An administrator uploads custom YARA content to the RSA NetWitness Platform following the instructions in the documentation. Later they want to change or delete it, but the only options in the user interface are to disable or enable it. The names of the custom YARA files will differ from the ones shown here, reflecting the names given during upload.
Can anything be done?
The answer is yes. The steps below explain how to manage custom YARA content from the command line.
[root@malwareserver yara]# cd /var/netwitness/malware-analytics-server/spectrum/yara
Rules are merged into a single file. It is unknown if you can modify that file to remove a single rule.
[root@malwareserver yara]# ll
total 492
drwxr-xr-x. 2 netwitness netwitness 6 Aug 20 15:23 error
drwxr-xr-x. 2 netwitness netwitness 4096 Aug 29 14:02 processed
-rw-r--r--. 1 netwitness netwitness 587 Jul 15 16:49 rsa_mw_pdf_artifacts.yara
-rw-r--r--. 1 netwitness netwitness 76289 Jul 15 16:49 rsa_mw_pe_artifacts.yara
-rw-r--r--. 1 netwitness netwitness 96334 Jul 15 16:49 rsa_mw_pe_packers.yara
drwxr-xr-x. 2 netwitness netwitness 6 Aug 20 16:03 watch
-rw-r--r--. 1 netwitness netwitness 317666 Aug 20 16:05 custom_merged_static_rules.yar
[root@malwareserver yara]# rm -i custom_merged_static_rules.yar
[root@malwareserver yara]# cd /var/netwitness/malware-analytics-server/spectrum/yara/processed
[root@malwareserver yara]# rm -i custom_merged.yar
systemctl restart rsa-nw-malware-analytics-server
After performing these steps, you can verify the removal in the RSA NetWitness Platform UI under Services → [name of malware server] → Config → Indicators of Compromise → YARA.
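The same removal as a repeatable script, added here as an example rather than taken from the article or from RSA: it backs up both merged custom files before deleting them, leaves the shipped rsa_mw_*.yara rules alone, and restarts the service named above. The backup directory argument and the "norestart" switch are this script's own additions.

```shell
#!/bin/sh
# Added example (not from the original article): back up and remove the merged
# custom YARA files, then restart the Malware Analysis service.
# Assumed: the spectrum/yara path and the rsa-nw-malware-analytics-server unit
# name from the article. The backup dir and "norestart" mode are this script's own.

# Usage: remove_custom_yara <yara_dir> <backup_dir> [norestart]
remove_custom_yara() {
    yara_dir="$1"
    backup_dir="$2"
    mode="${3:-restart}"
    stamp=$(date +%Y%m%d%H%M%S)

    mkdir -p "$backup_dir" || return 1

    # Only the two merged custom files are removed; the shipped rsa_mw_*.yara
    # rules in the same directory are left untouched.
    for f in "$yara_dir/custom_merged_static_rules.yar" \
             "$yara_dir/processed/custom_merged.yar"; do
        if [ -f "$f" ]; then
            # Keep a timestamped copy so the rules can be reviewed or re-uploaded later.
            cp -p "$f" "$backup_dir/$(basename "$f").$stamp.bak" || return 1
            rm -f "$f" || return 1
            echo "removed $f (backup in $backup_dir)"
        else
            echo "not present: $f"
        fi
    done

    # Restart so the service stops using the deleted rules; skipped in norestart
    # mode, e.g. when rehearsing against a copy of the directory.
    if [ "$mode" != "norestart" ]; then
        systemctl restart rsa-nw-malware-analytics-server || return 1
    fi
    return 0
}

# Count the merged custom files still present under <yara_dir>; 0 means removed.
count_custom_merged() {
    n=0
    [ -f "$1/custom_merged_static_rules.yar" ] && n=$((n + 1))
    [ -f "$1/processed/custom_merged.yar" ] && n=$((n + 1))
    echo "$n"
}

# Real run (uncomment on the malware analysis host):
# remove_custom_yara /var/netwitness/malware-analytics-server/spectrum/yara /root/yara_backup
```

Run it once with "norestart" against a copy of the yara directory to confirm only the two custom_merged files are touched before running it for real.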