This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject

NetWitness Community

  • Home
  • Products
    • NetWitness Platform
      • Advisories
      • Documentation
        • Platform Documentation
        • Known Issues
        • Security Fixes
        • Hardware Documentation
        • Threat Content
        • Unified Data Model
        • Videos
      • Downloads
      • Integrations
      • Knowledge Base
    • NetWitness Cloud SIEM
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Detect AI
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Investigator
    • NetWitness Orchestrator
      • Advisories
      • Documentation
      • Knowledge Base
      • Legacy NetWitness Orchestrator
        • Advisories
        • Documentation
  • Community
    • Blog
    • Discussions
    • Events
    • Idea Exchange
  • Support
    • Case Portal
      • Create New Case
      • View My Cases
      • View My Team's Cases
    • Community Support
      • Getting Started
      • News & Announcements
      • Community Support Forum
      • Community Support Articles
    • Product Life Cycle
    • Support Information
    • General Security Advisories
  • Training
    • Blog
    • Certification Program
    • Course Catalog
    • New Product Readiness
    • On-Demand Subscriptions
    • Student Resources
    • Upcoming Events
  • Technology Partners
  • Trust Center
Sign InRegister Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
  • NetWitness Community
  • Blog
  • Deleting custom YARA rules in the RSA NetWitness Platform

Deleting custom YARA rules in the RSA NetWitness Platform

JosephKavanaugh
JosephKavanaugh New Contributor
New Contributor
Options
  • Subscribe to RSS Feed
  • Mark as New
  • Mark as Read
  • Bookmark
  • Subscribe
  • Email to a Friend
  • Printer Friendly Page
  • Report Inappropriate Content
‎2019-08-31 06:10 PM

An administrator uploads custom YARA content to the RSA NetWitness Platform per instructions in the documentation. Turns out they want to change or delete it, but the only options in the user interface are to disable or enable. The naming of the YARA custom files will be different, reflecting names given during upload.

 

Can anything be done?

 

The answer is yes. The steps below explain how to manage custom YARA content via the command-line.

 

  1. Connect to the malware appliance via SSH and change to the YARA directory.
[root@malwareserver yara]# cd /var/netwitness/malware-analytics-server/spectrum/yara

 

  1. Find the custom files you want to delete.
    Rules are merged into a single file. It is unknown if you can modify that file to remove a single rule.
[root@malwareserver yara]# ll
total 492
drwxr-xr-x. 2 netwitness netwitness 6 Aug 20 15:23 error
drwxr-xr-x. 2 netwitness netwitness 4096 Aug 29 14:02 processed
-rw-r--r--. 1 netwitness netwitness 587 Jul 15 16:49 rsa_mw_pdf_artifacts.yara
-rw-r--r--. 1 netwitness netwitness 76289 Jul 15 16:49 rsa_mw_pe_artifacts.yara
-rw-r--r--. 1 netwitness netwitness 96334 Jul 15 16:49 rsa_mw_pe_packers.yara
drwxr-xr-x. 2 netwitness netwitness 6 Aug 20 16:03 watch
-rw-r--r--. 1 netwitness netwitness 317666 Aug 20 16:05 custom_merged_static_rules.yar

 

  1. Remove the file(s) or move it/them to a different directory.
[root@malwareserver yara]# rm -i custom_merged_static_rules.yar

 

  1. Change directory to the YARA processed folder, and remove (or move) the processed files.
[root@malwareserver yara]# cd /var/netwitness/malware-analytics-server/spectrum/yara/processed [root@malwareserver yara]# rm -i custom_merged.yar

 

  1. Restart the Malware service.
systemctl restart rsa-nw-malware-analytics-server

 

After performing these steps, you can verify the remove in the RSA NetWitness Platform UI under Services → [name of malware server] → Config → Indicators of Compromise → YARA.

Labels:
  • Tutorials
  • Appliance
  • Command-Line
  • custom yara
  • How To
  • Malware Analysis
  • malware appliance
  • malware server
  • NetWitness
  • netwitness logs
  • netwitness logs & network
  • netwitness network
  • NetWitness Platform
  • NW
  • NWP
  • RSA NetWitness
  • RSA NetWitness Platform
  • Tutorial
  • Walkthrough
  • yara
  • yara rules
0 Likes
Share

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

  • Comment
Latest Articles
  • Agent Tesla: The Information Stealer
  • Threat Analysis: Detecting “Follina” (CVE-2022-30190) RCE Vulnerability with Netwitness Endpoint
  • Introducing NetWitness Vision XDR
  • Introducing NetWitness Platform XDR v12.0
  • Atlassian Confluence Zero-day Vulnerability (0-Zero) CVE-2022-26134: What You Need To Know
  • ‘Follina’ CVE-2022-30190 0-Day: What You Need To Know
  • CVE-2022-1388: BIG-IP iControl REST RCE Vulnerability
  • Ragnar Locker Ransomware: The Rampage Continues…
  • Ransomware Email Attacks: Beware of BazarLoader
  • Detecting Impacket with Netwitness Endpoint
Labels
  • Announcements 54
  • Events 2
  • Features 9
  • Integrations 6
  • Resources 57
  • Tutorials 21
  • Use Cases 21
  • Videos 116
Powered by Khoros
  • Blog
  • Events
  • Discussions
  • Idea Exchange
  • Knowledge Base
  • Case Portal
  • Community Support
  • Product Life Cycle
  • Support Information
  • About the Community
  • Terms & Conditions
  • Privacy Statement
  • Acceptable Use Policy
  • Employee Login
© 2022 RSA Security LLC or its affiliates. All rights reserved.