diff --git a/docs/YARA-X Config Guide.md b/docs/YARA-X Config Guide.md deleted file mode 100644 index b2549c5b8..000000000 --- a/docs/YARA-X Config Guide.md +++ /dev/null @@ -1,197 +0,0 @@ -YARA-X Config Guide -=================== - -YARA-X uses a configuration file for controlling the behavior of different -commands. It currently supports the `fmt` and `check` commands. More may be -added in the future. - -The `yr` command looks in `${HOME}/.yara-x.toml` when starting up. If that file -does not exist the default values are used. - -An example `.yara-x.toml` file is below, with comments that explain each option. -The values for each option are the default values that are used if the option -is omitted. - -This is the definitive list of supported configuration options, and will be -updated as more are added. - -```toml -# Config file for YARA-X. - -# Any options that are omitted from your config file will use the default value. - -# The configuration of the "fmt" subcommand can be controlled by options in the -# "fmt" section. Each line is a key-value pair where the key uses a dot notation -# to deliniate different options. The "rule" namespace are for options that -# apply to the rule as a whole, while the "meta" and "patterns" namespaces are -# for options that only apply to those sections in a rule. -[fmt] -# Indent section headers so that: -# -# rule a { -# condition: -# true -# } -# -# Becomes: -# -# rule a { -# condition: -# true -# } -rule.indent_section_headers = true - -# Indent section contents so that: -# rule a { -# condition: -# true -# } -# -# Becomes: -# -# rule a { -# condition: -# true -# } -rule.indent_section_contents = true - -# Number of spaces to use for indentation. Setting this to 0 will use one tab -# character per level of indentation. To disable indentation entirely use -# rule.indent_section_headers and rule.indent_section_contents -rule.indent_spaces = 2 - -# Add a newline before the curly brace that starts the rule body. -# -# rule a { -# condition: -# true -# } -# -# Becomes: -# -# rule a -# { -# condition: -# true -# } -# -# Note: If you have multiple newlines before the curly brace and this is set to -# `true` then this will ensure exactly two newlines are left. -rule.newline_before_curly_brace = false - -# Add an empty line before section headers so that: -# -# rule a { -# meta: -# date = "20240705" -# strings: -# $ = "AXSERS" -# } -# -# Becomes: -# -# rule a { -# meta: -# date = "20240705" -# -# strings: -# $ = "AXSERS" -# } -# -# Note: This does not apply to the first section header defined. All empty lines -# before the first section header are always removed. -rule.empty_line_before_section_header = true - -# Add an empty line after section headers so that: -# -# rule a { -# strings: -# $ = "AXSERS" -# } -# -# Becomes: -# -# rule a { -# strings: -# -# $ = "AXSERS" -# } -rule.empty_line_after_section_header = false - -# Align metadata values so that: -# -# rule a { -# meta: -# key = "a" -# long_key = "b" -# } -# -# Becomes: -# -# rule a { -# meta: -# key = "a" -# long_key = "b" -# } -# -# Note that alignment is done with spaces, regardless of rule.indent_spaces -# setting. -meta.align_values = true - -# Same as meta.align_values but applies to patterns. -patterns.align_values = true - -# The "check" section controls the behavior of the "check" command, which is -# used to enforce standards on various aspects of the rule like metadata and -# rule name. -# -[check.rule_name] -# A regular expression which must match rule names. For example, if you require -# that every rule start with a "category" description followed by an underscore -# you could use something like this: -# -# regexp = "^(APT|CRIME)_" -regexp = "" - -# Bad rule names only raise a warning by default, set this to true to raise -# an error instead of a warning. -error = false - -[check.metadata] -# Each entry in this section is a table (dictionary) of metadata identifiers and -# their requirements. -# -# The key is the identifier and the value is a table that describes the -# requirements for that identifier - what type it must have, if it is -# required