You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
yallback - dispatch YARA rule matches to shell functions
yallback enables you to handle YARA rule matches with simple shell function callbacks.
Getting Started
Here's a very basic example, building on YARA's own ~hello-world example:
echo rule dummy { condition: true } > my_first_rule
echo'yallback:rule:dummy:each(){ echo no, _you_ are the dummy! $@ ; }'> my_first_rodeo
yara my_first_rule my_first_rule | yallback my_first_rodeo
This example emits: no, _you_ are the dummy! dummy my_first_rule
Usage
For now, yallback is pretty simple:
pipe/redirect output from yara to yallback on stdin. don't use any fancy output options; yallback doesn't (and may not) support them
yallback directly handles a single argument for now--a y'all-file. This is just a shell (bash) file that tells yallback which information you'd like to receive by defining functions to receive them:
yallback:rule:<rulename>:all - receive all rule matches in a single call
$1 == <rulename> (this is a convenience, in case you want a single function to handle multiple rules)
matching files are passed on stdin, one per line
yallback:rule:<rulename>:each - receive one call per rule match
$1 == <rulename>
$2 == <file>
yallback:done called to return control to your script after calling the last callback
Any additional arguments passed when invoking yallback will be passed to your y'all-file when it is sourced.
