[Forensics-changes] [yara] 95/135: Release version 3.0.0

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:27:36 UTC 2017


This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.1.0
in repository yara.

commit 35d9ce627f25a7c4937c269e9e524a54c13f0c77
Author: Victor M. Alvarez <plusvic at gmail.com>
Date:   Wed Aug 13 14:25:25 2014 +0200

    Release version 3.0.0
---
 README.md                 |  84 +++++++++-----------
 config.h                  |   6 +-
 configure.ac              |   2 +-
 docs/gettingstarted.rst   |   4 +-
 docs/writingmodules.rst   |   2 +-
 libyara/Makefile.am       |   2 +-
 yara-python/README        | 190 +---------------------------------------------
 yara-python/setup.py      |   2 +-
 yara-python/setupwin32.py |   2 +-
 yara-python/setupwin64.py |   2 +-
 10 files changed, 50 insertions(+), 246 deletions(-)

diff --git a/README.md b/README.md
index de616d8..943a5cf 100644
--- a/README.md
+++ b/README.md
@@ -28,66 +28,33 @@ The above rule is telling YARA that any file containing one of the three strings
 must be reported as *silent_banker*. This is just a simple example, more
 complex and powerful rules can be created by using wild-cards, case-insensitive
 strings, regular expressions, special operators and many other features that
-you'll find explained in [YARA's documentation](https://googledrive.com/host/0BznOMqZ9f3VUek8yN3VvSGdhRFU/YARA-Manual.pdf).
+you'll find explained in [YARA's documentation](http://yara.readthedocs.org/).
 
 YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used
 through its command-line interface or from your own Python scripts with the
 yara-python extension.
 
-Python users can also use [yara-ctyles](https://github.com/mjdorma/yara-ctypes)
-by Michael Dorman. He has also written a multi-threaded command-line YARA
-scanner based on yara-ctypes that can exploit the benefits of current multi-core
-CPUs when scanning big file collections.
+## What's new in YARA 3.0
 
-If you are a Ruby user you can use [yara-ruby](https://github.com/SpiderLabs/yara-ruby),
-written by Eric Monti.
+YARA 3.0 introduces a new concept that will skyrocket its potential: extension
+modules. With extension modules you can implement new features for YARA in a
+simple and easy way. Modules can be used for dissecting file formats and then
+creating YARA rules based on features of the format, for implenting new
+functions that you can invoke later from your rules, and for much more!
 
+You can get a grasp of what modules can do by looking at the documentation of
+the two modules included in this release, the
+[Cuckoo module](http://yara.readthedocs.org/en/latest/modules.html#cuckoo-module)
+and the [PE module](http://yara.readthedocs.org/en/latest/modules.html#pe-module).
 
-## What's new in YARA 2.0
-
-YARA has experiencied an almost complete rewrite for version 2.0, as a result
-this new version has the following advantages over previous ones:
-
-* It's faster, [believe me](http://www.youtube.com/watch?v=ApAFU5ROo10), a
-LOT faster. With YARA 2.0 scanning speed is from 2X to 100X faster depending
-on your rules. The 100X speedup is only experienced with certain corner cases,
-but if you have a large and diverse set of rules you'll definitely notice the
-improvement.
-
-* Better multi-threading support. Previous versions of YARA were thread-safe up
-to a certain level. You could compile rules and scan multiple files
-simultaneously, provided that each thread was using its own set of compiled
-rules. In YARA 2.0 multiple threads can share the same compiled rules to scan
-multiple files at the same time. The new YARA's command-line scanner takes
-advance of that and is now multi-threaded, allowing to scan whole directories
-blazingly fast.
-
-* Rules can be saved to binary form. In the same way you would compile your
-program's source code to create an executable file, with YARA 2.0 you can
-compile your rules and save them into a binary file for later use. This way you
-can use pre-compiled rules without having to parse them again, or you can share
-rules with someone else without revealing the actual source code (but beware
-that each time you do that God kills a kitten).
-
-The drawsbacks for this rewrite are:
-
-* You can find some incompatibilities in regular expressions. YARA 2.0 replaced
-external libraries like PCRE or RE2 with its own regular expression engine. Most
-regular expression features are present in the new implementation, but a few
-ones like POSIX character classes and backreferences are missing. If you were
-using RE2 instead of PCRE with previous versions of YARA you won't miss
-backreferences, because RE2 don't support them neither.
-
-* The C API provided by libyara has changed. If you're a developer using this
-API you'll need to make some changes to your application in order to adapt it
-to YARA 2.0. But don't worry, it won't be too much work and the benefits worth
-the effort. Users of yara-python are not affected, the Python interface remains
-the same.
+More details about how to implement your own modules can be found in the
+[new documentation](http://yara.readthedocs.org/).
 
+If you want to contribute with ideas or code for new YARA modules, don't
+hesitate! Share your thoughts!
 
 ## Who's using YARA
 
-
 * [VirusTotal Intelligence](https://www.virustotal.com/intelligence/)
 * [jsunpack-n](http://jsunpack.jeek.org/)
 * [We Watch Your Website](http://www.wewatchyourwebsite.com/)
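Review bot: typo in the added "What's new in YARA 3.0" paragraph: `for implenting new` should read `for implementing new`. The three documentation links introduced in this hunk (`http://yara.readthedocs.org/` and the two module anchors) are plain http; the host serves the same pages over https, and a README is exactly where readers copy links from, so use `https://`.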
@@ -105,10 +72,29 @@ the same.
 * [Blueliv](http://www.blueliv.com)
 * [Adlice](http://www.adlice.com/)
 
-Are you using it too? Tell me!
+Are you using it? Want to see your site listed here?
 
 ## Releases
 
+### 3.0 (13/08/2014)
+
+* Support for modules
+* PE module
+* Cuckoo module
+* Some improvements in the C API
+* More comprehensive documentation
+* BUGFIX: Start anchor (^) not working properly with the "matches" operator
+* BUGFIX: False negative with certain regular expressions
+* BUGFIX: Improper handling of nested includes with relative pathes
+* BUGFIX: \s character class not recognizing \n, \r, \v and \f as spaces
+* BUGFIX: YARA for Win64 scanning only the first 4GB of files.
+* BUGFIX: Segmentation fault when using nested loops
+* BUGFIX: Segmentation fault caused by invalid characters in regular expressions
+* BUGFIX: Segmentation fault while scanning some processes in Windows
+* BUGFIX: Segmentation fault caused by regexp code spanning over non-contiguous
+memory pages
+
+
 ### 2.1.0 (03/03/2014)
 
 * Improve regexp engine
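Review bot: `relative pathes` in the nested-includes entry should be `relative paths`, and the Win64 entry is the only bullet that ends with a period; drop it for consistency. The new heading says `3.0` while the commit message and the docs tarball name in this same commit say 3.0.0; pick one version string for the release. Five of the listed fixes are segmentation faults reachable from rule text or scanned input (invalid characters in regular expressions, nested loops, regexp code on non-contiguous pages, process scanning on Windows); downstream packagers read this list to decide what to backport, so reference the fixing commits or issue numbers for those entries.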
diff --git a/config.h b/config.h
index 2edeb52..c02f7ab 100644
--- a/config.h
+++ b/config.h
@@ -60,19 +60,19 @@
 #define PACKAGE_NAME "yara"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "yara 2.1"
+#define PACKAGE_STRING "yara 3.0"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "yara"
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "2.1"
+#define PACKAGE_VERSION "3.0"
 
 /* Define to 1 if you have the ANSI C header files. */
 #define STDC_HEADERS 1
 
 /* Version number of package */
-#define VERSION "2.1"
+#define VERSION "3.0"
 
 /* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a
    `char[]'. */
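Review bot: config.h is autoheader output (the `Define to the full name and version of this package.` comments are its template text), so hand-editing `PACKAGE_STRING`, `PACKAGE_VERSION` and `VERSION` here is overwritten the next time `./bootstrap.sh && ./configure` runs and drifts whenever configure.ac changes without a matching edit. Either stop tracking the generated header and let configure produce it, or regenerate it as part of the release step instead of patching the strings.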
diff --git a/configure.ac b/configure.ac
index 2f69736..5130552 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([yara], [2.1], [vmalvarez at virustotal.com])
+AC_INIT([yara], [3.0], [vmalvarez at virustotal.com])
 
 AC_CONFIG_SRCDIR([yara.c])
 
diff --git a/docs/gettingstarted.rst b/docs/gettingstarted.rst
index f840fb1..31a5580 100644
--- a/docs/gettingstarted.rst
+++ b/docs/gettingstarted.rst
@@ -12,8 +12,8 @@ Compiling and installing YARA
 
 Download the source tarball and get prepared for compiling it::
 
-    tar -zxf yara-2.2.0.tar.gz
-    cd yara-2.2.0
+    tar -zxf yara-3.0.0.tar.gz
+    cd yara-3.0.0
     ./bootstrap.sh
 
 YARA uses GNU autotools, so it's compiled and installed in the standard
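Review bot: the tarball name here (`yara-3.0.0.tar.gz`) does not match the version set in this same commit, `AC_INIT([yara], [3.0], ...)`; `make dist` names the archive `$(PACKAGE)-$(VERSION).tar.gz`, i.e. `yara-3.0.tar.gz`, so a reader following these two lines verbatim is told to extract a file that the build does not produce. Use one version string across configure.ac, config.h, the README changelog, the setup.py files and this page.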
diff --git a/docs/writingmodules.rst b/docs/writingmodules.rst
index 9e6b315..4d127df 100644
--- a/docs/writingmodules.rst
+++ b/docs/writingmodules.rst
@@ -4,7 +4,7 @@
 Writing your own modules
 ************************
 
-Starting with YARA 2.2 you can extend its features by using modules. With
+Starting with YARA 3.0 you can extend its features by using modules. With
 modules you can define data structures and functions which can be later used
 from your rules to express more complex and refined conditions. You can see
 some examples of what a module can do in the :ref:`using-modules` section.
diff --git a/libyara/Makefile.am b/libyara/Makefile.am
index 26f4f45..04dce2c 100644
--- a/libyara/Makefile.am
+++ b/libyara/Makefile.am
@@ -32,7 +32,7 @@ yarainclude_HEADERS = \
 
 lib_LTLIBRARIES = libyara.la
 
-libyara_la_LDFLAGS = -export-symbols libyara.sym -version-number 2:1
+libyara_la_LDFLAGS = -export-symbols libyara.sym -version-number 3:0
 
 libyara_la_SOURCES = \
   $(MODULES) \
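Review bot: bumping `-version-number` from `2:1` to `3:0` changes the shared-library SONAME (libyara.so.2 becomes libyara.so.3), so every consumer built against 2.x, yara-python included, must be rebuilt, and nothing in the diff says so. The README entry `Some improvements in the C API` is the only hint; state the ABI break explicitly in the changelog and in the yara-python build notes, which this commit reduces to a pointer at readthedocs.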
diff --git a/yara-python/README b/yara-python/README
index ac84643..f7aca65 100644
--- a/yara-python/README
+++ b/yara-python/README
@@ -2,190 +2,8 @@
 YARA for Python
 ===============
 
-This is a Python extension that gives you access to YARA's powerful features from 
-your own Python scripts. 
+This is a Python extension that gives you access to YARA's powerful features from
+your own Python scripts.
 
-
-HOW TO BUILD
-============
-
-
-yara-python depends on libyara, a library that implements YARA's core functions. You
-must build and install YARA in your system before building yara-python. The latest
-YARA version can be downloaded from:
-
-http://yara.googlecode.com/files/yara-1.6.tar.gz
-
-
-After installing YARA you can build yara-python this way:
-
-$ tar xzvf yara-python-1.6.tar.gz
-$ cd yara-python-1.6
-$ python setup.py build
-$ sudo python setup.py install
-
-You can test your installation by invoking Python and importing the YARA module:
-
-$ python
-Python 2.7.1 (r271:86832, Jun 16 2011, 16:59:05) 
-[GCC 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2335.15.00)] on darwin
-Type "help", "copyright", "credits" or "license" for more information.
->>> import yara
->>>
-
-In some operating systems (e.g: Ubuntu) you can get an error message like this one:
-
-Traceback (most recent call last):
-  File "<stdin>", line 1, in ?
-ImportError: libyara.so.0: cannot open shared object file: No such file or directory
-
-
-If you get the previous error you should add the path /usr/local/lib to the loader
-configuration file:
-
-$ sudo su
-$ echo "/usr/local/lib" >> /etc/ld.so.conf
-$ ldconfig
-
-
-HOW TO USE
-==========
-
-Once yara-python is built and installed on your system you can use it as shown below:
-
-import yara
-
-Then you will need to compile your YARA rules before applying them to your data, the
-rules can be compiled from a file path:
-
-rules = yara.compile(filepath='/foo/bar/myrules')
-
-The default argument is 'filepath', so you don't need to explicitly specify its name:
-
-rules = yara.compile('/foo/bar/myrules')
-
-You can also compile your rules from a file object:
-
-fh = open('/foo/bar/myrules')
-rules = yara.compile(file=fh)
-fh.close()
-
-Or you can compile them directly from a Python string:
-
-rules = yara.compile(source='rule dummy { condition: true }')
-
-If you want to compile a group of files or strings at the same time you can do it by using
-the 'filepaths' or 'sources' named arguments:
-
-rules = yara.compile(filepaths={
-
-	'namespace1':'/my/path/rules1',
-	'namespace2':'/my/path/rules2'
-})
-
-rules = yara.compile(sources={
-
-	'namespace1':'rule dummy { condition: true }',
-	'namespace2':'rule dummy { condition: false }'
-})
-
-Notice that both 'filepaths' and 'sources' must be dictionaries with keys of string type. The dictionary
-keys are used as a namespace identifier, allowing to differentiate between rules with the same name in
-different sources, as occurs in the second example with the “dummy” name.
-
-The compile method also have an optional boolean parameter 'includes' which allows you to control
-whether or not the include directive should be accepted in the source files, for example:
-
-rules = yara.compile('/foo/bar/myrules', includes=False)
-
-If the source file contains include directives the previous line would raise an exception.
-
-If you are using external variables in your rules you must define those externals variables either while
-compiling the rules, or while applying the rules to some file. To define your variables at the moment of
-compilation you should pass the 'externals' parameter to the compile method. For example:
-
-rules = yara.compile( '/foo/rules', 
-				   externals= {
-						'var1': 'some string',
-						'var2': 4,
-						'var3': True
-				   })
-
-The 'externals' parameter must be a dictionary with the names of the variables as keys and an associated
-value of either string, integer or boolean type.
-
-In all cases compile returns an instance of the class Rules, which in turn has a match method:
-
-matches = rules.match('/foo/bar/myfile')
-
-But you can also apply the rules to a Python string:
-
-f = fopen('/foo/bar/myfile', 'rb')
-
-matches = rules.match(data=f.read())
-
-As in the case of compile, the 'match' method can receive definitions for externals variables in the externals
-parameter.
-
-matches = rules.match( '/foo/bar/myfile', 
-				   externals= {
-						'var1': 'some other string',
-						'var4': 100,
-				   })
-
-Externals variables defined during compile-time don’t need to be defined again in subsequent invocations of
-'match' method. However you can redefine any variable as needed, or provide additional definitions that weren’t
-provided during compilation.
-
-You can also specify a callback function when invoking match method. The provided function will be called for
-every rule, no matter if matching or not. Your callback function should expect a single parameter of dictionary
-type, and should return CALLBACK_CONTINUE to proceed to the next rule or CALLBACK_ABORT to stop applying rules to
-your data.
-
-
-Here is an example:
-
-import yara
-
-def mycallback(data):
-	print data
-	yara.CALLBACK_CONTINUE
-
-matches = rules.match('/foo/bar/myfile', callback=mycallback)
-
-The passed dictionary will be something like this:
-
-{
-	'tags': ['foo', 'bar'], 
-	'matches': True, 
-	'namespace': 'default', 
-	'rule': 'my_rule', 
-	'meta': {}, 
-	'strings': [(81, '$a', 'abc'), (141, '$b', 'def')]
-}
-
-The 'matches' field indicates if the rules matches the data or not.
-
-The 'strings' fields is a list of matching strings, with vectors of the form:
-
-(<offset>, <string identifier>, <string data>)
-
-The 'match' method returns a list of instances of the class Match. The instances of this class can be treated as text
-strings containing the name of the matching rule. For example you can print them:
-
-for m in matches:
-	print "%s" % m
-
-In some circumstances you may need to explicitly convert the instance of Match to string, for example when comparing
-it with another string:
-
-if str(matches[0]) == 'SomeRuleName':
-	...
-
-The Match class has the same attributes as the dictionary passed to the callback function:
-
--rule
--namespace
--meta
--tags
--strings
+Refer to http://yara.readthedocs.org for more information about how to build and
+use yara-python.
\ No newline at end of file
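Review bot: the replacement text has no trailing newline (`\ No newline at end of file`); add one. The hunk drops the entire build and usage guide in favour of a single link, so confirm the readthedocs pages cover what was documented only here before it is gone: the `libyara.so.0: cannot open shared object file` loader fix, the `externals` dictionary semantics for `compile` and `match`, and the callback protocol (`CALLBACK_CONTINUE` / `CALLBACK_ABORT`). The removed examples also carried errors that should not be migrated as-is, e.g. `f = fopen('/foo/bar/myfile', 'rb')` for `open(...)` and a callback that never returns `yara.CALLBACK_CONTINUE`. The new link is plain http; use `https://yara.readthedocs.org`.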
diff --git a/yara-python/setup.py b/yara-python/setup.py
index cc6c479..e5e99c9 100644
--- a/yara-python/setup.py
+++ b/yara-python/setup.py
@@ -17,7 +17,7 @@
 from distutils.core import setup, Extension
 
 setup(name='yara-python',
-      version='2.1',
+      version='3.0',
       author='Victor M. Alvarez',
       author_email='plusvic at gmail.com;vmalvarez at virustotal.com',
       ext_modules=[Extension(
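Review bot: `version='3.0'` is now hand-maintained in three files (setup.py, setupwin32.py, setupwin64.py) on top of configure.ac and config.h, and this same commit calls the release 3.0.0 elsewhere; read the version from a single place (one version module, or the configure output) so the Python package cannot drift from the libyara it links against, and so the three Windows and POSIX setup scripts cannot disagree with each other.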
diff --git a/yara-python/setupwin32.py b/yara-python/setupwin32.py
index a88a9bb..7bbf1b3 100644
--- a/yara-python/setupwin32.py
+++ b/yara-python/setupwin32.py
@@ -17,7 +17,7 @@
 from distutils.core import setup, Extension
 
 setup(name='yara-python',
-      version='2.1',
+      version='3.0',
       author='Victor M. Alvarez',
       author_email='plusvic at gmail.com;vmalvarez at virustotal.com',
       ext_modules=[Extension(
diff --git a/yara-python/setupwin64.py b/yara-python/setupwin64.py
index cb808cc..eb5a239 100644
--- a/yara-python/setupwin64.py
+++ b/yara-python/setupwin64.py
@@ -17,7 +17,7 @@
 from distutils.core import setup, Extension
 
 setup(name='yara-python',
-      version='2.1',
+      version='3.0',
       author='Victor M. Alvarez',
       author_email='plusvic at gmail.com;vmalvarez at virustotal.com',
       ext_modules=[Extension(

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git