
plyara's Introduction

plyara (DEPRECATED)

NOTE: THIS PROJECT HAS MOVED TO PLYARA/PLYARA

Thank you folks who found this useful and carried it forward.

tl;dr: Parse Yara rules into a dictionary representation.

Plyara is a script that lexes and parses a file consisting of one or more Yara rules into a Python dictionary representation. The goal of this tool is to make it easier to perform bulk operations or transformations on large sets of Yara rules, such as extracting indicators, updating attributes, and analyzing a corpus. Other applications include linters and dependency checkers.

Plyara leverages the Python module Ply for lexing Yara.

More info:

http://www.dabeaz.com/ply/

http://plusvic.github.io/yara/

plyara's People

Contributors

8u1a, jselvi, rholloway


plyara's Issues

Publish a pip package

This is a great library! It would be super helpful for bigger projects (like BinaryAlert) if plyara were made available as a pip package

Illegal character ^ Error

When parsing valid YARA rules containing the XOR operator (^) in the condition, t_error is raised in interp.py. It appears the error can be solved by adding the character to the t_ignore variable, but I wanted to raise this as an issue rather than committing a fix as I don't know if this will impact other things.

Space after comments "// " causes error

Spaces immediately after comment delimiters cause an error:

Example:
$s = /test/ // A test
Result:
unknown text at 'A' ; token of type 'ID'

EDIT
This appears to only occur for regex strings with appended comments. Fixed example above and example in comment below

Archive this repo

@8u1a Can you archive this repo to read-only. All the PRs and issues are fixed in the community fork.

I did find one problem that still exists, but it was reported as a comment on a different issue. I opened a new issue in the community fork to track the problem and get it fixed:
plyara/plyara#46

So, at this point this project needs to be read-only.

Include import/include info in all rules

The include or the import information probably needs to be included with every rule dictionary. It is hard to say which rules in a file use external rules from an 'included' file, or use an imported module.
Updated: Or maybe since the first time the import/include statement is encountered

Fail to parse empty metadata

There seems to be an error when parsing metadata with an empty value.

I took the following example from the YARA website and replaced the my_identifier_1 value with an empty one.

rule MetadataExample
{
    meta:
        my_identifier_1 = ""
        my_identifier_2 = 24
        my_identifier_3 = true

    strings:
        $my_text_string = "text here"
        $my_hex_string = { E2 34 A1 C8 23 FB }

    condition:
        $my_text_string or $my_hex_string

}

Error:
Illegal character " at line

First run generating the parsetab.py file by ply causes warnings

I noticed the generation of the parsetab.py file for the ply library is never done during installation. This causes first-time usage (and any unprivileged usage after that) to produce warnings at runtime like: WARNING: Couldn't create 'plyara.parsetab'. [Errno 13] Permission denied: '/usr/lib/python2.7/site-packages/plyara/parsetab.py'

A solution would be to add a test_suite to the setup.py file per documentation here: http://setuptools.readthedocs.io/en/latest/setuptools.html

This would initiate the generation of the parsetab.py file at installation which would have permissions to write the file in the module installation directory.

Error: unknown text at '+' ; token of type 'PLUS'

I am using plyara in a script and get the following error.

Traceback (most recent call last):
  File "rule-export.py", line 19, in <module>
    rulesDict = interp.parseString(open(args.f).read(), isPrintDebug=False)
  File "/Library/Python/2.7/site-packages/plyara/interp.py", line 151, in parseString
    parser.parse(inputString)
  File "/Library/Python/2.7/site-packages/ply/yacc.py", line 331, in parse
    return self.parseopt_notrack(input, lexer, debug, tracking, tokenfunc)
  File "/Library/Python/2.7/site-packages/ply/yacc.py", line 1199, in parseopt_notrack
    tok = call_errorfunc(self.errorfunc, errtoken, self)
  File "/Library/Python/2.7/site-packages/ply/yacc.py", line 193, in call_errorfunc
    r = errorfunc(token)
  File "/Library/Python/2.7/site-packages/plyara/interp.py", line 574, in p_error
    raise TypeError("unknown text at %r ; token of type %r" % (p.value, p.type))
TypeError: unknown text at '+' ; token of type 'PLUS'

The rule that causes the error is this one:

rule koadic_enum_users {
   meta:
      description = "Detects Koadic component"
      author = "Florian Roth"
      reference = "https://github.com/zerosum0x0/koadic"
      date = "2017-07-31"
      hash1 = "69b03e425c37ff2526d79aed8eccf671e8e51d5b9832ae3e870718b0342890b9"
   strings:
      $x1 = "Koadic.work.report(\"No interactive users found.\")" fullword ascii
      $x2 = "var sessions = wmi.ExecQuery(\"Select * from Win32_LogonSession Where LogonType = 2 OR LogonType = 10\");" fullword ascii
      $x3 = "var wmi = GetObject(\"winmgmts:{impersonationLevel=impersonate}!\\\\\\\\\" + computer + \"\\\\root\\\\cimv2\");" fullword ascii
      $x4 = "query += \"Associators of {Win32_LogonSession.LogonId=\" + session.LogonId;" fullword ascii
      $s1 = "info += session.LogonType + \"\\n\";" fullword ascii
      $s2 = "for (var f = new Enumerator(users); !f.atEnd(); f.moveNext())" fullword ascii
      $s3 = "info += session.Description + \"\\n\";" fullword ascii
   condition:
      ( uint16(0) == 0x7274 and filesize < 5KB and 1 of ($x*) ) or
      ( 2 of them )
}
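As an added illustration of the dictionary representation the README describes, the following is a small stand-alone parser for a YARA subset. It is written for this page and is not plyara's own code (plyara builds its lexer and parser on Ply; this example uses plain regular expressions and a line-oriented state machine). It is deliberately exercised on the cases the issues above report as parse failures: an empty meta value, a "// " comment after a regex string, the ^ operator in a condition, and escaped quotes with a '+' inside a text string. The sample rules are constructed, and the dictionary keys (rule_name, scopes, tags, metadata, strings, condition) are this example's own choice, not plyara's schema. Multi-line hex strings and /* */ block comments are outside what this example handles.

```python
import re
from typing import Any, Optional

# Constructed sample (hypothetical rules, not from any real rule feed). It holds the
# cases reported as parse failures on this page: an empty meta value, a "// " comment
# after a regex string, ^ in a condition, and escaped quotes with '+' in a text string.
SAMPLE_RULES = r'''
rule MetadataExample
{
    meta:
        my_identifier_1 = ""
        my_identifier_2 = 24
        my_identifier_3 = true
    strings:
        $my_text_string = "text here"
        $my_hex_string = { E2 34 A1 C8 23 FB }
        $re = /test/ // A test
        $esc = "say \"hi\" + who // still part of the string" ascii
    condition:
        $my_text_string or $my_hex_string or $re or $esc
}

private rule XorCheck : demo
{
    condition:
        uint8(0) ^ 0x41 == 0x02 and filesize < 1KB  // XOR operator in condition
}
'''

RULE_HEADER = re.compile(r'^(?P<scope>(?:(?:private|global)\s+)*)rule\s+(?P<name>\w+)'
                         r'\s*(?::\s*(?P<tags>[\w\s]*?))?\s*\{?$')
STRING_DEF = re.compile(r'^\s*\$(?P<id>\w*)\s*=\s*(?:"(?P<text>(?:[^"\\]|\\.)*)"'  # text, escapes kept raw
                        r'|/(?P<regex>(?:[^/\\]|\\.)+)/'                             # regular expression
                        r'|\{(?P<hex>[^}]*)\})(?P<rest>.*)$')                       # single-line hex string
SECTIONS = ('meta', 'strings', 'condition')


def strip_comment(line: str) -> str:
    """Drop a trailing // comment, ignoring any // that sits inside a double-quoted string."""
    in_str = False
    i = 0
    while i < len(line):
        c = line[i]
        if in_str:
            if c == '\\':
                i += 1                      # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif line.startswith('//', i):
            return line[:i].rstrip()
        i += 1
    return line.rstrip()


def convert_meta(value: str) -> Any:
    """YARA meta values are quoted strings, integers or booleans; "" is a valid string."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if value in ('true', 'false'):
        return value == 'true'
    return int(value)


def parse_rules(source: str) -> list[dict[str, Any]]:
    """Parse a rule file into a list of dictionaries, one per rule."""
    rules: list[dict[str, Any]] = []
    rule: Optional[dict[str, Any]] = None
    section: Optional[str] = None
    condition: list[str] = []
    for raw in source.splitlines():
        # Match string definitions before stripping comments, so that a regex such
        # as /test/ is not mistaken for the start of a // comment.
        m = STRING_DEF.match(raw) if section == 'strings' else None
        if m:
            kind = next(k for k in ('text', 'regex', 'hex') if m[k] is not None)
            rule['strings'].append({'name': '$' + m['id'], 'type': kind,
                                    'value': m[kind].strip() if kind == 'hex' else m[kind],
                                    'modifiers': strip_comment(m['rest']).split()})
            continue
        line = strip_comment(raw).strip()
        if not line or line == '{':
            continue
        if rule is None:                                  # outside any rule body
            m = RULE_HEADER.match(line)
            if m is None:
                raise ValueError(f'unexpected text outside a rule: {line!r}')
            rule = {'rule_name': m['name'], 'scopes': m['scope'].split(),
                    'tags': (m['tags'] or '').split(),
                    'metadata': {}, 'strings': [], 'condition': ''}
            section, condition = None, []
        elif line == '}':                                 # end of the rule body
            rule['condition'] = ' '.join(condition)
            rules.append(rule)
            rule, section = None, None
        elif line.endswith(':') and line[:-1] in SECTIONS:
            section = line[:-1]
        elif section == 'meta':
            key, _, value = line.partition('=')
            rule['metadata'][key.strip()] = convert_meta(value.strip())
        elif section == 'condition':
            condition.append(line)
        else:
            raise ValueError(f'unexpected text in rule {rule["rule_name"]}: {line!r}')
    if rule is not None:
        raise ValueError(f'rule {rule["rule_name"]} is not terminated')
    return rules
```

Calling parse_rules(SAMPLE_RULES) yields two dictionaries; the first carries my_identifier_1 as an empty string rather than failing on it, the $re entry has an empty modifier list because the trailing comment was discarded, and the second rule's condition keeps the ^ operator as ordinary text. Because the string definition is matched before any comment stripping, the '+' and the '//' inside the quoted $esc value stay part of the value, which is the distinction the "unknown text at '+'" report above turns on.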
