private void treeView_RemoveSelected() { if (treeViewYaraFilters.GetNodeCount(false) > 0) { TreeNode selectedNode = treeViewYaraFilters.SelectedNode; int level = selectedNode.Level; if (level == 1) { TreeNode parent = selectedNode.Parent; YaraFilter filter = (YaraFilter)parent.Tag; filter.OnMatchRules.Remove(selectedNode.ToolTipText); selectedNode.Remove(); if (!filter.OnMatchRules.Any()) { currentYaraFilters.Remove(filter); parent.Remove(); } return; } else { YaraFilter filter = (YaraFilter)selectedNode.Tag; currentYaraFilters.Remove(filter); selectedNode.Remove(); } } }
private void btnOkAddYaraCondition_Click(object sender, EventArgs e) { if (comboConditionType.SelectedIndex == (int)ComboBoxSelection.None) { yaraErrorProvider.SetError(comboConditionType, "Missing filter type"); return; } if (!yaraMatchFiles.Any()) { yaraErrorProvider.SetError(listYaraMatchFiles, "Missing rule file(s)"); return; } YaraFilterType filterType = YaraFilterType.AlwaysRun; string filterValue = string.Empty; if (comboConditionType.SelectedIndex == (int)ComboBoxSelection.Always) { filterType = YaraFilterType.AlwaysRun; } else if (comboConditionType.SelectedIndex == (int)ComboBoxSelection.PeFile) { filterType = YaraFilterType.IsPeFile; } else if (comboConditionType.SelectedIndex == (int)ComboBoxSelection.FileExtension) { filterType = YaraFilterType.FileExtension; if (string.IsNullOrWhiteSpace(tbYaraConditionValue.Text)) { yaraErrorProvider.SetError(tbYaraConditionValue, "Missing file extension"); return; } filterValue = tbYaraConditionValue.Text; if (!filterValue.Contains('.')) { if (filterValue.Contains('/')) { if (MessageBox.Show("You are attempting to add a file extension filter, yet the YARA filter value looks like a MIME type.\n\nDo you wish to add this as a MIME type filter instead?", AddYaraRuleErrorCaption, MessageBoxButtons.YesNo, MessageBoxIcon.Question) == DialogResult.No) { return; } filterType = YaraFilterType.MimeType; } else { yaraErrorProvider.SetError(tbYaraConditionValue, "File extensions should start with a period ('.')"); return; } } } else if (comboConditionType.SelectedIndex == (int)ComboBoxSelection.MimeType) { filterType = YaraFilterType.MimeType; if (string.IsNullOrWhiteSpace(tbYaraConditionValue.Text)) { yaraErrorProvider.SetError(tbYaraConditionValue, "Missing MIME type"); return; } filterValue = tbYaraConditionValue.Text; if (!filterValue.Contains('/')) { if (filterValue.Contains('.')) { if (MessageBox.Show("You are attempting to add a MIME type filter, yet the YARA filter value looks like a file extension.\n\nDo you wish to add this as a file extension filter type instead?", AddYaraRuleErrorCaption, MessageBoxButtons.YesNo, MessageBoxIcon.Question) == DialogResult.No) { return; } filterType = YaraFilterType.FileExtension; } else { yaraErrorProvider.SetError(tbYaraConditionValue, "MIME types contain a slash ('/')"); return; } } } else if (comboConditionType.SelectedIndex == (int)ComboBoxSelection.NoMatches) { filterType = YaraFilterType.ElseNoMatch; filterValue = ""; } YaraFilter yaraFilter = new YaraFilter(filterType, filterValue, yaraMatchFiles); if (currentYaraFilters.Contains(yaraFilter)) { MessageBox.Show("YARA filter already exists.\n\nDuplicate filter not added.", AddYaraRuleErrorCaption, MessageBoxButtons.OK, MessageBoxIcon.Error); return; } currentYaraFilters.Add(yaraFilter); UpdateYaraFilterTreeView(); ClearYaraControls(); panelYaraCondition.Visible = false; }