("--samples", help="Malware samples directory")
parser.add_argument("--clean", help="Clean files directory")
parser.add_argument("--output", help="Output rule file")
args = parser.parse_args()
builder = YaraRuleBuilder()
if args.analyze:
analysis = builder.analyze_sample(args.analyze)
print(json.dumps(analysis, indent=2, default=str))
if args.generate:
rule = builder.generate_rule(args.name)
print(f"\n{rule}")
if args.output:
with open(args.output, 'w') as f:
f.write(rule)
print(f"[+] Rule saved to {args.output}")
elif args.test and args.samples:
results = builder.test_rule(args.test, args.samples, args.clean)
print(json.dumps(results, indent=2))
else:
parser.print_help()
if __name__ == "__main__":
main()