
Yara config for multiple paths is not parsing correctly in platform #274

syloktools opened this issue Jun 6, 2018 · 7 comments

@syloktools
Contributor


Request Type

Bug

Work Environment


| Question | Answer |
| --- | --- |
| OS version (server) | Ubuntu |
| Cortex Analyzer Name | Yara |
| Cortex Analyzer Version | 1.10.1 |
| Cortex Version | 2.0.4 |
| Browser type & version | If applicable |

Rules path is not parsing correctly in the latest version.


@3c7
Contributor

3c7 commented Jun 6, 2018

This is due to a change in the Yara configuration items. It was not using the path item correctly, because it expected a list. Now Cortex is pushing the available configuration in the list form. You just have to re-enter the path. (If you disable and re-enable the analyzer, you don't have to clear every list item.)

Ref: #245

@syloktools
Contributor Author

I tried to disable and re-enable. The config stayed. Also, it will not let me remove the items or add more in the global config or the individual one.

@3c7
Contributor

3c7 commented Jun 6, 2018

That is quite strange. I had the same issue, but was able to just enter the correct path and could keep on using the analyzer. Need to think about that.

@syloktools
Contributor Author

Where is the config path saved? ElasticSearch? Can I just manually delete that record?

@syloktools
Contributor Author

I was able to do this to delete the config for the Yara analyzer and start over.

```shell
curl -X POST "localhost:9200/cortex_1/analyzerConfig/_delete_by_query" -H 'Content-Type: application/json' -d'
{
  "query": {
    "match": {
      "config" :"{\"rules\":\"/opt/Cortex-Analyzers/analyzers/Yara/rules/\"}"
    }
  }
}'
```
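The stale record above stores the Yara `rules` item as a single path string, while the analyzer (per the maintainer's comment) now expects a list. As an added example, not part of this thread or of Cortex itself, the following script detects that string-form config in a fetched Elasticsearch hit, produces the list-form config an operator would re-enter, and builds the same `_delete_by_query` body used above. The record layout (`_index`, `_type`, `_id`, `_source.name`) is an assumption; only the `config` value comes from the thread.

```python
import json

# Constructed sample of a stale Cortex analyzerConfig hit. Only the "config"
# string is taken from the thread; the surrounding fields are assumed.
STALE_RECORD = {
    "_index": "cortex_1",
    "_type": "analyzerConfig",
    "_id": "example-id",  # constructed placeholder, not a real document id
    "_source": {
        "name": "Yara",
        "config": "{\"rules\":\"/opt/Cortex-Analyzers/analyzers/Yara/rules/\"}",
    },
}


def needs_migration(record):
    """True when the stored Yara config still keeps 'rules' as a bare string."""
    cfg = json.loads(record["_source"]["config"])
    return isinstance(cfg.get("rules"), str)


def migrate_config(config_str):
    """Return the config JSON with 'rules' normalised to list form.

    Idempotent: a list is left alone, a string is wrapped, a missing key
    becomes an empty list; any other type is rejected rather than guessed.
    """
    cfg = json.loads(config_str)
    rules = cfg.get("rules", [])
    if isinstance(rules, str):
        rules = [rules]
    elif not isinstance(rules, list):
        raise ValueError("unexpected type for 'rules': %s" % type(rules).__name__)
    cfg["rules"] = rules
    return json.dumps(cfg, separators=(",", ":"))


def delete_by_query_body(config_str):
    """Body for the _delete_by_query call from the thread, matching one stale record."""
    return {"query": {"match": {"config": config_str}}}


if __name__ == "__main__":
    src = STALE_RECORD["_source"]["config"]
    print("needs migration:", needs_migration(STALE_RECORD))
    print("list-form config:", migrate_config(src))
    print(json.dumps(delete_by_query_body(src), indent=2))
```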

@syloktools
Contributor Author

It was successful.

@3c7
Contributor

3c7 commented Jun 7, 2018

Glad it worked and thanks for sharing your solution. I don't understand why you weren't able to delete it in the UI.
