
unit tests failing with latest yara rules #74

Closed
crobo1337 opened this Issue Oct 26, 2017 · 7 comments

@crobo1337

crobo1337 commented Oct 26, 2017

Background

It looks like the latest build of neo23x0's yara ruleset is breaking this build? Based on what I've been able to find, it looks like there is possibly some type of version mismatch with the yara-python packages used. Any time a yara rule has a condition that calls `pe.imphash`, the unit tests fail on build_analyzer and compile_rules with `yara.SyntaxError: invalid field name "imphash"`.
I've tried to clone a fresh copy of everything and rebuild from scratch, but I get the same error. I've also tried to pull the latest yara repos down, but no joy there either.

Has anyone successfully implemented newly released yara rules on this build?

@austinbyers austinbyers added the YARA label Oct 26, 2017

@austinbyers


Contributor

austinbyers commented Oct 26, 2017

@crobo1337 problems with *hash can happen if your system doesn't have the OpenSSL development libraries. I just cloned the repo and compiled all the rules with no issue on macOS. What system are you running on? If it's Linux-based, try installing the `openssl-devel.x86_64` package before a `pip install` of the dependencies.

Thanks for flagging! We'll update the documentation once your problem is resolved

@crobo1337


crobo1337 commented Oct 26, 2017

Cool, I'll give it a go and let you know what I find out, thanks.

Edit: and to answer your question, I'm running this on Amazon Linux.

@austinbyers


Contributor

austinbyers commented Oct 26, 2017

Yeah, in that case you should be able to `yum install openssl-devel.x86_64`.

BinaryAlert is Python 3.6, so you may also need to install that (if you haven't already). The analyzer README lists the full steps we had to take to install yara-python in Amazon Linux.

@crobo1337


crobo1337 commented Oct 27, 2017

I just nuked the entire EC2 instance I was working on and started fresh, followed the install docs to the letter, with the exception of installing openssl and gcc via yum before running the pip requirements install. Once I got all of that installed before building the first time, everything seems to work.

The python environment seems to be pretty 'sticky'.... annoying.

All good now, thanks for your help!

@austinbyers


Contributor

austinbyers commented Oct 27, 2017

Happy to help - I'm glad you got it working! I'll leave the issue open until we update BinaryAlert's documentation accordingly.

What do you mean by the environment is 'sticky'?

@crobo1337


crobo1337 commented Oct 27, 2017

By sticky, I mean that even after nuking the virtual environment, and installing the correct packages on my build agent, any new virtual environments built after that are still building as if the openssl module isn't installed.

This behavior is sort of detailed here: VirusTotal/yara-python#28
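A small probe script for the two problems raised in this thread: confirming whether the installed yara-python was built with OpenSSL support (the `invalid field name "imphash"` error from the first comment), and detecting the case where a rebuilt virtualenv still carries a build without it (the "sticky" environment above). This is an added example, not BinaryAlert's code or anything posted by the participants. The probe rule sources, the `ProbeResult` shape and the error-message classification are this example's own assumptions; only the `invalid field name "imphash"` string comes from the issue.

```python
"""Probe whether the installed yara-python exposes OpenSSL-backed features.

Added example for this issue thread; not part of BinaryAlert or yara-python.
Assumptions: the probe rule sources and classification labels are this
example's own; `yara` is the module installed by the yara-python package.
"""
import importlib
from collections import namedtuple

# One result per probed feature. status is one of:
#   "ok", "missing_openssl", "syntax_error", "yara_unavailable"
ProbeResult = namedtuple("ProbeResult", ["feature", "status", "detail"])

# Minimal rules that only compile when the relevant feature exists in the
# yara build. The hash literals are placeholders; the rules are never
# matched against anything, only compiled.
PROBE_RULES = {
    # pe.imphash() is only declared when libyara was built with OpenSSL.
    "pe.imphash": (
        'import "pe"\n'
        'rule probe { condition: pe.imphash() == "d41d8cd98f00b204e9800998ecf8427e" }'
    ),
    # The hash module as a whole is only compiled in with OpenSSL.
    "hash.md5": (
        'import "hash"\n'
        'rule probe { condition: hash.md5(0, filesize) == "d41d8cd98f00b204e9800998ecf8427e" }'
    ),
}


def classify_compile_error(message):
    """Map a yara.SyntaxError message to a likely cause.

    Heuristic and this example's own: the first pattern is the exact error
    reported in the issue; the second is libyara's wording for a module
    that was not compiled in.
    """
    msg = message.lower()
    if "invalid field name" in msg and "imphash" in msg:
        return "missing_openssl"
    if "unknown module" in msg and "hash" in msg:
        return "missing_openssl"
    return "syntax_error"


def probe(feature):
    """Compile one probe rule and report whether the feature is available."""
    try:
        # Imported lazily so the script still reports something useful
        # when yara-python is not installed in this environment at all.
        yara = importlib.import_module("yara")
    except ImportError as exc:
        return ProbeResult(feature, "yara_unavailable", str(exc))
    try:
        yara.compile(source=PROBE_RULES[feature])
    except yara.SyntaxError as exc:
        return ProbeResult(feature, classify_compile_error(str(exc)), str(exc))
    return ProbeResult(feature, "ok", "compiled")


def probe_all():
    """Probe every feature in PROBE_RULES; keyed by feature name."""
    return {name: probe(name) for name in PROBE_RULES}


if __name__ == "__main__":
    # Run this inside the virtualenv that BinaryAlert's tests use, after
    # installing openssl-devel and gcc and (re)building yara-python.
    for name, result in probe_all().items():
        print("{}: {} ({})".format(name, result.status, result.detail))
```

If the probe reports `missing_openssl` even after `openssl-devel` and `gcc` are installed, the likely cause is the one the linked yara-python issue describes: pip reuses a build it cached before the headers were present. A rebuild that bypasses the cache, for example `pip install --no-cache-dir --force-reinstall yara-python` (a suggestion of this example, not a step from the thread), should then make `pe.imphash` compile.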

@austinbyers


Contributor

austinbyers commented Oct 30, 2017

Oh weird. Again, thanks for letting us know!
