-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
YARA UI & Service Updates #55
Comments
for number 1 you can do: source:reversinglabs (case sensitive) |
Regex seems wrong, should be |
Refer to my recent messages re: 1. https://discord.com/channels/908084610158714900/908084610624274494/1086247172724510843 |
Sorry, I did have the dot in front |
Issue partially resolved by clearing the cached entries in Redis. Adding a cache-less update mechanism has been created as a ticket. |
Documenting what @cccs-rs and I have discussed in chat (and also a reminder). The Redis cache resolved 2 of my 3 issues with the yara repositories. The last repo reported an error of The line causing the exception is here: https://github.com/CybercentreCanada/assemblyline-service-yara/blob/3061ac084004db4cb514d192ab88fd142ad9d09e/yara_/update_server.py#L96 The What I guess I'd suggest is maybe a couple things...
|
Based on these comments, I recommend ignoring any encoding errors. I expect that the offending files are CP1252, but the invalid characters are in comments, which YARA ignores. |
I did have one that appeared in the rule itself. Don't know if it was intentional or not, but it looked like this.
|
Do you have a link to the source, or can you upload that portion of the rule here? Strings pasted inline won't retain the source encoding. |
It's not public, but here is a modified file based on that rule. I have 4 yara files that fail on the reading due to a character encoding. |
The character in the file you uploaded includes the Unicode replacement character. It appears that the original character was lost. I can replicate the issue by converting the file to CP-1252 and adding the 0xBB byte in that position, but any successful compilation and matches with YARA with rule files using non UTF8 encodings should not be relied upon. |
Yeah, it was a |
I'm not overly concerned if one rule in a thousand doesn't work - just wasn't sure what the best way to handle it is. It does need to be handled in some way though so it doesn't cause an exception and abort the entire repo read. |
Looks like I was behind on the status of the rule encodings. But there appears to be a consistent desire from the development team to only support UTF-8 in the future.
try:
with open(file, 'r') as f:
f_lines = f.readlines()
except UnicodeDecodeError as exc:
with open(file, 'r', encoding='iso-8859-1') as f:
f_lines = f.readlines()
self.log.error(f"File could not be loaded as UTF-8: {file}") |
v4.4.0.stable5 of the YARA service will include performing a Services w/ updaters built from v4.4.0.stable5 of Assemblyline will now be able to instruct the Scaler about when to scale a service. If a service depends on the bundle sent by the updater, indicated by If you notice this issue still persists, feel free to re-open the issue with more information! 😁 |
It would be nice if the Signature Search also searched on
Source
. So if I search bartblaze or reversinglabs, I'd get some Yara hits for Signatures. I couldn't find the Yara (perhaps due to a 10,000 limit on Signatures) so I was searching on the Source and kept getting 0 hits. I didn't realize I needed to search Yara. I did end up finding them by clicking on the source fingerprint.Some of my yara source updates don't appear to be processing the yara rules. Here are couple public repositories that I've added that say they've downloaded, but show no signatures.
The text was updated successfully, but these errors were encountered: