python - 使用 YARA python 扫描目录

问题描述

现在被这个问题困扰了一段时间。我正在使用自己的 yara 规则扫描目录，当我尝试使用我的代码获取单个文件时它可以工作，但是当我在 a 上使用相同的代码时for loop，它不匹配任何内容。

我试过搜索我的问题，但它总是向我展示 yara 基础知识的文档。

def scan_test(): // works
    file_source = 'index.php'
    match_list = []
    externals = {'filename': file_source}
    rules = yara.compile('rules.yar', externals=externals)
    with open('filepath') as f:
        matches = rules.match(data=f.read(), externals=externals)

    if len(matches) > 0:
        match_list.append(matches)

    return match_list
    
def scan_test3(dir_source): // not working
    match_list = []
    for folder,subfolders, files in os.walk(dir_source):
        for file in files:
            path = os.path.join(folder, file)
            try:
                file_name, file_extension = os.path.splitext(file)
                if (file_extension == '.txt' or file_extension == '.php'):
                    rules = yara.compile('rules.yar', externals={'filename': file})
                    with open(path) as f:
                        matches = rules.match(data=f.read(), externals={'filename': file})
                    if len(matches) > 0:
                        match_list.append(matches)
            except Exception as e:
                print(e)
                pass
    return match_list

测试yara规则：

    rule test_rule
    {
        meta:
            description = "This is a test rule"
        strings:
            $a = "<?php"
        condition:
            $a and (filename matches /index\.php/ or filename matches /login\.php/)
    }

我的代码是否正确？谁可以帮我这个事？

标签： pythonscanningyara