# fleet
j
Hi everyone, the documentation at https://osquery.readthedocs.io/en/stable/deployment/yara/#retrieving-yara-rules-at-runtime says that I can not only deploy YARA rules by putting rule files in the correct location, but also:

> to manage your YARA rules in one location, and have the `yara` table fetch those rules at runtime

However, the documentation suggests that the rules fetched at runtime can only be used by directly referencing them in an SQL query. What I'd rather do is put them all together in one signature group below the `signatures:` key and use that just like local signatures. I'm thinking of something like:
```json
{
  // Description of the YARA feature.
  "yara": {
    "signatures": {
      // Each key is an arbitrary group name to give the signatures listed
      "sig_group_1": [ "/Users/wxs/sigs/foo.yar", "/Users/wxs/sigs/bar.yar" ],
      "sig_group_2":
        //////////////// 8>< /////////////////   HERE !!!   //////////////// ><8 /////////////////
        "signature_urls": [
          "https://raw.githubusercontent.com/Yara-Rules/rules/master/cve_rules/CVE-2010-0805\\.yar",
          "https://raw.githubusercontent.com/Yara-Rules/rules/master/crypto/crypto_signatures\\.yar",
          "https://raw.githubusercontent.com/Yara-Rules/rules/master/malware/APT_APT3102\\.yar",
          "https://raw.githubusercontent.com/Yara-Rules/rules/devel/CVE_Rules/CVE-.*"
        ]
    },
    "file_paths": {
      // Each key is a key from file_paths
      // The value is a list of signature groups to run when an event fires
      // These will be watched for and scanned when the event framework
      // fires off an event to the yara_events table
      "system_binaries": [ "sig_group_1" ],
      "tmp": [ "sig_group_1", "sig_group_2" ]
    }
  },

  // Paths to watch for filesystem events
  "file_paths": {
    "system_binaries": [ "/usr/bin/%", "/usr/sbin/%" ],
    "tmp": [ "/Users/%/tmp/%%", "/tmp/%" ]
  }
}
```
Is that possible at all? Could someone provide suitable documentation and/or an example of how to implement this? Thanks y'all!
k
Hi Jorg,
Are you trying to have sig URLs grouped together and have them be called at query run time?
j
Hi @Keith Swagler, yes, that's exactly what I'm trying to do. Basically, I would like to use URLs to remote repositories ("`sig_group_2`" in my code example) just like I would use filenames for local files that contain YARA rules ("`sig_group_1`").
d
Did you ever get something like this to work @Jörg Sachse?
j
Nope, unfortunately not @defensivedepth
But I'm open to ideas. ;)