https://github.com/osquery/osquery logo
Join Slack
Powered by
Hi everyone. For some reason, yara_events table ev...
# general
s
Hi everyone. For some reason, yara_events table events generated ONLY for first item of the 
file_path
 list, for the rest 
file_events
  are generated
Copy code
{
    "file_paths": {
        "binaries": [                   
            "/usr/bin/%%",     <-- Yara events generated
            "/usr/sbin/%%",       # <-- file_events generated, but NOT yara_events!
            "/bin/%%",            # <--|
            "/sbin/%%",           # <--|
            "/usr/local/bin/%%",  # <--|
            "/usr/local/sbin/%%"  # <--|
        ],
        "configuration": [
            "/etc/init/%%", <-- Yara events generated
            "/etc/passwd",
            "/etc/shadow",
            "/etc/ld.so.preload",
            "/etc/ld.so.conf",
            "/etc/ld.so.conf.d/%%",  # <--  file_events generated, but NOT yara_events!
            "/etc/pam.d/%%",         # <--| file_events generated, but NOT yara_events!
            "/etc/resolv.conf",
            "/etc/rc%/%%",           # <--  file_events generated, but NOT yara_events!
            "/etc/my.cnf",
            "/etc/modules",
            "/etc/hosts",
            "/etc/hostname",
            "/etc/fstab",
            "/etc/crontab",
            "/etc/cron%/%%",         # <--  file_events generated, but NOT yara_events!
            "/etc/rsyslog.conf"
        ]
    },
    "yara": {
        "file_paths": {
            "binaries": [
                "eicar",
                "custom"
            ],
            "configuration": [
                "eicar",
                "custom"
            ]
        },
        "signatures": {
            "custom": [
                "/opt/osquery/yara/custom.yar"
            ],
            "eicar": [
                "/opt/osquery/yara/eicar.yar"
            ]
        }
    }
}
@Stefano Bonicatti Hi, sorry for tagging you directly. You were person who fixed most osquery-yara related issues I could find judging by Github commit history. If you have a spare moment could draw your attention to an issue described above ?
s
s
It seems to be known, for around two years. Do you know are there any plans to deprecate yara support ? I'm asking because this bug blocks osquery yara usage for quite long time
s
There’s no plan about that. I think time is lacking a bit; there have been plans to refactor/rewrite the inotify event publisher to fix also other issues, but this was all being done in the spare/free time. There’s also to say that the technologies that Linux makes available and how the kernel intrinsically works with files makes it difficult to write something really robust or not performance intensive. We have an office hours today at 10am PST if you’re interested in discussing these topics, everyone is welcome!
Check the #C6PNW4528 channel and the link should be https://meet.google.com/joi-ukxw-zvv
s
@Stefano Bonicatti Thanks for an invitation, sorry was busy so missed it. As for my interest, I just want to understand if I can rely on yara features in long-run. From your words I can conclude that I kinda can, but would it possible alteast to make inotify work with yara instead of file_events when yara table is configured ? As I understood, this how it supposed to work
Or maybe there're any workarounds for this case ?
7 Views
Open in Slack
PreviousNext
Powered by