diff --git a/README.md b/README.md
index 521c9287..f5f7dccf 100644
--- a/README.md
+++ b/README.md
@@ -224,7 +224,15 @@ Guidelines for contributing can be found [here](https://github.com/target/strelk
 ## Known Issues
-See [issues labeled `bug`](https://github.com/target/strelka/issues?q=is%3Aissue+is%3Aopen+label%3Abug) in the tracker for any potential known issues.
+
+### Issues with Loading YARA Rules
+Users are advised to precompile their YARA rules for optimal performance and to avoid potential issues during runtime.
+Using precompiled YARA files helps in reducing load time and resource usage, especially in environments with a large
+set of rules. Ensure to use the [compiled option in the Strelka configuration](https://github.com/target/strelka/blob/master/configs/python/backend/backend.yaml)
+to point to the precompiled rules file.
+
+### Other Issues
+See [issues labeled `bug`](https://github.com/target/strelka/issues?q=is%3Aissue+is%3Aopen+label%3Abug) in the tracker for any additional issues.
 ## Related Projects
 * [Laika BOSS](https://github.com/lmco/laikaboss)
diff --git a/build/docker-compose.yaml b/build/docker-compose.yaml
index 78d46702..6f74df53 100644
--- a/build/docker-compose.yaml
+++ b/build/docker-compose.yaml
@@ -75,11 +75,11 @@ services: networks: - net ports: - - 16686:16686 # HTTP query frontend UI - - 6831:6831/udp # UDP agent accept jaeger.thrift over Thrift-compact protocol (used by most SDKs) - - 4317:4317 # HTTP collector accept OpenTelemetry Protocol (OTLP) over gRPC - - 4318:4318 # HTTP collector accept OpenTelemetry Protocol (OTLP) over HTTP - - 14268:14268 # HTTP collector accept jaeger.thrift + - "16686:16686" # HTTP query frontend UI + - "6831:6831/udp" # UDP agent accept jaeger.thrift over Thrift-compact protocol (used by most SDKs) + - "4317:4317" # HTTP collector accept OpenTelemetry Protocol (OTLP) over gRPC + - "4318:4318" # HTTP collector accept OpenTelemetry Protocol (OTLP) over HTTP + - "14268:14268" # HTTP collector accept jaeger.thrift ui: image: target/strelka-ui:latest @@ -104,3 +104,5 @@ services: - POSTGRESQL_USERNAME=postgres networks: - net + ports: + - "5432:5432" diff --git a/src/python/strelka/scanners/scan_yara.py b/src/python/strelka/scanners/scan_yara.py index aedc75e3..add115a6 100644 --- a/src/python/strelka/scanners/scan_yara.py +++ b/src/python/strelka/scanners/scan_yara.py @@ -1,4 +1,5 @@ import glob +import logging import os import yara @@ -40,6 +41,10 @@ def init(self): self.loaded_configs = False self.rules_loaded = 0 + self.warn_user = False + self.warned_user = False + self.warn_message = "" + def scan(self, data, file, options, expire_at): """Scans the provided data with YARA rules. @@ -123,7 +128,7 @@ def load_yara_rules(self, options): """ # Retrieve location of YARA rules. location = options.get("location", "/etc/strelka/yara/") - compiled = options.get("compiled") + compiled = options.get("compiled", {"enabled": False}) try: # Load compiled YARA rules from a file. @@ -133,6 +138,7 @@ def load_yara_rules(self, options): ) except yara.Error as e: self.flags.append(f"compiled_load_error_{e}") + self.warn_user = True try: # Compile YARA rules from a directory. 
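Review bot: Publishing `"5432:5432"` on the postgres service in the `@@ -104` hunk binds PostgreSQL to every host interface, so the database becomes reachable from the host's network with whatever credentials this compose file configures (only `POSTGRESQL_USERNAME=postgres` is visible here; the password is presumably a compose-level default). The `ui` service already shares the `net` network with it and does not need a published port to connect, so if host access is only wanted for local debugging, bind it to loopback instead: `- "127.0.0.1:5432:5432"`. If host access is not needed at all, drop the added `ports:` block. The Jaeger ports in the hunk above are bound the same way, but that is pre-existing and only re-quoted by this change.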
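Review bot: In the `@@ -133` hunk the added `self.warn_user = True` in the `except yara.Error` branch does not record the error text, so when loading the precompiled file is the failure that triggers the banner, its `Error:` line is either empty or shows a later, unrelated message from the directory-compile path; add `self.warn_message = str(e)` next to it. A caveat worth a comment at the `yara.load(...)` call above this hunk (the enclosing `try` starts outside the hunk): a precompiled rules file is a binary that libyara loads without any origin or integrity check, so it should be treated like code and only read from an operator-controlled path — e.g. `# NOTE: compiled rules files are trusted input; never point this at a user-writable location.`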
@@ -153,15 +159,40 @@ def load_yara_rules(self, options): self.compiled_yara = yara.compile(filepath=location) else: self.flags.append("yara_location_not_found") - except yara.Error as e: - self.flags.append(f"compiling_error_general_{e}") + self.warn_user = True + self.warn_message = "YARA Location Not Found" + except yara.SyntaxError as e: self.flags.append(f"compiling_error_syntax_{e}") + self.warn_user = True + self.warn_message = str(e) + + except yara.Error as e: + self.flags.append(f"compiling_error_general_{e}") + self.warn_user = True + self.warn_message = str(e) # Set the total rules loaded. if self.compiled_yara: self.rules_loaded = len(list(self.compiled_yara)) + if not self.compiled_yara: + if not self.warned_user and self.warn_user: + logging.warning( + "\n" + "*************************************************\n" + "* WARNING: YARA File Loading Issue Detected *\n" + "*************************************************\n" + "There was an issue loading the compiled YARA file. Please check that all YARA rules can be\n" + "successfully compiled. Additionally, verify the 'ScanYara' configuration in Backend.yaml to\n" + "ensure the targeted path is correct. This issue needs to be resolved for proper scanning\n" + "functionality.\n" + "\n" + f"Error: {self.warn_message}\n" + "*************************************************\n" + ) + self.warned_user = True + def extract_match_hex(self, rule, offset, matched_string, data, offset_padding=32): """ Extracts a hex dump of a matched string in the data, with padding. diff --git a/src/python/strelka/tests/test_scan_yara.py b/src/python/strelka/tests/test_scan_yara.py index a6266d48..1a294317 100644 --- a/src/python/strelka/tests/test_scan_yara.py +++ b/src/python/strelka/tests/test_scan_yara.py 
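Review bot: When every load path fails the scanner still proceeds with `self.compiled_yara` unset, so scans continue and only carry `no_rules_loaded` — a fail-open for a detection component — and the banner is emitted once per instance at WARNING level, so a rule break after deploy can go unnoticed. Consider logging at `error` level and, if `load_yara_rules` is invoked more than once per instance (its caller is not visible here), re-logging on every failed reload instead of gating on `warned_user`, or refusing to start when `rules_loaded == 0`. The banner text also says "loading the compiled YARA file" for all three failures, including a syntax error in a source rule directory or a missing `location`; a neutral phrase such as `"There was an issue loading the YARA rules."` avoids sending operators to the wrong config key. Style: use a module logger and lazy formatting, `logger = logging.getLogger(__name__)` at module level and `logger.error("YARA rules failed to load: %s", self.warn_message)`, rather than the root `logging.warning` with an f-string.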
@@ -50,7 +50,7 @@ def test_scan_bad_yara(mocker): test_scan_event = { "elapsed": mock.ANY, "flags": [ - 'compiling_error_general_/strelka/strelka/tests/fixtures/test_elk_linux_torte.yara(31): undefined identifier "is__elf"', + 'compiling_error_syntax_/strelka/strelka/tests/fixtures/test_elk_linux_torte.yara(31): undefined identifier "is__elf"', "no_rules_loaded", ], "matches": [],
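Review bot: The expectation is updated for the flag rename, but nothing exercises the new warning path: `warn_user`, `warned_user` and the one-time banner in `load_yara_rules` have no test. This same `test_scan_bad_yara` case already uses a fixture that fails to compile, so it can take the `caplog` fixture and add `assert any("YARA File Loading Issue" in r.message for r in caplog.records)`; a second load on the same scanner instance should then assert the banner appears only once. The enclosing test function starts above the hunk.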