Yara Connector Continues to Send Alerts After Rules Have Been Removed

Article ID: 287418

Products

Carbon Black Hosted EDR (formerly Cb Response Cloud)
Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Alerts from the Yara feed continue to fire even though the rules that produced them have been removed.

Environment

  • EDR Server: All Supported Versions
  • CB-Yara-Connector/Manager: All Supported Versions

Cause

  • Binaries that matched the removed rules are still tagged in SOLR.
  • Until those binaries are untagged, they continue to generate alerts for the removed rules.

Resolution

  1. Stop the cb-yara-connector service:
     systemctl stop cb-yara-connector
  2. Back up the current JSON feed file:
     mv /var/cb/data/cb-yara-connector/feed.json /var/cb/data/cb-yara-connector/feed.json.bkp
  3. Remove the matching rule from the binaries recorded in the connector database:
     1. Find the last_success_msg values that reference the rule being removed. In this example the rule is matchover100kb:
        sqlite3 /var/cb/data/cb-yara-connector/feed_db/binary.db "select last_success_msg from binarydetonationresult where last_success_msg like '%matchover100kb%' group by last_success_msg;"
     2. Each last_success_msg lists all rules that matched the binary, for example:
        Matched yara rules: matchover100kb
        Matched yara rules: matchover100kb, matchover600kb
     3. In the example output, some binaries also matched the "matchover600kb" rule. Depending on the value, either UPDATE the row (multiple matches, keep the other rules) or DELETE it (single match):
        • To handle "Matched yara rules: matchover100kb, matchover600kb" and keep 'matchover600kb':
          sqlite3 /var/cb/data/cb-yara-connector/feed_db/binary.db "UPDATE binarydetonationresult SET last_success_msg = 'Matched yara rules: matchover600kb' WHERE last_success_msg = 'Matched yara rules: matchover100kb, matchover600kb';"
        • To handle just "Matched yara rules: matchover100kb":
          sqlite3 /var/cb/data/cb-yara-connector/feed_db/binary.db "DELETE FROM binarydetonationresult WHERE last_success_msg = 'Matched yara rules: matchover100kb';"
  4. Run the feed scrubber to untag the existing Yara feed, as per How to tag/untag feed binaries and events. There is no need to retag the events as mentioned in that article:
     /usr/share/cb/cbfeed_scrubber --untag yara
  5. Restart the EDR services, then start the cb-yara-connector service:
     systemctl restart cb-enterprise
     systemctl start cb-yara-connector
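The following script generalizes step 3 to any rule name; it is an added example, not part of the article or the connector's own tooling. It rewrites rows that also matched other rules, deletes rows where the removed rule was the only match, and compares rule names exactly rather than by substring (so a LIKE '%matchover100kb%' hit on a differently named rule is not touched); it assumes the table keeps SQLite's implicit rowid, and the md5 column and sample rows are constructed for the demo.

```python
import sqlite3

PREFIX = "Matched yara rules: "

def parse_rules(msg):
    """'Matched yara rules: a, b' -> ['a', 'b']; anything else -> []."""
    if not msg or not msg.startswith(PREFIX):
        return []
    return [r.strip() for r in msg[len(PREFIX):].split(",") if r.strip()]

def remove_rule(conn, rule):
    """Drop `rule` from every last_success_msg: delete rows where it was the only
    match, rewrite rows that also matched other rules. Exact-name comparison keeps
    a LIKE '%name%' substring hit on another rule (matchover100kb_v2) untouched."""
    updated = deleted = 0
    rows = conn.execute("SELECT rowid, last_success_msg FROM binarydetonationresult "
                        "WHERE last_success_msg LIKE ?", (f"%{rule}%",)).fetchall()
    for rowid, msg in rows:
        rules = parse_rules(msg)
        if rule not in rules:
            continue
        remaining = [r for r in rules if r != rule]
        if remaining:
            conn.execute("UPDATE binarydetonationresult SET last_success_msg = ? "
                         "WHERE rowid = ?", (PREFIX + ", ".join(remaining), rowid))
            updated += 1
        else:
            conn.execute("DELETE FROM binarydetonationresult WHERE rowid = ?", (rowid,))
            deleted += 1
    conn.commit()
    return updated, deleted   # counts of rewritten and deleted rows

def demo_db():
    """Constructed in-memory stand-in for binary.db (md5 column is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE binarydetonationresult (md5 TEXT, last_success_msg TEXT)")
    conn.executemany("INSERT INTO binarydetonationresult VALUES (?, ?)", [
        ("aa" * 16, "Matched yara rules: matchover100kb"),
        ("bb" * 16, "Matched yara rules: matchover100kb, matchover600kb"),
        ("cc" * 16, "Matched yara rules: matchover600kb"),
        ("dd" * 16, "Matched yara rules: matchover100kb_v2"),  # lookalike rule name
    ])
    return conn

def remaining_messages(conn):
    return sorted(m for (m,) in conn.execute("SELECT last_success_msg FROM binarydetonationresult"))

if __name__ == "__main__":
    conn = demo_db()
    print(remove_rule(conn, "matchover100kb"))  # (1, 1)
```

To use it against the real database, open /var/cb/data/cb-yara-connector/feed_db/binary.db with sqlite3.connect instead of demo_db, and only while the connector is stopped as in step 1; then continue with the scrubber and restart steps.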

Additional Information

  • Yara scans the binaries stored locally on the EDR server against the configured rule set. Deleting binary.db is an option to start fresh; however, binaries previously seen will not match again unless they still exist locally on the EDR server.
  • Updating binary.db to remove the specific rule generates a new feed.json file, which is picked up on the Threat Intel page during the next incremental sync.
  • Untagging removes the tags that the Yara feed previously applied to the binaries, which stops the alerting on those tags.