yara clarifications

Lee Chagolla-Christensen · Lee Chagolla-Christensen · commit e7adf3d2e320 · 2026-02-03T22:02:17.000-08:00
diff --git a/compose.yaml b/compose.yaml
@@ -238,9 +238,9 @@ services:
       interval: 5s
       timeout: 5s
       retries: 5
-    volumes:
-      # Uncomment the following line to use custom YARA rules
-      - ./libs/file_enrichment_modules/yara_rules/prod/:/yara_rules/:ro
+    volumes: []
+      # Uncomment the following line to use custom YARA rules (*.yar/*.yara files)
+      # - ./libs/file_enrichment_modules/yara_rules/prod/:/yara_rules/:ro
     environment: &file-enrichment-environment
       ENABLE_PII_DETECTION: ${ENABLE_PII_DETECTION:-false}
       PII_DETECTION_THRESHOLD: ${PII_DETECTION_THRESHOLD:-0.7}
diff --git a/docs/yara.md b/docs/yara.md
@@ -20,6 +20,8 @@ After rule creation, click the (now) green "Reload Yara Engine" button to ensure
 
 If you want to change the default set of rules _without_ having to add rules on each deployment, add a new yara file to `./libs/file_enrichment_modules/yara_rules/dev/` for development or `./libs/file_enrichment_modules/yara_rules/prod/` for production.
 
+**Note:** Rule files must use a `.yar` or `.yara` extension to be loaded. Files with other extensions (e.g., `.txt`) will be ignored. The example production rules shipped in `./libs/file_enrichment_modules/yara_rules/prod/` are distributed as `.txt` files and must be renamed to `.yar` or `.yara` before they will be picked up.
+
 ### Editing Existing Rules
 
 To edit an existing rule, click the "Edit Rule" button under actions, modify the rule as wanted, and click "Save":
diff --git a/libs/file_enrichment_modules/file_enrichment_modules/yara/yara_manager.py b/libs/file_enrichment_modules/file_enrichment_modules/yara/yara_manager.py
@@ -58,7 +58,7 @@ async def _process_disk_rules(self):
             disk_sources = {}
             disk_rules = {}  # Store rule name to content mapping
 
-            # First load and parse all disk rules
+            # First load and parse all disk rules (only .yar and .yara extensions are supported)
             yara_file_paths = glob.glob(f"{YARA_RULES_FOLDER_PATH}**/*.yar*", recursive=True)
             for path in yara_file_paths:
                 logger.info("Loading yara rules from disk", path=path)
diff --git a/libs/file_enrichment_modules/yara_rules/prod/NOTE.txt b/libs/file_enrichment_modules/yara_rules/prod/NOTE.txt
@@ -0,0 +1,6 @@
+YARA rule files in this directory must use a .yar or .yara extension to be
+loaded by the engine. The example rules are distributed as .txt files and
+must be renamed before they will be picked up.
+
+You must also uncomment the volume mount in compose.yaml for the
+file-enrichment service to mount this directory into the container.
