https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/yara-rules-error/m-p/535507#M1930 <P>I think the issue here is the arguments.&nbsp;</P> <P>&nbsp;</P> <P>The yaraRule parameter is supposed to be a raw YARA rule, and the entryIDs parameter is a list of files to evaluate with the yara rule. (ie, the files which may or may not match a rule) In normal usage I wouldn't expect any of the entryIDs to be a .yar file, and the rule name on it's own will not compile as a valid yara rule.</P> <P>&nbsp;</P> <P>If you need to use arbitrary rules inside yar files you'll need to read the data from the yar file first, then pass it to YaraScan eg with a wrapper script.</P> Thu, 23 Mar 2023 00:20:07 GMT chrking 2023-03-23T00:20:07Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/yara-rules-error/m-p/535231#M1920 <P>Hi,</P> <P>&nbsp;</P> <P>Trying to use yarascan automation from yara pack on marketplace, always receiving "HasMatch: false"</P> <P>&nbsp;</P> <P>Here it goes the printscreen with the command and the contextdata showing the entryid</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FabioFerreira_0-1679411632399.png" style="width: 764px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48924i7F64BE36966BD7BE/image-dimensions/764x188/is-moderation-mode/true?v=v2" width="764" height="188" role="button" title="FabioFerreira_0-1679411632399.png" alt="FabioFerreira_0-1679411632399.png" /></span></P> <P>&nbsp;</P> <P>The content has that rule</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FabioFerreira_1-1679411743582.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48925i58044E03C4EBB5DB/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="FabioFerreira_1-1679411743582.png" alt="FabioFerreira_1-1679411743582.png" /></span></P> <P>&nbsp;</P> <P>Could you help?</P> <P>&nbsp;</P> <P>Regards,</P> <P>Fábio</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 21 Mar 2023 15:17:11 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/yara-rules-error/m-p/535231#M1920 FabioFerreira 2023-03-21T15:17:11Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/yara-rules-error/m-p/535318#M1922 <P>In the context I see the yara file, What you are trying to accomplish is scan a file with a YARA rule to figure out if it matches right?</P> <P>&nbsp;</P> <P>Try with the below YARA rule. This will come true for any file.&nbsp;</P> <P>&nbsp;</P> <P><EM>rule match_any_file { <SPAN class="hljs-keyword">condition</SPAN>: <SPAN class="hljs-literal">true</SPAN> }</EM></P> <P>&nbsp;</P> <P>Let me know if it works, we'll try to troubleshoot further</P> Wed, 22 Mar 2023 07:13:34 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/yara-rules-error/m-p/535318#M1922 vidurasupun 2023-03-22T07:13:34Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/yara-rules-error/m-p/535382#M1926 <P>Hi,</P> <P>&nbsp;</P> <P>I changed the yara file and added the following</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FabioFerreira_1-1679482569709.png" style="width: 591px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48948iF4FBE4398D9A239A/image-dimensions/591x127/is-moderation-mode/true?v=v2" width="591" height="127" role="button" title="FabioFerreira_1-1679482569709.png" alt="FabioFerreira_1-1679482569709.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>And tried again with the same issue</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FabioFerreira_2-1679482960134.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48953i84E99E0EDFAEF0C1/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="FabioFerreira_2-1679482960134.png" alt="FabioFerreira_2-1679482960134.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Regards,</P> <P>Fábio Ferreira</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 22 Mar 2023 11:02:58 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/yara-rules-error/m-p/535382#M1926 FabioFerreira 2023-03-22T11:02:58Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/yara-rules-error/m-p/535507#M1930 <P>I think the issue here is the arguments.&nbsp;</P> <P>&nbsp;</P> <P>The yaraRule parameter is supposed to be a raw YARA rule, and the entryIDs parameter is a list of files to evaluate with the yara rule. (ie, the files which may or may not match a rule) In normal usage I wouldn't expect any of the entryIDs to be a .yar file, and the rule name on it's own will not compile as a valid yara rule.</P> <P>&nbsp;</P> <P>If you need to use arbitrary rules inside yar files you'll need to read the data from the yar file first, then pass it to YaraScan eg with a wrapper script.</P> Thu, 23 Mar 2023 00:20:07 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/yara-rules-error/m-p/535507#M1930 chrking 2023-03-23T00:20:07Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/yara-rules-error/m-p/536487#M1942 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/208030">@chrking</a>&nbsp;,</P> <P>&nbsp;</P> <P>Got it.</P> <P>Thank you for your help.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Fábio Ferreira</P> Sun, 26 Mar 2023 20:39:06 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/yara-rules-error/m-p/536487#M1942 FabioFerreira 2023-03-26T20:39:06Z