yaraast

yaraast

Parse, analyze, and transform YARA rules with a Python AST toolkit

Overview

yaraast is a Python library for parsing and manipulating YARA-family rules using Abstract Syntax Trees (AST). It supports classic YARA, YARA-L, and YARA-X workflows with automatic dialect detection and CLI tooling.

Key Features

Feature	Description
Multi-dialect Parsing	Parse YARA, YARA-L, and YARA-X from files or strings
Automatic Dialect Detection	Unified parser auto-detects rule dialects
AST Tooling	Build, transform, diff, and serialize ASTs
Formatting & Validation	CLI commands for parse/format/validate workflows
Streaming Support	Parse very large files with streaming mode
Ecosystem Integrations	Optional LSP and libyara-related capabilities

Supported Rule Ecosystem

Dialects   YARA, YARA-L, YARA-X
Parsers    Standard parser, unified parser, streaming parser
Outputs    YARA, JSON, YAML, AST tree views
Tooling    CLI, visitors, builders, serialization, semantic checks

Installation

From PyPI (Recommended)

pip install yaraast

From Source

git clone https://github.com/mriverolopez/yaraast.git
cd yaraast
python3 -m venv venv
source venv/bin/activate  # Windows: venv\Scripts\activate
pip install -e .

Quick Start

from yaraast.unified_parser import UnifiedParser

yara_code = """
rule example {
    strings:
        $a = "malware" nocase
    condition:
        $a
}
"""

ast = UnifiedParser.parse_string(yara_code)
print(ast.rules[0].name)

Usage

Command Line Interface

# Parse and print normalized YARA
yaraast parse rules.yar

# Parse to JSON
yaraast parse rules.yar --format json

# Parse with explicit dialect
yaraast parse rules.yar --dialect yara-x

# Validate file (syntax + parse checks)
yaraast validate rules.yar

# Format file in-place (AST-based formatter)
yaraast fmt rules.yar

# Check formatting without modifying file
yaraast fmt rules.yar --check

Core CLI Commands

Command	Description
parse	Parse a rule file and output YARA/JSON/YAML/tree
validate	Validate rules and run validation subcommands
fmt	AST-based formatter (with --check and --diff)
format	Format input into a target output file
validate-syntax	Syntax-focused validation entrypoint
lsp	Launch Language Server Protocol features

Python Library

Unified Parsing

from yaraast.unified_parser import UnifiedParser
from yaraast.dialects import YaraDialect

# Auto-detect dialect
ast = UnifiedParser.parse_file("rules.yar")

# Force specific dialect
ast = UnifiedParser.parse_file("rules.yar", dialect=YaraDialect.YARA)

Direct Parser + Visitor

from yaraast import Parser
from yaraast.visitor import BaseVisitor

class RuleCollector(BaseVisitor):
    def __init__(self):
        self.rules = []

    def visit_rule(self, node):
        self.rules.append(node.name)
        super().visit_rule(node)

ast = Parser(open("rules.yar", encoding="utf-8").read()).parse()
collector = RuleCollector()
collector.visit(ast)
print(collector.rules)

Optional Dependencies

# LSP support
pip install yaraast[lsp]

# libyara integration
pip install yaraast[libyara]

# Performance tooling
pip install yaraast[performance]

# Visualization support
pip install yaraast[visualization]

# Everything
pip install yaraast[all]

Runtime Docs

• LSP runtime internals: docs/lsp-runtime.md
• LSP parity report: docs/lsp-parity-report.md
• Latest runtime benchmark artifact: docs/benchmarks/lsp-runtime-latest.json

Requirements

• Python 3.13+
• See pyproject.toml for full dependency and extras list

Contributing

Contributions are welcome. See CONTRIBUTING.md for setup, quality checks, and workflow guidelines.

• Fork the repository
• Create a branch (git checkout -b feature/your-change)
• Commit changes (git commit -m "Add your change")
• Push (git push origin feature/your-change)
• Open a Pull Request

License

This project is licensed under the MIT License - see LICENSE.

Author

• Marc Rivero (mriverolopez@gmail.com)
• Repository: github.com/mriverolopez/yaraast

_{Built for malware analysis and detection engineering workflows}