search

sleuthkit / autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
http://www.sleuthkit.org/autopsy/
2.29k stars 586 forks source link

YARA Compile error 1 #7883

Closed scallensc closed 4 months ago

scallensc commented 4 months ago

image image image image

Attempting to use Yara Forge rulesets from https://github.com/YARAHQ/yara-forge

Attached screenshots show the .yar file in the correct folder, Autopsy yara module settings showing the file is found correctly, and the subsequent error.

Receive Compile error 1. - nothing is shown in any log file. This happens whether "All Files" or "Only Executable Files" is chosen on the "Run Ingest Modules" YARA Analyzer options page.

Verified these rules compile fine from command line based on the only forum post related to this issue I could find - attached screenshot showing this.

I've tested core, extended and full sets and they all have this issue.

Running latest Autopsy 4.21.0 downloaded from your releases section. Have tested this on a Win10 PC and VM at work, as well as at home on my Win11 PC, same issue.

Additionally, I have used these rulesets with no issues in X-Ways with the CrowdStrike YARA x-tension, so I think the issue is with the compilation process in Autopsy. These rulesets are compatible with v4.3.2 of yara, do you use an outdated version?

scallensc commented 4 months ago

image

Resolved by downloading the latest yara from https://github.com/virustotal/yara/releases/tag/v4.3.2

Overwrite the Autopsy provided yarac64.exe file as per screenshot.