2019-07-10 05:42 PM
I recently imported some custom yara rules into the Malware Analysis appliance. These particular rules had a large condition set that relied on pe.imphash(), so first off, the .yara file has an import for pe, just to be sure:
import "pe"
--------
A test of the rules compiles fine:
]# yara -v
yara 3.5.0
]# yara NW_imphash_test.yara dummy.txt
]#
--------
However, when I dropped these yara sigs into the /watch folder, they error on any lines that attempt to use the pe.imphash() yara function. The conditions are all pretty simple:
condition:
( pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744" or 8 of them )
--------
I can't find any documentation that would indicate the 'import pe' shouldn't work, and the yara binary compiled fine in a test run, yet MA throws an error.
YaraFileWatch - Failed to process /var/lib/rsamalware/spectrum/yara/watch/NW_imphash_test.yara file. Reason: Traceback (most recent call last):
File "<stdin>", line 6, in <module>
yara.SyntaxError: /var/lib/rsamalware/spectrum/yara/tmp1234567890123(87): invalid field name "imphash"
--------
Is there a trick to getting this level of pe inspection to work?
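For context on what the rule above is comparing against, here is an added example (not from the original post or from the NetWitness product) that derives an imphash the same way pefile and yara's pe module do: DLL names lowercased with the extension stripped, function names lowercased, ordinal-only imports written as ordN, entries joined with commas and MD5'd. The import table is a constructed sample, not taken from any real file.

```python
import hashlib

# Constructed sample import table in the shape pefile exposes
# (dll name -> list of (function name or None, ordinal)); not from a real binary.
SAMPLE_IMPORTS = {
    "KERNEL32.DLL": [("GetProcAddress", 0), ("LoadLibraryA", 0)],
    "WS2_32.dll": [(None, 23)],
    "user32.dll": [("MessageBoxA", 0)],
}


def _normalize_dll(name):
    """Lowercase the DLL name and strip the extensions imphash ignores."""
    name = name.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash_entries(imports):
    """Return the ordered 'dll.function' entries that feed the hash.

    Ordinal-only imports become 'ordN'. Real tools additionally map
    well-known ordinals (ws2_32, oleaut32) back to names via a lookup
    table; that table is omitted here, so hashes for such binaries differ.
    """
    entries = []
    for dll, funcs in imports.items():
        base = _normalize_dll(dll)
        for name, ordinal in funcs:
            func = name.lower() if name else "ord%d" % ordinal
            entries.append("%s.%s" % (base, func))
    return entries


def imphash(imports):
    """MD5 over the comma-joined entries: the value pe.imphash() compares against."""
    joined = ",".join(imphash_entries(imports))
    return hashlib.md5(joined.encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash_entries(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Because the hash is taken over normalized names only, two builds of the same program with the same import list produce the same imphash regardless of section layout, which is why a rule can pin a family on it alone.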