Enable Custom YARA Content

This topic provides instructions for enabling custom YARA content on the NetWitness host on which the Malware Analysis service is installed. In addition to the built-in Indicators of Compromise, Malware Analysis supports indicators of compromise written in YARA. YARA is a rule language that allows malware researchers to identify and classify malware samples. NetWitness makes built-in YARA-based Indicators of Compromise (IOCs) available in NetWitness Live; these are automatically downloaded and activated on subscribed appliances.

Customers with advanced skills and knowledge can add detection capabilities to NetWitness Malware Analysis by authoring YARA rules and publishing them in Live or placing YARA rules in a watched folder for the appliance to consume. This section provides instructions for the Administrator who configures appliances to enable the creation of custom YARA content.

Prerequisites

This is an advanced configuration task, which requires sufficient privilege and knowledge to set up the GNU Compiler Collection (GCC) and the C++ Python development library needed to build YARA. In addition, you must be thoroughly familiar with the standard YARA documentation. The following components are required:

  • The Perl-Compatible Regular Expression (PCRE) library: pcre-8.33.tar.bz2
  • The yara 1.7 (rev:167) stand-alone YARA command line: yara-1.7.tar
  • The YARA extension for Python: yara-python-1.7.tar.gz
  • YARA rules documentation: YARA User's Manual 1.6.pdf

The components are available for download here: https://code.google.com/p/yara-project/downloads/list

Note: As of writing, YARA 2.0 is available but not supported for Malware Analysis 10.5.

Install Libraries and Applications Required to Build YARA on a CentOs-Based Appliance

As a prerequisite to building YARA on a host that is running CentOS, you must install make, the GNU Compiler Collection, and the C++ Python development library on the appliance. To install the applications and libraries required to build YARA:

  1. To ensure the standard YUM repo and no other repo files are in the /etc/yum.repos.d folder, enter the following command:
    ls -al /etc/yum.repos.d
    The results should be similar to the following:
    -rw-r--r--. 1 root root 1926 Jun 26 2012 CentOS-Base.repo
    -rw-r--r--. 1 root root 637 Jun 26 2012 CentOS-Debuginfo.repo
    -rw-r--r--. 1 root root 626 Jun 26 2012 CentOS-Media.repo
    -rw-r--r--. 1 root root 2593 Jun 26 2012 CentOS-Vault.repo
  2. To install make on the appliance, enter the following commands:
    1. yum search make
      The following message is returned: make.x86_64 : A GNU tool which simplifies the build process for user
    2. yum install make.x86_64
  3. To install and test GCC on the host, enter the following commands:
    1. yum search gcc
      The following messages are displayed:
      gcc-c++.x86_64 : C++ support for GCC
      gcc.x86_64 : Various compilers (C, C++, Objective-C, Java, ...)
    2. Enter the following commands:
      yum install gcc.x86_64
      yum install gcc-c++.x86_64
    3. To test the gcc commands, enter the following commands:
      gcc -v
      cc -v
  4. To install the C++ Python development library on the appliance, enter the following commands:
    1. yum search python dev
      The following message is returned:
      python-devel.x86_64 : The libraries and header files needed for Python development
    2. yum install python-devel.x86_64

Set Up YARA

To set up the build environment (GCC and the C++ Python development library) and build YARA on the NetWitness host that is running Malware Analysis:

  1. Do one of the following:
    1. If the host on which you are installing is running Mac OS, install Xcode for Mac OS.
    2. If the host on which you are installing is running CentOS, install make, GCC and C++ Python development library using the YUM command line.
  2. To install the PCRE library on the host, open a terminal window and enter the following commands:
    tar -xvf pcre-8.33.tar.bz2
    cd pcre-8.33
    ./configure
    make
    sudo make install
  3. To install the stand-alone YARA command line, enter the following commands:
    tar -xvf yara-1.7.tar
    cd yara-1.7
    ./configure
    make
    sudo make install
  4. To test the stand-alone YARA command line:
    1. Enter the following command:
      yara
    2. If the command succeeds, continue with Step 5. If the command fails with the error "yara: error while loading shared libraries: libpcre.so.1: cannot open shared object file: No such file or directory", the dynamic loader cannot find the PCRE library installed in Step 2; enter the following command to check the /etc/ld.so.conf file or the LD_LIBRARY_PATH environment variable:
      ldconfig -v
  5. To install the YARA extension for Python, enter the following commands:
    tar -xvf yara-python-1.7.tar.gz
    cd yara-python-1.7
    python setup.py build
    sudo python setup.py install
  6. To test the YARA extension:
    1. Enter the following command: python
    2. At the Python prompt (>>>), enter the following commands:
      import yara
      exit()
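The following script is an added example, not part of the NetWitness documentation: it diagnoses the libpcre.so.1 failure described in Step 4 by parsing ldconfig -p output and /etc/ld.so.conf to decide whether the loader can find the PCRE library that make install placed under /usr/local/lib (that default prefix, the function names, and the sample text are assumptions constructed here).

```python
import os
import re
import subprocess

# Constructed sample inputs (not captured from a real host): a cache with no PCRE entry
# and a stock CentOS ld.so.conf that only includes ld.so.conf.d.
SAMPLE_LDCONFIG_P = (
    "2 libs found in cache `/etc/ld.so.cache'\n"
    "\tlibz.so.1 (libc6,x86-64) => /lib64/libz.so.1\n"
    "\tlibc.so.6 (libc6,x86-64) => /lib64/libc.so.6\n"
)
SAMPLE_LD_SO_CONF = "include ld.so.conf.d/*.conf\n"

def libs_in_cache(ldconfig_p_output):
    """Map soname -> path for every entry in `ldconfig -p` output."""
    libs = {}
    for line in ldconfig_p_output.splitlines():
        m = re.match(r"\s*(\S+)\s+\(.*\)\s+=>\s+(\S+)", line)
        if m:
            libs[m.group(1)] = m.group(2)
    return libs

def search_dirs(ld_so_conf_text, ld_library_path=""):
    """Directories the loader will search: LD_LIBRARY_PATH first, then ld.so.conf."""
    dirs = [d for d in ld_library_path.split(":") if d]
    for line in ld_so_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("include"):
            dirs.append(line)
    return dirs

def diagnose(soname, ldconfig_p_output, ld_so_conf_text,
             ld_library_path="", install_dir="/usr/local/lib"):
    """Return (resolvable, advice) for the shared library `soname`."""
    if soname in libs_in_cache(ldconfig_p_output):
        return True, "%s is in the loader cache" % soname
    if install_dir in search_dirs(ld_so_conf_text, ld_library_path):
        return False, "%s is configured but not cached: run 'ldconfig' as root" % install_dir
    return False, ("%s is not searched: add it to /etc/ld.so.conf and run 'ldconfig' "
                   "as root, or export LD_LIBRARY_PATH=%s" % (install_dir, install_dir))

def diagnose_live(soname="libpcre.so.1"):
    """Same check against the running host (needs ldconfig and /etc/ld.so.conf)."""
    cache = subprocess.check_output(["ldconfig", "-p"]).decode("utf-8", "replace")
    with open("/etc/ld.so.conf") as f:
        conf = f.read()
    return diagnose(soname, cache, conf, os.environ.get("LD_LIBRARY_PATH", ""))

if __name__ == "__main__":
    print(diagnose("libpcre.so.1", SAMPLE_LDCONFIG_P, SAMPLE_LD_SO_CONF))
```

Call diagnose_live() on the appliance itself after the yara command fails; the advice string tells you whether to edit /etc/ld.so.conf, rerun ldconfig, or set LD_LIBRARY_PATH.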

When this configuration is complete, analysts can create custom YARA IOCs for consumption on a Malware Analysis host as described in "Implement Custom YARA Content" in the Malware Analysis User Guide.