Don't integrate them, it will break your cuckoo! Only use that which you need, check in your cwd or do
locate memory.yar to find the location
@doomedraven I can see index_memory.yar in "/opt/cuckoo/stuff/". Should I include the path of all my other yara rules in this file?
I think this file will match the yara rules against the process memory.
If other yara rules are included, can they be matched against the file in the static scan?
for static you need to add them to binary.yar, which should be in the same folder. Yes, you need to add everything you want there, but as I told you, if you add all the yaras from yara-rules, you will get many more problems with cuckoo/mongo
@doomedraven what problems have you gotten when using the rules from https://github.com/Yara-Rules/rules?
I have also been trying to add yara rules from this repo, and per commit https://github.com/jbremer/cuckoo/commit/2eeb10e8134bd5636484fff01ffe93e2a6ccf506, Cuckoo should just grab the yara rules in the CWD/yara dir. I've added yara rules to the CWD/yara dir, and they are only loaded by Cuckoo when placed in the original folders. Why doesn't this happen @jbremer?
do searches in issues and you will see tons of issues related to this
I see. So really extra yara rules don't enhance as much as you might think? Because they depend on additional Cuckoo signatures as well?
That's correct. We'd be happy if somebody steps up to isolate the useful Yara rules and create Cuckoo Signatures, though ;-)
totally agree
See, I learn something new every day! :(
On Tue, Jun 5, 2018 at 8:53 AM, Jurriaan Bremer notifications@github.com wrote:
That's correct. We'd be happy if somebody steps up to isolate the useful Yara rules and create Cuckoo Signatures, though ;-)
the problem is that what's useful is different for every use case
FWIW, you can get a good base of rules from https://github.com/Yara-Rules/rules. ONLY use CVE_Rules, Crypto and Packers though. Most of the malware rules work too, except for MALW_AZORULT.yar
I was just playing with the rules today, and it seems MALW_AZORULT.yar only works if you compile yara to use the Cuckoo module
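An added example (not from this thread and not Cuckoo's own code) that automates the advice above: a bash script that writes a binary.yar-style index of include directives from a Yara-Rules checkout, keeping only the CVE_Rules, Crypto and Packers directories and leaving out any rule that imports the yara cuckoo module unless the local yara build is known to support it. The directory names, the probe via yarac and the output path are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the thread or of Cuckoo. Builds an index file of
# `include` lines (the format Cuckoo's binary.yar / memory.yar use) from a
# checkout of https://github.com/Yara-Rules/rules, restricted to the
# directories the thread recommends, and skips rules that need the yara
# "cuckoo" module when the installed yara lacks it.
set -eu

# Directories from the Yara-Rules repo the thread calls safe to include (assumption).
SAFE_DIRS="CVE_Rules Crypto Packers"

# Returns 0 if yarac is installed and compiles a rule that imports "cuckoo".
# Without yarac we conservatively assume the module is absent (assumption).
yara_has_cuckoo_module() {
    command -v yarac >/dev/null 2>&1 || return 1
    probe=$(mktemp)
    printf 'import "cuckoo"\nrule probe { condition: false }\n' > "$probe"
    yarac "$probe" "$probe.bin" >/dev/null 2>&1; rc=$?
    rm -f "$probe" "$probe.bin"
    return $rc
}

# build_index RULES_ROOT OUT_FILE HAVE_CUCKOO(0|1)
# Writes one `include "<path>"` per kept .yar file and prints the number kept.
build_index() {
    rules_root="$1"; out="$2"; have_cuckoo="$3"
    : > "$out"
    for d in $SAFE_DIRS; do
        [ -d "$rules_root/$d" ] || continue
        for f in "$rules_root/$d"/*.yar; do
            [ -f "$f" ] || continue
            if grep -q '^import "cuckoo"' "$f" && [ "$have_cuckoo" -eq 0 ]; then
                echo "skip (needs cuckoo module): $f" >&2
                continue
            fi
            printf 'include "%s"\n' "$f" >> "$out"
        done
    done
    grep -c '^include ' "$out" || true
}

# main RULES_ROOT OUT_FILE: detect module support, write the index, and try a
# compile with yarac when available so a bad rule is caught before Cuckoo loads it.
main() {
    have=0; yara_has_cuckoo_module && have=1
    n=$(build_index "$1" "$2" "$have")
    echo "wrote $n include lines to $2 (cuckoo module support: $have)"
    command -v yarac >/dev/null 2>&1 && yarac "$2" "$2.compiled" && rm -f "$2.compiled"
}

# Usage: ./build_index.sh /path/to/Yara-Rules/rules /opt/cuckoo/yara/binary.yar
[ $# -ge 2 ] && main "$@" || true
```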
Closing issue.
I have installed cuckoo on my Linux machine with 3 VMs and all the analyses are performed well. Now my issue is to configure custom yara rules in cuckoo from the github repo https://github.com/Yara-Rules/rules/archive/master.zip
I have changed my cwd to "/opt/cuckoo" and at this location I cannot see "/data" directory. Do I need to create it?
After installing cuckoo community "/yara" directory is created with default rules under "/opt/cuckoo/"
Now where do I download and include the custom yara rules to make them match against the samples I submit for analysis?
Where will these default yara rules be included for scan ?
Which module of cuckoo calls these yara rules to scan them against the samples?
Kindly help with these issues and queries.