CB Response: No threat reports in the Yara connector in the web console

Article ID: 286333

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • No threat reports are shown in the Yara connector, although the connector is running.
  • The following error is logged in /var/log/integration/yara/yara.log:
ERROR: /usr/share/cb/integrations/yara/example_rules/generic_anomalies.yar(272): undefined identifier "filename"
(Note: the file name 'generic_anomalies.yar' may differ depending on the customer's environment.)
 

Environment

  • CB Response all versions

Cause

  • The error means that the /usr/share/cb/integrations/yara/example_rules/generic_anomalies.yar file is corrupted or not properly coded.

Resolution

  • Stop the connector by running the "service cb-yara-connector stop" command in the CBR CLI.
  • Move the corrupt 'generic_anomalies.yar' file (the file name will vary according to the implementation) out of /usr/share/cb/integrations/yara/example_rules/ to another location.
  • Start the connector by running "service cb-yara-connector start".
  • Verify in the yara log that the connector has started synchronizing the data without errors.
  • Verify that threat reports are being updated by going to the Yara connector in the CBR web console and clicking on threat reports. If data is still not shown, follow the steps below.
  1. Stop the service: service cb-yara-connector stop
  2. Remove the database file: rm /usr/share/cb/integrations/yara/db/sqlite.db
  3. Remove the feed from your Cb server's Threat Intelligence page
  4. Restart the service: service cb-yara-connector start
  • Verify the threat reports again.
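
The shell helper below is an added example, not vendor code. It finds which rule files the connector log reports as failing and moves them aside while the connector is stopped. It assumes the log line shape shown in the error above; the function names and the quarantine directory are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. Log line shape is taken from the article:
#   ERROR: /path/to/rules/some_rule.yar(272): undefined identifier "filename"

TAB=$(printf '\t')

# Print "path<TAB>line<TAB>message" for every rule compile error in log $1.
# Text before "ERROR:" (e.g. a timestamp) is tolerated; that is an assumption.
yara_compile_errors() {
    sed -n "s|^.*ERROR: \(/[^(]*\)(\([0-9][0-9]*\)): \(.*\)\$|\1${TAB}\2${TAB}\3|p" "$1"
}

# Print each failing rule file once.
failing_rule_files() {
    yara_compile_errors "$1" | cut -f1 | sort -u
}

# Move failing rule files out of the rules directory. Run only while the
# connector is stopped. Args: $1=log  $2=rules dir  $3=quarantine dir.
# Prints the files it moved.
quarantine_rules() {
    mkdir -p "$3" || return 1
    failing_rule_files "$1" | while IFS= read -r rule; do
        case "$rule" in
            *..*) continue ;;      # refuse path traversal taken from log text
            "$2"/*) ;;             # only touch files under the rules directory
            *) continue ;;
        esac
        [ -f "$rule" ] || continue
        mv -- "$rule" "$3/" && printf '%s\n' "$rule"
    done
}

# Stand-alone use: list failing rule files from the log path named in the article.
LOG=${1:-/var/log/integration/yara/yara.log}
if [ -r "$LOG" ]; then failing_rule_files "$LOG"; fi
```

Because the paths come from log text, quarantine_rules only moves files that sit under the rules directory passed to it.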