From 43db92dbe60d21615793b3d4806d7c6ce830804e Mon Sep 17 00:00:00 2001
From: Dennis Rand <rand@ecrime.dk>
Date: Mon, 12 Feb 2018 19:11:54 +0000
Subject: [PATCH 1/2] Added Yara syntax validation expansion module

---
 REQUIREMENTS                                  |  1 +
 misp_modules/modules/expansion/__init__.py    |  2 +-
 .../expansion/yara_syntax_validator.py        | 38 +++++++++++++++++++
 3 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 misp_modules/modules/expansion/yara_syntax_validator.py

diff --git a/REQUIREMENTS b/REQUIREMENTS
index 3b31b16..9e383d4 100644
--- a/REQUIREMENTS
+++ b/REQUIREMENTS
@@ -21,3 +21,4 @@ domaintools_api
 pygeoip
 bs4
 oauth2
+yara
diff --git a/misp_modules/modules/expansion/__init__.py b/misp_modules/modules/expansion/__init__.py
index 7b56b62..e40e844 100644
--- a/misp_modules/modules/expansion/__init__.py
+++ b/misp_modules/modules/expansion/__init__.py
@@ -3,4 +3,4 @@ from . import _vmray
 __all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl',
            'countrycode', 'cve', 'dns', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache',
            'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx',
-           'threatcrowd', 'vulndb', 'crowdstrike_falcon']
+           'threatcrowd', 'vulndb', 'crowdstrike_falcon','yara_syntax_validator']
diff --git a/misp_modules/modules/expansion/yara_syntax_validator.py b/misp_modules/modules/expansion/yara_syntax_validator.py
new file mode 100644
index 0000000..4953c41
--- /dev/null
+++ b/misp_modules/modules/expansion/yara_syntax_validator.py
@@ -0,0 +1,38 @@
+import json
+import requests
+try:
+    import yara
+except:
+    print("yara is missing, use 'pip3 install yara' to install it.")
+
+misperrors = {'error': 'Error'}
+mispattributes = {'input': ['yara'], 'output': ['text']}
+moduleinfo = {'version': '0.1', 'author': 'Dennis Rand', 'description': 'An expansion hover module to perform a syntax check on if yara rules are valid or not.', 'module-type': ['hover']}
+moduleconfig = []
+
+
+def handler(q=False):
+    if q is False:
+        return False
+    request = json.loads(q)
+    if not request.get('yara'):
+        misperrors['error'] = 'Yara rule missing'
+        return misperrors
+
+    try:
+        rules = yara.compile(source=request.get('yara'))
+        summary = ("Syntax valid")
+    except Exception as e:
+        summary = ("Syntax error: " + str(e))
+
+    r = {'results': [{'types': mispattributes['output'], 'values': summary}]}
+    return r
+
+
+def introspection():
+    return mispattributes
+
+
+def version():
+    moduleinfo['config'] = moduleconfig
+    return moduleinfo

From 37ea090cbaaf0060c01a40ec72295fbc01ca3583 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Mon, 12 Feb 2018 21:13:32 +0100
Subject: [PATCH 2/2] add: YARA syntax validator

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index dcf6c85..11c28b4 100644
--- a/README.md
+++ b/README.md
@@ -40,6 +40,7 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
 * [virustotal](misp_modules/modules/expansion/virustotal.py) - an expansion module to pull known resolutions and malware samples related with an IP/Domain from virusTotal (this modules require a VirusTotal private API key)
 * [wikidata](misp_modules/modules/expansion/wiki.py) - a [wikidata](https://www.wikidata.org) expansion module.
 * [xforce](misp_modules/modules/expansion/xforceexchange.py) - an IBM X-Force Exchange expansion module.
+* [YARA syntax validator](misp_modules/modules/expansion/yara_syntax_validator.py) - YARA syntax validator.
 
 ### Export modules