Yara analyzer doesn't recognize 'sha1' field name from Yara-rules #62

Closed
lctrcl opened this issue Jun 18, 2017 · 6 comments
Labels
category:bug (Issue is related to a bug), scope:analyzer (Issue is analyzer related)

Comments

@lctrcl

lctrcl commented Jun 18, 2017

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Ubuntu |
| OS version (client) | 16.04 |
| Cortex Analyzer Name | Yara |
| Cortex Analyzer Version | 1.0 |
| Cortex Version | 1.1.3-1 |

Problem Description

On a fresh install of TheHive + Cortex I've tried to use the Yara analyzer on https://github.com/Yara-Rules/rules, however, it gives me the following report error:

{
  "errorMessage": "Error: Invalid output\nTraceback (most recent call last):\n  File \"./yara_analyzer.py\", line 57, in <module>\n    YaraAnalyzer().run()\n  File \"./yara_analyzer.py\", line 28, in __init__\n    self.ruleset.append(yara.compile(rulepath + '/index.yar'))\nyara.SyntaxError: /opt/rules/./malware/MALW_Mirai.yar(166): invalid field name \"sha1\"\n",
  "success": false
}

Steps to Reproduce

  1. Install Ubuntu 16.04
  2. Install fresh thehive and cortex from deb files
  3. git clone https://github.com/Yara-Rules/rules /opt/rules
  4. snippet of application.conf for cortex

Yara {
  rules=["/opt/rules"]
}

  5. Analyze some file
@saadkadhi
Contributor

@3c7 can you please look into it? Thanks.

saadkadhi added the scope:analyzer and category:bug labels on Jun 19, 2017
@3c7
Contributor

3c7 commented Jul 3, 2017

Didn't forget this one. Will check it in the next days, lots of things to do right now. This issue has nothing to do with the analyzer itself, but with yara-python and the statically linked library (I suppose, at least...):

>>> import yara
>>> rule = yara.compile('F:\\_work\\MALW_mirai.yar') # Yeah, windows, I know...
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
yara.SyntaxError: F:\_work\MALW_mirai.yar(166): invalid field name "sha1"

A possible solution could be compiling YARA from source and using the shared lib when installing the yara analyzer - I'll check that.

@3c7
Contributor

3c7 commented Jul 3, 2017

The lib needs to get built with crypto support, so building yara itself from src is necessary: VirusTotal/yara-python#27

@3c7
Contributor

3c7 commented Jul 3, 2017

Fresh Ubuntu 16.04.2

user@ubuntu:~$ git clone https://github.com/Yara-Rules/rules
Cloning into 'rules'...
remote: Counting objects: 5536, done.
remote: Compressing objects: 100% (73/73), done.
remote: Total 5536 (delta 55), reused 79 (delta 35), pack-reused 5427
Receiving objects: 100% (5536/5536), 3.62 MiB | 938.00 KiB/s, done.
Resolving deltas: 100% (3396/3396), done.
Checking connectivity... done.
user@ubuntu:~$ python3 -c "import yara;yara.compile('rules/index.yar')"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
yara.SyntaxError: rules/./malware/MALW_Mirai.yar(166): invalid field name "sha1"

Fresh Ubuntu 16.04.2 with libssl-dev

user@ubuntu:~$ git clone https://github.com/Yara-Rules/rules
Cloning into 'rules'...
remote: Counting objects: 5536, done.
remote: Compressing objects: 100% (73/73), done.
remote: Total 5536 (delta 55), reused 79 (delta 35), pack-reused 5427
Receiving objects: 100% (5536/5536), 3.62 MiB | 938.00 KiB/s, done.
Resolving deltas: 100% (3396/3396), done.
Checking connectivity... done.
user@ubuntu:~$ python3 -c "import yara;yara.compile('rules/index.yar')"
user@ubuntu:~$

So, the solution is installing the OpenSSL dev libs beforehand: sudo apt install libssl-dev && sudo pip install -I yara-python or sudo apt install libssl-dev && sudo pip3 install -I yara-python. The installation through pip will take care of the crypto build options if libssl-dev is installed.
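
A preflight check for the fix described in this thread, as an added example that is not part of the thread, of Cortex or of yara-python: it compiles a constructed rule that uses hash.sha1 (the same hash-module field MALW_Mirai.yar(166) trips on) and classifies the outcome, so a deployment can confirm its yara-python build has crypto support before it is pointed at a ruleset. The probe rule, the regular expressions and the status strings are assumptions of this example.

```python
import re

# Constructed probe rule (not from the thread): the smallest rule that needs a
# crypto-enabled libyara. Its SHA-1 literal is the digest of the empty input.
PROBE_RULE = r'''
import "hash"
rule crypto_probe {
    condition:
        hash.sha1(0, filesize) == "da39a3ee5e6b4b0d3255bfef95601890afd80709"
}
'''

# md5/sha1/sha256 of the hash module only exist when libyara was built with
# OpenSSL; without it the compiler reports them as unknown fields.
NO_CRYPTO_RE = re.compile(r'invalid field name "(md5|sha1|sha256)"')
HASH_FIELD_RE = re.compile(r'\bhash\.(md5|sha1|sha256)\s*\(')


def is_missing_crypto_error(message: str) -> bool:
    """True when a yara.SyntaxError text names a hash-module field, i.e. the
    build lacks crypto support rather than the rule being malformed."""
    return bool(NO_CRYPTO_RE.search(message))


def hash_fields_used(rule_source: str) -> set:
    """Hash functions a ruleset references; a non-empty set means it will
    not compile on a crypto-less yara-python."""
    return set(HASH_FIELD_RE.findall(rule_source))


def probe_yara_crypto_support() -> str:
    """'ok' if yara-python compiles a hash-based rule, 'no-crypto' if it fails
    with the error seen in this thread, 'no-yara' if the module is absent."""
    try:
        import yara
    except ImportError:
        return "no-yara"
    try:
        yara.compile(source=PROBE_RULE)
    except yara.SyntaxError as exc:
        return "no-crypto" if is_missing_crypto_error(str(exc)) else "other-error"
    return "ok"


if __name__ == "__main__":
    status = probe_yara_crypto_support()
    print(f"yara-python crypto support: {status}")
    if status == "no-crypto":
        print("fix: sudo apt install libssl-dev && sudo pip3 install -I yara-python")
```

Run it on the Cortex host after (re)installing yara-python; hash_fields_used can additionally be run over a ruleset's sources to see whether the check matters for that ruleset at all.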

@lctrcl
Author

lctrcl commented Jul 6, 2017

Thanks, just tested your proposed solution, it's working.

@lctrcl lctrcl closed this as completed Jul 6, 2017
@3c7
Contributor

3c7 commented Jul 6, 2017

You're welcome. Glad it works.
