EDR: Yara binary.db Contains 'NoneType'
Article ID: 287641

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • /var/log/cb/integrations/cb-yara-connector/yaraconnector.log contains:
    yara.SyntaxError: /etc/cb/integrations/cb-yara-connector/yara_rules/<rule>: undefined identifier <value>
  • sqlite3 /var/cb/data/cb-yara-connector/feed_db/binary.db "select * from binarydetonationresults;" contains:
    AttributeError: 'NoneType' object has no attribute 'match'

Environment

  • EDR Server: 7.x
  • Yara Connector: 2.2+

Cause

One of the Yara rules is malformed (in the log line above, it references an undefined identifier), so the connector cannot compile the rule set and its scan results are written without a match object. The file name of the offending rule is reported in yaraconnector.log.

Resolution

From the EDR Primary server command line:
  • Stop cb-yara-connector.
  • Remove the Yara rule named in yaraconnector.log from the /etc/cb/integrations/cb-yara-connector/yara_rules/ directory.
  • Move the compiled Yara rules file out of that directory if it exists: /etc/cb/integrations/cb-yara-connector/yara_rules/.YARARULES.xxx
  • Remove the invalid cb-yara-connector reports: feed.json and feed_db/binary*
  • Start cb-yara-connector. This should recompile the rules and recreate the .YARARULES file.
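The same procedure as a script, added here as an example; it is not part of the KB article or of the connector project. It pulls the offending rule path out of yaraconnector.log (the yara.SyntaxError format shown above) and then carries out the steps in order. Its assumptions: the connector is managed by a systemd unit named cb-yara-connector, feed.json sits beside feed_db under /var/cb/data/cb-yara-connector, and the bad rule and stale .YARARULES cache are moved into a made-up quarantine directory (/var/tmp/cb-yara-quarantine) instead of being deleted, so the rule can be corrected and put back.

```shell
#!/bin/bash
# Added example, not from the Carbon Black KB article or the cb-yara-connector project.
# Locates the rule the connector log blames and applies the article's remediation.
# DRY_RUN=1 prints each command instead of executing it.
set -u

RULES_DIR=/etc/cb/integrations/cb-yara-connector/yara_rules
DATA_DIR=/var/cb/data/cb-yara-connector
LOG=/var/log/cb/integrations/cb-yara-connector/yaraconnector.log
QUARANTINE=${QUARANTINE:-/var/tmp/cb-yara-quarantine}   # assumed location, not from the article
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Print the rule paths named in "yara.SyntaxError: <path>: ..." log lines.
# Reads log text on stdin; one path per line, deduplicated; empty if none.
broken_rules_from_log() {
    { grep -o 'yara\.SyntaxError: [^:]*' || true; } \
        | sed 's/^yara\.SyntaxError: //' | sort -u
}

# Apply the article's steps for one offending rule file.
remediate() {
    rule=$1
    run systemctl stop cb-yara-connector          # assumes a systemd unit of this name
    run mkdir -p "$QUARANTINE"
    # Step 1: take the bad rule out of the rules directory (moved, not deleted).
    run mv "$rule" "$QUARANTINE/"
    # Step 2: move the compiled rule cache aside so it is rebuilt from the
    # remaining sources (the article names it .YARARULES.xxx; the suffix varies).
    for compiled in "$RULES_DIR"/.YARARULES*; do
        [ -e "$compiled" ] && run mv "$compiled" "$QUARANTINE/"
    done
    # Step 3: drop the feed and result database produced with the broken rule set.
    run rm -f "$DATA_DIR/feed.json"               # feed.json location is assumed
    for db in "$DATA_DIR"/feed_db/binary*; do
        [ -e "$db" ] && run rm -f "$db"
    done
    # Step 4: restart so the connector recompiles the rules and recreates .YARARULES.
    run systemctl start cb-yara-connector
}

main() {
    rules=$(broken_rules_from_log < "$LOG")
    if [ -z "$rules" ]; then
        echo "no yara.SyntaxError entries found in $LOG" >&2
        return 1
    fi
    for r in $rules; do
        echo "offending rule: $r"
        remediate "$r"
    done
}

# Run the full procedure only when asked, so the functions can also be sourced.
if [ "${RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it first as `RUN=1 DRY_RUN=1 bash fix-yara-rule.sh` to see the planned commands, then without DRY_RUN as root. After the restart, confirm that yaraconnector.log no longer reports yara.SyntaxError and that the sqlite3 query from the introduction returns rows without the AttributeError.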