YARA-X Python Bindings

1.15.0 · active · verified Tue Apr 14

YARA-X is a rewrite of YARA in Rust, designed for faster, safer, and more user-friendly pattern matching, primarily for malware research. It aims to replace the original YARA as the default tool. This library provides official Python bindings for YARA-X, supporting Python 3.9+ on Linux, macOS, and Windows. Releases are frequent, with new versions often appearing monthly.

Warnings

breaking YARA-X enforces stricter regular expression syntax compared to the original YARA. Certain constructs that YARA previously accepted (e.g., invalid escape sequences treated as literals, unescaped special characters inferred from context) will now raise compilation errors in YARA-X.
Fix: Review and update YARA rules to conform to stricter regex syntax. The `Compiler` object has a `relaxed_re_syntax` argument that can be set to `True` to mimic YARA's behavior, but this is generally not recommended for new rules.
gotcha YARA-X is a completely new implementation (in Rust) and is not a drop-in replacement for the `yara-python` library. The Python module is imported as `yara_x`, not `yara`. Users migrating from `yara-python` will need to update import statements and be aware of API differences, though the core compilation and scanning workflow is similar.
Fix: Always use `import yara_x`. Consult the YARA-X Python documentation for API specifics and any behavioral changes compared to `yara-python`.
gotcha The behavior of the `strings` field in the `Match` object significantly changed in `yara-python` versions 4.3.0 and later (from an array of tuples to `yara.StringMatch` objects). While this is specific to `yara-python`, users familiar with that library's older API might incorrectly expect similar `Match` object structures or behaviors when adapting to YARA-X. YARA-X's match result structure is different.
Fix: Familiarize yourself with the `yara_x` scan result object structure, particularly how matched strings are represented, as it differs from both old and new `yara-python` versions.

Install

pip install yara-x Install YARA-X

Imports

yara_x
```
import yara_x
```
YARA-X is a distinct library from the original YARA-Python. The module name is `yara_x`, not `yara`.

Quickstart

This quickstart demonstrates compiling YARA-X rules from a string and then scanning data. It covers both the simple `yara_x.compile()` function and using the `Compiler` object for more advanced scenarios like managing namespaces.

import yara_x

rules_source = '''
rule example_rule {
  strings:
    $a = "foobar"
  condition:
    $a
}
'''

# Compile the rules
rules = yara_x.compile(rules_source)

# Scan data
data_to_scan = b"This is some data containing foobar for testing."
results = rules.scan(data_to_scan)

if results:
    print(f"Matches found: {results}")
else:
    print("No matches.")

# Example with a Compiler object for more complex scenarios
compiler = yara_x.Compiler()
compiler.add_source(rules_source, origin="my_rules")
compiled_rules_obj = compiler.build()

scan_results_obj = compiled_rules_obj.scan(b"Another foobar string.")
if scan_results_obj:
    print(f"Matches found with Compiler: {scan_results_obj}")

view raw JSON →