#general
doteater

05/16/2019, 7:10 PM
hey folks working with yara_events. It seems like FIM works against both directories when I specify them like this:

```json
{
  "file_paths": { "home": [ "/root/%%", "/home/%%" ] }
}
```

...but when I add the yara part like below, I'm only seeing yara_events related to the first path in the home "category" - in this example I can see events for files under /root, but not for files under /home:

```json
{
  "file_paths": { "home": [ "/root/%%", "/home/%%" ] },
  "yara": {
    "signatures": { "sig_group_1": [ "/root/rules.yara" ] },
    "file_paths": { "home": [ "sig_group_1" ] }
  }
}
```

Thanks in advance for any ideas. Does this syntax appear to be correct?
zwass

05/16/2019, 7:12 PM
I don't have experience configuring yara, but does this explain the behavior you were asking about in #kolide?
doteater

05/16/2019, 7:14 PM
may be related, I figured I'd see if I can get it to work with vanilla osquery before I try and move it into fleet
zwass

05/16/2019, 7:14 PM
That seems like a good idea. Sorry I can't be more helpful here.
ryanbreed

05/16/2019, 7:27 PM
i've got this working on macos/debian - i think. yara.signatures.sig_group_1 key needs to be named 'home' to match .file_paths.home. not sure how it's working at the moment.
7:28 PM
ah hell nm
7:31 PM
i'm using the same syntax (linux flavor):

```json
{
  "yara": {
    "signatures": {
      "sig_secrets": [ "secrets.yara" ]
    },
    "file_paths": {
      "system_config": ["sig_secrets"],
      "homes": ["sig_secrets"]
    }
  },
  "file_paths": {
    "system_config": [ "/etc/%%", "/usr/local/etc/%%" ],
    "homes":         [ "/home/%%" ]
  }
}
```
zwass

05/16/2019, 7:37 PM
The syntax looks correct to me
ryanbreed

05/16/2019, 7:49 PM
i see the same behavior, the second+ path in any file_paths filter doesn't show in yara_events - deb osquery 3.3.2-1.linux. will verify w/ macos
packetzero

05/16/2019, 8:01 PM
My example config looks similar:
8:01 PM
```json
{
  "yara": {
    "signatures": {
      "linux_malware": [
        "./linux_malware.rules"
      ],
      "hunt_webshells": [
        "./hunt_webshells.rules"
      ]
    },
    "file_paths": {
      "webserver": [
        "linux_malware",
        "hunt_webshells"
      ],
      "binaries": [
        "linux_malware"
      ]
    }
  },
  "file_paths": {
    "webserver": [
      "/var/www/%%"
    ],
    "binaries": [
      "/bin/%%"
    ]
  }
}
```
ryanbreed

05/16/2019, 8:21 PM
what's wild is that i can see the entries in file_events, just no yara results.
8:22 PM
and i do get yara findings running manually/recursive on the same paths
8:23 PM
and i'm getting the same on macos/debian
packetzero

05/16/2019, 8:27 PM
oh, just re-read your question.
8:27 PM
Yes, it's likely first matching path wins, based on my memory of the code
ryanbreed

05/16/2019, 8:32 PM
refactoring file_paths to point to single/uniquely-keyed entries produces expected results:

```json
{
  "yara": {
    "signatures": {
      "sig_secrets": [ "secrets.yara" ]
    },
    "file_paths": {
      "system_config": ["sig_secrets"],
      "system_local_config": ["sig_secrets"],
      "home_root": ["sig_secrets"],
      "home_users": ["sig_secrets"]
    }
  },
  "file_paths": {
    "system_config":       [ "/etc/%%" ],
    "system_local_config": [ "/usr/local/etc/%%" ],
    "home_root":           [ "/root/%%" ],
    "home_users":          [ "/home/%%" ]
  }
}
```
8:34 PM
haven't tried duplicating .yara.file_paths sig group names across arraylen(.file_paths) yet, but my config isn't so crazy to need more than what i've got working
8:35 PM
@packetzero first matching path of the yara sig group?
packetzero

05/16/2019, 9:48 PM
the yara_events.cpp file is not large. It could use some attention. Specifically, why it gets a vector of file_paths for a category, and then iterates on the categories within? https://github.com/osql/osql/blob/5188ce5288abe0e323b8e8bd364f452134a62d00/osquery/tables/yara/yara_events.cpp#L173
ryanbreed

05/16/2019, 11:17 PM
time to remember cpp collections