EDR: CB-Yara-Manager 404 Error or Connection Refused

Article ID: 287434

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Unable to browse to the Yara Manager page after installing CB-Yara-Connector and CB-Yara-Manager.
  • /var/log/cb/nginx/access.log:
::ffff:<ip_address> - - [14/Oct/2021:10:42:05 +0200(0.017)] "GET /connector/yara HTTP/1.1" 308 281 917 841 "-" "" ">[::1]:8082, 127.0.0.1:8082" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36 Edg/94.0.992.38" "-"
::ffff:<ip_address> - - [14/Oct/2021:10:42:05 +0200(0.003)] "GET /connector/yara/ HTTP/1.1" 401 338 553 842 "-" "" ">127.0.0.1:8082" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36 Edg/94.0.992.38" "-"
  • /var/log/cb/nginx/error.log:
2021/10/14 10:42:05 [error] 10699#10699: *348352190 connect() failed (111: Connection refused) while connecting to upstream, client: ::ffff:<ip_address>, server: , request: "GET /connector/yara HTTP/1.1", upstream: "http://[::1]:8082/connector/yara", host: "edr.localdomain.com:443"
2021/10/14 10:42:05 [warn] 10699#10699: *348352190 upstream server temporarily disabled while connecting to upstream, client: ::ffff:<ip_address>, server: , request: "GET /connector/yara HTTP/1.1", upstream: "http://[::1]:8082/connector/yara", host: "edr.localdomain.com:443"
  • /var/log/cb/integrations/cb-yara-manager/cb-yara-manager.log:
<ip_address> - - [14/Oct/2021 10:59:59] code 400, message Bad request version ('\x00\x00')
<ip_address> - - [14/Oct/2021 10:59:59] "^[[35m^[[1m^V^C^A^B^@^A^@^Aü^C^C^NjHsHóøÌ-ÐQ%è^_h.<8b>ÄTYnnR1&<9a><80>GJ<83>^SÏ ûÔº«¬å1Ç^V4^E dcð^K7Ö^V^P^O<8f>Ø<96>ýïB×*¿<85>~^@ êê^S^A^S^B^S^CÀ+À/À,À0̨̩À^SÀ^T^@<9c>^@<9d>^@/^@5^A^@^A<93>ºº^@^@^@^@^@^O^@^M^@^@^[[0m" HTTPStatus.BAD_REQUEST -

 

Environment

  • EDR Server: 7.5.x +
  • CB-Yara-Manager: 2.x +

Cause

The setup described on page 271 of the VMware Carbon Black EDR 7.5 User Guide was not completed.

Resolution

  • Add these parameters to the /etc/cb/cb.conf file:
YaraManagerEnabled=true
YaraManagerToken=<token created in the yara manager auth.conf file>
  • Restart the following services:
sudo systemctl restart cb-yara-connector
sudo systemctl restart cb-yara-manager
sudo /usr/share/cb/cbservice cb-coreservices restart
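
A check for the two cb.conf settings above, added here as an example (it is not VMware's or the product's own tooling). It assumes cb.conf holds one Key=Value pair per line, that # starts a comment, and that the last uncommented occurrence of a key wins; conf_get and check_yara_manager_conf are hypothetical helper names.

```shell
#!/bin/sh
# Added example: verify the Yara Manager settings in a cb.conf-style file.
# Assumptions: one Key=Value per line, '#' starts a comment, last value wins.

# Print the value of key $1 in file $2; return 1 if the key is not set.
conf_get() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                     # skip commented-out lines
        {
            pos = index($0, "=")                # split on the first "=" only
            if (pos == 0) next
            k = substr($0, 1, pos - 1)
            v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k)    # trim blanks and stray CRs
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (!found) exit 1; print val }
    ' "$2"
}

# Return 0 when both settings are usable, 1 otherwise. Findings go to stderr.
# The token value itself is never printed.
check_yara_manager_conf() {
    conf="$1"
    rc=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }

    if enabled=$(conf_get YaraManagerEnabled "$conf"); then
        case "$enabled" in
            true) ;;
            *) echo "YaraManagerEnabled is '$enabled', expected true" >&2; rc=1 ;;
        esac
    else
        echo "YaraManagerEnabled is missing or commented out" >&2; rc=1
    fi

    if token=$(conf_get YaraManagerToken "$conf"); then
        case "$token" in
            "")   echo "YaraManagerToken is empty" >&2; rc=1 ;;
            "<"*) echo "YaraManagerToken is still a placeholder" >&2; rc=1 ;;
        esac
    else
        echo "YaraManagerToken is missing or commented out" >&2; rc=1
    fi
    return $rc
}
```

Run `check_yara_manager_conf /etc/cb/cb.conf` before restarting the services; a non-zero return means one of the two parameters still needs attention.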