MAA Appliance not accepting YARA Rules

Article ID: 168267

Products

Malware Analysis Software - MA

Issue/Introduction

Resolution

To test whether your YARA rule compiles correctly, use the CLI on the MAA server to compile the rule with the Python yara module.

1.  SSH to the MAA server as the g2 user.
2.  Run the following commands:

$ python
>>> import yara
>>> s = """
... <paste yara rules here>
... """
>>> yara.compile(source=s)

The rules are pasted between an opening and a closing set of three double quotes (""").

If the rule compiles correctly, you should get output like this:

<yara.Rules object at 0x7f4755c431e0>

Otherwise you will receive an error pointing to the problem in the rule. You can also use the GUI syslog widget to look for errors when importing the YARA rule file by appending /rapi/widgets/syslog to the MAA URL, for example:

https://maa_ip_address/rapi/widgets/syslog
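
For the CLI compile check above, the following script is an added example (not part of the original article or the product) that runs the same yara.compile(source=...) call on a rule file and prints the source line a syntax error points to. The script name check_yara.py and the function names are hypothetical; it relies on yara-python reporting syntax errors as "line N: message" for source= and "file(N): message" for filepath=.

```python
#!/usr/bin/env python
"""Compile a YARA rule file and show the line a compile error points to."""
import re
import sys

# yara-python syntax errors read "line N: msg" (source=) or "file(N): msg" (filepath=)
_LINE_RE = re.compile(r"(?:^line (\d+)|\((\d+)\)):")


def locate_error(source, message, context=1):
    """Return (line_no, excerpt) for an error message, or (None, "") if it names no line."""
    m = _LINE_RE.search(message)
    if not m:
        return None, ""
    line_no = int(m.group(1) or m.group(2))
    lines = source.splitlines()
    lo = max(line_no - 1 - context, 0)
    hi = min(line_no + context, len(lines))
    # Mark the reported line with ">" and show `context` lines either side.
    excerpt = "\n".join(
        "%s %4d | %s" % (">" if i + 1 == line_no else " ", i + 1, lines[i])
        for i in range(lo, hi)
    )
    return line_no, excerpt


def check_rules(source):
    """Compile rule text as the article does; return None on success, else a report."""
    import yara  # imported here so locate_error() is usable without the module
    try:
        yara.compile(source=source)
    except yara.SyntaxError as exc:
        _, excerpt = locate_error(source, str(exc))
        return "%s\n%s" % (exc, excerpt)
    return None


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_yara.py RULES_FILE")
    with open(sys.argv[1]) as fh:
        report = check_rules(fh.read())
    print(report or "OK: rules compiled")
    sys.exit(1 if report else 0)
```

The exit status is 0 when the rules compile and 1 otherwise, so the check can gate a rule file before it is imported into the appliance.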