or not, and whether the violation of the requirements should be -# consired an error or only a warning. -# -# Supported types are "string", "integer", "float", "bool", "md5", -# "sha1", "sha256", or "hash". -# -# To require that there must be a "file" metadata field that contains a hash, -# an "author" field of type string, and an optional "date" field of type integer, -# use these lines: -# -# file = { type = "hash", required = true, error = true } -# author = { type = "string", required = true } -# date = { type = "integer" } - -# -# The default for "required" is false. -# -# The "md5", "sha1" and "sha256" types are convenience types that check for a -# string that is the correct length and only contains valid hexadecimal digits. -# -# The "hash" type is another convenience type that checks for any of the valid -# hashes mentioned above. It is meant to be more flexible than requiring a -# specific hash type in every rule. -# -# For example, to require that every rule have a metadata field named "sample" -# and that the type of that field be an md5, sha1 or sha256 string use this: -# -# sample = { type = "hash", required = true } -# -# NOTE: Inline tables must be expressed as a single line and no trailing comma -# is allowed. -``` \ No newline at end of file diff --git a/site/content/docs/cli/config.md b/site/content/docs/cli/config.md index b6ff70729..589eb5631 100644 --- a/site/content/docs/cli/config.md +++ b/site/content/docs/cli/config.md @@ -18,99 +18,263 @@ seo: noindex: false # false (default) or true --- -YARA-X uses a configuration file to control the behavior of its various -commands. Currently, it supports settings for the `fmt` command, but additional -command options will be introduced in future updates. +YARA-X uses a configuration file for controlling the behavior of different +commands. The file is written in [TOML](https://toml.io/) format, and it +currently +supports the `fmt` and `check` commands. More may be added in the future. -By default, YARA-X looks for the configuration file at `${HOME}/.yara-x.toml` -when it starts. If the file is not present, default settings are used instead. +The `yr` command looks in `${HOME}/.yara-x.toml` when starting up. If that file +does not exist the default values are used. -An example `.yara-x.toml` file is shown below, with comments that explain each -option. +This is the definitive list of supported configuration options, invalid keys +or incorrect types will result in a parsing error while loading the +configuration +file. -```toml -# Config file for YARA-X. -# -# The `[fmt]` section controls the behavior of the "fmt" command, which is -# responsible for formatting YARA rules. Settings are defined as key-value -# pairs, using dot notation to specify different aspects of formatting. -# -# The available namespaces are: -# - `rule`: Options that apply to formatting the overall rule structure. -# - `meta`: Options specific to the "meta" section of a rule. -# - `patterns`: Options specific to formatting the "patterns" section of a rule. +## The [fmt] section -[fmt] +The `[fmt]` section controls the behavior of the `fmt` command, which formats +YARA-X rules for readability and consistency. -# Indent section headers. When enabled, section headers (like "condition:") will -# be indented to improve readability. -# -# == Example == -# -# Before: -# rule a { -# condition: -# true -# } -# -# After: -# rule a { -# condition: -# true -# } +```toml +[fmt] rule.indent_section_headers = true - -# Indent the contents within each section. This controls whether the content -# under each section header (e.g., "condition:") is indented. -# -# == Example == -# -# Before: -# rule a { -# condition: -# true -# } -# -# After: -# rule a { -# condition: -# true -# } rule.indent_section_contents = true +rule.indent_spaces = 2 +rule.newline_before_curly_brace = false +rule.empty_line_before_section_header = true +rule.empty_line_after_section_header = false +meta.align_values = true +patterns.align_values = true +``` + +These options control the formatting of rules: + +- `rule.indent_spaces`: Sets the number of spaces per