Parse, analyze, and transform YARA rules with a Python AST toolkit
yaraast is a Python library for parsing and manipulating YARA-family rules using Abstract Syntax Trees (AST). It supports classic YARA, YARA-L, and YARA-X workflows with automatic dialect detection and CLI tooling.
| Feature | Description |
|---|---|
| Multi-dialect Parsing | Parse YARA, YARA-L, and YARA-X from files or strings |
| Automatic Dialect Detection | Unified parser auto-detects rule dialects |
| AST Tooling | Build, transform, diff, and serialize ASTs |
| Formatting & Validation | CLI commands for parse/format/validate workflows |
| Streaming Support | Parse very large files with streaming mode |
| Ecosystem Integrations | Optional LSP and libyara-related capabilities |

- Dialects: YARA, YARA-L, YARA-X
- Parsers: Standard parser, unified parser, streaming parser
- Outputs: YARA, JSON, YAML, AST tree views
- Tooling: CLI, visitors, builders, serialization, semantic checks

```bash
pip install yaraast
```

```bash
git clone https://github.com/mriverolopez/yaraast.git
cd yaraast
python3 -m venv venv
source venv/bin/activate  # Windows: venv\Scripts\activate
pip install -e .
```

```python
from yaraast.unified_parser import UnifiedParser

yara_code = """
rule example {
    strings:
        $a = "malware" nocase
    condition:
        $a
}
"""

ast = UnifiedParser.parse_string(yara_code)
print(ast.rules[0].name)
```

```bash
# Parse and print normalized YARA
yaraast parse rules.yar

# Parse to JSON
yaraast parse rules.yar --format json

# Parse with explicit dialect
yaraast parse rules.yar --dialect yara-x

# Validate file (syntax + parse checks)
yaraast validate rules.yar

# Format file in-place (AST-based formatter)
yaraast fmt rules.yar

# Check formatting without modifying file
yaraast fmt rules.yar --check
```

| Command | Description |
|---|---|
| `parse` | Parse a rule file and output YARA/JSON/YAML/tree |
| `validate` | Validate rules and run validation subcommands |
| `fmt` | AST-based formatter (with `--check` and `--diff`) |
| `format` | Format input into a target output file |
| `validate-syntax` | Syntax-focused validation entrypoint |
| `lsp` | Launch Language Server Protocol features |
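
A pre-merge gate for a rule repository, built from the `validate` and `fmt --check` commands listed above. This is an added example, not part of the yaraast project: it assumes both commands exit non-zero on failure, and `check_rules` is a hypothetical helper name.

```bash
#!/bin/sh
# Added example: fail a merge when any rule file is invalid or unformatted.
# Assumption: `yaraast validate` and `yaraast fmt --check` exit non-zero on
# failure. check_rules is a hypothetical helper, not a yaraast command.

# check_rules DIR
#   Prints "INVALID <file>" or "UNFORMATTED <file>" for each failing *.yar
#   file under DIR. Returns 0 if all pass, 1 if any fail, 2 on usage error.
check_rules() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "check_rules: not a directory: $dir" >&2
        return 2
    fi
    list=$(mktemp) || return 2
    find "$dir" -type f -name '*.yar' | sort > "$list"
    failed=0
    # Read from a file rather than a pipe so $failed survives the loop.
    # yaraast gets /dev/null on stdin so it cannot consume the file list.
    while IFS= read -r f; do
        if ! yaraast validate "$f" </dev/null >/dev/null 2>&1; then
            echo "INVALID $f"
            failed=1
        # Only check formatting on files that validate.
        elif ! yaraast fmt "$f" --check </dev/null >/dev/null 2>&1; then
            echo "UNFORMATTED $f"
            failed=1
        fi
    done < "$list"
    rm -f "$list"
    return "$failed"
}

# Run as a script: sh check_rules.sh rules/
if [ "$#" -gt 0 ]; then
    check_rules "$1"
fi
```
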

```python
from yaraast.unified_parser import UnifiedParser
from yaraast.dialects import YaraDialect

# Auto-detect dialect
ast = UnifiedParser.parse_file("rules.yar")

# Force specific dialect
ast = UnifiedParser.parse_file("rules.yar", dialect=YaraDialect.YARA)
```

```python
from yaraast import Parser
from yaraast.visitor import BaseVisitor


class RuleCollector(BaseVisitor):
    def __init__(self):
        self.rules = []

    def visit_rule(self, node):
        self.rules.append(node.name)
        super().visit_rule(node)


ast = Parser(open("rules.yar", encoding="utf-8").read()).parse()
collector = RuleCollector()
collector.visit(ast)
print(collector.rules)
```

```bash
# LSP support
pip install yaraast[lsp]

# libyara integration
pip install yaraast[libyara]

# Performance tooling
pip install yaraast[performance]

# Visualization support
pip install yaraast[visualization]

# Everything
pip install yaraast[all]
```

- LSP runtime internals: docs/lsp-runtime.md
- LSP parity report: docs/lsp-parity-report.md
- Latest runtime benchmark artifact: docs/benchmarks/lsp-runtime-latest.json
- Python 3.13+
- See pyproject.toml for full dependency and extras list
Contributions are welcome. See CONTRIBUTING.md for setup, quality checks, and workflow guidelines.
- Fork the repository
- Create a branch (`git checkout -b feature/your-change`)
- Commit changes (`git commit -m "Add your change"`)
- Push (`git push origin feature/your-change`)
- Open a Pull Request
This project is licensed under the MIT License - see LICENSE.
Author
- Marc Rivero (mriverolopez@gmail.com)
- Repository: github.com/mriverolopez/yaraast
Built for malware analysis and detection engineering workflows