Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
s
slevchenko
01/31/2022, 8:17 AMHi everyone. For some reason, yara_events table events generated ONLY for first item of the
file_pathfile_events{
"file_paths": {
"binaries": [
"/usr/bin/%%", <-- Yara events generated
"/usr/sbin/%%", # <-- file_events generated, but NOT yara_events!
"/bin/%%", # <--|
"/sbin/%%", # <--|
"/usr/local/bin/%%", # <--|
"/usr/local/sbin/%%" # <--|
],
"configuration": [
"/etc/init/%%", <-- Yara events generated
"/etc/passwd",
"/etc/shadow",
"/etc/ld.so.preload",
"/etc/ld.so.conf",
"/etc/ld.so.conf.d/%%", # <-- file_events generated, but NOT yara_events!
"/etc/pam.d/%%", # <--| file_events generated, but NOT yara_events!
"/etc/resolv.conf",
"/etc/rc%/%%", # <-- file_events generated, but NOT yara_events!
"/etc/my.cnf",
"/etc/modules",
"/etc/hosts",
"/etc/hostname",
"/etc/fstab",
"/etc/crontab",
"/etc/cron%/%%", # <-- file_events generated, but NOT yara_events!
"/etc/rsyslog.conf"
]
},
"yara": {
"file_paths": {
"binaries": [
"eicar",
"custom"
],
"configuration": [
"eicar",
"custom"
]
},
"signatures": {
"custom": [
"/opt/osquery/yara/custom.yar"
],
"eicar": [
"/opt/osquery/yara/eicar.yar"
]
}
}
}@Stefano Bonicatti Hi, sorry for tagging you directly. You were person who fixed most osquery-yara related issues I could find judging by Github commit history. If you have a spare moment could draw your attention to an issue described above ?
s
Stefano Bonicatti
01/31/2022, 3:18 PMHi, seems a known issue: https://github.com/osquery/osquery/issues/7366
s
slevchenko
01/31/2022, 3:44 PMIt seems to be known, for around two years. Do you know are there any plans to deprecate yara support ? I'm asking because this bug blocks osquery yara usage for quite long time
s
Stefano Bonicatti
02/01/2022, 12:01 PMThere’s no plan about that. I think time is lacking a bit; there have been plans to refactor/rewrite the inotify event publisher to fix also other issues, but this was all being done in the spare/free time.
There’s also to say that the technologies that Linux makes available and how the kernel intrinsically works with files makes it difficult to write something really robust or not performance intensive.
We have an office hours today at 10am PST if you’re interested in discussing these topics, everyone is welcome!
Check the #officehours channel and the link should be https://meet.google.com/joi-ukxw-zvv
s
slevchenko
02/01/2022, 3:12 PM@Stefano Bonicatti Thanks for an invitation, sorry was busy so missed it. As for my interest, I just want to understand if I can rely on yara features in long-run. From your words I can conclude that I kinda can, but would it possible alteast to make inotify work with yara instead of file_events when yara table is configured ? As I understood, this how it supposed to work
Or maybe there're any workarounds for this case ?