Open masifpak opened 7 years ago
You have binary and memory YARA rules, depending on where you place them; if it is a memory one, you should have process memory activated, or just re-execute processing in debug mode to see which YARA is loaded.
@doomedraven I thought for binaries you could also specify cuckoo/data/yara/index_binaries.yar (and likewise index_memory.yar),
but then other places say

```python
# We divide yara rules in three categories.
categories = ["binaries", "urls", "memory"]
```

:\
Is the safest correct option to copy them into each subfolder, a la data/yara/binaries, urls, memory?
Here is my directory structure.
Here is the report. My question is why the yara and clamav sections are always empty in all malware reports.
I had some YARA rules. What I did was add those rules to the index_binaries.yar file as shown below. But the problem is that when I start cuckoo, the three entries below are removed automatically. The YARA rules matched, though. How can I make them permanent?
For me, I separate the systems into 3 pieces: on the one that generates the report and runs the YARA rules I have debug on, so I see what is happening at that level. But I am pretty sure this happens if you run it as one as well; just turn on debug and scan for the section where the YARA rules are loaded.
I have installed everything as described in http://yara.readthedocs.io/en/v3.5.0/gettingstarted.html. But in the report the YARA rule section is empty. How can I verify the integration of YARA rules with cuckoo? There are no YARA rules in the cuckoo directory.
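The behaviour discussed above (rules belong in data/yara/binaries, urls or memory, and index_*.yar is rebuilt from those directories at startup, so hand-edited index entries disappear) can be reproduced with the following added example. It is not Cuckoo's own code but is modelled on the startup logic quoted in the thread; the temporary directory layout and the `constructed_sample` rule are constructed for the demonstration.

```python
import os
import tempfile

# Cuckoo's three rule categories (from the startup snippet quoted in the thread).
CATEGORIES = ["binaries", "urls", "memory"]


def find_rules(category_root):
    """Return the .yar/.yara files directly inside one category directory."""
    if not os.path.isdir(category_root):
        return []
    return sorted(
        os.path.join(category_root, entry)
        for entry in os.listdir(category_root)
        if entry.endswith((".yar", ".yara"))
    )


def build_indexes(yara_root):
    """Rewrite index_<category>.yar for every category that contains rules.

    Mirrors what Cuckoo does at startup: each index file is regenerated from
    scratch, which is why entries added by hand to index_*.yar do not survive
    a restart. Returns {index_file_name: [included rule paths]}.
    """
    generated = {}
    for category in CATEGORIES:
        rules = find_rules(os.path.join(yara_root, category))
        if not rules:
            continue  # no index is written for an empty category
        index_path = os.path.join(yara_root, "index_%s.yar" % category)
        with open(index_path, "w") as fh:
            for rule in rules:
                fh.write('include "%s"\n' % rule)
        generated[os.path.basename(index_path)] = rules
    return generated


def demo():
    """Constructed layout: one rule in binaries/, nothing in urls/ or memory/."""
    yara_root = tempfile.mkdtemp(prefix="cuckoo_yara_")
    for category in CATEGORIES:
        os.makedirs(os.path.join(yara_root, category))
    with open(os.path.join(yara_root, "binaries", "sample.yar"), "w") as fh:
        fh.write('rule constructed_sample { strings: $a = "MZ" condition: $a at 0 }\n')
    return build_indexes(yara_root)


if __name__ == "__main__":
    for index_name, rules in demo().items():
        print(index_name, "->", rules)
```

Running it shows that only index_binaries.yar is generated, containing one include line for binaries/sample.yar; a rule dropped next to the index file instead of inside a category directory is never picked up.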