Knowledge Base

Yes

Objective

Add Yara rules to EDR Server.

Rules are contained within *.yar files.
The .yar files are placed in the following directory:
```
/etc/cb/integrations/cb-yara-connector/yara_rules/
```
Yara Manager can add rules by uploading the .yar files into Yara Manager browser. This action performs rudimentary checks on the file.
```
Yara Manager > Yara Rules > Choose File > Upload Rule
```
Yara-connector monitors the directory for new rules. No need to restart cb-yara-connector to ingest new rules.
Tips:

Get yara-connector working with the default rule first. (/etc/cb/integrations/cb-yara-connector/yara_rules/sample.yar)
Only add a few rules at a time.
Cut-n-paste can add extra characters and cause troubleshooting issues. If cut-n-paste, copy from a text editor.
Validate they are working – Currently by reviewing the logs. Validate tool should be fixed in next release
Review yara.readthedocs.io (see link below) for additional information.

Note: The option ./yaraconnector --validate-yara-rules is currently broken. The fix is expected in the next release post version 2.2.0
1. Run:

yara <yar file name> <directory>
Example: 
  yara /tmp/sample.yar .

2. No output indicates the rule compiled without error. Any errors encountered may note the line number and error encountered. Example errors:

error: rule "sample" in /tmp/sample.yar(3): non-ascii character
error: rule "sample" in /tmp/sample.yar(3): syntax error, unexpected end of file

3. Yara syntax errors may also appear in the Yara Connector logs.

less /var/log/cb/integrations/cb-yara-connector/yaraconnector.log

4. To verify the compiled Yara rules are actually tagging binaries, run this search query in the Process Search page:

alliance_score_yara:*