Private yara rules are not reported by yara when they match. I believe many people use them for rules such as:

```yara
private rule IsPE {
    meta:
        description = "Identifies Portable Executable binaries that have a valid magic in DOS and NT header"
    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0x4D5A) and uint32(uint32(0x3c)) == 0x00004550
}
```
Because these rules are never reported, and they are mostly referenced by other rules, does it make sense to ignore them in the validation process by adding a flag in the CLI or an option in the py package?
This will save us from being obliged to add meta attributes to these rules. What do you think?
Cheers.
I think this could make sense in general without a special flag. The idea of the metadata is to provide more definitive context on a YARA hit (i.e. if a rule hits in Assemblyline and the rule indicates the file belongs to a certain malware family). So if the private rules don't show up in the hit, I don't see a lot of reason to perform the metadata validation on them (other than perhaps for consistency's sake 😅)
That's right. Maybe some folks would still prefer to run metadata validation on them, hence an optional flag. Maybe ON by default, which means don't skip validation on private rules.
I don't mind waiting for other ppl to give their opinion on this :)
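The option discussed in this thread, as an added example that is not code from the validator this issue is about: a metadata check with a `validate_private` switch that is ON by default and, when turned off, skips rules carrying the `private` modifier. It assumes a required-meta list of just `description` and uses a small regex splitter for well-formatted rules rather than YARA's own parser; the sample ruleset is constructed.

```python
import re

# Assumption: required meta keys of a hypothetical validator (not given on the page).
REQUIRED_META = ("description",)

# Constructed sample: a private helper without meta, a public rule that references it,
# and a public rule that also lacks meta and must still be flagged.
SAMPLE_RULES = """private rule IsPE {
    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0x4D5A) and uint32(uint32(0x3c)) == 0x00004550
}
rule SuspiciousPE {
    meta:
        description = "Small PE file, built on the private IsPE helper"
    condition:
        IsPE and filesize < 1MB
}
rule MissingMeta {
    condition:
        uint16(0) == 0x5A4D
}
"""
# Minimal splitter: modifiers, name, optional tags, body up to a closing brace at line start.
RULE_RE = re.compile(
    r"^\s*((?:(?:private|global)\s+)*)rule\s+(\w+)\s*(?::[^{]*)?\{(.*?)^\}", re.M | re.S
)
META_RE = re.compile(r"meta:\s*(.*?)(?=^\s*(?:strings|condition):)", re.M | re.S)
KV_RE = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|\S+)')

def parse_rules(text):
    """One dict per rule: name, whether it is private, and its meta key/values."""
    rules = []
    for m in RULE_RE.finditer(text):
        modifiers, name, body = m.group(1).split(), m.group(2), m.group(3)
        mm = META_RE.search(body)
        meta = {k: v.strip('"') for k, v in KV_RE.findall(mm.group(1))} if mm else {}
        rules.append({"name": name, "private": "private" in modifiers, "meta": meta})
    return rules

def validate_meta(text, validate_private=True):
    """Map rule name -> missing meta keys. With validate_private=False, private rules
    are skipped: YARA never reports them on their own, they only feed public rules."""
    problems = {}
    for rule in parse_rules(text):
        if rule["private"] and not validate_private:
            continue
        missing = [k for k in REQUIRED_META if k not in rule["meta"]]
        if missing:
            problems[rule["name"]] = missing
    return problems
```

With the default, `IsPE` is reported alongside `MissingMeta`; with `validate_private=False` only the public `MissingMeta` remains, so the skip never hides a reportable rule.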