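/// <summary>
/// Creates a filter that pairs a condition with the YARA rule files to run
/// when that condition holds.
/// </summary>
/// <param name="filterType">Kind of condition this filter applies.</param>
/// <param name="filterValue">
/// Value for the condition, e.g. a file extension or a MIME type. Every
/// whitespace character is removed before it is stored; <c>null</c> is stored
/// as an empty string.
/// </param>
/// <param name="onMatchRules">
/// Rule files associated with this filter. The list is copied, so later changes
/// to the caller's list do not affect the filter.
/// </param>
/// <exception cref="System.ArgumentNullException">
/// <paramref name="onMatchRules"/> is <c>null</c>.
/// </exception>
public YaraFilter(YaraFilterType filterType, string filterValue, List<string> onMatchRules)
{
    FilterType = filterType;

    // Snapshot the rule list: the caller may keep reusing and editing its own
    // list, and that must not silently change which rules this filter runs.
    OnMatchRules = onMatchRules.ToList();

    // A null value previously failed with a NullReferenceException inside the
    // whitespace scan; treat it the same as "no value".
    string rawValue = filterValue ?? string.Empty;

    // Whitespace is never meaningful in an extension or MIME type, so drop it
    // rather than store a value that could not match anything.
    FilterValue = new string(rawValue.Where(c => !char.IsWhiteSpace(c)).ToArray());
}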
/// <summary>
/// Validates the condition currently entered in the YARA condition panel and,
/// if it is acceptable and not a duplicate, adds it to
/// <c>currentYaraFilters</c>, refreshes the tree view, clears the input
/// controls and hides the panel.
/// </summary>
/// <remarks>
/// Validation failures are reported through <c>yaraErrorProvider</c> on the
/// offending control; only the type-switch question and the duplicate notice
/// use a message box.
/// NOTE(review): the extension check only requires a '.' somewhere in the
/// value although the error text says extensions should start with one, and
/// whitespace inside the value is not rejected here. Confirm how the scanner
/// compares these values, since a filter that can never match means its rules
/// are never run.
/// NOTE(review): a selected index that matches none of the handled
/// <c>ComboBoxSelection</c> values falls through with the defaults
/// (<c>AlwaysRun</c>, empty value). Confirm that is intended.
/// </remarks>
/// <param name="sender">Control that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
private void btnOkAddYaraCondition_Click(object sender, EventArgs e)
{
    int selection = comboConditionType.SelectedIndex;

    // A condition type must be chosen before anything else is checked.
    if (selection == (int)ComboBoxSelection.None)
    {
        yaraErrorProvider.SetError(comboConditionType, "Missing filter type");
        return;
    }

    // A filter without rule files would have nothing to run.
    if (!yaraMatchFiles.Any())
    {
        yaraErrorProvider.SetError(listYaraMatchFiles, "Missing rule file(s)");
        return;
    }

    YaraFilterType filterType = YaraFilterType.AlwaysRun;
    string filterValue = string.Empty;

    if (selection == (int)ComboBoxSelection.Always)
    {
        filterType = YaraFilterType.AlwaysRun;
    }
    else if (selection == (int)ComboBoxSelection.PeFile)
    {
        filterType = YaraFilterType.IsPeFile;
    }
    else if (selection == (int)ComboBoxSelection.FileExtension)
    {
        filterType = YaraFilterType.FileExtension;

        string typed = tbYaraConditionValue.Text;
        if (string.IsNullOrWhiteSpace(typed))
        {
            yaraErrorProvider.SetError(tbYaraConditionValue, "Missing file extension");
            return;
        }

        filterValue = typed;

        bool hasDot = filterValue.Contains('.');
        if (!hasDot)
        {
            // No '.' and no '/': the value is neither an extension nor a MIME type.
            if (!filterValue.Contains('/'))
            {
                yaraErrorProvider.SetError(tbYaraConditionValue, "File extensions should start with a period ('.')");
                return;
            }

            // Looks like a MIME type; offer to store it as one instead.
            DialogResult answer = MessageBox.Show(
                "You are attempting to add a file extension filter, yet the YARA filter value looks like a MIME type.\n\nDo you wish to add this as a MIME type filter instead?",
                AddYaraRuleErrorCaption,
                MessageBoxButtons.YesNo,
                MessageBoxIcon.Question);
            if (answer == DialogResult.No)
            {
                return;
            }

            filterType = YaraFilterType.MimeType;
        }
    }
    else if (selection == (int)ComboBoxSelection.MimeType)
    {
        filterType = YaraFilterType.MimeType;

        string typed = tbYaraConditionValue.Text;
        if (string.IsNullOrWhiteSpace(typed))
        {
            yaraErrorProvider.SetError(tbYaraConditionValue, "Missing MIME type");
            return;
        }

        filterValue = typed;

        bool hasSlash = filterValue.Contains('/');
        if (!hasSlash)
        {
            // No '/' and no '.': the value is neither a MIME type nor an extension.
            if (!filterValue.Contains('.'))
            {
                yaraErrorProvider.SetError(tbYaraConditionValue, "MIME types contain a slash ('/')");
                return;
            }

            // Looks like a file extension; offer to store it as one instead.
            DialogResult answer = MessageBox.Show(
                "You are attempting to add a MIME type filter, yet the YARA filter value looks like a file extension.\n\nDo you wish to add this as a file extension filter type instead?",
                AddYaraRuleErrorCaption,
                MessageBoxButtons.YesNo,
                MessageBoxIcon.Question);
            if (answer == DialogResult.No)
            {
                return;
            }

            filterType = YaraFilterType.FileExtension;
        }
    }
    else if (selection == (int)ComboBoxSelection.NoMatches)
    {
        filterType = YaraFilterType.ElseNoMatch;
        filterValue = string.Empty;
    }

    YaraFilter candidate = new YaraFilter(filterType, filterValue, yaraMatchFiles);

    // Duplicate detection relies on how YaraFilter defines equality, which is
    // not visible from this handler.
    if (!currentYaraFilters.Contains(candidate))
    {
        currentYaraFilters.Add(candidate);
        UpdateYaraFilterTreeView();
        ClearYaraControls();
        panelYaraCondition.Visible = false;
        return;
    }

    MessageBox.Show(
        "YARA filter already exists.\n\nDuplicate filter not added.",
        AddYaraRuleErrorCaption,
        MessageBoxButtons.OK,
        MessageBoxIcon.Error);
}
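/// <summary>
/// Creates a filter that pairs a condition with the YARA rule files to run
/// when that condition holds.
/// </summary>
/// <param name="filterType">Kind of condition this filter applies.</param>
/// <param name="filterValue">
/// Value for the condition, e.g. a file extension or a MIME type. Stored as
/// given; this constructor does no validation or normalisation.
/// </param>
/// <param name="onMatchRules">
/// Rule files associated with this filter. A non-null list is copied, so later
/// changes to the caller's list do not affect the filter; <c>null</c> is
/// stored as <c>null</c>.
/// </param>
public YaraFilter(YaraFilterType filterType, string filterValue, List<string> onMatchRules)
{
    FilterType = filterType;
    FilterValue = filterValue;

    // Storing the caller's list by reference aliased it: the UI passes the
    // list it keeps editing, so clearing or changing that list afterwards
    // silently changed which rules an already-added filter runs.
    // Take a snapshot instead.
    OnMatchRules = onMatchRules == null ? null : new List<string>(onMatchRules);
}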
/// <summary>
/// Validates the filter described by the YARA radio buttons and value text box
/// and, if it is acceptable and not a duplicate, adds it to
/// <c>currentYaraFilters</c> and refreshes the filter list box.
/// </summary>
/// <remarks>
/// Every rejection is reported with a message box and leaves the filter list
/// unchanged.
/// NOTE(review): if none of the radio buttons is checked the defaults apply
/// and an <c>AlwaysRun</c> filter with an empty value is added. Confirm that
/// is intended.
/// NOTE(review): the extension and MIME checks only require a '.' or '/'
/// somewhere in the value. Confirm how the scanner compares these values,
/// since a filter that can never match means its rules are never run.
/// </remarks>
/// <param name="sender">Control that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
private void btnAddYaraFilter_Click(object sender, EventArgs e)
{
    // A filter without rule files would have nothing to run.
    bool hasRuleFiles = yaraMatchFiles.Any();
    if (!hasRuleFiles)
    {
        MessageBox.Show(
            $"Must have at least one file selected under \"{labelYaraRulesToRun.Text}\" selected.\n\nFilter not added.",
            AddYaraRuleErrorCaption,
            MessageBoxButtons.OK,
            MessageBoxIcon.Error);
        return;
    }

    YaraFilterType filterType = YaraFilterType.AlwaysRun;
    string filterValue = string.Empty;

    if (radioButtonYara_AlwaysRun.Checked)
    {
        filterType = YaraFilterType.AlwaysRun;
    }
    else if (radioButtonYara_IsPeFile.Checked)
    {
        filterType = YaraFilterType.IsPeFile;
    }
    else if (radioButtonYara_Extention.Checked)
    {
        filterType = YaraFilterType.FileExtension;

        string typed = tbYaraFilterValue.Text;
        if (string.IsNullOrWhiteSpace(typed))
        {
            MessageBox.Show(
                $"\"{labelYaraFilterValue.Text.Replace(":", "")}\" cannot be empty when \"{radioButtonYara_Extention.Text.Replace(":", "")}\" is selected.\n\nFilter not added.",
                AddYaraRuleErrorCaption,
                MessageBoxButtons.OK,
                MessageBoxIcon.Error);
            return;
        }

        filterValue = typed;

        // Embedded whitespace is rejected outright rather than trimmed.
        if (filterValue.Any(c => char.IsWhiteSpace(c)))
        {
            MessageBox.Show(
                "No whitespace is allowed in a file extension.\n\nFilter not added.",
                AddYaraRuleErrorCaption,
                MessageBoxButtons.OK,
                MessageBoxIcon.Error);
            return;
        }

        if (!filterValue.Contains('.'))
        {
            // No '.' and no '/': the value is neither an extension nor a MIME type.
            if (!filterValue.Contains('/'))
            {
                MessageBox.Show(
                    $"You are attempting to add a FILE EXTENSION filter, yet the YARA filter value does not contain the required character '.'.\n\nFilter not added.",
                    AddYaraRuleErrorCaption,
                    MessageBoxButtons.OK,
                    MessageBoxIcon.Error);
                return;
            }

            // Looks like a MIME type; offer to store it as one instead.
            DialogResult answer = MessageBox.Show(
                "You are attempting to add a file extension filter, yet the YARA filter value looks like a MIME type.\n\nDo you wish to add this as a MIME type filter instead?",
                AddYaraRuleErrorCaption,
                MessageBoxButtons.YesNo,
                MessageBoxIcon.Question);
            if (answer == DialogResult.No)
            {
                return;
            }

            filterType = YaraFilterType.MimeType;
        }
    }
    else if (radioButtonYara_MimeType.Checked)
    {
        filterType = YaraFilterType.MimeType;

        string typed = tbYaraFilterValue.Text;
        if (string.IsNullOrWhiteSpace(typed))
        {
            MessageBox.Show(
                $"\"{labelYaraFilterValue.Text.Replace(":", "")}\" cannot be empty when \"{radioButtonYara_MimeType.Text.Replace(":", "")}\" is selected.\n\nFilter not added.",
                AddYaraRuleErrorCaption,
                MessageBoxButtons.OK,
                MessageBoxIcon.Error);
            return;
        }

        filterValue = typed;

        // Embedded whitespace is rejected outright rather than trimmed.
        if (filterValue.Any(c => char.IsWhiteSpace(c)))
        {
            MessageBox.Show(
                "No whitespace is allowed in a MIME type.\n\nFilter not added.",
                AddYaraRuleErrorCaption,
                MessageBoxButtons.OK,
                MessageBoxIcon.Error);
            return;
        }

        if (!filterValue.Contains('/'))
        {
            // No '/' and no '.': the value is neither a MIME type nor an extension.
            if (!filterValue.Contains('.'))
            {
                MessageBox.Show(
                    $"You are attempting to add a MIME type filter, yet the YARA filter value does not contain the required character '/'.\n\nFilter not added.",
                    AddYaraRuleErrorCaption,
                    MessageBoxButtons.OK,
                    MessageBoxIcon.Error);
                return;
            }

            // Looks like a file extension; offer to store it as one instead.
            DialogResult answer = MessageBox.Show(
                "You are attempting to add a MIME type filter, yet the YARA filter value looks like a file extension.\n\nDo you wish to add this as a file extension filter type instead?",
                AddYaraRuleErrorCaption,
                MessageBoxButtons.YesNo,
                MessageBoxIcon.Question);
            if (answer == DialogResult.No)
            {
                return;
            }

            filterType = YaraFilterType.FileExtension;
        }
    }
    else if (radioButtonYara_ElseNoMatch.Checked)
    {
        filterType = YaraFilterType.ElseNoMatch;
    }

    YaraFilter candidate = new YaraFilter(filterType, filterValue, yaraMatchFiles);

    // Duplicate detection relies on how YaraFilter defines equality, which is
    // not visible from this handler.
    if (!currentYaraFilters.Contains(candidate))
    {
        currentYaraFilters.Add(candidate);
        UpdateYaraFilterListbox();
        return;
    }

    MessageBox.Show(
        "YARA filter already exists.\n\nDuplicate filter not added.",
        AddYaraRuleErrorCaption,
        MessageBoxButtons.OK,
        MessageBoxIcon.Error);
}