Strelka yara errors

[EchoGangster]

I was looking through the Strelka logs today and noticed all scan.yara.flags had compiled error. I blew them all away and recompiled the rules. Also update with so-yara-update but still getting compile errors. Could anyone shed some light on what could be the issue? Thanks!

[weslambert]

Sounds like there is a bad YARA rule somewhere. There is an open issue to help with this here: #3419. In the meantime, I would check any custom rules you added (if any), and you can follow the process (quick script -- no guarantees 😄 ) below to validate against the rules directory:

yum install -y python3-yara

Create validate_yara.py:

#!/usr/bin/python3
import argparse
import yara
from pathlib import Path

parser = argparse.ArgumentParser()
parser.add_argument('--path', '-p', help='Path to YARA rules')
args = parser.parse_args()
rules_dir = args.path

def validate_yar(rules_dir):
  # Check all subdirs for YARA rules
  paths = Path(rules_dir).glob('**/*.yar*')
  for path in paths:
    path_str = str(path)
    if path_str.endswith(".yar"):
        rule = path_str
        print("Validating " + rule + "...")
        # Script will exit upon failed compilation
        yara.compile(filepath=rule)
    else:
        continue

validate_yar(rules_dir)

Then run it against the rule directory, like:

python3 validate_yara.py -p /opt/so/conf/strelka/rules