CentOS is an enterprise Linux distribution, and as a consequence aims for stability - it tends to have older versions of many software packages. This can make installing some software a bit of a challenge.
YARA is a pattern-matching program for use by malware analysts - it's a kind of Swiss Army Knife that can calculate hashes, perform string and regular expression matching, and understands various binary executable formats, like PE - most of the techniques that are useful for finding and investigating malware.
Preparation
Installing the required packages can only be done as root. Rather than prefixing each command with sudo, switch to a root shell:
# sudo su -
Many of the packages YARA needs are also a little ahead of what the standard CentOS repositories provide, which is common for current versions of many programs, PHP among them. So you may already have the first requirement: a Yum configuration for the EPEL (Extra Packages for Enterprise Linux) repository. If you do, you're good to go; otherwise, enable EPEL with the command
# yum install epel-release
If that doesn't work, because you don't have the CentOS Extras repository enabled, then try this:
# rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
Now you're ready to start installing the required packages. Start with GNU Autoconf and libtool:
# yum install autoconf libtool
Then add the OpenSSL development files:
# yum install openssl-devel
If you intend to use the YARA cuckoo and magic modules:
# yum install file-devel
# yum install jansson jansson-devel
Finally, the latest YARA rules require Python 3.6, so if you don't have it:
# yum install python36 python36-devel
Installing YARA itself
From this point, everything goes as per the instructions at http://yara.readthedocs.io/en/v3.7.1/gettingstarted.html. You should drop your root privileges (exit or switch to another session) then download the latest version of YARA. From that point, it goes something like this:
$ tar xzvf yara-3.7.1.tar.gz
$ cd yara-3.7.1
$ ./bootstrap.sh
$ ./configure --enable-cuckoo --enable-magic
$ make
$ sudo make install
Finally, run the YARA tests:
$ make check
Among the output that follows, you should see:
PASS: test-alignment
PASS: test-api
PASS: test-rules
PASS: test-pe
PASS: test-elf
PASS: test-version
PASS: test-exception
[...]
============================================================================
Testsuite summary for yara 3.7.1
============================================================================
# TOTAL: 7
# PASS: 7
# SKIP: 0
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
============================================================================
If all is correct, you're good to go! Have fun, and nail that malware!
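The whole procedure above, from enabling EPEL through reading the make check summary, as a script. This is an added example, not part of the original post or of the YARA project: it wraps the post's commands in functions, adds the checks a practitioner would want (a dependency check before the build, a parser for the "Testsuite summary" block so the result can be checked automatically, and a post-install smoke test against a one-string rule). Assumed: CentOS 6 or 7 with yum, the yara-3.7.1.tar.gz already downloaded into the current directory, and network access when the install and build subcommands are used; the function and subcommand names, and the sample summary used for the dry run, are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): the Preparation and
# "Installing YARA itself" steps wrapped in functions, plus the checks a
# practitioner would want before and after. Assumed: CentOS 6 or 7 with yum,
# the yara-3.7.1.tar.gz already downloaded into the current directory, and
# network access when the install/build subcommands are used.

YARA_VERSION="3.7.1"   # the version the post installs

# Extract the major release number from an /etc/centos-release style string,
# e.g. "CentOS Linux release 7.6.1810 (Core)" -> 7
major_from_release_string() {
    printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\).*/\1/p'
}

# URL of the epel-release package for a given CentOS major version. The post
# uses the "-6" URL; the same naming scheme holds for other major versions.
epel_rpm_url() {
    printf 'https://dl.fedoraproject.org/pub/epel/epel-release-latest-%s.noarch.rpm\n' "$1"
}

# Succeed only if every named package is installed (rpm -q fails otherwise),
# so the build step can refuse to start with a missing dependency.
packages_installed() {
    for pkg in "$@"; do
        rpm -q "$pkg" >/dev/null 2>&1 || return 1
    done
    return 0
}

# Parse the "Testsuite summary" block that "make check" prints (saved to the
# file given as $1). Returns 0 only when nothing failed or errored and every
# test passed, 2 when no summary block is present at all.
check_testsuite_summary() {
    total=$(sed -n 's/^# TOTAL: *\([0-9]*\).*/\1/p' "$1")
    pass=$(sed -n 's/^# PASS: *\([0-9]*\).*/\1/p' "$1")
    fail=$(sed -n 's/^# FAIL: *\([0-9]*\).*/\1/p' "$1")
    error=$(sed -n 's/^# ERROR: *\([0-9]*\).*/\1/p' "$1")
    if [ -z "$total" ] || [ -z "$pass" ]; then
        return 2
    fi
    if [ "${fail:-0}" -eq 0 ] && [ "${error:-0}" -eq 0 ] && [ "$pass" -eq "$total" ]; then
        return 0
    fi
    return 1
}

# Constructed sample of the summary block shown in the post, for a dry run
# of the parser without building anything. Prints the temp file's path.
sample_summary_file() {
    f=$(mktemp)
    printf '# TOTAL: 7\n# PASS: 7\n# SKIP: 0\n# XFAIL: 0\n# FAIL: 0\n# XPASS: 0\n# ERROR: 0\n' > "$f"
    printf '%s\n' "$f"
}

# The Preparation steps (run as root). $1 is the CentOS major version, used
# only for the fallback epel-release RPM.
install_prereqs() {
    yum -y install epel-release || rpm -ivh "$(epel_rpm_url "$1")"
    yum -y install autoconf libtool openssl-devel
    yum -y install file-devel jansson jansson-devel     # for --enable-magic / --enable-cuckoo
    yum -y install python36 python36-devel
}

# The build steps (run as an unprivileged user). Stops early if a build
# dependency is missing, and saves the make check output for the summary check.
build_yara() {
    packages_installed autoconf libtool openssl-devel file-devel jansson-devel || {
        echo "missing build dependency; run '$0 install' as root first" >&2
        return 1
    }
    tar xzvf "yara-${YARA_VERSION}.tar.gz" || return 1
    cd "yara-${YARA_VERSION}" || return 1
    ./bootstrap.sh && ./configure --enable-cuckoo --enable-magic && make && sudo make install || return 1
    make check 2>&1 | tee ../yara-check.log
    check_testsuite_summary ../yara-check.log
}

# Post-install smoke test: a one-string rule against a file that contains it
# should produce exactly one match line ("<rule> <file>").
smoke_test() {
    d=$(mktemp -d)
    printf 'rule installed_ok { strings: $s = "hello yara" condition: $s }\n' > "$d/test.yar"
    printf 'some bytes then hello yara then more\n' > "$d/sample.txt"
    yara --version && yara "$d/test.yar" "$d/sample.txt" | grep -q '^installed_ok '
}

case "${1:-}" in
    install) install_prereqs "$(major_from_release_string "$(cat /etc/centos-release)")" ;;
    build)   build_yara ;;
    check)   check_testsuite_summary "${2:-yara-check.log}" && echo "make check summary: all tests passed" ;;
    smoke)   smoke_test && echo "yara runs and matches" ;;
    dry-run) check_testsuite_summary "$(sample_summary_file)" && echo "sample summary parses as all-pass" ;;
    *)       : ;;   # no subcommand: just define the functions (e.g. when sourced or tested)
esac
```

Run `sh yara-centos.sh install` as root, then `sh yara-centos.sh build` as a normal user from the directory holding the tarball; `dry-run` exercises the summary parser on the constructed sample without touching the system, and `smoke` confirms the installed binary actually matches a rule. The package list follows the post; on CentOS 7 the flex, bison and byacc packages mentioned in the comment below may be needed as well.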
1 comment:
Also needed to install some additional lexers for make to work (CentOS 7):
sudo yum install flex bison byacc
or just `sudo yum group install "Development Tools"`