indentation level. Set + to `0` to use tab characters. + + +- `rule.indent_section_headers`: Indents section headers within a rule body. + + ``` + // rule.indent_section_headers = false + rule a { + condition: + true + } + ``` + + ``` + // rule.indent_section_headers = true (default) + rule a { + condition: + true + } + ``` + +- `rule.indent_section_contents`: Indents the content within each section. + + ``` + // rule.indent_section_contents = false + rule a { + condition: + true + } + ``` + + ``` + // rule.indent_section_contents = true (default) + rule a { + condition: + true + } + +- `rule.newline_before_curly_brace`: Ensures a newline appears before the + opening `{` of the rule body when set to `true`. + + ``` + // rule.newline_before_curly_brace = false (default) + rule a { + condition: + true + } + ``` + + ``` + // rule.newline_before_curly_brace = true + rule a + { + condition: + true + } + ``` + +- `rule.empty_line_before_section_header`: Adds an empty line before each + section header, except the first one. + + ``` + // rule.empty_line_before_section_header = false (default) + rule a { + meta: + date = "20240705" + strings: + $ = "AXSERS" + } + ``` + + ``` + // rule.empty_line_before_section_header = true + rule a { + meta: + date = "20240705" + + strings: + $ = "AXSERS" + } + ``` + +- `rule.empty_line_after_section_header`: Adds an empty line after each section + header. + + ``` + // rule.empty_line_after_section_header = false (default) + rule a { + strings: + $ = "AXSERS" + } + ``` + + ``` + // rule.empty_line_after_section_header = true + rule a { + strings: + + $ = "AXSERS" + } + ``` + +- `meta.align_values`: Aligns metadata values for better readability. + + ``` + // meta.align_values = false (default) + rule a { + meta: + key = "a" + long_key = "b" + } + ``` + + ``` + // meta.align_values = true + rule a { + meta: + key = "a" + long_key = "b" + } + ``` + +- `patterns.align_values`: Aligns pattern values in a similar manner. + + ``` + // patterns.align_values = false (default) + rule a { + strings: + $s = "a" + $long = "b" + } + ``` -# Number of spaces used for indentation. -# - Set to a positive integer to indicate the number of spaces per indentation -# level. -# - If set to `0`, tabs will be used instead of spaces. -# - To completely disable indentation, set both `rule.indent_section_headers` -# and `rule.indent_section_contents` to `false`. + ``` + // patterns.align_values = true + rule a { + strings: + $s = "a" + $long = "b" + } + ``` + +--- + +## The [check] section + +The `[check]` section controls the behavior of the `check` command, which +enforces standards on rule naming and metadata fields. + +### Rule name validation (`check.rule_name`) + +```toml +[check.rule_name] +regexp = "^(APT|CRIME)_" +error = false +``` + +These options define constraints for rule names: + +- `regexp`: Specifies a regular expression pattern that rule names must match. +- `error`: Determines whether a rule name violation is treated as an + error (`true`) or just a warning (`false`). + +### Metadata validation (`check.metadata`) + +Each entry in `check.metadata` is a table specifying the requirements for a +metadata field. + +```toml +[check.metadata] +author = { type = "string", required = true } +date = { type = "integer" } +file = { type = "hash", required = true, error = true } +``` + +{{< callout title="Warning">}} + +Inline tables must be expressed as a single line and no trailing comma is +allowed. + +{{< /callout >}} + +- The `author` field must be a string and is required. +- The `date` field must be an integer but is optional. +- The `file` field must contain a valid hash (`md5`, `sha1`, or `sha256`) + and is required. If the field is not present or has the wrong type it will + cause + an error instead of a warning. + +Supported metadata types are `"string"`, `"integer"`, `"float"`, `"bool"`, +`"md5"`, `"sha1"`, `"sha256"`, or `"hash"`. The `"md5"`, `"sha1"` and `"sha256"` +types are convenience types that check for a string that is the correct length +and only contains valid hexadecimal digits. + +The `"hash"` type is another convenience type