Add convenience method for YaraScanner

[JSCU-CNI]

This convenience method makes it easier to use the YaraScanner with a Python defined YARA rule. This makes one off, single file plugins easier to make because one can include the YARA rule directly in Python instead of having to include the rule in a separate YARA file. I.e.:

RULE = """rule ExampleRule
{
    strings:
        $line = { 00 01 02 03 }

    condition:
        all of them
}
"""

class Plugin:
    [setup]
    
    def _generator(self, layer):
        rule = yarascan.YaraScanner.from_text(RULE)
        scanner = yarascan.YaraScanner(rules=rule)
        [...]
""""

[ikelos]

This seems fairly innocuous, but to avoid code duplication, I'd probably make use of it whenever text is being compiled into a pattern, so use it in get_rule as well. You'd need to check if there's a subtle difference in output between yara.compile(source=...) and yara.compile(sources=...) but I don't think that should be too catastrophic for people to cope with.

[ikelos]

Why are we stripping all new line characters, and is there any situation in which that could change the meaning of the rule?

[ikelos]

It also feels like get_rule could be modified to call this after wrapping its parameter into simple rule text?

[JSCU-CNI]

New line stripping: good point! The docs of yara-python contains an example with a single line rule hence I replaced the newlines. I tested it with ~20 rules, and the newline can be included without any problems. I removed the replace line of code.

The source vs sources thing: the main difference is the namespacing. Theoretically we could check whether the given rule is a string or a dict and use source and sources accordingly. Don't prefer that though because of it's implicitness. The function name from_text is also clear in that it requires text, and not a dict.

The get_rule currently uses namespaces while from_text does not. I don't think it'd be wise to change it to use from_text because that would result in a backwards incompatible change. What do you think?

[ikelos]

Yeah, fair enough. Looks good then, thanks! 5:)

[ikelos]

Oh, ruff spotted that formatted_rule now isn't defined, we can just use rule. 5:)

[ikelos]

Also, the type hinting uses yara which may not exist if yara_x is the only installed instance. The previous methods avoided it by just not type hinting, but if you want to do it correctly, I guess assign the type to a variable after the import has been made, and then use that type in the signature...