Can't open include file when compiling multiple rules
- Check out https://github.com/Yara-Rules/rules (this also happens with other rulesets, but this is convenient to demonstrate the issue)
- from the rules directory, run `rules = yara.compile('./malware_index.yar')`
Yara raises a syntax error:

```
File "yara-python-test.py", line 3, in <module>
rules = yara.compile('./malware_index.yar')
yara.SyntaxError: ././malware/MALW_AZORULT.yar(377): can't open include file: ./malware/TOOLKIT_exe2hex_payload.yar
```
The rule MALW_AZORULT.yar doesn't refer to the exe2hex payload rule:
```yara
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "cuckoo"

rule Windows_Malware : Azorult_V2
{
    meta:
        author = "Xylitol [email protected]"
        date = "2017-09-30"
        description = "Match first two bytes, strings, and parts of routines present in Azorult"
        reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4819&p=30867"
        // May only the challenge guide you
    strings:
        $mz = {4D 5A}
        $string1 = "ST234LMUV56CklAopq78Brstuvwxyz01NOPQRmGHIJKWXYZabcdefgDEFhijn9+/" wide ascii // Azorult custom base64-like alphabet
        $string2 = "SYSInfo.txt"
        $string3 = "CookieList.txt"
        $string4 = "Passwords.txt"
        $constant1 = {85 C0 74 40 85 D2 74 31 53 56 57 89 C6 89 D7 8B 4F FC 57} // Azorult grabs .txt and .dat files from Desktop
        $constant2 = {68 ?? ?? ?? ?? FF 75 FC 68 ?? ?? ?? ?? 8D 45 F8 BA 03 00} // Portion of code from Azorult self-delete function
    condition:
        ($mz at 0 and all of ($string*) and ($constant1 or $constant2) or cuckoo.sync.mutex(/Ad48qw4d6wq84d56as|Adkhvhhydhasdasashbc/))
}
```
Running the same command with yara itself works fine (albeit with warnings):

```
yarac malware_index.yar malware_index
./malware/APT_DPRK_ROKRAT.yar(43): warning: $b2 in rule ROKRAT_loader is slowing down scanning
./malware/MALW_IcedID.yar(18): warning: $magic1 in rule IceID_Bank_trojan is slowing down scanning
./malware/Operation_Blockbuster/sharedcode.yara(155): warning: $a in rule DynamicAPILoading is slowing down scanning
./malware/Operation_Blockbuster/sharedcode.yara(181): warning: $a in rule DNSCalcStyleEncodeAndDecode is slowing down scanning
./malware/RAT_DarkComet.yar(123): warning: $data contains .* or .+, consider using .{,N} or .{1,N} with a reasonable value for N
```
On a different machine, I get the same error but with different files. If I remove the MALW_AZORULT.yar file I get the same error with a different rule each time. This error also happens with https://github.com/Neo23x0/signature-base
The workaround I've used for this is to just use absolute paths in your include files; the yara-python parser doesn't like relative paths. So switch from `./malware/MALW_AZORULT.yar` to `/path/to/rules/malware/MALW_AZORULT.yar` until there is some fix.
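As an added example (not code from this thread or from the yara-python project), here is a small helper that applies the workaround above mechanically: it rewrites every relative `include "..."` directive in an index file to an absolute path resolved against the index file's own directory, writes the result to a temporary sibling file, and hands that file to `yara.compile(filepath=...)`. The `SAMPLE_INDEX` content is constructed for the demo and is not the real `malware_index.yar`; the rewriting itself runs without yara-python installed, which is only imported inside `compile_with_absolute_includes`.

```python
import os
import re
import tempfile

# Matches one include directive per line, e.g.  include "./malware/MALW_AZORULT.yar"
INCLUDE_RE = re.compile(r'^(\s*include\s+")([^"]+)(")', re.MULTILINE)

# Constructed sample index (not the real malware_index.yar): two relative
# includes like the ones in the thread plus one that is already absolute.
SAMPLE_INDEX = (
    'include "./malware/MALW_AZORULT.yar"\n'
    'include "./malware/TOOLKIT_exe2hex_payload.yar"\n'
    'include "/opt/rules/extra/ALREADY_ABSOLUTE.yar"\n'
)


def absolutize_includes(index_source, index_dir):
    """Return index_source with every relative include path resolved against
    index_dir (the directory holding the index file).  Paths that are already
    absolute are left untouched, so running this twice is harmless."""
    def repl(match):
        head, path, tail = match.groups()
        if os.path.isabs(path):
            return match.group(0)
        resolved = os.path.normpath(os.path.join(index_dir, path))
        return head + resolved + tail
    return INCLUDE_RE.sub(repl, index_source)


def write_absolute_index(index_path):
    """Read the index file, rewrite its includes and store the result in a
    temporary file next to the original.  Returns the temporary file's path;
    the caller deletes it once compilation is done."""
    index_path = os.path.abspath(index_path)
    index_dir = os.path.dirname(index_path)
    with open(index_path, encoding="utf-8") as fh:
        rewritten = absolutize_includes(fh.read(), index_dir)
    fd, out_path = tempfile.mkstemp(prefix="abs_", suffix=".yar", dir=index_dir)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(rewritten)
    return out_path


def compile_with_absolute_includes(index_path):
    """Compile an index through yara-python using the rewritten copy.
    yara is imported lazily so the rewriting helpers work without it."""
    import yara  # yara-python; assumed to be installed only for this function
    tmp_index = write_absolute_index(index_path)
    try:
        return yara.compile(filepath=tmp_index)
    finally:
        os.unlink(tmp_index)


def demo_on_disk():
    """Write SAMPLE_INDEX into a throwaway directory, run the rewrite and
    return the rewritten text, so the on-disk path can be exercised offline."""
    with tempfile.TemporaryDirectory() as workdir:
        index_path = os.path.join(workdir, "malware_index.yar")
        with open(index_path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_INDEX)
        out_path = write_absolute_index(index_path)
        with open(out_path, encoding="utf-8") as fh:
            return fh.read()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. python absolutize.py ./malware_index.yar
        print("compiled:", compile_with_absolute_includes(sys.argv[1]))
    else:
        print(demo_on_disk())
```

The temporary copy is written into the same directory as the original index so that any includes nested inside the included rule files resolve exactly as they would for the original; only the top-level index is rewritten here, so a ruleset whose sub-files themselves use relative includes may still need the same treatment applied to those files.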
Same bug here, and somehow all the rules that are triggering this issue are rules using androguard. Any clue where that could come from?
I was also running into this issue and started playing around with MALW_AZORULT.yar. When compiling it alone, I got an error about not being able to find cuckoo. My problem was related to #28.
The solution for me was to re-install with:

```
pip install --global-option="build" --global-option="--enable-cuckoo" --global-option="--enable-magic" yara-python
```