Closed bartblaze closed 1 year ago
I think this may come down to how YARA & yara-python were installed on the host, as I think certain modules have to be enabled in order to take effect.
According to the documentation, `dotnet` isn't enabled by default:
https://yara.readthedocs.io/en/stable/gettingstarted.html
`dotnet` should be enabled in the Assemblyline service since it compiles YARA with the flags to enable support:
https://github.com/CybercentreCanada/assemblyline-service-yara/blob/d92c59e9f1663b23939e482e9551e88dacc9bd31/yara_/Dockerfile#L24
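A way to check the point made in the answer above on a given host, as an added example that is not part of the thread or of Assemblyline's code: it lists the modules a rule file imports and classifies why a probe rule fails to compile. The function names, the sample rule and the reliance on libyara's "unknown module" / "invalid field name" message wording are assumptions of this example.

```python
import re

IMPORT_RE = re.compile(r'^\s*import\s+"([^"]+)"', re.MULTILINE)


def imported_modules(rule_text):
    """Module names pulled in by `import "..."` statements in a rule file."""
    return sorted(set(IMPORT_RE.findall(rule_text)))


def yara_compile(source):
    """Compile with the locally installed yara-python (imported lazily)."""
    import yara
    yara.compile(source=source)


def probe(module, condition="true", compile_fn=yara_compile):
    """Classify why a rule that uses `module` fails to compile on this host."""
    source = f'import "{module}"\nrule probe {{ condition: {condition} }}'
    try:
        compile_fn(source)
    except Exception as exc:  # yara.SyntaxError when yara_compile is used
        msg = str(exc)
        # Assumed message wording from the libyara compiler.
        if "unknown module" in msg:
            return "module-missing"  # libyara was built without this module
        if "invalid field name" in msg:
            return "field-missing"   # module loaded, but exposes no such field
        return "other: " + msg
    return "ok"


# Constructed sample rule mirroring the case in the thread.
SAMPLE_RULE = '''
import "pe"
import "dotnet"
rule sample { condition: dotnet.typelib == "example" }
'''

if __name__ == "__main__":
    for mod in imported_modules(SAMPLE_RULE):
        print(mod, probe(mod))
    print("dotnet.typelib", probe("dotnet", 'dotnet.typelib == "example"'))
```

Run it with the same interpreter and yara-python build that the validator uses, since the result reflects only the libyara linked into that environment.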
Thanks @cccs-rs - will look into it! 😃
Hi folks,
Compiled some new rules and updated to the standard - however, one rule imports the dotnet module - which the YARA validator does not seem to like as I'm getting an error compiling with an invalid field name of typelib.
In the yara_file_processor.py I see several modules that are not defined - are they not supported natively in AL? Or is there another reason to not have these included?
Thanks!