Thank you for the response, 

1) Yes, validation that rules compile is the primary request.
1a) Validation that a rule that uses the "vt" module matches a local file 
would be useful, but that does not seem reasonable.

2) Yes, a REST API to validate that a rule compiles would work, since the 
module is not going to be available.
2a) Having feedback about the errors is preferred, similar to the current 
feedback when compiling rules locally.

Please let me know if clarification is needed for any of those answers.

On Thursday, September 3, 2020 at 7:54:42 PM UTC+2 [email protected] wrote:

> Hi,
>
> I have two questions about your issue:
>
>  1) You only want to make sure that the rules compile, right? You don't 
> want to be able to control the values of variables like 
> vt.metadata.new_file, is that correct? 
>  2) A REST API that you could call for checking the syntax would work for 
> you?
>
> Regards,
> Víctor
>
>
> On Wed, Sep 2, 2020 at 10:30 PM [email protected] <[email protected]> 
> wrote:
>
>> Is there a way to test VirusTotal Livehunt rules that use the new import 
>> "vt" module instead of the deprecated externals?
>>
>> I was using a CI runner to compile YARA rules with yara-python before 
>> deployment to ensure that the rules compile before deploying them to 
>> VirusTotal LiveHunt.
>>
>> For example, I often use this rule to only match on new files.
>> global private rule new_files_only { condition: new_file }
>>
>> Unfortunately, I have found no way to test rules when the "vt" module is 
>> used, like this rule, which also only filters to only match new files.
>>
>> import "vt"
>> global private rule new_files_only { condition: vt.metadata.new_file }
>>
>> There may be similar issues where other rules that use the "vt" module 
>> will not match the intended files, because there was no way to test the 
>> rule effectively. 
>>
>> I asked technical support, and they responded that "vt" is an internal 
>> module that cannot be used. 
>>
>> Can a dummy version be provided?  The documentation appears to provide a 
>> definition of all of the data types that are exposed for use in Livehunt 
>> rules.
>>
>>
>> https://support.virustotal.com/hc/en-us/articles/360007088057-Writing-YARA-rules-for-Livehunt
>>
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "YARA" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/yara-project/d27462db-eef7-4ada-a149-5f25a9ab52afn%40googlegroups.com
>>
>
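
One way to structure the CI check discussed in this thread, as an added example that is not part of the original messages or of VirusTotal's tooling: rules that import "vt" are set aside as not verifiable locally, and the rest are compiled with yara-python. The function names, file names, the third sample rule and the `new_file` external default are assumptions made for illustration.

```python
import re

# Comments and string literals are consumed first, so an `import "vt"` that
# appears inside them is not counted. Heuristic: regex literals are not parsed.
SCAN = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|\bimport\s+"vt"', re.DOTALL)

def imports_vt(source):
    """True if the rule text contains a live `import "vt"` statement."""
    return any(m.group(0).startswith("import") for m in SCAN.finditer(source))

def check_rules(sources, compile_fn=None):
    """Compile each rule locally, except those that need the "vt" module.

    sources: {name: rule text}. Returns (errors, needs_remote): errors maps
    name -> compiler message, needs_remote lists rules that can only be
    validated on the VirusTotal side.
    """
    if compile_fn is None:
        import yara  # yara-python, imported lazily so the triage works without it
        # Assumption: rules using the deprecated externals only need new_file.
        compile_fn = lambda src: yara.compile(source=src, externals={"new_file": False})
    errors, needs_remote = {}, []
    for name, text in sources.items():
        if imports_vt(text):
            needs_remote.append(name)
            continue
        try:
            compile_fn(text)
        except Exception as exc:  # yara.SyntaxError when yara-python is used
            errors[name] = str(exc)
    return errors, needs_remote

# Constructed sample input; the first two rules are the ones quoted in the thread.
SAMPLE = {
    "externals.yar": 'global private rule new_files_only { condition: new_file }',
    "vt.yar": 'import "vt"\nglobal private rule new_files_only { condition: vt.metadata.new_file }',
    "commented.yar": '// import "vt"\nrule r { strings: $s = "import \\"vt\\"" condition: $s }',
}

if __name__ == "__main__":
    errs, remote = check_rules(SAMPLE)
    print("compile errors:", errs)
    print("not checkable locally:", remote)
```

A CI job can fail the build when `errors` is non-empty and report `needs_remote` as a warning, so rules that use "vt" are visibly untested rather than silently skipped.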
