
EDR: How To Validate Yara Rules

Environment

  • EDR: All Supported Versions
  • EDR Yara Connector: All Supported Versions

Objective

How to validate Yara rules prior to deploying them in the Response Yara Connector.

Resolution

      1.  Run:
          yara <yar file name> <directory>
          Example:
          yara /tmp/sample.yar .
      2.  No output indicates the rule compiled without error. Any error is reported with the rule name, the file name, the line number in parentheses and a description of the problem. Example errors:
          error: rule "sample" in /tmp/sample.yar(3): non-ascii character
          or
          error: rule "sample" in /tmp/sample.yar(3): syntax error, unexpected end of file
      3.  Yara syntax errors may also appear in the Yara Connector log:
          less /var/log/cb/integrations/cb-yara-connector/yaraconnector.log
      4.  To verify the compiled Yara rules are actually tagging binaries, run this search query on the Process Search page:
          alliance_score_yara:*
Additional Notes

If a rule does not assign a "score" value but produces a hit, the hit is given a default score of 100.
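The script below is an added example for this article, not code from the original page or from the Yara Connector project. It wraps the compile check from step 1 and adds two cheap pre-flight checks for conditions the article describes: it lists the line numbers that contain non-ASCII bytes (the cause of the "non-ascii character" compiler error shown above) and names every rule that sets no "score" meta value, since hits from such rules fall back to the default score of 100. The yara CLI is assumed to be on PATH for the compile step; the two-rule file that write_sample_rules produces is constructed for the demonstration.

```shell
#!/bin/sh
# Pre-flight checks for a Yara rule file before loading it into the Yara Connector.
# Added example; assumes the 'yara' CLI is on PATH for the final compile step.

# Print the number of every line containing a byte outside printable ASCII
# (tab and CR are tolerated). The yara compiler rejects such lines.
yara_nonascii_lines() {
    # usage: yara_nonascii_lines rulefile
    LC_ALL=C grep -an "[^$(printf ' -~\t\r')]" "$1" | cut -d: -f1
}

# Print the name of every rule that has no "score = ..." meta line; the
# connector applies the default score of 100 to hits from those rules.
yara_rules_without_score() {
    # usage: yara_rules_without_score rulefile
    awk '
        function flush() { if (name != "" && !has_score) print name; name = ""; has_score = 0 }
        /^[[:space:]]*((private|global)[[:space:]]+)*rule[[:space:]]+[A-Za-z_][A-Za-z0-9_]*/ {
            flush()
            line = $0
            sub(/^[[:space:]]*((private|global)[[:space:]]+)*rule[[:space:]]+/, "", line)
            sub(/[^A-Za-z0-9_].*$/, "", line)
            name = line
        }
        /^[[:space:]]*score[[:space:]]*=/ { has_score = 1 }
        END { flush() }
    ' "$1"
}

# Step 1 of the article: compile (and scan) with the yara CLI. Silence means
# the rules compiled. Returns yara's exit status, or 2 if yara is not installed.
yara_compile_check() {
    # usage: yara_compile_check rulefile [scan_dir]
    if ! command -v yara >/dev/null 2>&1; then
        echo "yara CLI not found; skipping compile check" >&2
        return 2
    fi
    yara "$1" "${2:-.}"
}

# Run all three checks against one rule file.
preflight() {
    # usage: preflight rulefile [scan_dir]
    f="$1"
    bad=$(yara_nonascii_lines "$f")
    [ -n "$bad" ] && echo "non-ASCII bytes on line(s): $(echo "$bad" | tr '\n' ' ')" >&2
    noscore=$(yara_rules_without_score "$f")
    [ -n "$noscore" ] && echo "rules without a score (default 100 applies): $(echo "$noscore" | tr '\n' ' ')" >&2
    yara_compile_check "$f" "${2:-.}"
}

# Constructed two-rule sample for the demonstration. The second rule sets no
# score and its strings line (line 14) carries a UTF-8 curly quote, bytes
# \342\200\234, which yara reports as "non-ascii character".
write_sample_rules() {
    # usage: write_sample_rules path
    {
        printf '%s\n' 'rule sample_with_score'
        printf '%s\n' '{'
        printf '%s\n' '    meta:'
        printf '%s\n' '        score = 50'
        printf '%s\n' '    strings:'
        printf '%s\n' '        $a = "constructed-marker"'
        printf '%s\n' '    condition:'
        printf '%s\n' '        $a'
        printf '%s\n' '}'
        printf '%s\n' ''
        printf '%s\n' 'rule sample_missing_score'
        printf '%s\n' '{'
        printf '%s\n' '    strings:'
        printf '        $b = "\342\200\234bad quote"\n'
        printf '%s\n' '    condition:'
        printf '%s\n' '        $b'
        printf '%s\n' '}'
    } > "$1"
}

# Example session (not run on load):
#   write_sample_rules /tmp/sample.yar
#   preflight /tmp/sample.yar .
```

Running preflight on the constructed file reports line 14 as non-ASCII and sample_missing_score as lacking a score before yara is even invoked, so both problems are fixed in the rule file rather than discovered later in yaraconnector.log.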

Article Information
Creation Date: 01-23-2020