Cb Yara Manager guide for Cb Response

The Cb Yara Manager allows users to perform administrative actions on the Cb Yara Connector installed on their Cb Response server. With the Cb Yara Manager users can perform the following operations:

  • Get current status of the Yara Connector
  • Restart the Yara Connector
  • Delete all threat reports
  • Upload new Yara Rules
  • View The Cb Yara Connector configuration

Installation

1) Install the CbOpenSource repository if it isn’t already present

cd /etc/yum.repos.d
curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo

2) Use yum to install the Yara Manager:

yum install python-cb-yara-manager

3) Copy the example config file:

cp /etc/cb/integrations/cb-yara-manager/config.py.example /etc/cb/integrations/cb-yara-manager/config.py

4) Verify the config file (/etc/cb/integrations/cb-yara-manager/config.py) and adjust any settings for your environment before starting the service

5) Start the Cb Yara Manager:

service cb-yara-manager start

6) Add the following to the Cb Response Nginx config /etc/cb/nginx/conf.d/includes/cb.server.custom:

location /connector/ {
    proxy_pass http://localhost:8082;
}

7) Restart Cb Response Nginx:

service cb-nginx restart

8) To access the Cb Yara Manager, log in to your Cb Response Web UI, then browse to https://<cb_server_url>/connector/yara.
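The eight steps above, collected into one idempotent script as an added example (this is not part of the python-cb-yara-manager package). It assumes a RHEL/CentOS host that already runs Cb Response, root privileges, and the file paths named in the steps; the NGINX_CUSTOM variable exists only so the nginx-include helpers can be exercised against a scratch file.

```shell
#!/bin/sh
# Added example, not part of the python-cb-yara-manager package: runs the
# installation steps idempotently and offers a "check" mode.
# Assumptions: RHEL/CentOS host already running Cb Response, executed as
# root, yum/curl/service available. Paths are the ones from the steps
# above; NGINX_CUSTOM may be overridden to test the helpers on a scratch file.
set -u

REPO_URL="https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo"
CONF_DIR="/etc/cb/integrations/cb-yara-manager"
NGINX_CUSTOM="${NGINX_CUSTOM:-/etc/cb/nginx/conf.d/includes/cb.server.custom}"

# Append the /connector/ proxy block to the nginx include only when it is
# absent, so re-running the script never leaves a duplicate "location"
# directive (nginx rejects duplicates and cb-nginx then fails to restart).
ensure_connector_location() {
    file="$1"
    if grep -q 'location /connector/' "$file" 2>/dev/null; then
        return 0
    fi
    cat >> "$file" <<'EOF'
location /connector/ {
    proxy_pass http://localhost:8082;
}
EOF
}

# Succeed only when the include file has exactly one /connector/ block and
# it proxies to the loopback listener on 8082: the manager itself is not
# exposed directly, only through the login-protected Cb Response UI.
check_connector_location() {
    file="$1"
    n=$(grep -c 'location /connector/' "$file" 2>/dev/null || true)
    case "$n" in
        1) grep -q 'proxy_pass http://localhost:8082;' "$file" ;;
        *) return 1 ;;
    esac
}

install_yara_manager() {
    # Step 1: the CbOpenSource repo; -f makes curl fail on an HTTP error
    # instead of saving an error page as CbOpenSource.repo.
    if [ ! -f /etc/yum.repos.d/CbOpenSource.repo ]; then
        (cd /etc/yum.repos.d && curl -fO "$REPO_URL")
    fi
    # Step 2
    yum -y install python-cb-yara-manager
    # Steps 3 and 4: seed config.py from the example once; never overwrite
    # a config an administrator has already edited.
    if [ ! -f "$CONF_DIR/config.py" ]; then
        cp "$CONF_DIR/config.py.example" "$CONF_DIR/config.py"
        echo "Review $CONF_DIR/config.py before relying on the service" >&2
    fi
    # Step 5
    service cb-yara-manager start
    # Steps 6 and 7
    ensure_connector_location "$NGINX_CUSTOM"
    service cb-nginx restart
    # Step 8 is manual: log in to the Cb Response UI, then open /connector/yara.
}

case "${1:-}" in
    install) install_yara_manager ;;
    check)   check_connector_location "$NGINX_CUSTOM" && echo "nginx include OK: $NGINX_CUSTOM" ;;
    *)       ;;   # no argument: only define the functions (safe to source)
esac
```

Run it as `sh cb-yara-manager-setup.sh install` on the Cb Response server, and `sh cb-yara-manager-setup.sh check` afterwards (or after any later edit of cb.server.custom) to confirm the include still carries exactly one /connector/ block. Because nginx proxies to localhost:8082, the manager needs no listener on a non-loopback interface; after step 5, `ss -ltnp | grep 8082` should show only a loopback bind.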

Yara Status Page

This page displays status information for the yara connector. The output is taken directly from the Linux service command.

  • Get Yara Status - Retrieves the current status of the yara connector and displays the results in the StdOut and StdErr text boxes.
  • Reset Output - Resets the output within the StdOut and StdErr text boxes.
  • Restart Yara - Restarts the Yara connector.
  • Reset DB - Resets the threat reports database to its empty state. This is typically used after adding yara rules.

Yara Rules Manager

Upload a new Yara rule by clicking the Choose File button, selecting the appropriate .yar file, and clicking the Upload Rule button.
To delete all yara rules, click the Purge all Rules button. Each yara rule can also be individually downloaded or deleted.

The Yara Manager also supports uploading multiple yara rules at once: a zip file containing several rules may be uploaded.
The Yara Manager unzips the archive and places all the rules in the path specified by the Yara connector configuration file.
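Because the manager extracts whatever the archive contains into the connector's rules path, it is worth checking a rules zip before uploading it. The script below is an added example, not part of the Cb Yara Manager: it accepts only a flat archive of .yar/.yara files (no subdirectories, no absolute or traversing paths, no stray files such as notes or macOS metadata) and, when the yara CLI is available, compiles each rule file against /dev/null to catch syntax errors before they reach the connector. It assumes unzip and optionally yara are installed on the machine where it runs.

```shell
#!/bin/sh
# Added example, not part of the Cb Yara Manager: pre-upload sanity check
# for a zip of Yara rules. Assumes unzip (for -Z1 listings) and, optionally,
# the yara CLI on the host where it runs.
set -u

# Read a zip member listing (one path per line, as "unzip -Z1" prints it)
# from stdin. Print each offending entry and fail unless every entry is a
# plain .yar/.yara file at the top level of the archive. Requiring a flat
# archive rejects "../" traversal, absolute paths and nested directories
# in one rule, and the manager is documented to drop rules into a single path.
check_rule_entries() {
    bad=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        case "$entry" in
            */*)          echo "not a flat entry: $entry"; bad=1 ;;
            *.yar|*.yara) ;;
            *)            echo "not a rule file: $entry"; bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Full check on an archive: listing first, then a compile pass per rule
# file ("yara RULES /dev/null" compiles the rules and scans an empty input,
# so it exits non-zero only on a compile error).
check_rules_zip() {
    zip="$1"
    [ -f "$zip" ] || { echo "no such archive: $zip"; return 1; }
    unzip -Z1 "$zip" | check_rule_entries || return 1
    if ! command -v yara >/dev/null 2>&1; then
        echo "yara CLI not found, skipping compile check"
        return 0
    fi
    dir=$(mktemp -d)
    unzip -q "$zip" -d "$dir" || { rm -rf "$dir"; return 1; }
    rc=0
    for f in "$dir"/*.yar "$dir"/*.yara; do
        [ -f "$f" ] || continue
        yara "$f" /dev/null >/dev/null 2>&1 || { echo "does not compile: $(basename "$f")"; rc=1; }
    done
    rm -rf "$dir"
    return $rc
}

# Usage: sh check-rules-zip.sh rules.zip  (no argument: only define functions)
if [ -n "${1:-}" ]; then
    check_rules_zip "$1" && echo "OK: $1 is safe to upload"
fi
```

Run `sh check-rules-zip.sh rules.zip` before clicking Upload Rule; a non-zero exit lists the entries that would be extracted somewhere other than the rules path or would not compile. If the archive passes, the Reset DB button on the status page is the documented follow-up once the new rules are in place.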

Yara Configuration Page

This page displays the current configuration of the yara connector. The information is read from the yara connector's configuration file. Nothing on this page is editable; changes must be made in the connector's connector.conf file.

Last modified on October 24, 2017