Configurable hard limit for rules

TheHive-Project · Mar 3, 2025 · 1a086ff · 1a086ff
1 parent efb9ad3
commit 1a086ff
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/analyzers/Yara/Yara.json b/analyzers/Yara/Yara.json
@@ -29,6 +29,13 @@
       "type": "string",
       "multi": false,
       "required": false
+    },
+    {
+      "name": "rules_limit",
+      "description": "Enforce a limit on the number of YARA rules tested against the file",
+      "type": "integer",
+      "multi": false,
+      "required": false
     }
   ]
 }
diff --git a/analyzers/Yara/yara_analyzer.py b/analyzers/Yara/yara_analyzer.py
@@ -160,6 +160,8 @@ def __init__(self):
 
         self.github_urls = self.get_param('config.github_urls', None, 'No GitHub URLs provided.')
         self.github_token = self.get_param('config.github_token', None, 'No GitHub PAT provided.')
+
+        self.rules_limit = self.get_param('config.rules_limit', None, 'No rules limit provided.')
 
         self.ruleset = []
         self.ignored_rules = []
@@ -218,6 +220,16 @@ def __init__(self):
 
         if not self.ruleset:
             print("Warning: No valid YARA rules were loaded.")
+
+        # Enforce the rules limit if set
+        if self.rules_limit:
+            try:
+                limit = int(self.rules_limit)
+                if len(self.ruleset) > limit:
+                    self.ruleset = self.ruleset[:limit]
+            except ValueError:
+                self.error("Invalid rules_limit value; it should be an integer.")
+
 
 
     def check(self, file_path):