plyara

2.2.8 verified Fri May 01 auth: no python

plyara is a YARA rule parser that takes YARA rule text and returns a dictionary with metadata, strings, conditions, and other components. Current version 2.2.8, supports Python >=3.10. Released on an as-needed basis for bugfixes and minor improvements.

pip install plyara

Common errors

error ModuleNotFoundError: No module named 'plyara' ↓

cause The package is not installed or the import path is wrong.

fix

Run pip install plyara and import using from plyara import plyara.

error TypeError: __init__() got an unexpected keyword argument 'cache' ↓

cause Trying to pass 'cache' argument to plyara() constructor, which doesn't exist.

fix

Remove the cache argument. plyara does not support caching out of the box.

error plyara.core.ParseException: Failed to parse YARA rule: syntax error at line ... ↓

cause Invalid YARA syntax or unsupported rule features.

fix

Double-check your YARA rule for syntax errors. plyara follows YARA 4.x syntax but may not support all new operators (like 'xor' modifiers on hex strings were added in later versions).

Warnings

breaking Version 2.2.2 changed how logic hashes are computed. Old behavior (without version and algorithm names) is no longer default. Set `plyara_obj.store_logic_hash_versions = True` to retain old behavior. ↓

fix If you rely on the exact hash output, use `parser.store_logic_hash_versions = True` before parsing.

gotcha Comments between rules are now properly discarded (since 2.2.5). Previously they could be attached to the next rule, causing unexpected metadata or comment fields. ↓

fix Upgrade to >=2.2.5 or ensure your rules don't have trailing comments between rule blocks.

deprecated The `store_raw_sections` parameter defaults to `True`, but when set to `False` there was a bug in 2.2.0 causing an exception. Fixed in 2.2.1. ↓

fix Use version >=2.2.1 if you need to set `store_raw_sections=False`.

Imports

plyara
```
from plyara import plyara
```
Direct import of the main class
parse_source
```
from plyara import parse_source, is_yara_rule
```
Convenience functions for quick parsing

Quickstart

Parse a YARA rule string into a dictionary of rule components.

from plyara import plyara

parser = plyara()
yara_rules = '''
rule ExampleRule
{
    strings:
        $my_text_string = "text here"
        $my_hex_string = { E2 34 A1 C8 23 FB }

    condition:
        $my_text_string or $my_hex_string
}'''
parsed = parser.parse_string(yara_rules)
print(parsed[0]['rule_name'])
print(parsed[0]['strings'])