Tuesday, April 3, 2018

Installing YARA from Source Code on CentOS 7

A short post - really more of a reminder to myself - on how to install YARA on CentOS Linux 7.

CentOS is an enterprise Linux distribution, and as a consequence aims for stability - it tends to have older versions of many software packages. This can make installing some software a bit of a challenge.

YARA is a pattern-matching tool for malware analysts - a kind of Swiss Army Knife that can calculate hashes, perform string and regular-expression matching, and parse various binary executable formats, like PE: most of the techniques that are useful for finding and investigating malware.

Preparation

Installing the various required packages can only be done as root. Rather than prefixing each command with sudo, just su to root:

$ sudo su -

Many of the packages required by YARA are also a little ahead of the standard CentOS releases - but that's common for up-to-date versions of many programs, like PHP and others. So you may already have the first requirement: a Yum configuration for the EPEL (Extra Packages for Enterprise Linux) repository. If you have, then you're good to go - otherwise, enable EPEL with the command:

# yum install epel-release

If that doesn't work, because you don't have the CentOS Extras repository enabled, then install the EPEL release package for CentOS 7 directly from Fedora:

# rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Now you're ready to start installing the required packages. Start with GNU Autoconf and libtool:

# yum install autoconf libtool

Then add the OpenSSL development files:

# yum install openssl-devel

If you intend to use the YARA cuckoo and magic modules:

# yum install file-devel
# yum install jansson jansson-devel

Finally, the latest YARA rules require Python 3.6, so if you don't have it:

# yum install python36 python36-devel

Installing YARA itself

From this point, everything goes as per the instructions at http://yara.readthedocs.io/en/v3.7.1/gettingstarted.html. You should drop your root privileges (exit or switch to another session) then download the latest version of YARA. From that point, it goes something like this:

$ tar xzvf yara-3.7.1.tar.gz
$ cd yara-3.7.1
$ ./bootstrap.sh
$ ./configure --enable-cuckoo --enable-magic
$ make
$ sudo make install

Finally, run the YARA tests:

$ make check

Among the output that follows, you should see:

PASS: test-alignment
PASS: test-api
PASS: test-rules
PASS: test-pe
PASS: test-elf
PASS: test-version
PASS: test-exception

[...]
============================================================================
Testsuite summary for yara 3.7.1
============================================================================
# TOTAL: 7
# PASS:  7
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================
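The whole procedure above (enabling EPEL through make check), as an added example that is not code from the original post: a script that runs it unattended and parses the testsuite summary instead of eyeballing it. It assumes CentOS 7, a sudo-capable user, and that the release tarball is fetched from GitHub (an assumed URL; the post gives none).

```shell
#!/bin/sh
# Added example, not code from the original post: the install steps as shell
# functions so they can be repeated unattended. Assumes CentOS 7, a sudo-capable
# user, and the GitHub release tarball URL (an assumption; the post names none).
set -eu

YARA_VERSION="${YARA_VERSION:-3.7.1}"

# EPEL release RPM for a CentOS major version (fallback if epel-release is absent).
epel_rpm_url() {
    echo "https://dl.fedoraproject.org/pub/epel/epel-release-latest-$1.noarch.rpm"
}

# Turn a list of optional module names into ./configure flags.
configure_flags() {
    flags=""
    for m in "$@"; do flags="$flags --enable-$m"; done
    echo "${flags# }"
}

# Read the "Testsuite summary" printed by make check on stdin; succeed only if
# every test passed (TOTAL == PASS, and FAIL, XPASS and ERROR are all zero).
testsuite_ok() {
    awk '/^# TOTAL:/ { total = $3 }
         /^# PASS:/  { pass = $3 }
         /^# (FAIL|XPASS|ERROR):/ { bad += $3 }
         END { exit !(total > 0 && total == pass && bad == 0) }'
}

install_deps() {
    sudo yum -y install epel-release || sudo rpm -ivh "$(epel_rpm_url 7)"
    sudo yum -y install autoconf libtool openssl-devel file-devel \
        jansson jansson-devel python36 python36-devel
}

build_yara() {
    curl -fsSL -o "yara-$YARA_VERSION.tar.gz" \
        "https://github.com/VirusTotal/yara/archive/v$YARA_VERSION.tar.gz"
    tar xzf "yara-$YARA_VERSION.tar.gz"
    cd "yara-$YARA_VERSION"
    ./bootstrap.sh
    ./configure $(configure_flags cuckoo magic)   # word splitting intended
    make
    make check > check.log 2>&1 || true   # keep going so the summary is parsed
    testsuite_ok < check.log              # set -e aborts unless every test passed
    sudo make install
}

# Only perform the real installation when explicitly asked for.
if [ "${YARA_INSTALL:-0}" = "1" ]; then install_deps; build_yara; fi
```

Unlike the manual sequence above, it runs make check before make install, so a failing testsuite stops the installation.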

If all is correct, you're good to go! Have fun, and nail that malware!