Closed brianwarehime closed 4 years ago
When you install `yara-python` with `pip` or with `setup.py` it builds `yara-python` from source code and links it statically; it doesn't use the `libyara` library installed by `brew`.

If during the build process it can't find the `openssl` library you won't get the `imphash` function nor the `hash` module. As you have `yara` already installed, you can try:

```
yara /Users/bwarehime/repos/email-binaryalert/rules/github.com/Neo23x0/signature-base.git/yara/apt_oilrig.yar <some dummy file here>
```

If `yara` doesn't complain about the missing `imphash`, it means the `libyara` was correctly built with `openssl` support, and you can force `yara-python` to use `libyara` by doing:

```
$ git clone --recursive https://github.com/VirusTotal/yara-python
$ cd yara-python
$ python setup.py build --dynamic-linking
$ sudo python setup.py install
```
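The check above is done by hand against one rules file. As an added example (not code from this thread or from the yara-python project), the script below does the same probe from Python: it compiles a minimal rule that touches both OpenSSL-backed features, `pe.imphash()` and the `hash` module, and maps the resulting `yara.SyntaxError` to a diagnosis. The `invalid field name "imphash"` text is the one quoted in this thread; the `unknown module "hash"` text is an assumption about what libyara reports when the `hash` module is absent. Running it as a preflight step lets a ruleset pipeline fail early with a clear reason instead of a deep compile error.

```python
"""Preflight check: does the installed yara-python expose the OpenSSL-backed
features (pe.imphash() and the hash module)?  Added example, not project code."""
import re

# Minimal rule that needs libcrypto for both pe.imphash() and the hash module.
# The condition is not meant to match anything; we only care whether it compiles.
PROBE_RULE = r'''
import "pe"
import "hash"

rule openssl_probe
{
    condition:
        pe.imphash() == "00000000000000000000000000000000" or
        hash.md5(0, filesize) == "00000000000000000000000000000000"
}
'''

# Error text produced by a libyara built without OpenSSL.  The imphash message
# is the one quoted in this thread; the "unknown module" message is assumed.
_NO_OPENSSL_MARKERS = (
    re.compile(r'invalid field name "imphash"'),
    re.compile(r'unknown module "hash"'),
)

NO_OPENSSL = "libyara built without OpenSSL support"


def classify_error(message: str) -> str:
    """Map a yara compile error message to a short diagnosis."""
    for pattern in _NO_OPENSSL_MARKERS:
        if pattern.search(message):
            return NO_OPENSSL
    return "other compile error: " + message


def probe_yara() -> str:
    """Return "ok" if the imported yara module can compile rules that need
    OpenSSL, otherwise a human-readable reason."""
    try:
        import yara  # imported lazily so this file loads without yara-python
    except ImportError:
        return "yara-python is not importable"

    try:
        yara.compile(source=PROBE_RULE)
    except yara.SyntaxError as exc:
        return classify_error(str(exc))
    return "ok"


if __name__ == "__main__":
    import sys
    result = probe_yara()
    print(result)
    if result != "yara-python is not importable":
        import yara
        # Shows which yara module file was actually loaded, which is useful
        # when a stale egg shadows a fresh --dynamic-linking build.
        print("loaded from:", yara.__file__)
    sys.exit(0 if result == "ok" else 1)
```

Printing `yara.__file__` is the quickest way to tell whether the module you just built is the one Python imports, or whether an older install in `site-packages` is still taking precedence.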
Hmm, tried doing that and still seeing this come up when I try to compile again:

```
› python3 setup.py build --dynamic-linking
running build
running build_ext
› sudo python3 setup.py install
running install
running bdist_egg
running egg_info
writing yara_python.egg-info/PKG-INFO
writing dependency_links to yara_python.egg-info/dependency_links.txt
writing top-level names to yara_python.egg-info/top_level.txt
reading manifest file 'yara_python.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
writing manifest file 'yara_python.egg-info/SOURCES.txt'
installing library code to build/bdist.macosx-10.14-x86_64/egg
running install_lib
running build_ext
creating build/bdist.macosx-10.14-x86_64/egg
copying build/lib.macosx-10.14-x86_64-3.7/yara.cpython-37m-darwin.so -> build/bdist.macosx-10.14-x86_64/egg
creating stub loader for yara.cpython-37m-darwin.so
byte-compiling build/bdist.macosx-10.14-x86_64/egg/yara.py to yara.cpython-37.pyc
creating build/bdist.macosx-10.14-x86_64/egg/EGG-INFO
copying yara_python.egg-info/PKG-INFO -> build/bdist.macosx-10.14-x86_64/egg/EGG-INFO
copying yara_python.egg-info/SOURCES.txt -> build/bdist.macosx-10.14-x86_64/egg/EGG-INFO
copying yara_python.egg-info/dependency_links.txt -> build/bdist.macosx-10.14-x86_64/egg/EGG-INFO
copying yara_python.egg-info/not-zip-safe -> build/bdist.macosx-10.14-x86_64/egg/EGG-INFO
copying yara_python.egg-info/top_level.txt -> build/bdist.macosx-10.14-x86_64/egg/EGG-INFO
writing build/bdist.macosx-10.14-x86_64/egg/EGG-INFO/native_libs.txt
creating 'dist/yara_python-3.11.0-py3.7-macosx-10.14-x86_64.egg' and adding 'build/bdist.macosx-10.14-x86_64/egg' to it
removing 'build/bdist.macosx-10.14-x86_64/egg' (and everything under it)
Processing yara_python-3.11.0-py3.7-macosx-10.14-x86_64.egg
removing '/usr/local/lib/python3.7/site-packages/yara_python-3.11.0-py3.7-macosx-10.14-x86_64.egg' (and everything under it)
creating /usr/local/lib/python3.7/site-packages/yara_python-3.11.0-py3.7-macosx-10.14-x86_64.egg
Extracting yara_python-3.11.0-py3.7-macosx-10.14-x86_64.egg to /usr/local/lib/python3.7/site-packages
yara-python 3.11.0 is already the active version in easy-install.pth
Installed /usr/local/lib/python3.7/site-packages/yara_python-3.11.0-py3.7-macosx-10.14-x86_64.egg
Processing dependencies for yara-python==3.11.0
Finished processing dependencies for yara-python==3.11.0
› python3
Python 3.7.5 (default, Nov 1 2019, 02:16:32)
[Clang 11.0.0 (clang-1100.0.33.8)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import yara
>>> yara.compile('/Users/bwarehime/repos/email-binaryalert/rules/github.com/Neo23x0/signature-base.git/yara/apt_oilrig.yar')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
yara.SyntaxError: /Users/bwarehime/repos/email-binaryalert/rules/github.com/Neo23x0/signature-base.git/yara/apt_oilrig.yar(194): invalid field name "imphash"
```
> yara-python 3.11.0 is already the active version in easy-install.pth

That line suggests that it wasn't actually installed because it detected that it was already there. So, my advice is that you do `pip uninstall yara-python`, and make sure that you don't have any `yara-python` laying around. Once `import yara` fails because the module wasn't found, then repeat the installation with `python3 setup.py build --dynamic-linking && python3 setup.py install`.
Ah, yea, that did it! Didn't notice the message about it being installed already, but once I uninstalled it and removed it from `/usr/local/lib/python3.7/site-packages/` it worked great.
Thanks for the help, much appreciated!
Cool!
I'm trying to compile a bunch of rules, however, when compiling, I get the error `invalid field name "imphash"`.

Below is information which I think would be relevant: