cd /etc/yum.repos.d
curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo
2. Install the cb-yara-connector
yum install python-cb-yara-connector
3. Install the cb-yara-manager (optional)
yum install python-cb-yara-manager
psql cb -p 5002 -c "select username, auth_token from cb_user where global_admin=true;"
2. Create the yara-configuration file
cd /etc/cb/integrations/cb-yara-connector
mv connector.conf.example yaraconnector.conf
vi /etc/cb/integrations/cb-yara-connector/yaraconnector.conf
3. Modify yaraconnector.conf
mode=standalone (for both EDR cluster and EDR standalone environments; distribution comms now use EDR redis)
cb_server_url=https://127.0.0.1
cb_server_token=< API TOKEN from step B1 GOES HERE >
broker_url=redis://127.0.0.1:6379
num_days_binaries=365 (default is best; initial scan span)
database_scanning_interval=900 (default is best; cannot be less than 360)
4. Use the default rule (already included) to get cb-yara-connector working, then add rules later.
systemctl stop cb-yara-connector
systemctl status cb-yara-connector
systemctl start cb-yara-connector
6. Enable the Threat Intelligence Yara Feed tile.
EDR Console > Threat Intelligence > Yara tile. Click "Enabled". Then Notifications > "Create Alert".
cd /etc/cb/integrations/cb-yara-manager
cp config.py.example config.py
2. Create the authentication file.
vi /etc/cb/integrations/cb-yara-manager/auth.conf
[auth]
api_token=< create a unique adequately_long_and_complex_password >
(where adequately_long_and_complex_password_or_token is any passphrase.)
YaraManagerEnabled=true
YaraManagerToken=< insert the unique adequately_long_and_complex_password >
4. To apply the new cb.conf changes, run
/usr/share/cb/cbservice cb-coreservices restart
5. Start the service.
systemctl start cb-yara-manager
6. Confirm that it is running.
ps -ef | grep -i manager (there should be 2 instances running)
7. View Yara Manager in the browser after authenticating to the EDR server.
https://<EDR server IP>/connector/yara
/var/log/cb/integrations/cb-yara-connector/yaraconnector.log
journalctl -fexu cb-yara-connector
b) Yara Manager logs
/var/log/cb/integrations/cb-yara-manager/cb-yara-manager.log
c) Monitor binary.db. Does it grow in size as new binaries arrive in EDR? The first command reports the total number of binaries scanned (should increase). The second identifies missing binaries, perhaps aged out or uploaded to Alliance (should be 0).
sqlite3 /var/cb/data/cb-yara-connector/feed_db/binary.db "select count(*) from binarydetonationresult;"
sqlite3 /var/cb/data/cb-yara-connector/feed_db/binary.db "select count(*) from binarydetonationresult where binary_not_available and score>0;"
d) Run a Process Search in the EDR console and expand the time range to "All available".
alliance_score_yara:*
e) Check for new binaries in Postgres. Modify the timestamp as needed.
psql -p 5002 cb -c "select md5hash,node_id from storefiles where present_locally=true and timestamp>='2023-05-19 00:00:00' order by timestamp desc;"
f) Feed tile does not appear on the Threat Intelligence page.
client-output-buffer-limit pubsub 0 0 0
URL: file://var/cb/data/cb-yara-connector/feed.json
g) By design, for performance reasons, the connector does not retroactively rescan already-scanned binaries when a new rule is uploaded. To match older binaries against the new rule, the db must be cleared so that a fresh scan starts from the beginning.
h) Reset the cb-yara-connector.
systemctl stop cb-yara-manager
systemctl stop cb-yara-connector
cp /etc/cb/integrations/cb-yara-connector/yara_rules/.YARA_RULES* /etc/cb/integrations/cb-yara-connector/yara_rules/.YARA_RULES-bkup
rm /etc/cb/integrations/cb-yara-connector/yara_rules/.YARA_RULES*
rm /var/cb/data/cb-yara-connector/feed.json
rm /var/cb/data/cb-yara-connector/feed_db/binary*
systemctl start cb-yara-connector
systemctl start cb-yara-manager
j) Debug mode. Add the following to /etc/cb/integrations/cb-yara-connector/yaraconnector.conf, then restart cb-yara-connector.
log_level=DEBUG
k) Verify that the Threat Report is populated from the Yara Feed tile, or run the following command on the EDR Primary server.
curl 'http://localhost:8080/solr/cbfeeds/select?q=id:"binary_<md5 hash lower case here>"'
l) The binary scan does not start and feed.json remains empty.
* Confirm the mode is set to 'standalone' (even in an EDR cluster, on the primary server).
* Confirm the token in the yara configuration has adequate permissions to access the binaries and that the account is active.
m) The binary.db and feed.json are populated but alerts do not appear in the console. The connection with Solr may be broken.
* Check the Solr logs and yara-connector logs for errors.
* Consider resetting the yara-connector as described in step h.
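As an added example (not the connector's own code), the two binary.db counters from step (c) and the feed.json lookup behind step (k) as a small Python health check run against a constructed sample database and feed; everything beyond the two column names in the page's queries (table layout, sample rows, feed report ids) is an assumption made for the demo.

```python
import json
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample rows (md5, score, binary_not_available); the table layout
# beyond the two column names used in the page's queries is assumed.
SAMPLE_ROWS = [
    ("0" * 32, 0, 0),    # scanned, no rule match
    ("1" * 32, 100, 0),  # scanned, rule matched
    ("2" * 32, 80, 1),   # matched earlier, binary since aged out or sent to Alliance
    ("3" * 32, 0, 1),    # never available, no score
]

def build_sample_db(db_path):
    conn = sqlite3.connect(db_path)
    conn.execute("create table binarydetonationresult "
                 "(md5 text primary key, score integer, binary_not_available integer)")
    conn.executemany("insert into binarydetonationresult values (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.close()

def db_health(db_path):
    """Return (total_scanned, missing_with_score), the two counters of step (c).
    Column names stay unquoted: as string literals the WHERE clause is always
    false and the second count reads 0 even when binaries are missing."""
    conn = sqlite3.connect(db_path)
    total = conn.execute("select count(*) from binarydetonationresult").fetchone()[0]
    missing = conn.execute("select count(*) from binarydetonationresult "
                           "where binary_not_available and score > 0").fetchone()[0]
    conn.close()
    return total, missing

def feed_report_for_md5(feed_path, md5):
    """Return the id of the feed.json report listing md5 as an IoC, else None
    (CbFeeds layout: {"reports": [{"id": ..., "iocs": {"md5": [...]}}]})."""
    wanted = md5.lower()
    for report in json.loads(Path(feed_path).read_text()).get("reports", []):
        if wanted in (h.lower() for h in report.get("iocs", {}).get("md5", [])):
            return report["id"]
    return None

def demo():
    """Build the sample db and feed in a temp dir and run both checks."""
    work = Path(tempfile.mkdtemp())
    build_sample_db(work / "binary.db")
    feed = work / "feed.json"  # constructed; report id mirrors the Solr id form of step (k)
    feed.write_text(json.dumps({"feedinfo": {"name": "yara"}, "reports": [
        {"id": "binary_" + "1" * 32, "score": 100, "iocs": {"md5": ["1" * 32]}}]}))
    total, missing = db_health(work / "binary.db")
    return total, missing, feed_report_for_md5(feed, "1" * 32), feed_report_for_md5(feed, "0" * 32)
```

Point db_health at /var/cb/data/cb-yara-connector/feed_db/binary.db and feed_report_for_md5 at /var/cb/data/cb-yara-connector/feed.json to run the same checks on a live server.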
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.