EDR: Troubleshoot Yara Components

Environment

  • EDR Server: 7.7.x
  • Yara Connector: 2.2.0
  • Yara Manager: 2.2.0

Objective

Troubleshoot Yara Components.

Resolution

Stepping through the Yara process:

  1. Restart the services and validate that they are running:
    systemctl restart cb-yara-connector
    systemctl restart cb-yara-manager
    systemctl status cb-yara-connector
    systemctl status cb-yara-manager
  2. Troubleshoot broken services:
    The Yara Manager entry appears in the left menu column of the EDR Console once the cb.conf changes are in place.
    Look for errors in the service logs:
    less /var/log/cb/integrations/cb-yara-connector/yaraconnector.log
    less /var/log/cb/integrations/cb-yara-manager/cb-yara-manager.log
  3. Was the binary uploaded?
    psql -d cb -p 5002 -c "select * from storefiles where md5hash='\x<hash>';"
  4. Did Yara analyze the file?
    sqlite3 /var/cb/data/cb-yara-connector/feed_db/binary.db "select md5,last_scan_date from binarydetonationresult where md5='<hash>';"
  5. Was there a match?
    grep <hash> /var/cb/data/cb-yara-connector/feed.json
  6. Where is the Yara alert?
    curl 'http://localhost:8080/solr/cbfeeds/select?q=id:"binary_<md5 hash lower case here>"'
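The six steps above depend on the same MD5 being written three different ways (a bytea literal for Postgres, a plain lowercase string for binary.db and feed.json, and a `binary_<md5>` document id for Solr). The following Python helper, added here as an example and not part of the KB article or of the connector's own code, normalizes a hash, produces the step 3 to 6 commands with the hash filled in consistently, and looks a hash up in a feed.json offline. The feed layout it parses (a `feedinfo` object plus a `reports` list whose entries carry `iocs.md5`) is the EDR feed format; the sample feed and the hash in it are constructed for the demo.

```python
"""Added example: identifier helpers and an offline feed.json lookup for the
Yara troubleshooting checklist. Not code from the KB article or the connector."""
from __future__ import annotations

import json
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def normalize_md5(value: str) -> str:
    """Lowercase and validate an MD5; Solr ids and feed IOCs are lowercase."""
    h = value.strip().lower()
    if not MD5_RE.match(h):
        raise ValueError(f"not a 32-char hex MD5: {value!r}")
    return h


def solr_id(md5: str) -> str:
    """Document id used in the cbfeeds Solr core (step 6)."""
    return f"binary_{normalize_md5(md5)}"


def psql_md5_literal(md5: str) -> str:
    """bytea literal for storefiles.md5hash (step 3)."""
    return "\\x" + normalize_md5(md5)


def checklist_commands(md5: str) -> list[str]:
    """The commands from steps 3-6 with the hash filled in consistently."""
    h = normalize_md5(md5)
    return [
        f"psql -d cb -p 5002 -c \"select * from storefiles where md5hash='{psql_md5_literal(h)}';\"",
        f"sqlite3 /var/cb/data/cb-yara-connector/feed_db/binary.db "
        f"\"select md5,last_scan_date from binarydetonationresult where md5='{h}';\"",
        f"grep {h} /var/cb/data/cb-yara-connector/feed.json",
        f"curl 'http://localhost:8080/solr/cbfeeds/select?q=id:\"{solr_id(h)}\"'",
    ]


def feed_reports_for_md5(feed_text: str, md5: str) -> list[dict]:
    """Return the feed reports whose md5 IOC list contains the hash (step 5).

    A plain grep on feed.json also hits the hash inside report ids or titles;
    checking the iocs.md5 list answers 'did a rule match' precisely.
    """
    h = normalize_md5(md5)
    feed = json.loads(feed_text)
    hits = []
    for report in feed.get("reports", []):
        iocs = [normalize_md5(x) for x in report.get("iocs", {}).get("md5", [])]
        if h in iocs:
            hits.append(report)
    return hits


# Constructed sample feed in the EDR feed layout; not taken from a real server.
SAMPLE_FEED = json.dumps({
    "feedinfo": {"name": "yaraconnector", "display_name": "Yara Connector"},
    "reports": [
        {"id": "d41d8cd98f00b204e9800998ecf8427e", "score": 100,
         "title": "demo_rule",
         "iocs": {"md5": ["d41d8cd98f00b204e9800998ecf8427e"]}},
    ],
})

if __name__ == "__main__":
    target = "D41D8CD98F00B204E9800998ECF8427E"  # uppercase on purpose: gets normalized
    for cmd in checklist_commands(target):
        print(cmd)
    hits = feed_reports_for_md5(SAMPLE_FEED, target)
    print("feed matches:", [(r["title"], r["score"]) for r in hits])
```

Run it with an MD5 copied from the console (upper or lower case) and paste the printed commands on the EDR server one at a time; a hash that is in storefiles but absent from binary.db points at the connector, one that is in feed.json but missing from Solr points at the feed import.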
Additional Troubleshooting

a) Yara Connector logs 
/var/log/cb/integrations/cb-yara-connector/yaraconnector.log 
journalctl -fexu cb-yara-connector
b) Yara Manager logs 
/var/log/cb/integrations/cb-yara-manager/cb-yara-manager.log
c) Monitor binary.db. Does it grow in size as new binaries arrive at EDR? The first command returns the total number of binaries scanned (it should increase over time).
The second command counts scored binaries that are missing, perhaps aged out or uploaded to Alliance (it should return 0).
sqlite3 /var/cb/data/cb-yara-connector/feed_db/binary.db "select count(*) from binarydetonationresult;"
sqlite3 /var/cb/data/cb-yara-connector/feed_db/binary.db "select count(*) from binarydetonationresult where binary_not_available and score>0;"
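To see how the two binary.db health queries above (and the step 4 last-scan lookup) behave, here is an added Python example that runs them against an in-memory SQLite table. It is not code from the KB article or the connector; the schema is a constructed subset of binarydetonationresult containing only the columns the KB queries reference (the real table has more), and the rows are constructed sample data.

```python
"""Added example: the binary.db health queries from the KB run against an
in-memory SQLite stand-in. Not code from the KB article or the connector."""
from __future__ import annotations

import sqlite3
from typing import Optional

# Constructed schema: only the columns the KB queries use.
SCHEMA = """
create table binarydetonationresult (
    md5 text primary key,
    last_scan_date text,
    binary_not_available integer default 0,
    score integer default 0
)
"""


def open_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for /var/cb/data/cb-yara-connector/feed_db/binary.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    # Constructed rows: two binaries scanned normally, one that scored on a rule
    # but could no longer be fetched from EDR (the case the second query counts).
    conn.executemany(
        "insert into binarydetonationresult values (?, ?, ?, ?)",
        [
            ("d41d8cd98f00b204e9800998ecf8427e", "2023-05-19 10:00:00", 0, 100),
            ("0" * 32, "2023-05-19 10:05:00", 0, 0),
            ("f" * 32, "2023-05-18 09:00:00", 1, 80),
        ],
    )
    conn.commit()
    return conn


def scanned_count(conn: sqlite3.Connection) -> int:
    """First KB query: total binaries scanned; should grow as binaries arrive."""
    return conn.execute("select count(*) from binarydetonationresult").fetchone()[0]


def missing_scored_count(conn: sqlite3.Connection) -> int:
    """Second KB query: scored binaries the connector could not fetch; should be 0."""
    return conn.execute(
        "select count(*) from binarydetonationresult "
        "where binary_not_available and score > 0"
    ).fetchone()[0]


def last_scan(conn: sqlite3.Connection, md5: str) -> Optional[str]:
    """Step 4 of the checklist: when was this hash last scanned?"""
    row = conn.execute(
        "select last_scan_date from binarydetonationresult where md5 = ?",
        (md5.strip().lower(),),
    ).fetchone()
    return row[0] if row else None


def db_health(previous_total: int, current_total: int, missing: int) -> dict:
    """Interpret two count snapshots the way the KB describes them."""
    return {
        "growing": current_total > previous_total,
        "missing_binaries": missing,
        "ok": current_total > previous_total and missing == 0,
    }


if __name__ == "__main__":
    db = open_sample_db()
    total = scanned_count(db)
    missing = missing_scored_count(db)
    print("scanned:", total, "missing scored:", missing)
    print("last scan of empty-file md5:", last_scan(db, "D41D8CD98F00B204E9800998ECF8427E"))
    # Pretend an earlier snapshot counted 2 rows.
    print(db_health(2, total, missing))
```

On a real server, take the first count, wait for new binaries to arrive, and take it again; a count that never moves while storefiles keeps growing (check e) means the connector is not scanning, while a non-zero second count means binaries scored by a rule could not be retrieved from EDR.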
d) Run a Process Search in EDR console and expand the time range to "All available".
alliance_score_yara:*
e) Check for new binaries in Postgres.  Modify the timestamp as needed.
psql -p 5002 cb -c "select md5hash,node_id from storefiles where present_locally=true and timestamp>='2023-05-19 00:00:00' order by timestamp desc;"
f) Feed tile does not appear on the Threat Intelligence page.
  • Redis could be overwhelmed. Remove the client output buffer limit in /etc/cb/redis.conf.template by changing the setting to:
client-output-buffer-limit pubsub 0 0 0
  • OR add the feed manually using EDR Console > Threat Intelligence > Add New Feed
URL: file://var/cb/data/cb-yara-connector/feed.json
g) By design, for performance reasons, the connector does not retroactively rescan existing binaries for matches when a new rule is uploaded. To scan them against the new rule, the database would need to be cleared so that a fresh scan starts from the beginning (see step h).

h) Reset and Restart.  
systemctl stop cb-yara-manager
systemctl stop cb-yara-connector
cp /etc/cb/integrations/cb-yara-connector/yara_rules/.YARA_RULES* /etc/cb/integrations/cb-yara-connector/yara_rules/.YARA_RULES-bkup
rm /etc/cb/integrations/cb-yara-connector/yara_rules/.YARA_RULES*
rm /var/cb/data/cb-yara-connector/feed.json
rm /var/cb/data/cb-yara-connector/feed_db/binary*
systemctl start cb-yara-connector
systemctl start cb-yara-manager
i) Yara-connector does not automatically start after reboot.
     Check the symlink from /etc/systemd/system/multi-user.target.wants/cb-yara-connector.service to /etc/systemd/system/cb-yara-connector.service

j) Debug mode. Add the following line to /etc/cb/integrations/cb-yara-connector/yaraconnector.conf, then restart cb-yara-connector.
log_level=DEBUG
k) Verify the Threat Report is populated from the Yara Feed tile, or run the following command on the EDR Primary server.
curl 'http://localhost:8080/solr/cbfeeds/select?q=id:"binary_<md5 hash lower case here>"'
l) The binary scan does not start and feed.json remains empty.
* Confirm the mode is set to 'standalone' (even on the primary server of an EDR cluster).
* Confirm the token in the Yara configuration has adequate permissions to access the binaries and that the account is active.
m) binary.db and feed.json are populated but alerts do not appear in the console. The connection with Solr may be broken.
* Check the Solr logs and the yara-connector logs for errors.
* Consider resetting the yara-connector as noted in step h.
Article Information
Creation Date: 05-25-2023