Hi,I am performing malware detection using yara this is my config file

{

"options": {

"config_plugin": "filesystem",

"logger_plugin": "filesystem",

"logger_path": "/var/log/osquery",

"logger_snapshot_event_type": "true",

"schedule_splay_percent": "10"

},

"yara": {

"signatures": {

// Each key is an arbitrary group name to give the signatures listed

"sig_group_1": [ "/home/slyb/yara_rules/hello_worlds.yar" ]

// "sig_group_2": [ "/Users/wxs/sigs/baz.yar" ]

},

"file_paths": {

"system_binaries": [ "sig_group_1" ]

}

},

// Paths to watch for filesystem events

"file_paths": {

"system_binaries": [ "/home/slyb/%" ]

},

"packs": {

"osquery-monitoring": "/home/slyb/osquery/packs/osquery-monitoring.conf",

"fim": "/home/slyb/osquery/packs/fim.conf"

}

}

and this is my flag file

--config_plugin=filesystem

--config_path=/etc/osquery/osquery.conf

--enable_yara_sigurl=true

--logger_plugin=filesystem

--logger_path=/var/log/osquery

--disable_logging=false

--log_result_events=true

--schedule_splay_percent=10

--pidfile=/var/osquery/osquery.pidfile

--events_expiry=3600

--database_path=/var/osquery/osquery.db

--verbose=false

--worker_threads=2

--disable_events=false

--disable_audit=false

--audit_allow_config=true

--host_identifier=hostname

--enable_syslog=true

--audit_allow_sockets=true

--schedule_default_interval=3600

--enable_file_events=true

this is my yara rule file

rule ExampleRule

{

strings:

$my_text_string = "hello world"

$my_hex_string = { E2 34 A1 C8 23 FB }

condition:

$my_text_string or $my_hex_string

}

the problem is im getting no entry in yara_events table after testing for a file that has the same signature as mentioned in yara rule

Hi, @zahida naeem! Where is your test file located?