Closed Tux-Panik closed 6 years ago
Need to take a look at it. You can replace the relative paths in the MALW_AZORULT.yar
with absolute paths, though; that should fix it.
Hi, thanks for your feedback. You are right, and I already did it in all '_index.yar' files, by replacing "./" with "/opt/Cortex-Analyzers/analyzers/rules/", but I missed the plain "index.yar" :-(
Now it works, and people can use the following command line:
find /full/path/to/analyzers/Yara/rules/ -type f -iname "*index*.yar" -exec sed -i 's/\.\//\/opt\/Cortex-Analyzers\/analyzers\/Yara\/rules\//g' {} \;
However, the rule 'MALW_AZORULT.yar' raised an error on my side:
SyntaxError: MALW_AZORULT.yar(23): invalid field name "sync"
Removing this rule, and also all its inclusions, the analyzer works perfectly.
I used the following command, as I need to automate this action:
for i in `grep -H -R "MALW_AZORULT\.yar" /full/path/to/analyzers/Yara/rules/ | grep -Eio "^.+\.yar:" | sed 's/:$//' | sort -u`; do sed -i '/MALW_AZORULT\.yar/d' $i; done
Probably dirty, but it works.
Last point: where do you grab your relevant (and compatible) Yara rules?
Kind regards, Julien
I found the yara-rules repository to be a mess, but maybe it's just me. Using the repository by florian roth often: https://github.com/Neo23x0/signature-base
I believe this repository has some fields/variables unsupported by some Yara engines: https://github.com/viper-framework/viper/issues/545
I tested the one from @Neo23x0 and it fails:
Invalid output
Traceback (most recent call last):
File "Yara/yara_analyzer.py", line 71, in <module>
YaraAnalyzer().run()
File "Yara/yara_analyzer.py", line 30, in __init__
self.ruleset.append(yara.compile(rulepath + '/index.yar'))
yara.SyntaxError: /opt/Cortex-Analyzers/analyzers/Yara/signature-base/yara/yara_mixed_ext_vars.yar(308): undefined identifier "filename"
So, I renamed all "filename" to "_filename" and I reached the same error:
Invalid output
Traceback (most recent call last):
File "Yara/yara_analyzer.py", line 71, in <module>
YaraAnalyzer().run()
File "Yara/yara_analyzer.py", line 30, in __init__
self.ruleset.append(yara.compile(rulepath + '/index.yar'))
yara.SyntaxError: /opt/Cortex-Analyzers/analyzers/Yara/signature-base/yara/yara_mixed_ext_vars.yar(308): undefined identifier "file_name"
Regards,
README says read me 😄
You are absolutely right. I guess this section is new, perhaps following the issue I mentioned above.
I also enjoy your reactivity :-) Feedback expected tomorrow.
Regards, Julien
Confirmed. It works like a charm... As mentioned in the Cortex documentation, it is mandatory to manually create an "index.yar" file that contains all the rule files:
cd ./signature-base/yara/
rm -f ./generic_anomalies.yar ./general_cloaking.yar ./thor_inverse_matches.yar ./yara_mixed_ext_vars.yar
for i in `ls $(pwd)`; do echo "include \"/opt/Cortex-Analyzers/analyzers/Yara/signature-base/yara/$i\"" >> index.yar; done
Thanks guys, Regards, Julien
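The three manual steps in this thread (rewriting "./" includes to absolute paths, deleting the include lines of a rule file the engine refuses to compile, and regenerating index.yar from a rules directory) can be collected into a small set of POSIX sh helpers. The script below is an added example; it is not code from Cortex-Analyzers or signature-base, the function names are hypothetical, and the /opt/Cortex-Analyzers paths in the usage comments are taken from this thread. It writes absolute include paths directly (so the sed rewrite is no longer needed), skips the index file itself and any excluded rule names, and compile-checks the result with yarac when that binary is present, so a failing rule file is reported before the analyzer runs.

```shell
#!/bin/sh
# Added example, not part of Cortex-Analyzers or signature-base.
# Helpers for maintaining the index.yar that the Yara analyzer compiles:
#   build_yara_index  - write include lines with absolute paths for every
#                       *.yar in a directory, skipping names given as
#                       exclusions (rule files the engine cannot compile)
#   drop_include      - remove the include line for one rule file from an
#                       existing index (portable replacement for sed -i)
#   check_index       - compile the index with yarac when it is installed
# All function names are hypothetical.

build_yara_index() {   # build_yara_index RULES_DIR OUTPUT_FILE [EXCLUDED_NAME ...]
    rules_dir=$(cd "$1" && pwd) || return 1   # resolve to an absolute path
    out=$2
    shift 2
    : > "$out"                                # start from an empty index
    for f in "$rules_dir"/*.yar; do
        [ -f "$f" ] || continue
        name=${f##*/}
        skip=0
        [ "$name" = "${out##*/}" ] && skip=1  # never include the index itself
        for ex in "$@"; do
            [ "$name" = "$ex" ] && skip=1
        done
        [ "$skip" -eq 1 ] && continue
        printf 'include "%s"\n' "$f" >> "$out"
    done
    wc -l < "$out" | tr -d ' '                # prints the number of rule files included
}

drop_include() {   # drop_include INDEX_FILE RULE_FILE_NAME
    idx=$1
    rule=$2
    tmp="$idx.tmp"
    # -F matches the literal file name, so the dot in ".yar" is not a regex wildcard
    grep -vF "/$rule\"" "$idx" > "$tmp" || true   # grep -v exits 1 when no line remains
    mv "$tmp" "$idx"
}

check_index() {   # check_index INDEX_FILE
    if command -v yarac >/dev/null 2>&1; then
        # a compile error names the offending rule file and line, as in the tracebacks above
        yarac "$1" /dev/null
    else
        echo "yarac not installed, skipping compile check" >&2
    fi
}

# Usage matching this thread (run by hand; nothing executes when the file is sourced):
#   build_yara_index /opt/Cortex-Analyzers/analyzers/Yara/signature-base/yara \
#       /opt/Cortex-Analyzers/analyzers/Yara/signature-base/yara/index.yar \
#       generic_anomalies.yar general_cloaking.yar thor_inverse_matches.yar yara_mixed_ext_vars.yar
#   check_index /opt/Cortex-Analyzers/analyzers/Yara/signature-base/yara/index.yar
```

Because the index is rebuilt from scratch each time, rerunning the script after a git pull of the rules repository does not duplicate include lines, and the exclusion list documents exactly which rule files were left out and why.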
Request Type
Bug / Support
Work Environment
Description
All jobs running the Yara analyzer raised an error, although the mentioned file exists. Based on the error message, I guess it could be a location issue or something like this, but I still can't find the root cause.
Steps to Reproduce
Complementary information
From the Cortex container, the first file exists. The second one is not found from the default path, but it is present if you are in the Yara rules folder (here: /opt/Cortex-Analyzers/analyzers/Yara/rules/). Perhaps this issue is due to the path from which the Yara analyzer is launched.
Thank you for your help, Kind regards, Julien M.