VirusTotal / yara-python

The Python interface for YARA
http://virustotal.github.io/yara/
Apache License 2.0

Invalid Field Name "imphash" with 3.11.0 #119

Closed brianwarehime closed 4 years ago

brianwarehime commented 4 years ago

I'm trying to compile a bunch of rules, however, when compiling, I get the error invalid field name "imphash"

Below is information which I think would be relevant:


Python 3.7.5 (default, Nov  1 2019, 02:16:32)
[Clang 11.0.0 (clang-1100.0.33.8)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import yara
>>> yara.compile('/Users/bwarehime/repos/email-binaryalert/rules/github.com/Neo23x0/signature-base.git/yara/apt_oilrig.yar')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
yara.SyntaxError: /Users/bwarehime/repos/email-binaryalert/rules/github.com/Neo23x0/signature-base.git/yara/apt_oilrig.yar(194): invalid field name "imphash"

(env) › pip freeze | grep yara-python
yara-python==3.11.0

(env) › yara --version
3.11.0

(env) › brew info yara
yara: stable 3.11.0 (bottled), HEAD
Malware identification and classification tool
https://github.com/VirusTotal/yara/
/usr/local/Cellar/yara/3.11.0 (44 files, 1.4MB) *
  Poured from bottle on 2019-11-11 at 15:19:37
From: https://github.com/Homebrew/homebrew-core/blob/master/Formula/yara.rb
==> Dependencies
Build: autoconf ✘, automake ✘, libtool ✘
Required: jansson ✔, libmagic ✔, openssl@1.1 ✔
==> Options
--HEAD
    Install HEAD version
==> Analytics
install: 5,092 (30 days), 9,192 (90 days), 38,259 (365 days)
install_on_request: 784 (30 days), 1,399 (90 days), 5,727 (365 days)
build_error: 0 (30 days)

Any idea on what may be wrong? I just installed yara through brew this week, and updated yara-python today.

Let me know what other information I can provide please!
plusvic commented 4 years ago

When you install yara-python with pip or with setup.py it builds yara-python from source code and links it statically; it doesn't use the libyara library installed by brew.

If during the build process it can't find the openssl library you won't get the imphash function nor the hash module. As you have yara already installed, you can try:

yara /Users/bwarehime/repos/email-binaryalert/rules/github.com/Neo23x0/signature-base.git/yara/apt_oilrig.yar <some dummy file here>

If yara doesn't complain about the missing imphash it means the libyara was correctly built with openssl support, and you can force yara-python to use libyara by doing:

$ git clone --recursive https://github.com/VirusTotal/yara-python
$ cd yara-python
$ python setup.py build --dynamic-linking
$ sudo python setup.py install
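An added diagnostic (not from this thread or the yara-python project) that turns the check above into a script: it tries to compile tiny probe rules for `pe.imphash()` and for the `hash` module and reports which ones the installed binding lacks, so an OpenSSL-less static build is caught before a rule set is loaded. `yara.compile(source=...)` and `yara.SyntaxError` are the real yara-python API; the probe rules, feature names and verdict wording are constructed for this example.

```python
"""
Probe which optional YARA features the installed yara-python binding was built
with. Added example, not part of the yara-python project or this thread.
Assumes the real yara-python API yara.compile(source=...) raising
yara.SyntaxError; the probe rules and feature names below are constructed.
"""
import re

# Constructed minimal rules. Each compiles only if the binding has the feature:
# pe.imphash() needs OpenSSL at build time (the failure in this thread), and
# the whole "hash" module is dropped as well when OpenSSL is missing.
_ZERO_MD5 = "0" * 32
FEATURE_PROBES = {
    "pe.imphash()": (
        'import "pe"\n'
        f'rule probe_imphash {{ condition: pe.imphash() == "{_ZERO_MD5}" }}'
    ),
    "hash module": (
        'import "hash"\n'
        f'rule probe_hash {{ condition: hash.md5(0, filesize) == "{_ZERO_MD5}" }}'
    ),
}

# libyara reports a missing module field as: invalid field name "imphash"
_INVALID_FIELD = re.compile(r'invalid field name "(\w+)"')


def probe_features(compile_fn, probes=FEATURE_PROBES):
    """Compile each probe rule with compile_fn (normally yara.compile).

    Returns {feature_name: None} when the rule compiled, or the error message
    string when it did not. Any exception is treated as "feature missing".
    """
    results = {}
    for feature, source in probes.items():
        try:
            compile_fn(source=source)
            results[feature] = None
        except Exception as exc:  # yara.SyntaxError, yara.Error, ...
            results[feature] = str(exc)
    return results


def rejected_fields(results):
    """Collect the field names YARA rejected, e.g. {'imphash'}, from probe errors."""
    fields = set()
    for message in results.values():
        if message:
            fields.update(_INVALID_FIELD.findall(message))
    return fields


def diagnose(results):
    """Turn probe results into a one-line verdict for the operator."""
    missing = [name for name, err in results.items() if err is not None]
    if not missing:
        return "ok: all probed features available"
    verdict = "missing " + ", ".join(missing)
    if "imphash" in rejected_fields(results):
        # Same symptom as this thread: a static build that did not find OpenSSL.
        verdict += ("; yara-python was likely built without OpenSSL. Rebuild with "
                    "the OpenSSL headers available, or build with --dynamic-linking "
                    "against a libyara that has them.")
    return verdict


if __name__ == "__main__":
    import yara  # real binding; only needed when run as a script
    res = probe_features(yara.compile)
    for feature, err in res.items():
        print(f"{feature:14} {'OK' if err is None else 'MISSING: ' + err}")
    print(diagnose(res))
```

Run it inside the same interpreter and virtualenv that will load the rules; since a pip build links libyara statically, the result for one interpreter says nothing about another one, or about the `yara` binary from brew.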
brianwarehime commented 4 years ago

Hmm, tried doing that and still seeing this come up when I try to compile again:

› python3 setup.py build --dynamic-linking
running build
running build_ext
› sudo python3 setup.py install
running install
running bdist_egg
running egg_info
writing yara_python.egg-info/PKG-INFO
writing dependency_links to yara_python.egg-info/dependency_links.txt
writing top-level names to yara_python.egg-info/top_level.txt
reading manifest file 'yara_python.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
writing manifest file 'yara_python.egg-info/SOURCES.txt'
installing library code to build/bdist.macosx-10.14-x86_64/egg
running install_lib
running build_ext
creating build/bdist.macosx-10.14-x86_64/egg
copying build/lib.macosx-10.14-x86_64-3.7/yara.cpython-37m-darwin.so -> build/bdist.macosx-10.14-x86_64/egg
creating stub loader for yara.cpython-37m-darwin.so
byte-compiling build/bdist.macosx-10.14-x86_64/egg/yara.py to yara.cpython-37.pyc
creating build/bdist.macosx-10.14-x86_64/egg/EGG-INFO
copying yara_python.egg-info/PKG-INFO -> build/bdist.macosx-10.14-x86_64/egg/EGG-INFO
copying yara_python.egg-info/SOURCES.txt -> build/bdist.macosx-10.14-x86_64/egg/EGG-INFO
copying yara_python.egg-info/dependency_links.txt -> build/bdist.macosx-10.14-x86_64/egg/EGG-INFO
copying yara_python.egg-info/not-zip-safe -> build/bdist.macosx-10.14-x86_64/egg/EGG-INFO
copying yara_python.egg-info/top_level.txt -> build/bdist.macosx-10.14-x86_64/egg/EGG-INFO
writing build/bdist.macosx-10.14-x86_64/egg/EGG-INFO/native_libs.txt
creating 'dist/yara_python-3.11.0-py3.7-macosx-10.14-x86_64.egg' and adding 'build/bdist.macosx-10.14-x86_64/egg' to it
removing 'build/bdist.macosx-10.14-x86_64/egg' (and everything under it)
Processing yara_python-3.11.0-py3.7-macosx-10.14-x86_64.egg
removing '/usr/local/lib/python3.7/site-packages/yara_python-3.11.0-py3.7-macosx-10.14-x86_64.egg' (and everything under it)
creating /usr/local/lib/python3.7/site-packages/yara_python-3.11.0-py3.7-macosx-10.14-x86_64.egg
Extracting yara_python-3.11.0-py3.7-macosx-10.14-x86_64.egg to /usr/local/lib/python3.7/site-packages
yara-python 3.11.0 is already the active version in easy-install.pth

Installed /usr/local/lib/python3.7/site-packages/yara_python-3.11.0-py3.7-macosx-10.14-x86_64.egg
Processing dependencies for yara-python==3.11.0
Finished processing dependencies for yara-python==3.11.0
› python3
Python 3.7.5 (default, Nov  1 2019, 02:16:32)
[Clang 11.0.0 (clang-1100.0.33.8)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import yara
>>> yara.compile('/Users/bwarehime/repos/email-binaryalert/rules/github.com/Neo23x0/signature-base.git/yara/apt_oilrig.yar')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
yara.SyntaxError: /Users/bwarehime/repos/email-binaryalert/rules/github.com/Neo23x0/signature-base.git/yara/apt_oilrig.yar(194): invalid field name "imphash"
plusvic commented 4 years ago
> yara-python 3.11.0 is already the active version in easy-install.pth

That line suggests that it wasn't actually installed because it detected that it was already there. So, my advice is that you do pip uninstall yara-python, and make sure that you don't have any yara-python laying around. Once import yara fails because the module wasn't found, then repeat the installation with python3 setup.py build --dynamic-linking && python3 setup.py install

brianwarehime commented 4 years ago

Ah, yea, that did it! Didn't notice the message about it being installed already, but once I uninstalled it and removed it from /usr/local/lib/python3.7/site-packages/ it worked great.

Thanks for the help, much appreciated!

plusvic commented 4 years ago

Cool!