Exemplo n.º 1
 /// <summary>
 /// Builds a filter from a filter type, a filter value and the rules to run on a match.
 /// The rule list is copied and every whitespace character is removed from the value.
 /// </summary>
 /// <param name="filterType">Kind of condition this filter represents.</param>
 /// <param name="filterValue">Condition value; stored with all whitespace characters stripped.</param>
 /// <param name="onMatchRules">Rule entries; copied, so later changes to the caller's list do not reach this filter.</param>
 public YaraFilter(YaraFilterType filterType, string filterValue, List <string> onMatchRules)
 {
     FilterType   = filterType;

     // Snapshot of the caller's list: the filter keeps its own copy of the rule set.
     OnMatchRules = onMatchRules.ToList();

     // NOTE(review): only whitespace is normalised here; letter case is kept as given.
     // Whether ".EXE" and ".exe" are treated as the same filter depends on the
     // comparison and matching code, which is not visible in this constructor.
     bool containsWhitespace = filterValue.Any(char.IsWhiteSpace);
     FilterValue = containsWhitespace
         ? new string(filterValue.Where(c => !char.IsWhiteSpace(c)).ToArray())
         : filterValue;
 }
        /// <summary>
        /// Validates the condition chosen in the combo box and, when it is acceptable, adds a
        /// new <see cref="YaraFilter"/> to the current filter list, refreshes the tree view and
        /// hides the condition panel. Validation failures are reported through the error
        /// provider or a message box, and nothing is added.
        /// </summary>
        /// <param name="sender">Control that raised the click event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        private void btnOkAddYaraCondition_Click(object sender, EventArgs e)
        {
            int selection = comboConditionType.SelectedIndex;

            if (selection == (int)ComboBoxSelection.None)
            {
                yaraErrorProvider.SetError(comboConditionType, "Missing filter type");
                return;
            }

            // A filter without rule files would have nothing to run on a match.
            if (!yaraMatchFiles.Any())
            {
                yaraErrorProvider.SetError(listYaraMatchFiles, "Missing rule file(s)");
                return;
            }

            // Defaults apply when the selection matches none of the branches below.
            YaraFilterType chosenType  = YaraFilterType.AlwaysRun;
            string         chosenValue = string.Empty;

            if (selection == (int)ComboBoxSelection.Always)
            {
                chosenType = YaraFilterType.AlwaysRun;
            }
            else if (selection == (int)ComboBoxSelection.PeFile)
            {
                chosenType = YaraFilterType.IsPeFile;
            }
            else if (selection == (int)ComboBoxSelection.FileExtension)
            {
                chosenType = YaraFilterType.FileExtension;

                string typed = tbYaraConditionValue.Text;
                if (string.IsNullOrWhiteSpace(typed))
                {
                    yaraErrorProvider.SetError(tbYaraConditionValue, "Missing file extension");
                    return;
                }

                // NOTE(review): the check only requires a '.' somewhere in the value, while the
                // error text says extensions should start with one. A value holding both '.'
                // and '/' is accepted as an extension without a prompt. A filter that can never
                // match presumably leaves its rules unused; confirm against the matching code.
                if (!typed.Contains('.'))
                {
                    if (!typed.Contains('/'))
                    {
                        yaraErrorProvider.SetError(tbYaraConditionValue, "File extensions should start with a period ('.')");
                        return;
                    }

                    // No '.', but a '/': offer to store the value as a MIME type filter instead.
                    DialogResult answer = MessageBox.Show("You are attempting to add a file extension filter, yet the YARA filter value looks like a MIME type.\n\nDo you wish to add this as a MIME type filter instead?", AddYaraRuleErrorCaption, MessageBoxButtons.YesNo, MessageBoxIcon.Question);
                    if (answer == DialogResult.No)
                    {
                        return;
                    }

                    chosenType = YaraFilterType.MimeType;
                }

                chosenValue = typed;
            }
            else if (selection == (int)ComboBoxSelection.MimeType)
            {
                chosenType = YaraFilterType.MimeType;

                string typed = tbYaraConditionValue.Text;
                if (string.IsNullOrWhiteSpace(typed))
                {
                    yaraErrorProvider.SetError(tbYaraConditionValue, "Missing MIME type");
                    return;
                }

                // Mirror of the extension branch: a '/' anywhere in the value is accepted as a MIME type.
                if (!typed.Contains('/'))
                {
                    if (!typed.Contains('.'))
                    {
                        yaraErrorProvider.SetError(tbYaraConditionValue, "MIME types contain a slash ('/')");
                        return;
                    }

                    // No '/', but a '.': offer to store the value as a file extension filter instead.
                    DialogResult answer = MessageBox.Show("You are attempting to add a MIME type filter, yet the YARA filter value looks like a file extension.\n\nDo you wish to add this as a file extension filter type instead?", AddYaraRuleErrorCaption, MessageBoxButtons.YesNo, MessageBoxIcon.Question);
                    if (answer == DialogResult.No)
                    {
                        return;
                    }

                    chosenType = YaraFilterType.FileExtension;
                }

                chosenValue = typed;
            }
            else if (selection == (int)ComboBoxSelection.NoMatches)
            {
                chosenType  = YaraFilterType.ElseNoMatch;
                chosenValue = string.Empty;
            }

            YaraFilter candidate = new YaraFilter(chosenType, chosenValue, yaraMatchFiles);

            // Duplicate detection relies on how YaraFilter compares for equality (not shown here).
            if (currentYaraFilters.Contains(candidate))
            {
                MessageBox.Show("YARA filter already exists.\n\nDuplicate filter not added.", AddYaraRuleErrorCaption, MessageBoxButtons.OK, MessageBoxIcon.Error);
                return;
            }

            currentYaraFilters.Add(candidate);

            UpdateYaraFilterTreeView();
            ClearYaraControls();
            panelYaraCondition.Visible = false;
        }
Exemplo n.º 3
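 /// <summary>
 /// Builds a filter from a filter type, a filter value and the rules to run on a match.
 /// </summary>
 /// <param name="filterType">Kind of condition this filter represents.</param>
 /// <param name="filterValue">Condition value, stored exactly as given.</param>
 /// <param name="onMatchRules">
 /// Rule entries to associate with the filter. The list is copied; a null argument is stored as null.
 /// </param>
 public YaraFilter(YaraFilterType filterType, string filterValue, List <string> onMatchRules)
 {
     FilterType   = filterType;
     FilterValue  = filterValue;

     // Copy instead of aliasing the caller's list. Storing the reference would let a later
     // change to that list (for example the UI's working selection) silently rewrite the
     // rule set of a filter that has already been added.
     OnMatchRules = onMatchRules == null ? null : new List<string>(onMatchRules);
 }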
Exemplo n.º 4
        /// <summary>
        /// Validates the filter chosen through the radio buttons and, when it is acceptable,
        /// adds a new <see cref="YaraFilter"/> to the current filter list and refreshes the
        /// list box. Every validation failure is reported in a message box and nothing is added.
        /// </summary>
        /// <param name="sender">Control that raised the click event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        private void btnAddYaraFilter_Click(object sender, EventArgs e)
        {
            // A filter without rule files would have nothing to run on a match.
            if (!yaraMatchFiles.Any())
            {
                MessageBox.Show($"Must have at least one file selected under \"{labelYaraRulesToRun.Text}\" selected.\n\nFilter not added.", AddYaraRuleErrorCaption, MessageBoxButtons.OK, MessageBoxIcon.Error);
                return;
            }

            // Defaults apply when none of the radio buttons below is checked.
            YaraFilterType selectedType  = YaraFilterType.AlwaysRun;
            string         selectedValue = string.Empty;

            if (radioButtonYara_AlwaysRun.Checked)
            {
                selectedType = YaraFilterType.AlwaysRun;
            }
            else if (radioButtonYara_IsPeFile.Checked)
            {
                selectedType = YaraFilterType.IsPeFile;
            }
            else if (radioButtonYara_Extention.Checked)
            {
                selectedType = YaraFilterType.FileExtension;

                string typed = tbYaraFilterValue.Text;
                if (string.IsNullOrWhiteSpace(typed))
                {
                    MessageBox.Show($"\"{labelYaraFilterValue.Text.Replace(":", "")}\" cannot be empty when \"{radioButtonYara_Extention.Text.Replace(":", "")}\" is selected.\n\nFilter not added.", AddYaraRuleErrorCaption, MessageBoxButtons.OK, MessageBoxIcon.Error);
                    return;
                }

                // Whitespace is rejected outright rather than stripped.
                if (typed.Any(char.IsWhiteSpace))
                {
                    MessageBox.Show("No whitespace is allowed in a file extension.\n\nFilter not added.", AddYaraRuleErrorCaption, MessageBoxButtons.OK, MessageBoxIcon.Error);
                    return;
                }

                // NOTE(review): a '.' anywhere in the value is enough to pass; a value holding
                // both '.' and '/' is accepted as an extension without a prompt.
                if (!typed.Contains('.'))
                {
                    if (!typed.Contains('/'))
                    {
                        MessageBox.Show($"You are attempting to add a FILE EXTENSION filter, yet the YARA filter value does not contain the required character '.'.\n\nFilter not added.", AddYaraRuleErrorCaption, MessageBoxButtons.OK, MessageBoxIcon.Error);
                        return;
                    }

                    // No '.', but a '/': offer to store the value as a MIME type filter instead.
                    DialogResult reply = MessageBox.Show("You are attempting to add a file extension filter, yet the YARA filter value looks like a MIME type.\n\nDo you wish to add this as a MIME type filter instead?", AddYaraRuleErrorCaption, MessageBoxButtons.YesNo, MessageBoxIcon.Question);
                    if (reply == DialogResult.No)
                    {
                        return;
                    }

                    selectedType = YaraFilterType.MimeType;
                }

                selectedValue = typed;
            }
            else if (radioButtonYara_MimeType.Checked)
            {
                selectedType = YaraFilterType.MimeType;

                string typed = tbYaraFilterValue.Text;
                if (string.IsNullOrWhiteSpace(typed))
                {
                    MessageBox.Show($"\"{labelYaraFilterValue.Text.Replace(":", "")}\" cannot be empty when \"{radioButtonYara_MimeType.Text.Replace(":", "")}\" is selected.\n\nFilter not added.", AddYaraRuleErrorCaption, MessageBoxButtons.OK, MessageBoxIcon.Error);
                    return;
                }

                if (typed.Any(char.IsWhiteSpace))
                {
                    MessageBox.Show("No whitespace is allowed in a MIME type.\n\nFilter not added.", AddYaraRuleErrorCaption, MessageBoxButtons.OK, MessageBoxIcon.Error);
                    return;
                }

                // Mirror of the extension branch: a '/' anywhere in the value is accepted as a MIME type.
                if (!typed.Contains('/'))
                {
                    if (!typed.Contains('.'))
                    {
                        MessageBox.Show($"You are attempting to add a MIME type filter, yet the YARA filter value does not contain the required character '/'.\n\nFilter not added.", AddYaraRuleErrorCaption, MessageBoxButtons.OK, MessageBoxIcon.Error);
                        return;
                    }

                    // No '/', but a '.': offer to store the value as a file extension filter instead.
                    DialogResult reply = MessageBox.Show("You are attempting to add a MIME type filter, yet the YARA filter value looks like a file extension.\n\nDo you wish to add this as a file extension filter type instead?", AddYaraRuleErrorCaption, MessageBoxButtons.YesNo, MessageBoxIcon.Question);
                    if (reply == DialogResult.No)
                    {
                        return;
                    }

                    selectedType = YaraFilterType.FileExtension;
                }

                selectedValue = typed;
            }
            else if (radioButtonYara_ElseNoMatch.Checked)
            {
                selectedType = YaraFilterType.ElseNoMatch;
            }

            // NOTE(review): yaraMatchFiles is handed over as-is; whether the new filter keeps its
            // own copy depends on the YaraFilter constructor in use. Confirm that it copies.
            YaraFilter candidate = new YaraFilter(selectedType, selectedValue, yaraMatchFiles);

            // Duplicate detection relies on how YaraFilter compares for equality (not shown here).
            if (currentYaraFilters.Contains(candidate))
            {
                MessageBox.Show("YARA filter already exists.\n\nDuplicate filter not added.", AddYaraRuleErrorCaption, MessageBoxButtons.OK, MessageBoxIcon.Error);
                return;
            }

            currentYaraFilters.Add(candidate);

            UpdateYaraFilterListbox();
        }