EDR: Adding and Validating Yara Rules
Article ID: 285246

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to add Yara rules to the EDR server and validate that they compile and are applied.

Resolution

A.  Adding Yara Rules

  • Rules are contained within *.yar files.
  • The .yar files are placed in the following directory:
    /etc/cb/integrations/cb-yara-connector/yara_rules/
  • Rules can also be added by uploading the .yar file through the Yara Manager web UI, which performs rudimentary checks on the file:
    Yara Manager > Yara Rules > Choose File > Upload Rule
  • The Yara connector monitors the directory for new rules; there is no need to restart cb-yara-connector to ingest them.
  • Tips:
    1. Get the Yara connector working with the default rule first (/etc/cb/integrations/cb-yara-connector/yara_rules/sample.yar).
    2. Only add a few rules at a time.
    3. Cut-and-paste can add extra characters and cause troubleshooting issues.  If you must cut-and-paste, copy from a plain text editor.
    4. Validate that the rules are working.  Currently this is done by reviewing the logs; the validate tool should be fixed in the next release.
    5. Review yara.readthedocs.io for additional information.


B.  Validating the Yara Rules

Note:  The option ./yaraconnector --validate-yara-rules is currently broken.  The fix is expected in the next release after version 2.2.0.

  1.  Run:
      yara <yar file name> <directory>
      Example:
      yara /tmp/sample.yar .
  2.  No output indicates the rule compiled without error.  Any errors encountered are reported with the rule name, the file, the line number (in parentheses), and a description.  Example errors:
      error: rule "sample" in /tmp/sample.yar(3): non-ascii character
      error: rule "sample" in /tmp/sample.yar(3): syntax error, unexpected end of file
  3.  Yara syntax errors may also appear in the Yara connector log:
      less /var/log/cb/integrations/cb-yara-connector/yaraconnector.log
  4.  To verify that the compiled Yara rules are actually tagging binaries, run this search query on the Process Search page:
      alliance_score_yara:*
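The checks from section A (tip 3, stray characters from cut-and-paste) and section B (compile with the yara CLI, expect no output) gathered into one pre-flight script before a rule is dropped into the connector directory. This is an added example, not the KB article's or the connector's own tooling; it assumes the yara CLI is on PATH and uses the rules directory named in section A.

```sh
#!/bin/sh
# Pre-flight checks for a .yar file before it is placed in the yara-connector rules
# directory.  Added example: not the KB article's or the connector's own tooling.
# Assumes the `yara` CLI is on PATH.  RULES_DIR defaults to the directory from section A.
RULES_DIR="${RULES_DIR:-/etc/cb/integrations/cb-yara-connector/yara_rules}"

# Catch cut-and-paste debris (smart quotes, non-breaking spaces) before yara does.
# In the C locale [:print:] and [:space:] cover exactly printable ASCII plus whitespace,
# so any match is a non-ASCII or stray control byte; grep -n prints the offending lines.
yar_is_ascii() {
    [ -r "$1" ] || return 1
    if LC_ALL=C grep -n '[^[:print:][:space:]]' "$1" >&2; then
        return 1
    fi
    return 0
}

# The article's compile check: yara <rule file> <directory>, expecting no output.
# Scanning an empty scratch directory keeps it fast; any output is yara reporting a
# compile error with its line number, so the rule is rejected.
yar_compiles() {
    scratch=$(mktemp -d) || return 1
    out=$(yara "$1" "$scratch" 2>&1)
    rmdir "$scratch"
    if [ -n "$out" ]; then
        printf '%s\n' "$out" >&2
        return 1
    fi
    return 0
}

# Stage one rule: both checks must pass before the file is copied into RULES_DIR,
# where the connector picks it up without a restart.  Never stages if yara is missing.
stage_rule() {
    f="$1"
    yar_is_ascii "$f"  || { echo "REJECT $f: non-ASCII bytes (lines listed above)" >&2; return 1; }
    command -v yara >/dev/null 2>&1 || { echo "REJECT $f: yara CLI not found" >&2; return 1; }
    yar_compiles "$f"  || { echo "REJECT $f: compile error" >&2; return 1; }
    cp "$f" "$RULES_DIR/" && echo "STAGED $f -> $RULES_DIR/"
}

# Usage: sh stage_yara_rules.sh one.yar two.yar   (a few rules at a time, per tip 2)
for f in "$@"; do
    stage_rule "$f"
done
```

A rejected file never reaches the connector directory, so the log in step 3 stays clean and the only rules the connector ingests are ones that already passed the step 1 compile check.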