Linux-Explorer - Live Forensics Toolbox

Issue: (Exception: error: YARA not installed solution)

Hello guys, the other day I was testing some DFIR tools and I came across this Linux live forensics tool called linux-explorer. The reason why I am writing this tutorial is the lack of documentation or tutorials on the internet that help people with common issues you might encounter during installation. I spent quite some time trying to find a solution for an issue I encountered and I want to show you guys how I solved it; hopefully this might save you some time.

Linux Explorer is an easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask.

The link to the GitHub repo: https://github.com/intezer/linux-explorer

This tool can be used to get information from a Linux host, such as:

process list, inspect a process memory map & fetch memory strings easily, dump process memory in one click, automatically search a hash in public services, users list, etc.

Other capabilities include: scan a file or directory using YARA signatures by @Neo23x0, scan a running process memory address space, upload your own YARA signature.

### Installation

git clone https://github.com/intezer/linux-explorer.git

This will clone the repository to your local machine.

Before installing the tool itself, make sure the two external programs it wraps are installed:

1) YARA
2) chkrootkit

On an Ubuntu machine you can install these by:

sudo apt install yara
sudo apt install chkrootkit

Now cd into the repo:

cd linux-explorer/

The repository has a requirement.txt file that specifies all the Python modules needed for this to work, so go ahead and install them by:

pip install -r requirement.txt

Now start the script by:

./start_server.sh

This script deploys linux_explorer.py for you.

This is where I encountered an error:

Traceback (most recent call last):
File "linux_explorer.py", line 21, in <module>
toolbox = dict({'yara': tools.YARA(),
File "/home/linux_expl0rer/tools.py", line 16, in __init__
raise Exception('error: %s not installed' % self.__class__.__name__)
Exception: error: YARA not installed

Interesting, I installed YARA but I still got the error. I tried searching to find a solution for this error but eventually, after snooping through all the clutter, I gave up and decided to read the source code.

import os  # tools.py imports this at the top; shown here so the excerpt is self-contained

class YARA(Tool):  # Tool is the project's base class, defined earlier in tools.py
  def _is_installed(self):
    # the installation check only looks at one hard-coded path
    return os.path.isfile('/usr/bin/yara')

  def set_cmdline(self, rule_file, dir='/', recursive=True, pid=None):
    if pid:
      # scan the memory of a running process
      self._proc_cmdline = ['/usr/bin/yara', rule_file, pid]
    else:
      # scan a file or directory; the post's copy of this line is cut off after "els",
      # the non-recursive branch [rule_file, dir] is assumed from yara's usage
      self._proc_cmdline = ['/usr/bin/yara'] + (['-r', rule_file, dir] if recursive else [rule_file, dir])

So this code is looking for yara at the predefined location /usr/bin/yara, both in the installation check and in the command lines it builds.

Let's see where our yara is actually installed:

find / -name yara 2> /dev/null

In the result I noticed that yara is installed in:

/usr/local/bin/yara

Okay!! So now we just have to edit the code to point to the correct location on our OS. The path appears three times in the class (once in _is_installed and twice in set_cmdline), so all three have to be changed.

Now the source code looks as follows:

import os  # tools.py imports this at the top; shown here so the excerpt is self-contained

class YARA(Tool):  # Tool is the project's base class, defined earlier in tools.py
  def _is_installed(self):
    # now points at the location find reported on this machine
    return os.path.isfile('/usr/local/bin/yara')

  def set_cmdline(self, rule_file, dir='/', recursive=True, pid=None):
    if pid:
      # scan the memory of a running process
      self._proc_cmdline = ['/usr/local/bin/yara', rule_file, pid]
    else:
      # scan a file or directory; the post's copy of this line is cut off after "els",
      # the non-recursive branch [rule_file, dir] is assumed from yara's usage
      self._proc_cmdline = ['/usr/local/bin/yara'] + (['-r', rule_file, dir] if recursive else [rule_file, dir])
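Hard-coding a single path is what broke here, so a more robust version of the same check, added as an example that is not linux-explorer's own code, looks for the binary in a short list of trusted directories first and only then falls back to PATH. The `candidate_dirs`, `is_executable` and `which` parameters are my own additions so the lookup can be tested without yara present; `yara_cmdline` mirrors the argument layout of the project's set_cmdline.

```python
import os
import shutil

# The two locations seen in this post: apt puts yara in /usr/bin,
# a source build (make install) puts it in /usr/local/bin.
CANDIDATE_DIRS = ('/usr/bin', '/usr/local/bin')


def _default_is_executable(path):
    return os.path.isfile(path) and os.access(path, os.X_OK)


def locate_yara(candidate_dirs=CANDIDATE_DIRS, is_executable=None, which=None):
    """Return the path of an executable 'yara', or None if none is found.

    Trusted system directories are checked before PATH so that a writable
    directory earlier in the caller's PATH cannot shadow the real binary.
    is_executable and which are injectable for testing (assumed helpers).
    """
    is_executable = is_executable or _default_is_executable
    which = which or shutil.which
    for directory in candidate_dirs:
        path = os.path.join(directory, 'yara')
        if is_executable(path):
            return path
    return which('yara')


def yara_cmdline(yara_path, rule_file, target='/', recursive=True, pid=None):
    """Build the argv for a scan, same shape as set_cmdline() in tools.py."""
    if yara_path is None:
        # same message the tool raises, but only after a real search
        raise RuntimeError('error: YARA not installed')
    if pid is not None:
        return [yara_path, rule_file, str(pid)]      # scan process memory
    if recursive:
        return [yara_path, '-r', rule_file, target]  # walk a directory tree
    return [yara_path, rule_file, target]            # single file or directory


if __name__ == '__main__':
    found = locate_yara()
    print('yara binary:', found)
    print(yara_cmdline(found, 'rules.yar', '/tmp'))
```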

Now start the script again; it should work, and you can open the browser view with:

start firefox http://127.0.0.1:8080
Written on June 17, 2020