private static void YaraRulesCompileTest(FileEnumeratorParameters parameters)
        {
            // Pre-flight check: compile each filter's on-match rule set once so that a rule
            // that does not compile is reported through ReportExceptionFunction and rethrown
            // to the caller. The compiled scanner itself is never used; it is disposed
            // immediately, so this only verifies compilability.
            if (parameters.YaraParameters.Any())
            {
                foreach (YaraFilter yaraFilter in parameters.YaraParameters)
                {
                    YSScanner scanner = null;
                    try
                    {
                        scanner = YaraHelper.CompileRules(yaraFilter.OnMatchRules, parameters.ReportAndLogOutputFunction);
                    }
                    catch (Exception ex)
                    {
                        // Report with this method's name as context, then surface the failure unchanged.
                        parameters.ReportExceptionFunction.Invoke(nameof(YaraRulesCompileTest), string.Empty, ex);
                        throw;
                    }
                    finally
                    {
                        // Only a successfully compiled scanner is ever non-null here.
                        scanner?.Dispose();
                    }
                }
            }
        }
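        private YSScanner GetCompiledYaraRules(FileEnumeratorParameters parameters)
        {
            // Resolves the distinct set of YARA rules the configured filters select for this
            // instance and returns a compiled scanner for that set, memoised in
            // _yaraCompiledRulesDictionary under a SHA-256 of the sorted, '|'-joined rule list
            // (the same rule set, regardless of filter order, is compiled once per cache).
            // Returns null when no filter selects any rule, or when compilation failed.
            YSScanner results = null;

            using (var timer = new TimingMetrics(TimingMetric.YaraRuleCompiling))
            {
                List<YaraFilter> yaraFilters = parameters.YaraParameters;

                // Rules selected by the filters' own match logic. ProcessRule(this) presumably
                // evaluates each filter against this instance — confirm in YaraFilter.
                List<string> distinctRulesToRun =
                    yaraFilters
                    .SelectMany(yf => yf.ProcessRule(this))
                    .Distinct()
                    .ToList();

                // Nothing selected: fall back to the rule sets of the ElseNoMatch filters.
                if (!distinctRulesToRun.Any())
                {
                    distinctRulesToRun =
                        yaraFilters
                        .Where(yf => yf.FilterType == YaraFilterType.ElseNoMatch)
                        .SelectMany(yf => yf.OnMatchRules)
                        .Distinct()
                        .ToList();
                }

                if (!distinctRulesToRun.Any())
                {
                    return null;
                }

                // Ordinal sort: the cache key must not depend on the current culture's collation.
                distinctRulesToRun = distinctRulesToRun.OrderBy(s => s, StringComparer.Ordinal).ToList();

                string uniqueRuleCollectionToken = string.Join("|", distinctRulesToRun);
                string ruleCollectionHash        = Hash.ByteArray.Sha256(Encoding.UTF8.GetBytes(uniqueRuleCollectionToken));

                // Single lookup instead of ContainsKey followed by the indexer.
                if (!_yaraCompiledRulesDictionary.TryGetValue(ruleCollectionHash, out results))
                {
                    try
                    {
                        results = YaraHelper.CompileRules(distinctRulesToRun, parameters.ReportAndLogOutputFunction);
                    }
                    catch (Exception ex)
                    {
                        // Reported but not rethrown; results stays null on failure.
                        parameters.ReportExceptionFunction.Invoke(nameof(GetCompiledYaraRules), string.Empty, ex);
                    }

                    // NOTE(review): a failed compile is cached as null too, so the failure is
                    // reported once per rule set but every later caller silently gets no scanner
                    // for it (fail-open). Behaviour kept as-is; YaraRulesCompileTest is where a
                    // bad rule set fails hard.
                    _yaraCompiledRulesDictionary.Add(ruleCollectionHash, results);
                }
            }

            return results;
        }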