MA: Enable Custom YARA Content

Document created by RSA Information Design and Development on Jul 29, 2016

This topic provides instructions for enabling custom YARA content on the Security Analytics appliance on which the Malware Analysis service is installed.

In addition to the built-in indicators of compromise, Security Analytics Malware Analysis supports indicators of compromise written in YARA. YARA is a rule language that allows malware researchers to identify and classify malware samples. RSA makes built-in YARA-based Indicators of Compromise (IOCs) available in RSA Live; these are automatically downloaded and activated on subscribed appliances.

Customers with advanced skills and knowledge can add detection capabilities to RSA Malware Analysis by authoring YARA rules and publishing them in RSA Live or placing YARA rules in a watched folder for the appliance to consume. This section provides instructions for the Administrator who configures appliances to enable the creation of custom YARA content.

Prerequisites

This is an advanced configuration task, which requires sufficient privilege and knowledge to set up a GNU Compiler Collection (GCC) and C++ Python development library to build YARA. In addition, you must be thoroughly familiar with the standard YARA documentation. The following components are required:

  • The Perl-Compatible Regular Expression (PCRE) library: pcre-8.33.tar.bz2
  • The yara 1.7 (rev:167) stand-alone YARA command line: yara-1.7.tar
  • The YARA extension for Python: yara-python-1.7.tar.gz
  • YARA rules documentation: YARA User's Manual 1.6.pdf

The components are available for download here: https://code.google.com/p/yara-project/downloads/list

Note: As of writing, YARA 2.0 is available but not supported for Security Analytics Malware Analysis 10.5.

Install Libraries and Applications Required to Build YARA on a CentOS-Based Appliance

As a prerequisite to building YARA on an appliance that is running CentOS, you must install make, the GNU Compiler Collection, and C++ Python Development Library on the appliance. To install the applications and libraries required to build YARA:

  1. To verify that only the standard YUM repo files, and no other repo files, are in the /etc/yum.repos.d folder, enter the following command:
    ls -al /etc/yum.repos.d
    The results should be similar to the following:
    -rw-r--r--. 1 root root 1926 Jun 26  2012 CentOS-Base.repo
    -rw-r--r--. 1 root root  637 Jun 26  2012 CentOS-Debuginfo.repo
    -rw-r--r--. 1 root root  626 Jun 26  2012 CentOS-Media.repo
    -rw-r--r--. 1 root root 2593 Jun 26  2012 CentOS-Vault.repo
  2. To install make on the appliance, enter the following commands:
    1. yum search make
      The following message is returned: make.x86_64 : A GNU tool which simplifies the build process for user
    2. yum install make.x86_64
  3. To install and test GCC on the appliance, enter the following commands:
    1. yum search gcc
      The following messages are displayed:
      gcc-c++.x86_64 : C++ support for GCC
      gcc.x86_64 : Various compilers (C, C++, Objective-C, Java, ...)
    2. Enter the following commands:
      yum install gcc.x86_64
      yum install gcc-c++.x86_64
    3. To test the gcc commands, enter the following commands:
      gcc -v
      cc -v
  4. To install the C++ Python development library on the appliance, enter the following commands:
    1. yum search python dev
      The following message is returned:
      python-devel.x86_64 : The libraries and header files needed for Python development
    2. yum install python-devel.x86_64

Set Up Yara

To set up the GCC toolchain and the C++ Python development library needed to build YARA on the Security Analytics appliance that is running Malware Analysis:

  1. Do one of the following:
    1. If the appliance on which you are installing is running Mac OS, install Xcode for Mac OS.
    2. If the appliance on which you are installing is running CentOS, install make, GCC and C++ Python development library using the YUM command line.
  2. To install the PCRE library on the appliance, open a terminal window and enter the following commands:
    tar -xvf pcre-8.33.tar.bz2
    cd pcre-8.33
    ./configure
    make
    sudo make install
  3. To install the stand-alone YARA command line, enter the following commands:
    tar -xvf yara-1.7.tar
    cd yara-1.7
    ./configure
    make
    sudo make install
  4. To test the stand-alone YARA command line:
    1. Enter the following command:
      yara
    2. If the command succeeds, continue with Step 7. If the command fails with the error yara: error while loading shared libraries: libpcre.so.1: cannot open shared object file: No such file or directory, enter the following command to check the /etc/ld.so.conf file or the LD_LIBRARY_PATH environment variable:
      ldconfig -v
  5. To install the YARA extension for Python, enter the following commands:
    tar -xvf yara-python-1.7.tar.gz
    cd yara-python-1.7
    python setup.py build
    sudo python setup.py install
  6. To test the YARA extension:
    1. Enter the following command: python
    2. At the Python prompt (>>>), enter the following commands:
      import yara
      exit()
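
As an added example (not from the RSA documentation), the following POSIX shell script automates the check in Step 4: it runs the freshly built yara binary, recognizes the libpcre.so.1 loader error quoted above, and reports whether the library directory is visible to the dynamic loader through /etc/ld.so.conf or LD_LIBRARY_PATH. It assumes PCRE was installed with the default ./configure prefix, so libpcre.so.1 landed in /usr/local/lib; the function names and sample strings are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the RSA documentation. Assumption: PCRE was built with
# the default ./configure prefix, so libpcre.so.1 was installed into /usr/local/lib.
LIBDIR=${LIBDIR:-/usr/local/lib}

# Print the library named in a dynamic-loader error message; print nothing otherwise.
missing_lib_from_output() {
    printf '%s\n' "$1" |
        sed -n 's/^.*error while loading shared libraries: \([^:]*\):.*$/\1/p'
}

# Return 0 if directory $1 is a line of the ld.so.conf text $2 or an entry of the
# colon-separated LD_LIBRARY_PATH value $3 (passed in so the logic is testable offline).
libdir_is_configured() {
    printf '%s\n' "$2" | grep -qxF -- "$1" && return 0
    case ":$3:" in *":$1:"*) return 0 ;; esac
    return 1
}

# Run "$@" and print one of: ok, not-found, missing-lib:<name>. Return 0 only for ok.
# "ok" means the binary loaded; yara's own usage message and exit status do not matter.
check_binary() {
    if out=$("$@" 2>&1 </dev/null); then rc=0; else rc=$?; fi
    lib=$(missing_lib_from_output "$out")
    if [ -n "$lib" ]; then
        printf 'missing-lib:%s\n' "$lib"
        return 1
    elif [ "$rc" -eq 127 ]; then
        printf 'not-found\n'
        return 1
    fi
    printf 'ok\n'
}

# Read the live loader configuration and say whether LIBDIR is covered.
report_libdir() {
    conf=$(cat /etc/ld.so.conf /etc/ld.so.conf.d/*.conf 2>/dev/null || true)
    if libdir_is_configured "$LIBDIR" "$conf" "${LD_LIBRARY_PATH:-}"; then
        printf '%s is known to the loader; run "sudo ldconfig" to refresh the cache\n' "$LIBDIR"
    else
        printf '%s is not in /etc/ld.so.conf* or LD_LIBRARY_PATH; add it, then run "sudo ldconfig"\n' "$LIBDIR"
        return 1
    fi
}

# Usage: sh check_yara.sh yara
if [ $# -gt 0 ]; then
    check_binary "$@" || report_libdir
fi
```

When the script reports missing-lib:libpcre.so.1, the ldconfig -v check from Step 4 shows which directories the loader actually searches, so you can compare them with the reported LIBDIR.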


When this configuration is complete, analysts can create custom YARA IOCs for consumption on a Malware Analysis appliance as described in Implement Custom YARA Content in the Investigation and Malware Analysis Guide.
