EDR: Troubleshoot Yara Components
Article ID: 285265
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Troubleshoot Yara Components.
Environment
- EDR Server: 7.7.x
- Yara Connector: 2.2.0
- Yara Manager: 2.2.0
Resolution
Stepping through the Yara process:
- Validate the services are running:
systemctl restart cb-yara-connector systemctl restart cb-yara-manager systemctl status cb-yara-connector systemctl status cb-yara-manager
- Troubleshoot broken services:
Yara Manager is in the left menu column of EDR Console after cb.conf changes. Look for errors: less /var/log/cb/integrations/cb-yara-connector/yaraconnector.log less /var/log/cb/integrations/cb-yara-manager/cb-yara-manager.log
- Was the binary uploaded?
psql -d cb -p 5002 -c "select * from storefiles where md5hash='\x<hash>';"
- Did Yara analyze the file?
select md5,last_scan_date from binarydetonationresult where md5="<hash>"
- Was there a match?
grep <hash> /var/cb/data/cb-yara-connector/feed.json
- Where is the Yara alert?
curl 'http://localhost:8080/solr/cbfeeds/select?q=id:"binary_<md5 hash lower case here>"'
Additional Troubleshooting
a) Yara Connector logs/var/log/cb/integrations/cb-yara-connector/yaraconnector.log journalctl -fexu cb-yara-connectorb) Yara Manager logs
/var/log/cb/integrations/cb-yara-manager/cb-yara-manager.logc) Monitor binary.db. Does it grow in size as new binaries arrive to EDR? First command presents the total binaries scanned (should increase).
The second command identifies any missing binaries, perhaps aged out or uploaded to Alliance (should be 0).
sqlite3 /var/cb/data/cb-yara-connector/feed_db/binary.db "select count(*) from binarydetonationresult;" sqlite3 /var/cb/data/cb-yara-connector/feed_db/binary.db "select count(*) from binarydetonationresult where ‘binary_not_available’ and ‘score’>0;”d) Run a Process Search in EDR console and expand the time range to "All available".
alliance_score_yara:*e) Check for new binaries in Postgres. Modify the timestamp as needed.
psql -p 5002 cb -c “select md5hash,node_id from storefiles where present_locally=true and timestamp>=’2023-05-19 00:00:00’ order by timestamp desc;”f) Feed tile does not appear on Threat Intelligence page.
- Redis could be overwhelmed. Remove the client output buffer limit in /etc/cb/redis.conf.template. Change to
client-output-buffer-limit pubsub 0 0 0
- OR using EDR Console > Threat Intelligence > Add New Feed
URL: file://var/cb/data/cb-yara-connector/feed.jsong) By design, due to performance reasons, the connector does not retroactively go back to rescan binaries for matches when a rule is uploaded. The db would need to be cleared and trigger a new scan from the beginning.
h) Reset and Restart.
systemctl stop cb-yara-manager systemctl stop cb-yara-connector cp /etc/cb/integrations/cb-yara-connector/yara_rules/.YARA_RULES* /etc/cb/integrations/cb-yara-connector/yara_rules/.YARA_RULES-bkup rm /etc/cb/integrations/cb-yara-connector/yara_rules/.YARA_RULES* rm /var/cb/data/cb-yara-connector/feed.json rm /var/cb/data/cb-yara-connector/feed_db/binary* systemctl start cb-yara-connector systemctl start cb-yara-manageri) Yara-connector does not automatically start after reboot.
Check symlink from /etc/systemd/system/multi-user.target.wants/cb-yara-connector.service to etc/system/system/cb-yara-connector.sevice
j) Debug mode. Add to /etc/cb/integrations/cb-yara-connector/yaraconnector.conf then restart cb-yara-connector. k) Binary scan does not start so feed.json does not populate.
log_level=DEBUGk) Verify the Threat Report is populated from the Yara Feed tile or run the following command on the EDR Primary server.
curl 'http://localhost:8080/solr/cbfeeds/select?q=id:"binary_<md5 hash lower case here>"'l) The binary scan does not start and feed.json remains empty.
* Confirm the mode is set to 'standalone' (even in an EDR cluster on primary server) * Confirm the token in the yara configuration has adequate permissions to access the binaries and the account is active.j) The binary.db and feed.json are populated but alerts do not appear in the console. The connection with Solr may be broken.
* Check the Solr logs and yara-connector logs for errors. * Consider resetting the yara-connector noted in step h.
Additional Information
Troubleshoot Yara Services
- Yara Complete: https://community.carbonblack.com/t5/Knowledge-Base/EDR-Understanding-and-Deploying-Yara-Components/ta-p/118591
- Yara Connector Fails to Start: https://community.carbonblack.com/t5/Knowledge-Base/EDR-yara-connector-fails-to-start/ta-p/99650
- Yara Manager does not start: https://community.carbonblack.com/t5/Knowledge-Base/EDR-CB-Yara-Manager-Will-Not-Start-Error-DuplicateOptionError/ta-p/109355
- Yara Manager HTTP 401 Unauthorized. https://community.carbonblack.com/t5/Knowledge-Base/EDR-Yara-Manager-401-Unauthorized-Message/ta-p/96349
- Yara Manager does not start: https://community.carbonblack.com/t5/Knowledge-Base/EDR-CB-Yara-Manager-Will-Not-Start-Error-DuplicateOptionError/ta-p/109355
- Yara Manager HTTP 404 Refused: https://community.carbonblack.com/t5/Knowledge-Base/EDR-CB-Yara-Manager-404-Error-or-Connection-Refused/ta-p/107937
- Yara Manager HTTP 502 Bad Gateway: https://community.carbonblack.com/t5/Knowledge-Base/EDR-Bad-gateway-Error-502-when-accessing-Yara-manager-url/ta-p/97127
Troubleshoot Yara Scanning and Alerting
- Yara Feed is not visible: https://community.carbonblack.com/t5/Knowledge-Base/EDR-Yara-Feed-Not-Visible-on-Threat-Intelligence-Feed-Page/tap/91250
- Binary scans https://community.carbonblack.com/t5/Knowledge-Base/EDR-Yara-Connector-New-Yara-Rule-Does-Not-Running-on-Binaries/ta-p/107538
- Yara not firing on binary: https://community.carbonblack.com/t5/Knowledge-Base/EDR-Yara-is-Not-Alerting-On-Expected-Binary/ta-p/117779
- No Threat Report: https://community.carbonblack.com/t5/Knowledge-Base/EDR-No-threat-report-for-yara-feed/ta-p/94527
- Threat Report data missing due to rule syntax: https://community.carbonblack.com/t5/Knowledge-Base/CB-Response-No-threat-reports-in-the-Yara-connector-in-the-web/ta-p/67453
Troubleshoot Yara Scanning and Reporting
Feedback
Yes
No
Powered by
