Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

unit tests failing with latest yara rules #74

Closed
crobo1337 opened this issue Oct 26, 2017 · 7 comments · Fixed by #85
Closed

unit tests failing with latest yara rules #74

crobo1337 opened this issue Oct 26, 2017 · 7 comments · Fixed by #85
Labels
documentation YARA
Milestone
v1.1.0

Comments

@crobo1337
Copy link

Background

It looks like the latest build of neo23x0's yara ruleset is breaking this build? Based on what i've been able to find it looks like there is possibly some type of version mismatch with the yara-python packages used. Any time a yara rule has a condition that calls pe.imphash the unit tests fail on build_analyzer and compile_rules with [yara.syntaxerror invalid field name"imphash"]
I've tried to clone a fresh copy of everything and rebuild from scratch, but I get the same error. I've also tried to pull the latest yara repos down, but no joy there either.

Has anyone successfully implemented newly released yara rules on this build?
@austinbyers
Copy link
Collaborator

austinbyers commented Oct 26, 2017
edited

@crobo1337 problems with *hash can happen if your system doesn't have the OpenSSL development libraries. I just cloned the repo and compiled all the rules with no issue on MacOS. What system are you running on? If it's linux-based, try installing the openssl-devel.x86_64 package before a pip install of the dependencies.

Thanks for flagging! We'll update the documentation once your problem is resolved

@crobo1337
Copy link
Author

crobo1337 commented Oct 26, 2017
edited

cool, ill give it a go and let you know what I find out, thanks.

edit: and to answer your question, i'm running this on amazon linux

@austinbyers
Copy link
Collaborator

austinbyers commented Oct 26, 2017
edited

Yeah, in that case you should be able to yum install openssl-devel.x86_64

BinaryAlert is Python3.6, so you may also need to install that (if you haven't already). The analyzer README lists the full steps we had to take to install yara-python in Amazon linux.

@crobo1337
Copy link
Author

I just nuked the entire ec2 instance i was working on and started fresh, followed the install docs to the letter, with the exception of installing openssl and gcc via yum before running the pip requirements install. once i got all of that installed before building the first time everything seems to work.

The python environment seems to be pretty 'sticky'.... annoying.

All good now, thanks for your help!

@austinbyers
Copy link
Collaborator

Happy to help - I'm glad you got it working! I'll leave the issue open until we update BinaryAlert's documentation accordingly.

What do you mean by the environment is 'sticky'?

@crobo1337
Copy link
Author

By sticky, I mean that even after nuking the virtual environment, and installing the correct packages on my build agent, any new virtual environments built after that are still building as if the openssl module isn't installed.

This behavior is sort of detailed here: VirusTotal/yara-python#28

@austinbyers
Copy link
Collaborator

Oh weird. Again, thanks for letting us know!

@austinbyers austinbyers added this to the v1.1.0 milestone Nov 20, 2017
@austinbyers austinbyers mentioned this issue Dec 12, 2017
Merged
@austinbyers austinbyers mentioned this issue Dec 13, 2017
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
documentation YARA
Projects
None yet
Milestone
v1.1.0
Development

Successfully merging a pull request may close this issue.

Add documentation for IAM policy and openssl header installation airbnb/binaryalert
2 participants
@austinbyers @crobo1337