chainguard-dev / malcontent

Apache License 2.0

yara addfile third_party/yara-rules-full.yar: invalid field name "imphash" #63

Closed cipriancraciun closed 6 months ago

cipriancraciun commented 8 months ago

I've just compiled the tool as suggested in the README:

go install github.com/chainguard-dev/bincapz@latest

When running it on /bin/true it fails with:

> ~/go/bin/bincapz /bin/true 

scanning /bin/true ...
scan failed: YARA rule compilation: walk: yara addfile third_party/yara-rules-full.yar: invalid field name "imphash"

I am running OpenSUSE Tumbleweed, with the following packages:

> zypper info libyara-devel

Information for package libyara-devel:
--------------------------------------
Repository     : opensuse-oss-distribution
Name           : libyara-devel
Version        : 4.5.0-1.1
Arch           : x86_64
Vendor         : openSUSE
Installed Size : 177.3 KiB
Installed      : Yes
Status         : up-to-date
Source package : yara-4.5.0-1.1.src

> go version

go version go1.21.7 linux/amd64

tstromberg commented 8 months ago

That's really interesting! I haven't tested it in OpenSUSE, but have in Arch Linux, which appears to be on yara 4.3.2-1. I'll see about installing a Tumbleweed VM to see what might be going on: my going theory is that 4.5.0 is incompatible with one of these two dependencies:

In the meantime, if you want to try bincapz, I think this workaround will work:

bincapz --third_party=false

That will disable the YaraFORGE 3rd party rules.

tstromberg commented 8 months ago

I'm successfully using bincapz w/ yara v4.5.0 on macOS. I tried to start a Tumbleweed VM but it's not coming up for some reason, so I haven't yet been able to replicate this issue.

tstromberg commented 7 months ago

I haven't been able to duplicate this yet - but I wonder if this may be due to a missing OpenSSL dependency: https://github.com/VirusTotal/yara-python/issues/179

cipriancraciun commented 7 months ago

I do have OpenSSL, the library, installed, perhaps not the *-devel package.

However, you can close this issue if you want. OpenSUSE Tumbleweed is a rolling release, thus it is a moving target.

Running the tool with the third-party flag did make it work.

(Sorry for closing and re-opening the issue... I touched the touchpad by mistake while the mouse was just over "close with comment".) :)

tstromberg commented 7 months ago

I don't think it will work, but can you try installing the openssl-devel package?

My theory is that yara may only enable the imphash feature if it can find the necessary library support. If it requires compile-time support, installing openssl-devel won't help, but if it determines the existence of the dependency at runtime, it should work.

One workaround I thought about is to change this from a fatal error to a warning, but it could mask an unexpected loss in functionality.

egibs commented 6 months ago

FWIW, I ran into this when testing #181 inside of a Wolfi container. Installing openssl-dev (apk add openssl-dev) resolved the error.

For anyone searching around on how to resolve the error, installing openssl-dev/openssl-devel/libssl-dev/libopenssl-devel (depending on your distribution) should resolve the error; Arch seems to work with just openssl.
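A small diagnostic script, added here as an example and not part of bincapz or malcontent, that reproduces the failure in isolation: it compiles a one-rule probe referencing pe.imphash() with the yara CLI, classifies the resulting error, and maps the distro ID from /etc/os-release to the package names listed above. The distro-to-package mapping and the probe rule are assumptions constructed for this example.

```shell
#!/bin/sh
# Constructed diagnostic (not bincapz/malcontent code): does the installed YARA
# understand pe.imphash()? YARA built without OpenSSL rejects the field with
# 'invalid field name "imphash"', the error bincapz surfaces when it compiles
# the third-party rule set.

# classify_yara_error: map YARA compiler/scanner stderr to a verdict string.
classify_yara_error() {
    case "$1" in
        "")                                echo ok ;;
        *'invalid field name "imphash"'*)  echo missing-openssl ;;
        *)                                 echo other ;;
    esac
}

# suggest_package: OpenSSL development package for a /etc/os-release ID.
# Assumed mapping, built from the package names mentioned in this thread.
suggest_package() {
    case "$1" in
        wolfi|alpine)                  echo openssl-dev ;;
        debian|ubuntu)                 echo libssl-dev ;;
        fedora|rhel|centos|rocky|alma) echo openssl-devel ;;
        opensuse*|sles)                echo libopenssl-devel ;;
        arch)                          echo openssl ;;
        *)                             echo "openssl development package (distro-specific)" ;;
    esac
}

# check_imphash_support: compile a one-rule probe with the yara CLI against an
# empty file. Prints ok / missing-openssl / other, or no-yara if no CLI exists.
check_imphash_support() {
    command -v yara >/dev/null 2>&1 || { echo no-yara; return 0; }
    tmp=$(mktemp -d) || return 1
    # Placeholder hash value: the probe only needs to compile, never to match.
    cat > "$tmp/probe.yar" <<'EOF'
import "pe"
rule imphash_probe { condition: pe.imphash() == "00000000000000000000000000000000" }
EOF
    : > "$tmp/empty.bin"
    # Capture stderr only; a compile failure makes yara exit non-zero.
    err=$(yara "$tmp/probe.yar" "$tmp/empty.bin" 2>&1 >/dev/null) || true
    rm -rf "$tmp"
    classify_yara_error "$err"
}

verdict=$(check_imphash_support)
echo "yara imphash support: $verdict"
if [ "$verdict" = missing-openssl ] && [ -r /etc/os-release ]; then
    id=$(. /etc/os-release; echo "$ID")
    echo "hint: install $(suggest_package "$id") and rebuild bincapz"
fi
```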

egibs commented 6 months ago

Cross-posting from the closed PR

OpenSSL's libraries are required for Yara (depending on the platform being used).

A non-exhaustive list of Linux distributions and their respective package names can be found below: