invalid field name "imphash"

[dbarzin]

I have this error when starting Pandora :

2022-06-28 08:12:08,023 yara INFO:Initializing yara-1
2022-06-28 08:12:08,024 yara INFO:Initializing yara-2
2022-06-28 08:12:08,024 yara_signature_base INFO:Initializing yara_signature_base-1
2022-06-28 08:12:08,038 yara_signature_base CRITICAL:Unable to initialize rules: /home/didier/pandora/yara_repos/signature-base/yara/apt_tick_weaponized_usb.yar(34): invalid field name "imphash"
2022-06-28 08:12:08,038 yara_signature_base INFO:Initializing yara_signature_base-2
2022-06-28 08:12:08,046 yara_signature_base CRITICAL:Unable to initialize rules: /home/didier/pandora/yara_repos/signature-base/yara/apt_tick_weaponized_usb.yar(34): invalid field name "imphash"

[Rafiot]

You have a few options to solve this problem:

• use ubuntu 22.04
• compile yara manually and reinstall yara python
• disable the yara_signature_base module by removing yara_signature_base.yml

[dbarzin]

As I user Ubuntu 22.04, I have disabled the yara_signature_base module.

[Rafiot]

Hmm, that's weird, the version of yara should work fine on 22.04. I'll investigate.

[Foxi352]

I can confirm Didier's findings. I installed on brand new Ubuntu 22.04 VM exactly following your readme.md and have the same result, except for a different .yar file:

2022-06-30 10:32:43,700 yara_signature_base INFO:Initializing yara_signature_base-1
2022-06-30 10:32:43,905 yara_signature_base CRITICAL:Unable to initialize rules: /opt/pandora/yara_repos/signature-base/yara/gen_mimikatz.yar(149): invalid field name "imphash"
2022-06-30 10:32:43,905 yara_signature_base INFO:Initializing yara_signature_base-2
2022-06-30 10:32:43,947 yara_signature_base CRITICAL:Unable to initialize rules: /opt/pandora/yara_repos/signature-base/yara/gen_mimikatz.yar(149): invalid field name "imphash"

[Rafiot]

Can you try what is listed here: VirusTotal/yara-python#179

There might be a missing dependency in the install guide.

Weirdly enough, the worker starts fine in the github action, so if thatś the problem, the dependency is installed there: https://github.com/pandora-analysis/pandora/runs/7116339334?check_suite_focus=true#step:9:281

[dbarzin]

To fix :

pip install yara-python

[Rafiot]

This is weird, yara-python is in the pyproject.toml file. Did you install the project with poetry install?

[dbarzin]

Yes, I have. Le mar. 5 juil. 2022 à 22:30, Raphaël Vinot ***@***.***> a écrit :

…

This is weird, yara-python is in the pyproject.toml file. Did you install the project with poetry install? — Reply to this email directly, view it on GitHub <#77 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AKJU4KHIYDLUANQFHX6RLNDVSSLNJANCNFSM52BHY4BA> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[Rafiot]

and you ran pip install yara-python from inside the virtualenv (after running poetry shell)?

[dbarzin]

I do not have installed yara-python from the virtualenv

[Foxi352]

@Rafiot I did a new clean install as per your readme instructions, only without the apparmor part for now.
But before installing and running poetry, i did sudo apt install libssl-dev as found in the link you provided VirusTotal/yara-python#179 (comment)

This seems to solve the problem

2022-07-06 07:20:24,243 yara INFO:Initializing yara-1
2022-07-06 07:20:24,283 yara INFO:Initializing yara-2
2022-07-06 07:20:24,288 yara_signature_base INFO:Initializing yara_signature_base-1
2022-07-06 07:20:25,263 yara_signature_base INFO:Initializing yara_signature_base-2

[Rafiot]

nice, good catch!