Rulesets

A YARA ruleset groups several YARA rules so that they can be checked together against the APKs arriving in the system.

A ruleset is in one of two states: enabled or disabled. When enabled, the ruleset enters the Koodous analysis system; when disabled, it is not used during analysis.

After a rule is updated it can take 5 to 15 minutes before the new version starts running in the system.

Endpoints

GET /rulesets/

List of YARA rulesets.

All rulesets that are public or that belong to the querying user are listed.

Query Parameters
  • status – filter by the status of the ruleset. Possible values: enabled, disabled.

  • author – filter by author. Only that author's public rulesets are listed.

  • is_own – list only the rulesets owned by the querying user.

  • name__iexact – filter by exact ruleset name (case-insensitive).

  • name__icontains – filter by rulesets whose name contains the given string (case-insensitive).

  • is_public – filter for rulesets that are public (True) or private (False).

POST /rulesets/

Create a YARA ruleset.

Form Parameters
  • name – Ruleset name.

  • status – Ruleset status. Options: enabled, disabled.

  • is_public – indicates whether the ruleset is public or private. The number of private rulesets a user may have is limited by their subscription type.

  • is_notifier – indicates whether the ruleset creates notifications when it matches APKs.

GET /rulesets/(str: hashid)/

Detailed information about a YARA ruleset.

Includes additional information, such as the rules themselves.

PUT /rulesets/(str: hashid)/

Update the ruleset configuration and add or update its YARA rules.

Rules are pre-validated before being saved.

Form Parameters
  • name – ruleset name.

  • status – ruleset status. Options: enabled, disabled.

  • is_public – indicates whether the ruleset is visible only to its author or to all users.

  • rules – the YARA rules that make up the ruleset.

PATCH /rulesets/(str: hashid)/

Partially update the ruleset configuration and add or update its YARA rules.

Rules are pre-validated before being saved.

Form Parameters
  • name – ruleset name.

  • status – ruleset status. Options: enabled, disabled.

  • is_public – indicates whether the ruleset is visible only to its author or to all users.

  • rules – the YARA rules that make up the ruleset.

DELETE /rulesets/(str: hashid)/

Delete the ruleset.

Matches of a ruleset

GET /rulesets/(str: hashid)/matches/

List of the matches that a YARA ruleset has produced.

GET /rulesets/(str: hashid)/matches/(str: hashid)/

Details of a match produced by the YARA ruleset.
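The following is an added example, not a Koodous client library: a set of request builders for the endpoints above (listing with query filters, creating, PUT/PATCH updating with rules, and reading matches). The base URL, the "Authorization: Token" header scheme and the form-urlencoded body format are assumptions, since the page documents none of them; the sample rule is constructed for the demonstration. Each builder validates the documented status values before any request is built, so a typo never reaches the API.

```python
"""Request builders for the Koodous ruleset endpoints (added example).

Assumed, because the page does not state them: BASE_URL (a placeholder),
the 'Authorization: Token <key>' header scheme, and form-urlencoded bodies
for the Form Parameters. Each builder returns a urllib Request; send()
executes one and decodes the JSON reply.
"""
import json
import urllib.parse
import urllib.request

BASE_URL = "https://koodous-api.example.invalid"  # placeholder: set to the real API base
VALID_STATUS = ("enabled", "disabled")             # the only documented status values


def _headers(token, form=False):
    # Assumed auth scheme; authentication is not documented on this page.
    headers = {"Authorization": f"Token {token}"}
    if form:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    return headers


def _check_status(status):
    if status is not None and status not in VALID_STATUS:
        raise ValueError(f"status must be one of {VALID_STATUS}, got {status!r}")


def _encode(fields):
    # Drop unset fields; booleans use the True/False spelling shown in the docs.
    clean = {k: ("True" if v is True else "False" if v is False else v)
             for k, v in fields.items() if v is not None}
    return urllib.parse.urlencode(clean)


def build_list_request(token, status=None, author=None, is_own=None,
                       name__iexact=None, name__icontains=None, is_public=None):
    """GET /rulesets/ with any of the documented query parameters."""
    _check_status(status)
    query = _encode({"status": status, "author": author, "is_own": is_own,
                     "name__iexact": name__iexact,
                     "name__icontains": name__icontains, "is_public": is_public})
    url = f"{BASE_URL}/rulesets/" + (f"?{query}" if query else "")
    return urllib.request.Request(url, headers=_headers(token), method="GET")


def build_create_request(token, name, status="disabled", is_public=False,
                         is_notifier=False):
    """POST /rulesets/: create the ruleset; rules are added afterwards via PUT/PATCH."""
    _check_status(status)
    body = _encode({"name": name, "status": status, "is_public": is_public,
                    "is_notifier": is_notifier}).encode()
    return urllib.request.Request(f"{BASE_URL}/rulesets/", data=body,
                                  headers=_headers(token, form=True), method="POST")


def build_update_request(token, hashid, rules=None, name=None, status=None,
                         is_public=None, partial=True):
    """PATCH (partial=True) or PUT /rulesets/<hashid>/ for configuration and/or rules.
    Per the docs, an updated rule needs 5 to 15 minutes before it starts running."""
    _check_status(status)
    body = _encode({"name": name, "status": status, "is_public": is_public,
                    "rules": rules}).encode()
    if not body:
        raise ValueError("nothing to update")
    method = "PATCH" if partial else "PUT"
    return urllib.request.Request(f"{BASE_URL}/rulesets/{hashid}/", data=body,
                                  headers=_headers(token, form=True), method=method)


def build_matches_request(token, hashid, match_hashid=None):
    """GET /rulesets/<hashid>/matches/ or the details of one match."""
    url = f"{BASE_URL}/rulesets/{hashid}/matches/"
    if match_hashid is not None:
        url += f"{match_hashid}/"
    return urllib.request.Request(url, headers=_headers(token), method="GET")


def send(request, timeout=30):
    """Execute a built request and decode the JSON response."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample rule for the usage below (not a real detection rule).
SAMPLE_RULES = """
rule example_marker_string
{
    strings:
        $s = "example-marker"
    condition:
        $s
}
"""

if __name__ == "__main__":
    token = "PLACEHOLDER_TOKEN"
    # Typical flow: create a disabled, private ruleset, upload the rules, then enable it.
    print(build_create_request(token, "example ruleset").full_url)
    print(build_update_request(token, "<hashid>", rules=SAMPLE_RULES).get_method())
    print(build_update_request(token, "<hashid>", status="enabled").data)
    # send(...) would execute these once BASE_URL and the token are real.
```

Creating the ruleset disabled and enabling it only after the rules have been uploaded and pre-validated keeps an empty or half-written ruleset out of the analysis pipeline; PATCH is used for that last step so the other fields are left untouched.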