I want to have a server that manage all the yara q...
# generalj
jimmy
07/28/2022, 12:02 PMI want to have a server that manage all the yara queries. the problem is that I don't want to add every time new rule to the conf file like at the example at the osquery site. because it means I will need to deploy the new file evry time at all the agents.
example:
"yara": {
"signature_urls": {
"sig_url_1": "https://raw.githubusercontent.com/Yara-Rules/rules/master/cve_rules/CVE-2010-0805.yar",
"sig_url_2": "https://raw.githubusercontent.com/Yara-Rules/rules/master/crypto/crypto_signatures.yar",
"sig_url_3": "https://raw.githubusercontent.com/Yara-Rules/rules/master/malware/APT_APT3102.yar"
}
}
I wanted to know if there is any way that I will have yara server that manage all the queries without modifying the conf file every time I add the server new query.
s
seph
07/28/2022, 12:47 PM
I thought those supported wildcards? Try adding a
*seph
07/28/2022, 12:48 PM
Checking the source code, this should be a regex. So you might need
.*seph
07/28/2022, 12:48 PM
Doc updates are welcome!
j
jimmy
07/29/2022, 11:04 AM@seph I'm sorry I didn't understand what do you mean. do you mean that is 100% possible with regex?
k
Keith Swagler
08/01/2022, 7:46 PMThat will actually help me greatly, so I will pay it forward and submit a PR once I confirm 👍
Keith Swagler
08/02/2022, 4:44 PMHmm I'm not able to load any rules from URL at all keep getting
yara_utils.cpp:429] YARA rule compile error: YARA load error 3Keith Swagler
08/02/2022, 5:40 PMnvm I am a fool, I was still using signatures instead of signatures_url 😒
i
Ignacio
08/05/2022, 10:46 AMYou should be able to use the regex like this:
Copy code
"yara": {
"signature_urls": [
"<https://raw.githubusercontent.com/Yara-Rules/rules/master/.+>"
]
}j
jimmy
08/07/2022, 6:55 PMthanks
@Ignacio
6 Views