
Cuckoo - Yara Match Warning

This post is related to one of the issues faced while installing/using Cuckoo Sandbox for malware sample analysis. Day by day, the Cuckoo Sandbox developer team is working on resolving issues faced by its users and making it a promising and most advanced automated malware analysis tool. So far, a good number of warnings, bugs and issues have been taken care of by them, which has helped Cuckoo perform better and more effectively.

Let’s discuss one of the issues faced while using Cuckoo to run against a sample. If your Cuckoo installation hangs up on the warning:

“WARNING:lib.cuckoo.common.objects:Unable to match Yara signatures: /opt/maddie/cuckoo/data/yara/binaries/ye_memory.yar(26): $file contains .*, consider using .{N} with a reasonable value for N”

This issue is actually related to the proper installation of Cuckoo on the system. Please note: no warning should be ignored while installing any setup, as it will come back to you as a bigger problem one day or another.

Please follow the steps one by one carefully to resolve the issue:

Steps:

  1. Change into your cuckoo directory (cd ~/cuckoo for me).
  2. Edit the objects.py library file (vi lib/cuckoo/common/objects.py). Note: MAKE A BACKUP FIRST.
  3. Search for the error_on_warning argument: rules = yara.compile(rulepath, error_on_warning=True)
  4. Remove that entire argument from the function call: rules = yara.compile(rulepath)
  5. Save the changes and try processing a report again.


If it doesn’t work that way, try this too:

  1. Just go into the python code and remove the “error_on_warning” argument from the yara.compile() call. This is not the best fix to do but it worked for me.
  2. Removing the error_on_warning argument won’t break anything from what I can see. You can read what it does here: http://yara.readthedocs.org/en/latest/yarapython.html
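The warning quoted above is yara-python refusing a rule whose regex string contains an unbounded `.*` (it says so: "consider using .{N}"). Dropping `error_on_warning` silences the check, but it leaves a rule in place that can scan slowly on large memory dumps. The alternative is to find the offending string and give the wildcard an upper bound, so the rule compiles cleanly with the check left on. Below is an added example (not part of this post, of Cuckoo, or of yara-python) that lints a rule file for unbounded `.*`, `.+` and `.{n,}` quantifiers in regex strings and shows a bounded rewrite. The function names `lint_rules` and `bound_wildcards`, the sample rule text, and the bound of 64 characters are all assumptions made for the example; the right bound depends on what the rule is meant to match.

```python
"""Lint YARA rule text for unbounded regex wildcards before handing rules to Cuckoo.

Added example, not Cuckoo's or yara-python's code. It flags the pattern that
yara.compile(..., error_on_warning=True) rejects ("$x contains .*") so the rule
can be fixed instead of the warning being suppressed.
"""
import re

# A regex string definition inside a YARA "strings:" block:  $name = /body/ modifiers
_REGEX_STRING = re.compile(r'^\s*(\$\w*)\s*=\s*/(.*)/\s*([a-z ]*)$')
# A trailing "// comment" that is not part of an escaped slash inside the regex.
_LINE_COMMENT = re.compile(r'(?<!\\)//.*$')
# Quantifiers that leave the wildcard unbounded: *, +, or {n,} with no upper limit.
_UNBOUNDED = re.compile(r'\*|\+|\{(\d+),\}')


def _walk_wildcards(body):
    """Yield (offset, quantifier_match) for every unescaped '.' followed by an
    unbounded quantifier. Escaped characters ('\\.', '\\\\') are skipped as pairs,
    so '\\\\.*' (literal backslash then wildcard) is still detected and '\\.*'
    (zero or more literal dots) is not."""
    i = 0
    while i < len(body):
        if body[i] == '\\':
            i += 2                      # skip the escape and the escaped char
            continue
        if body[i] == '.':
            m = _UNBOUNDED.match(body, i + 1)
            if m:
                yield i, m
                i = m.end()
                continue
        i += 1


def bound_wildcards(body, n=64):
    """Return the regex body with every unbounded wildcard given an upper bound:
    .* -> .{0,n}, .+ -> .{1,n}, .{k,} -> .{k,n}. n=64 is an assumed example value."""
    out, last = [], 0
    for offset, m in _walk_wildcards(body):
        q = m.group(0)
        lo = '0' if q == '*' else '1' if q == '+' else m.group(1)
        out.append(body[last:offset])
        out.append('.{%s,%d}' % (lo, n))
        last = m.end()
    out.append(body[last:])
    return ''.join(out)


def lint_rules(rule_text, n=64):
    """Return a list of (line_no, string_name, quantifier, bounded_body) for each
    regex string in rule_text that contains an unbounded wildcard."""
    findings = []
    for line_no, raw in enumerate(rule_text.splitlines(), start=1):
        line = _LINE_COMMENT.sub('', raw)
        m = _REGEX_STRING.match(line)
        if not m:
            continue                    # not a regex string (text, hex, or other line)
        name, body = m.group(1), m.group(2)
        for _offset, q in _walk_wildcards(body):
            findings.append((line_no, name, '.' + q.group(0), bound_wildcards(body, n)))
    return findings


# Constructed sample rule for the example (not a real Cuckoo rule file).
SAMPLE_RULE = r'''rule constructed_memory_example
{
    strings:
        $file = /[A-Z]:\\.*\.exe/ nocase            // unbounded: triggers the warning
        $name = /svchost.+\.dll/                    // unbounded: triggers the warning
        $url  = /https?:\/\/[a-z]{1,32}\.test\//    // bounded: compiles cleanly
        $mz   = { 4D 5A }
    condition:
        any of them
}
'''

if __name__ == '__main__':
    for line_no, name, quant, fixed in lint_rules(SAMPLE_RULE):
        print('line %d: %s contains %s, consider /%s/' % (line_no, name, quant, fixed))
```

Run against the rule file named in the warning (the path and line number are in the message itself) and the output points at the string to change; once the wildcard is bounded, `yara.compile(rulepath, error_on_warning=True)` accepts the rule and the Cuckoo code can stay as shipped. Only bare `.` wildcards are checked here; a negated class such as `[^x]*` is just as unbounded and would need the same treatment.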

Hope it helps.
