https://github.com/osquery/osquery logo
Powered by
Title
p

peanut butter

11/02/2022, 7:36 PM
does this yara config looks valid?
osquery.conf
z

zwass

11/02/2022, 8:03 PM
Line 130 you are missing a comma
p

peanut butter

11/03/2022, 5:53 PM
@zwass I have build https yara server, but it is still not working for me, I don't get any output from fleet. when I run curl to https://dev.prod.rules/rule/test it retunes me the output: "rule test { condition: true }" but when i run from fleet: SELECT * FROM yara WHERE path="C:/test.txt" AND sigurl="https://dev.prod.rules/rule/test" it doesn't work.
k

Keith Swagler

11/09/2022, 3:43 PM
hey @peanut butter @jimmy check out this issue that we opened for some confusion around the signature_urls confusion https://github.com/osquery/osquery/issues/7308
The error message that I see makes me think that there is a problem in your yara rule can you try adding the url in your config and loading this rule ? https://raw.githubusercontent.com/kswagler-rh/yara-rulez/main/yara/2.yar
p

peanut butter

11/09/2022, 7:38 PM
@Keith Swagler sadly it is not possible for me because I am at private network
https://osquery.slack.com/archives/C08V7KTJB/p1668008703107579?thread_ts=1667417810.607959&cid=C08V7KTJB I think that my error is because, for some reason my osquery agent get do get request to that url properly, because the conf file is valid, and I get only that two lines of error: Failed to get YARA rule url: "{my ulr}",Query must specify sig_group, sigfile, or sigrule for scan and that error is also happens when I give him some fake url. but this is strange because when I do curl "{my url}" it works.
k

Keith Swagler

11/10/2022, 4:08 PM
Can you try updating the config to 
"yara": { 
   "signature_urls": [
     "<https://dev.prod.rules/.*>"
   ]
 }
2 Views
#generalJoin Slack
Powered by