
[BUG] "compiling_error_syntax_/etc/strelka/yara/rules/malware/MALW_Torte_ELF.yar(31): undefined identifier "is__elf"" #474

Open
wl380zxh opened this issue Oct 14, 2024 · 1 comment
Labels: bug (Something isn't working)

Comments

@wl380zxh

Trying to do everything according to the instructions (QuickStart in the documentation).
Everything works fine except the YARA rules. The base YARA rule repo is not working OOTB, failing with the following error: "compiling_error_syntax_/etc/strelka/yara/rules/malware/MALW_Torte_ELF.yar(31): undefined identifier "is__elf""

Even turning off this rule pack does not make it work.

(Screenshot of the error attached to the issue.)

@wl380zxh wl380zxh added the bug Something isn't working label Oct 14, 2024
@phutelmyer phutelmyer assigned skalupa and unassigned phutelmyer Oct 14, 2024
@GlennHD

GlennHD commented Dec 23, 2024

This is because of the default settings in configs/python/backend/backend.yaml. Under 'ScanYara', the location should be set to the rules.yara file. This should prevent Strelka from attempting to recursively compile all Yara files individually without their required imports. Example below. After making this change, just bounce your docker container for it to take effect.

  'ScanYara':
    - positive:
        flavors:
          - "*"
      priority: 5
      options:
        location: "/etc/strelka/yara/rules.yara"
        compiled:
          enabled: True
          filename: "/etc/strelka/yara/rules.compiled"
        category_key: "scope"
        categories:
          collection:
            show_meta: False
          detection:
            show_meta: True
          information:
            show_meta: False
        meta_fields:
          - "author"
          - "description"
          - "hash"
          - "intel"
        show_all_meta: False
        store_offset: True
        offset_meta_key: "StrelkaHexDump"
        offset_padding: 32

Alternatively, you can delete the rules.yara file and just opt for the significantly faster compiled rules.

# create an empty file for the Docker bind mount (required!)
sudo touch configs/python/backend/yara/rules.compiled

# give the strelka container user (run `id` from within the container to get the uid) permission to generate rules.compiled
sudo chown 1001:docker configs/python/backend/yara/rules.compiled

# modify whichever docker-compose.yaml you are using and add the rules.compiled file as a bind mount
nano build/docker-compose.yaml
...
  backend:
    build:
      context: ..
      dockerfile: build/python/backend/Dockerfile
    command: strelka-backend
    shm_size: 512mb  # increase as necessary, required for some scanners
    networks:
      - net
    volumes:
      - ../configs/python/backend/:/etc/strelka/:ro
      - ../configs/python/backend/yara/rules.compiled:/etc/strelka/yara/rules.compiled:rw
    restart: unless-stopped
    depends_on:
      - coordinator
...

Finally, just bounce your containers and then once the backend container is up, exec into it and compile your rules using the container to ensure there are no complications.

docker exec -it strelka-backend-1 /bin/bash -c "yarac -w /etc/strelka/yara/rules_compileme.yara /etc/strelka/yara/rules.compiled"

I am not responsible if any of this breaks your SOC.
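The error in this issue comes from compiling a rule file on its own when it references a rule (here `is__elf`) that lives in another file. A small pre-check for that situation, as an added example that is not part of this issue or of Strelka's code; the two rule files are constructed samples and the function names are mine:

```python
import re
from typing import Dict, Optional

# Constructed sample rule files (not Strelka's own): the second file uses
# is__elf, which only the first defines, so compiling it on its own fails.
SAMPLE_FILES = {
    "common.yar": "private rule is__elf {\n  condition:\n    uint32(0) == 0x464c457f\n}\n",
    "malware/MALW_Torte_ELF.yar": (
        "rule MALW_Torte_ELF {\n  strings:\n    $s1 = \"torte\" ascii\n"
        "  condition:\n    is__elf and all of them\n}\n"
    ),
}

RULE_DEF = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+(\w+)", re.M)
CONDITION = re.compile(r"condition:\s*(.*?)(?=^\s*\}|\Z)", re.M | re.S)
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
# Operators, built-ins and loop syntax that legally appear in a condition
KEYWORDS = {
    "and", "or", "not", "any", "all", "none", "of", "them", "for", "in", "at",
    "true", "false", "contains", "icontains", "matches", "startswith", "endswith",
    "filesize", "entrypoint", "int8", "int16", "int32", "uint8", "uint16",
    "uint32", "int8be", "int16be", "int32be", "uint8be", "uint16be", "uint32be",
}

def rule_refs(text: str) -> set:
    """Identifiers a file's conditions reference that look like rule names."""
    refs = set()
    for cond in CONDITION.findall(text):
        cond = re.sub(r"//[^\n]*|/\*.*?\*/", "", cond, flags=re.S)  # comments
        cond = re.sub(r'"[^"]*"', "", cond)                         # string literals
        cond = re.sub(r"[$#@!][\w*]*", "", cond)                     # $s1, #s1, @s1, !s1
        cond = re.sub(r"\b\w+(?:\.\w+)+", "", cond)                  # pe.is_pe etc.
        refs.update(i for i in IDENT.findall(cond) if i not in KEYWORDS)
    return refs

def cross_file_refs(files: Dict[str, str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Map file -> {identifier: file defining it, or None if defined nowhere}.
    Any file listed here cannot be compiled in isolation by YARA."""
    defined = {f: set(RULE_DEF.findall(t)) for f, t in files.items()}
    provider = {name: f for f, names in defined.items() for name in names}
    report = {}
    for f, text in files.items():
        missing = {i: provider.get(i) for i in rule_refs(text) - defined[f]}
        if missing:
            report[f] = missing
    return report

if __name__ == "__main__":
    for f, deps in cross_file_refs(SAMPLE_FILES).items():
        for ident, src in deps.items():
            print(f"{f}: '{ident}' {'defined in ' + src if src else 'undefined everywhere'}")
```

Run it over the rules directory before pointing Strelka at a single index file: a file with a dependency defined elsewhere needs the index file (or an include) to compile, and an identifier defined nowhere is a genuine rule bug.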
