Skip to main content
Version: Spectra Detect 5.2.1

YARA sync

The YARA Sync page (Administration ‣ YARA Synchronization) allows users to easily track the status of YARA ruleset synchronization between connected appliances, and trigger a manual synchronization if rules are not up-to-date. The Manager stores all synchronized rules in a local database and becomes the single source of truth for all connected appliances.

When YARA ruleset synchronization is enabled, the YARA Sync page displays a table of all appliances connected to the Manager and their YARA ruleset synchronization status. Any connected Spectra Analyze appliances must have YARA Synchronization enabled (Administration ‣ Spectra Detect Manager ‣ General ‣ Synchronization) to properly display the current status and synchronize rulesets.

Appliances can show one of the following statuses:

  • InSync
  • OutOfSync
  • Error
  • Unavailable
  • PendingNew
  • Disabled
  • NoRules

Workers poll the Manager for rule changes every minute. Spectra Analyze appliances push new rules to the Manager as soon as they are created, and pull new rules every 5 minutes. Appliances that are Not In Sync can be manually synchronized at any time by clicking the Start YARA Sync button in the far right column of the table.

Rulesets created on Spectra Analyze appliances before YARA synchronization was enabled will not synchronize to the Manager until the user changes their status or modifies them in any way. Rules present on the Manager, however, will synchronize to newly connected Spectra Analyze appliances regardless of when they were created.

Apart from new rulesets, changes in existing rulesets will be synchronized as well. If a ruleset is disabled or deleted on one appliance, its status will be distributed to other appliances.

In case of Workers, disabled rulesets will be removed until re-enabled on another appliance. When enabled again, rulesets will be synchronized on the Worker as if they have been newly created.

Since all rulesets have owners, their user accounts will be mirrored to other connected appliances, but won’t be able to log into that instance until an administrator enables their account by assigning it a password.

YARA Ruleset Restrictions

  • Naming restrictions:
    • YARA ruleset names must be between 3 and 48 characters.
    • The underscore ( _ ) should be used instead of spaces, and any other special characters should be avoided. Ruleset names should only use numbers (0-9) and a-z/A-Z letters.
  • Ruleset size restrictions:
    • A ruleset file should not be larger than 4 MB.
    • A ruleset file should not contain more than 5000 individual rules.
    • A ruleset larger than 1 MB (1048576 bytes) cannot be saved and run in the Spectra Intelligence cloud.
  • File size restrictions:
    • YARA rulesets on Spectra Analyze are not applied to files larger than 700 MB.

Only rules that have been successfully compiled on Spectra Analyze can be synchronized.