EDR: CB-Yara-Manager Error Unable to Upload Rule File

Article ID: 284950

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • When uploading a known good Yara Rule through the CB-Yara-Manager UI, an error is received.
  • This error is observed in /var/log/cb/integrations/cb-yara-manager/cb-yara-manager.log, with some variation based on the field name being loaded:
127.0.0.1 - - [21/Oct/2021 12:17:47] "[[33mGET /connector/yara/vendor/themes/default/assets/fonts/icons.ttf HTTP/1.1[[0m" 404 -
Traceback (most recent call last):
File "src/app/routes.py", line 71, in validate_yara_rule
yara.SyntaxError: /etc/cb/integrations/cb-yara-connector/yara_rules/<rule_name>.yar(104): invalid field name "<field_name>"

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "src/app/routes.py", line 198, in upload_rules
File "src/app/routes.py", line 73, in validate_yara_rule
AttributeError: 'SyntaxError' object has no attribute 'message'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "src/app/routes.py", line 204, in upload_rules
AttributeError: 'AttributeError' object has no attribute 'message'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "src/app/routes.py", line 60, in wrapped_f
File "src/app/routes.py", line 208, in upload_rules
AttributeError: 'AttributeError' object has no attribute 'message'
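
The chained traceback above reads oldest-first: the yara.SyntaxError is the actual validation result, and each later AttributeError is raised by an error handler reading a `.message` attribute that Python 3 exceptions do not have. The sketch below is an added example, not CB-Yara-Manager code; `RuleSyntaxError`, `compile_rule`, the validator functions and the sample error string are constructed stand-ins so it runs without yara installed.

```python
class RuleSyntaxError(Exception):
    """Constructed stand-in for yara.SyntaxError."""

# Constructed sample message, shaped like the one in the log.
SAMPLE_ERROR = 'constructed_rule.yar(104): invalid field name "example_field"'

def compile_rule(path):
    # Hypothetical compiler call: always rejects the rule, as in the log.
    raise RuleSyntaxError(SAMPLE_ERROR)

def validate_broken(path):
    """Handler that reads .message, which Python 3 exceptions do not define."""
    try:
        compile_rule(path)
    except RuleSyntaxError as e:
        return {"valid": False, "error": e.message}  # raises AttributeError
    return {"valid": True, "error": None}

def validate_fixed(path):
    """Same check; str(e) preserves the compiler's own message."""
    try:
        compile_rule(path)
    except RuleSyntaxError as e:
        return {"valid": False, "error": str(e)}
    return {"valid": True, "error": None}

def exception_chain(exc):
    """Return the chain oldest-first, following __cause__ / __context__."""
    chain = []
    while exc is not None:
        chain.append(exc)
        exc = exc.__cause__ or exc.__context__
    return list(reversed(chain))

def triage(path):
    """Run the broken validator; report root cause and the masking error."""
    try:
        validate_broken(path)
    except Exception as masking:
        chain = exception_chain(masking)
        root, last = chain[0], chain[-1]
        return type(root).__name__, str(root), type(last).__name__
    return None, None, None

if __name__ == "__main__":
    print("broken handler:", triage("constructed_rule.yar"))
    print("fixed handler: ", validate_fixed("constructed_rule.yar"))
```

When triaging a log like this one, the first exception in the chain (here the invalid field name) is the one to act on; the later ones only describe the handler failing.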

Environment

  • EDR Server: 7.5.x +
  • CB-Yara-Manager: 2.1.3
  • RHEL/CentOS: 7.x

Cause

Defect in the 2.1.3 version of CB-Yara-Manager when used with RHEL/CentOS 7.x.

Resolution

  • This item is resolved in the 2.2.0 CB-Yara-Manager release.
  • To work around this issue in 2.1.3, the rule can be placed into the /etc/cb/integrations/cb-yara-connector/yara_rules/ directory using the EDR instance's command-line interface.