Carbon Black - Yara Connector
Yara is the lingua franca of malware analysts. With a robust language for defining byte strings and clean, well-designed interfaces, many IR and security operations shops keep the results of their analysis in a local repository of Yara rules.
However, monitoring activity across your network for matches to your Yara rules is difficult. If it is possible at all, it usually involves infrequent, time-consuming scans.
Since Carbon Black collects all executed binaries and has a robust API, it is possible to configure your Carbon Black server to act as a "Yara Monitor" and automatically trigger notification for any binary executed across your network matching any of your Yara rules.
As root on your Carbon Black or other RPM based 64-bit Linux distribution server:
cd /etc/yum.repos.d
curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo
yum install python-cb-yara-connector
Once the software is installed via YUM, copy the /etc/cb/integrations/yara/connector.conf.example file to /etc/cb/integrations/yara/connector.conf. Edit this file and place your Carbon Black API key into the carbonblack_server_token variable and your Carbon Black server's base URL into the
Because connector.conf now holds an API token, treat it as a credential: restrict read access on the file to the account the service runs as, and use a token belonging to a Carbon Black user with no more privileges than the connector needs.
Also, point the Yara connector to a directory of Yara rule files by editing the yara_rule_directory variable. A set of example rules is included in the
To start the service, run service cb-yara-connector start as root. Any errors will be logged into
If you suspect a problem, please first look at the Yara connector logs found here:
(There may be multiple files, as the logger rolls over to a new file when the current one reaches a certain size.)
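The configuration steps above are easy to get half right: a token left at its placeholder value, a rule directory that does not exist, or a world-readable file holding the API key. The following pre-flight check is an added example (not part of the connector) that catches those before the service is started. It assumes connector.conf consists of `key = value` lines, uses the two keys named on this page (carbonblack_server_token and yara_rule_directory), and the placeholder token values, the `[bridge]` section name and the sample contents in `demo()` are constructed for the example; compare them with your own .example file.

```python
"""Pre-flight check of connector.conf before `service cb-yara-connector start`.

Added example, not part of the connector. It assumes the file consists of
`key = value` lines ([section] headers and #/; comments are skipped) and uses the
two keys named on this page, carbonblack_server_token and yara_rule_directory. The
placeholder token values it rejects are an assumption; compare with your .example file.
"""
import os
import stat
import tempfile
from pathlib import Path

RULE_SUFFIXES = {".yar", ".yara"}
PLACEHOLDER_TOKENS = {"", "YOUR_API_TOKEN", "<api token>"}  # assumed placeholder values


def parse_conf(text):
    """Return {key: value} from key = value lines; sections and comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_conf(conf_path):
    """Return a list of problems; an empty list means the file looks usable."""
    conf_path = Path(conf_path)
    conf = parse_conf(conf_path.read_text())
    problems = []

    if conf.get("carbonblack_server_token", "") in PLACEHOLDER_TOKENS:
        problems.append("carbonblack_server_token is missing or still a placeholder")

    mode = stat.S_IMODE(conf_path.stat().st_mode)
    if mode & 0o077:  # the file holds an API token: group/other must not be able to read it
        problems.append("connector.conf is readable by group/other (mode %o)" % mode)

    rule_dir = conf.get("yara_rule_directory", "")
    if not rule_dir:
        problems.append("yara_rule_directory is not set")
    elif not Path(rule_dir).is_dir():
        problems.append("yara_rule_directory %s does not exist" % rule_dir)
    elif not any(p.suffix in RULE_SUFFIXES for p in Path(rule_dir).iterdir()):
        problems.append("yara_rule_directory %s contains no .yar/.yara files" % rule_dir)
    return problems


def demo():
    """Constructed configs in a temp dir: a freshly copied one, then a corrected one."""
    with tempfile.TemporaryDirectory() as tmp:
        conf, rules = Path(tmp, "connector.conf"), Path(tmp, "rules")
        # as copied from the .example file: placeholder token, rule dir not created yet
        conf.write_text("[bridge]\ncarbonblack_server_token = YOUR_API_TOKEN\n"
                        "yara_rule_directory = %s\n" % rules)
        os.chmod(conf, 0o644)
        before = check_conf(conf)
        # after editing: real-looking token, rule dir with one rule, owner-only permissions
        rules.mkdir()
        Path(rules, "example.yar").write_text("rule Demo { condition: true }\n")
        conf.write_text("[bridge]\ncarbonblack_server_token = 0123456789abcdef0123456789abcdef\n"
                        "yara_rule_directory = %s\n" % rules)
        os.chmod(conf, 0o600)
        after = check_conf(conf)
    return before, after
```

Run `check_conf("/etc/cb/integrations/yara/connector.conf")` as root and refuse to start the service while it returns anything; the permission test is deliberately strict (any group/other bit), so loosen it only if the service account reads the file through group membership.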
If you want to re-run the analysis across your binaries:
- Stop the service:
service cb-yara-connector stop
- Remove the database file:
- Remove the feed from your Cb server's Threat Intelligence page
- Restart the service:
service cb-yara-connector start
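The "Yara Monitor" idea described at the top of this page, and the reason the re-run procedure above deletes the database, can both be seen in a small model: load every rule file in a directory, scan each binary once (keyed by MD5, the way the connector's local database lets it skip binaries it has already looked at), and return one record per newly scanned binary naming the rules it matched. This is an added example, not the connector's code or yara-python: it parses only a small YARA subset (text strings, hex strings with `??` wildcards, and conditions built from `$identifiers`, and/or/not, parentheses, `any of them`, `all of them`), the `YaraMonitor` class and its SQLite table are constructed stand-ins for the connector's own storage, and the sample rules and binaries are constructed, not the example rule set shipped with the package. A real deployment matches with yara-python; the subset parser is here so the example runs with the standard library alone.

```python
"""Model of the "Yara monitor" idea: compile every rule file in a directory, scan each
binary once (keyed by MD5, like the connector's own database), and return one record per
newly scanned binary naming the rules it matched. Added example, not the connector's code:
it parses only a small YARA subset; a real deployment matches with yara-python.
"""
import hashlib
import re
import sqlite3
import tempfile
from pathlib import Path

RULE_RE = re.compile(r"rule\s+(\w+)[^{]*\{(.*?)\n\}", re.S)  # closing brace on its own line
STRING_RE = re.compile(r'\$(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|\{[^}]*\})')  # $id = "text" | { hex }
COND_TOKENS = re.compile(r"(\s*(True|False|and|or|not|\(|\)))*\s*")  # allowed after $id substitution

def _text_pattern(literal):  # "cmd.exe /c" -> regex matching exactly those bytes
    return re.compile(re.escape(literal.replace('\\"', '"').encode()), re.S)

def _hex_pattern(inner):  # "4D 5A ?? 00" -> regex; ?? is any single byte (re.S so . matches 0x0a)
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in inner.split()]
    return re.compile(b"".join(parts), re.S)

def parse_rules(text):  # -> [(name, {identifier: pattern}, condition_text), ...]
    rules = []
    for name, body in RULE_RE.findall(text):
        head, _, cond = body.partition("condition:")
        strings = {}
        for ident, val in STRING_RE.findall(head):
            strings[ident] = _text_pattern(val[1:-1]) if val.startswith('"') else _hex_pattern(val[1:-1])
        rules.append((name, strings, " ".join(cond.split())))
    return rules

def condition_holds(cond, matched, all_ids):
    if cond == "any of them":
        return bool(matched)
    if cond == "all of them":
        return set(matched) == set(all_ids)
    # Replace each $id by its match result; the remainder must be pure boolean syntax
    # (enforced by the full-match token whitelist) before eval ever sees it.
    expr = re.sub(r"\$(\w+)", lambda m: "True" if m.group(1) in matched else "False", cond)
    if not COND_TOKENS.fullmatch(expr):
        raise ValueError("unsupported condition: %r" % cond)
    return bool(eval(expr, {"__builtins__": {}}, {}))

def scan(data, rules):  # names of the rules whose condition holds for this byte string
    hits = []
    for name, strings, cond in rules:
        matched = [ident for ident, pat in strings.items() if pat.search(data)]
        if condition_holds(cond, matched, strings):
            hits.append(name)
    return hits

class YaraMonitor:
    """Loads *.yar from rule_dir, scans each distinct binary once; reset() = 'remove the database'."""

    def __init__(self, rule_dir, db_path=":memory:"):
        self.rules = [r for p in sorted(Path(rule_dir).glob("*.yar")) for r in parse_rules(p.read_text())]
        self.db = sqlite3.connect(db_path)
        self.db.execute("CREATE TABLE IF NOT EXISTS scanned (md5 TEXT PRIMARY KEY, hits TEXT)")

    def scan_binary(self, data):
        md5 = hashlib.md5(data).hexdigest()
        if self.db.execute("SELECT 1 FROM scanned WHERE md5 = ?", (md5,)).fetchone():
            return None  # already analysed: nothing new to report
        hits = scan(data, self.rules)
        self.db.execute("INSERT INTO scanned VALUES (?, ?)", (md5, ",".join(hits)))
        self.db.commit()
        return {"md5": md5, "rules": hits}

    def reset(self):
        self.db.execute("DELETE FROM scanned")
        self.db.commit()

# Constructed rules (compact layout) and binaries for this example, not the connector's example set.
SAMPLE_RULES = r'''
rule MZ_Header : pe {
    strings: $mz = { 4D 5A ?? ?? 00 00 }
    condition: $mz
}
rule Suspicious_Strings {
    strings: $a = "cmd.exe /c"  $b = "powershell -enc"
    condition: any of them
}
rule Both_Required {
    strings: $a = "cmd.exe /c"  $b = "powershell -enc"
    condition: $a and $b
}
'''
SAMPLE_BINARIES = [b"MZ\x90\x00\x00\x00 plain PE header, nothing else",
                   b"\x7fELF cmd.exe /c whoami",
                   b"MZ\x00\x00\x00\x00 cmd.exe /c powershell -enc AAAA"]

def demo():  # returns (first pass, repeat of sample 0 -> None, sample 0 again after reset)
    with tempfile.TemporaryDirectory() as rule_dir:
        Path(rule_dir, "example.yar").write_text(SAMPLE_RULES)
        monitor = YaraMonitor(rule_dir)
    first = [monitor.scan_binary(b) for b in SAMPLE_BINARIES]
    repeat = monitor.scan_binary(SAMPLE_BINARIES[0])
    monitor.reset()
    return first, repeat, monitor.scan_binary(SAMPLE_BINARIES[0])
```

`demo()` shows the two behaviours the procedure above depends on: the second scan of an already-seen hash returns nothing (no duplicate notification), and after `reset()` the same binary is reported again, which is why re-running the analysis means stopping the service, deleting its database and starting it again. The condition evaluator only hands `eval` a string that has already been reduced to `True`/`False`/`and`/`or`/`not`/parentheses; anything else (for example `filesize < 100`) is rejected rather than executed.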
Building yara-python with crypto
This is only needed if you are building the connector from scratch.
git clone --recursive https://github.com/VirusTotal/yara-python
cd yara-python
python setup.py build --dynamic-linking
python setup.py install
The --dynamic-linking flag links the module against the libyara already installed on the system rather than the copy bundled as a submodule, so that system libyara must itself have been built with OpenSSL support for the crypto-dependent functionality (such as the hash module) to be available.
Contacting Carbon Black Developer Relations Support
When you contact Bit9 Developer Relations Technical Support with an issue, please provide the following:
- Your name, company name, telephone number, and e-mail address
- Product name/version, CB Server version, CB Sensor version
- Hardware configuration of the Carbon Black Server or computer (processor and memory/RAM)
- For documentation issues, specify the version of the manual you are using.
- Action causing the problem, error message returned, and event log output (as appropriate)
- Problem severity