I want to have a server that manage all the yara queries. the problem is that I don't want to add every time new rule to the conf file like at the example at the osquery site. because it means I will need to deploy the new file evry time at all the agents. example: "yara": { "signature_urls": { "sig_url_1": "https://raw.githubusercontent.com/Yara-Rules/rules/master/cve_rules/CVE-2010-0805.yar", "sig_url_2": "https://raw.githubusercontent.com/Yara-Rules/rules/master/crypto/crypto_signatures.yar", "sig_url_3": "https://raw.githubusercontent.com/Yara-Rules/rules/master/malware/APT_APT3102.yar" } } I wanted to know if there is any way that I will have yara server that manage all the queries without modifying the conf file every time I add the server new query. maybe regex like ".*"?

Hi, @jimmy! I see you've been chatting with @seph about this a little over in general. I'll see if I can get you some more clarification. Are you also using Fleet?

Hey Jimmy we're going through something similar at the moment. What we've found is that you can set the config_plugin to tls and have configure Fleet to host the configs and just update the sig urls there

Thanks for including that! I didn't want to assume Fleet was involved 🙂

Hey @Keith Swagler I'm a bit curious about your solution, are you using the

Global agent options

config on Fleet to do this?

I'm using fleet 3.5.1, does it possible also at that version?

Hey @Saulo Guilhermino yea we are. though you probably will have to use overrides for each platform

Interesting, thanks @Keith Swagler! If it's not too much to ask, could you post part of your config so we can have a reference?

@Keith Swagler but does it work at fleet 3.5.1?

@Saulo Guilhermino I'll put together some example ones but there are some docs here https://fleetdm.com/docs/using-fleet/configuration-files#agent-options