
EDR: How To Validate Yara Rules

Environment

  • EDR:  All Supported Versions
  • EDR Yara Connector:  All Supported Versions

Objective

How to validate Yara rules prior to deployment in the Response Yara Connector.

Resolution

1. Run:

   yara <yar file name> <directory>

   Example:

   yara /tmp/sample.yar .

2. No output indicates the rule compiled without error. Any errors encountered may note the line number and the error. Example errors:

   error: rule "sample" in /tmp/sample.yar(3): non-ascii character

   or

   error: rule "sample" in /tmp/sample.yar(3): syntax error, unexpected end of file

3. Yara syntax errors may also appear in the Yara Connector logs:

   less /var/log/cb/integrations/cb-yara-connector/yaraconnector.log

4. To verify the compiled Yara rules are actually tagging binaries, run this search query in the Process Search page:

   alliance_score_yara:*
Additional Notes

If there is no "score" value assigned by the rule, but a hit is determined, it will get a default score of 100.
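The following script is an added example, not code from this article or from the Yara Connector project. It performs a pre-flight check on .yar files before they are handed to the connector: it flags the two compiler errors quoted in the Resolution steps (non-ASCII characters, usually smart quotes pasted from a document, and an unbalanced brace that ends in "unexpected end of file"), reports them in the same "<file>(<line>): <message>" shape the yara compiler uses, then runs the real `yara` binary against an empty directory (step 1 above) when one is on PATH. It also reports the score the connector will use: the rule's declared meta `score`, or the default of 100 noted above. The assumption that the connector reads a `score` entry from the rule's meta block, and the sample rules embedded in the script, are constructed for this example.

```python
"""Pre-deployment lint for Yara rule files (added example, not the connector's code)."""
import re
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

# Strip string literals and // comments before counting braces so that a "{"
# inside a text string or a comment does not skew the depth count.
_STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')
_COMMENT_RE = re.compile(r"//.*$")
_SCORE_RE = re.compile(r"^\s*score\s*=\s*(\d+)\s*$")
_SECTION_RE = re.compile(r"^\s*(meta|strings|condition)\s*:")

DEFAULT_SCORE = 100  # assigned by the connector when a rule declares no score


def lint_rule_text(text, name="<rule>"):
    """Return yara-style '<name>(<line>): <message>' strings for problems found.

    The non-ASCII check is stricter than yara's own: it flags such characters
    even inside string literals, because pasted curly quotes are the usual cause.
    """
    problems = []
    depth = 0
    lineno = 0
    for lineno, line in enumerate(text.splitlines(), start=1):
        if any(ord(ch) > 127 for ch in line):
            problems.append(f"{name}({lineno}): non-ascii character")
        code = _COMMENT_RE.sub("", _STRING_RE.sub('""', line))
        depth += code.count("{") - code.count("}")
        if depth < 0:  # a closing brace with no matching opener
            problems.append(f"{name}({lineno}): syntax error, unexpected '}}'")
            depth = 0
    if depth > 0:  # file ended inside a rule body
        problems.append(f"{name}({lineno}): syntax error, unexpected end of file")
    return problems


def effective_score(text):
    """Score the connector will use: the first meta 'score' declared, else 100.

    Assumes (not stated on the page) that the score lives in the meta block.
    """
    in_meta = False
    for line in text.splitlines():
        section = _SECTION_RE.match(line)
        if section:
            in_meta = section.group(1) == "meta"
            continue
        if in_meta:
            m = _SCORE_RE.match(line)
            if m:
                return int(m.group(1))
    return DEFAULT_SCORE


def compile_with_yara(path):
    """Run the real compiler against an empty directory, as in step 1.

    Returns yara's stderr lines on failure, or [] if yara is absent or succeeds.
    """
    if shutil.which("yara") is None:
        return []
    with tempfile.TemporaryDirectory() as empty_dir:
        proc = subprocess.run(["yara", str(path), empty_dir],
                              capture_output=True, text=True)
    if proc.returncode == 0:
        return []
    return [line for line in proc.stderr.splitlines() if line.strip()]


def validate_file(path):
    """Lint one .yar file; returns (problems, effective_score)."""
    path = Path(path)
    text = path.read_text(encoding="utf-8", errors="replace")
    problems = lint_rule_text(text, name=str(path))
    if not problems:
        problems = compile_with_yara(path)
    return problems, effective_score(text)


# Constructed sample rules for a self-check; they are not rules from the article.
GOOD_RULE = """rule sample
{
    meta:
        description = "constructed sample"
        score = 50
    strings:
        $a = "hello"
    condition:
        $a
}
"""
NONASCII_RULE = """rule sample
{
    meta:
        description = \u201ccurly quotes pasted from a document\u201d
    condition:
        true
}
"""
TRUNCATED_RULE = """rule sample
{
    condition:
        true
"""

if __name__ == "__main__":
    for arg in sys.argv[1:]:
        problems, score = validate_file(arg)
        for problem in problems:
            print("error:", problem)
        print(f"{arg}: {'FAILED' if problems else 'OK'}, score {score}")
```

Run it as `python lint_yara.py /tmp/sample.yar` before copying the file into the connector's rule directory; a clean lint plus a silent `yara` run is the same "no output" result step 2 describes, and the printed score tells you whether the default of 100 will apply.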

Article Information

Creation Date: 01-23-2020