EDR: CB-Yara-Manager 404 Error or Connection Refused

Environment

  • EDR Server: 7.5.x +
  • CB-Yara-Manager: 2.x +

Symptoms

  • Unable to browse to the Yara Manager page after installing CB-Yara-Connector and CB-Yara-Manager.
  • /var/log/cb/nginx/access.log :
::ffff:<ip_address> - - [14/Oct/2021:10:42:05 +0200(0.017)] "GET /connector/yara HTTP/1.1" 308 281 917 841 "-" "" ">[::1]:8082, 127.0.0.1:8082" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36 Edg/94.0.992.38" "-"
::ffff:<ip_address> - - [14/Oct/2021:10:42:05 +0200(0.003)] "GET /connector/yara/ HTTP/1.1" 401 338 553 842 "-" "" ">127.0.0.1:8082" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36 Edg/94.0.992.38" "-"
  • /var/log/cb/nginx/error.log :
2021/10/14 10:42:05 [error] 10699#10699: *348352190 connect() failed (111: Connection refused) while connecting to upstream, client: ::ffff:<ip_address>, server: , request: "GET /connector/yara HTTP/1.1", upstream: "http://[::1]:8082/connector/yara", host: "edr.localdomain.com:443"
2021/10/14 10:42:05 [warn] 10699#10699: *348352190 upstream server temporarily disabled while connecting to upstream, client: ::ffff:<ip_address>, server: , request: "GET /connector/yara HTTP/1.1", upstream: "http://[::1]:8082/connector/yara", host: "edr.localdomain.com:443"
  • /var/log/cb/integrations/cb-yara-manager/cb-yara-manager.log :
<ip_address> - - [14/Oct/2021 10:59:59] code 400, message Bad request version ('\x00\x00')
<ip_address> - - [14/Oct/2021 10:59:59] "^[[35m^[[1m^V^C^A^B^@^A^@^Aü^C^C^NjHsHóøÌ-ÐQ%è^_h.<8b>ÄTYnnR1&<9a><80>GJ<83>^SÏ ûÔº«¬å1Ç^V4^E dcð^K7Ö^V^P^O<8f>Ø<96>ýïB×*¿<85>~^@ êê^S^A^S^B^S^CÀ+À/À,À0̨̩À^SÀ^T^@<9c>^@<9d>^@/^@5^A^@^A<93>ºº^@^@^@^@^@^O^@^M^@^@^[[0m" HTTPStatus.BAD_REQUEST -

Cause

The setup defined on page 271 of the VMware Carbon Black EDR 7.5 User Guide was not completed.

Resolution

  • Add these parameters into the /etc/cb/cb.conf file:
YaraManagerEnabled=true
YaraManagerToken=<token created in the yara manager auth.conf file>
  • Restart the following services :
sudo systemctl restart cb-yara-connector
sudo systemctl restart cb-yara-manager
sudo /usr/share/cb/cbservice cb-coreservices restart
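
The following check is an added example, not part of the original article or of any Carbon Black tooling: it confirms that the two cb.conf parameters from the Resolution are present before the services are restarted, without printing the token. The function names, the return codes and the rule that a later duplicate line overrides an earlier one are assumptions made for this example.

```sh
# Constructed example: checks the two cb.conf settings from the Resolution.
# The token value is a secret and is never printed.

# Print the value of the last uncommented "KEY=value" line in FILE.
# Assumption: a later duplicate line overrides an earlier one.
cb_conf_get() {
    sed -n "s/^[[:space:]]*${1}[[:space:]]*=[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Return 0 if both settings are usable, 1 if YaraManagerEnabled is not the
# literal "true" shown in the article, 2 if YaraManagerToken is missing,
# empty or still a <placeholder>, 3 if FILE cannot be read.
check_yara_manager_conf() {
    conf="${1:-/etc/cb/cb.conf}"
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 3
    fi
    enabled=$(cb_conf_get YaraManagerEnabled "$conf")
    token=$(cb_conf_get YaraManagerToken "$conf")
    if [ "$enabled" != "true" ]; then
        echo "YaraManagerEnabled is not set to true in $conf" >&2
        return 1
    fi
    case "$token" in
        ""|"<"*">")
            echo "YaraManagerToken is missing or still a placeholder" >&2
            return 2 ;;
    esac
    echo "cb.conf: Yara Manager settings present"
    return 0
}
```

Call check_yara_manager_conf with no argument, as a user that can read /etc/cb/cb.conf, to check the live file.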

Creation Date: 10-19-2021