that checks for any of the valid +hashes mentioned above. It is meant to be more flexible than requiring a +specific hash type in every rule. + +The default values for `required` and `error` are both `false`. This means that +metadata fields are optional by default, and if they don't comply with the +requirements established in the configuration file YARA-X will raise a warning. +By setting `error` to `true` these warnings are turned into errors. + +## Example file + +```toml +[fmt] rule.indent_spaces = 2 +rule.indent_section_headers = true +rule.indent_section_contents = true + +rule.newline_before_curly_brace = false +rule.empty_line_before_section_header = true +rule.empty_line_after_section_header = false + +meta.align_values = true +patterns.align_values = true + +[check.rule_name] +regexp = "^(APT|CRIME)_" +error = false -# Align metadata key-value pairs. This controls whether metadata values in the -# "meta" section should be aligned for readability. When enabled, the key-value -# pairs in metadata will be visually aligned to make them easier to compare. -# -# == Example == -# -# Before: -# rule a { -# meta: -# key = "a" -# long_key = "b" -# } -# -# After (with alignment enabled): -# rule a { -# meta: -# key = "a" -# long_key = "b" -# } -# -# Note: Alignment is performed using spaces, regardless of the `rule.indent_spaces` -# setting. -meta.align_values = false - -# Align pattern key-value pairs. Similar to `meta.align_values`, but applies to -# the "patterns" section. -patterns.align_values = false +[check.metadata] +file = { type = "hash", required = true, error = true } +author = { type = "string", required = true } +date = { type = "integer" } ``` \ No newline at end of file diff --git a/site/hugo_stats.json b/site/hugo_stats.json index 512590a9d..d6313f7ad 100644 --- a/site/hugo_stats.json +++ b/site/hugo_stats.json @@ -28,6 +28,7 @@ "header", "hr", "html", + "iframe", "img", "input", "kbd", @@ -333,6 +334,7 @@ "assemblyref", "base64-modifier", "better-error-reporting", + "binary-similarity", "build", "building-the-c-library", "building-the-go-library", @@ -383,12 +385,16 @@ "duplicate-rule-modifiers", "dyldinfo", "dylib", + "dylib-hashing", "dylib_hash", + "dylibs", "dyn", "dyntype", "dysymtab", "enabling-rules-profiling", + "entitlement-hashing", "entitlement_hash", + "entitlements", "entropyoffset-size", "entropystring", "entry_point_for_archtype_arg", @@ -408,9 +414,12 @@ "example-7", "example-8", "example-9", + "example-file", "examples", "export", + "export-hashing", "export_hash", + "exports", "exports_indexfn_name", "exports_indexfn_regex", "exports_indexordinal", @@ -454,9 +463,12 @@ "identifier-1", "imphash", "import", + "import-hashing", "import_hash", "import_md5", "importflags", + "importing-the-macho-module", + "imports", "importsdll_name", "importsdll_name-fn_name", "importsdll_name-ordinal", @@ -467,6 +479,7 @@ "indenting-section-headers-and-contents", "installation", "installing-with-cargo", + "introduction", "is-yara-really-dead", "is_32bit", "is_64bit", @@ -498,6 +511,7 @@ "meanoffset-size", "meanstring", "metadata", + "metadata-validation-checkmetadata", "method", "minint-int", "minversion", @@ -508,6 +522,7 @@ "monte_carlo_pistring", "more-powerful-cli", "more-rules-accepted", + "myriad-structures-inside-a-mach-o-binary", "namespace", "negation", "negative-numbers-as-array-indexes", @@ -535,6 +550,7 @@ "query", "reading-data-at-a-given-offset", "referencing-other-rules", + "remote-paths", "resource", "resourcetype", "rich_signaturetoolidtoolid-version", @@ -542,6 +558,7 @@ "richsignature", "richtool", "rule", + "rule-name-validation-checkrule_name", "rules", "rva_to_offsetrva", "scan", @@ -587,6 +604,7 @@ "sym", "sym_hash", "symbind", + "symbol-table", "symtab", "symtype", "symvisibility", @@ -594,6 +612,8 @@ "telfhash", "the--character-must-be-escaped-in-regular-expressions", "the-bad-things", + "the-check-section", + "the-fmt-section", "the-good-things", "the-with-statement", "timeouterror", @@ -605,6 +625,7 @@ "toc", "trackerdata", "type", + "usage", "using-xor-and-fullword-together", "version", "versioninfoentry",