[HN Gopher] YARA is dead, long live YARA-X
___________________________________________________________________
YARA is dead, long live YARA-X
Author : serhack_
Score : 120 points
Date : 2024-05-18 10:06 UTC (1 days ago)
(HTM) web link (virustotal.github.io)
(TXT) w3m dump (virustotal.github.io)
| rwmj wrote:
| Yara seems to be quite widely used by the UK police for digital
| forensics (or at least by the companies that supply their tools).
| lima wrote:
| Yara is pretty much the industry standard for detection rules
| now.
| badrabbit wrote:
| If all you have is a Rusty hammer, everything is a nail.
|
| Third party module dev is harder now for yara-x. And I wonder how
| the python module will turn out.
|
| Neither 3rd party/go clients nor the official virustotal C client
| could meet my requirements, I had to write a scanner in python on
| at least two different times and having to do it again soon. The
| main issues are resource usage, result shuffling and supporting
| very large proprietary rules that depend on specific yara
| modules.
|
| CrowdResponse by CrowdStrike is better too but it still has
| limits. Python is the best way to yara.
| viraptor wrote:
| > Third party module dev is harder now for yara-x.
|
| In what way / what's harder about it?
| serhack_ wrote:
| TL;DR: https://github.com/VirusTotal/yara-x
| Ar-Curunir wrote:
| It's a pretty short article. You really have to hate reading to
| not be able to get through it...
| serhack_ wrote:
| Apart from the website itself, there are no links to the YARA-X
| repo in that article
| lima wrote:
| The risk with such rewrites is ending up with a Python 3
| situation and an ecosystem split. Sounds like YARA-X is (mostly)
| a stricter subset of YARA, and it's easy to write rules that are
| valid for both:
|
| https://virustotal.github.io/yara-x/docs/writing_rules/diffe...
|
| Although I wonder how long it'll stay that way? It'll be very
| tempting to add new features to YARA-X that won't be backported
| to YARA.
| andrewflnr wrote:
| > At VirusTotal, we have been running YARA-X alongside YARA for
| a while, scanning millions of files with tens of thousands of
| rules, and addressing discrepancies between the two.
|
| This is pretty encouraging as far as compatibility. I hope they
| keep doing this.
| kingforaday wrote:
| After reading the article, a fun thought popped into my head. Who
| has the right to determine if a project like this is dead or
| EOL'd? Is it the original author to make that declaration or when
| it is under BSD license, wide community-use, and support -- when
| does a project like this truly become dead or EOL'd?
| dartos wrote:
| Well EOL usually means something like "end of official support,
| active development, and security patches" so the
| owner/creator/foundation usually chooses when.
|
| "Dead" is usually a colloquialism, so if enough people call it
| dead, it is.
| zokier wrote:
| The corollary is that if you didn't have any support to begin
| with, as is the case with most open source projects, EOL is a
| pretty meaningless concept.
| anamexis wrote:
| Whoever owns the canonical repo (also, any relevant trademarks)
| has a lot of power in this situation. The community can
| certainly fork it, but then you start asking if the fork is a
| new project.
| patmorgan23 wrote:
| The official maintainers say they won't be maintaining the repo
| any more. Anyone else is always welcome to fork and form their
| own project to continue to maintain the software.
| petiepooo wrote:
| YARA-X is dead, long live the next fad
| skybrian wrote:
| For curious onlookers, here's an explanation of what Yara does:
|
| https://virustotal.github.io/yara/
| banish-m4 wrote:
| YARA is on every Mac and about half of corporate laptops.
___________________________________________________________________
(page generated 2024-05-19 23:01 UTC)