Does this yara config look valid?
# general
p
Does this yara config look valid?
z
Line 130 you are missing a comma
p
@zwass I have built an https yara server, but it is still not working for me; I don't get any output from fleet. When I run curl to https://dev.prod.rules/rule/test it returns the output: "rule test { condition: true }", but when I run from fleet: SELECT * FROM yara WHERE path="C:/test.txt" AND sigurl="https://dev.prod.rules/rule/test" it doesn't work.
k
Hey @peanut butter @jimmy, check out this issue that we opened for some confusion around the signature_urls: https://github.com/osquery/osquery/issues/7308
The error message that I see makes me think that there is a problem in your yara rule. Can you try adding the url in your config and loading this rule? https://raw.githubusercontent.com/kswagler-rh/yara-rulez/main/yara/2.yar
p
@Keith Swagler sadly it is not possible for me because I am on a private network.
https://osquery.slack.com/archives/C08V7KTJB/p1668008703107579?thread_ts=1667417810.607959&cid=C08V7KTJB I think that my error is because, for some reason my osquery agent get do get request to that url properly, because the conf file is valid, and I get only these two lines of error: Failed to get YARA rule url: "{my ulr}",Query must specify sig_group, sigfile, or sigrule for scan. That error also happens when I give it some fake url. But this is strange, because when I do curl "{my url}" it works.
k
Can you try updating the config to
"yara": { 
   "signature_urls": [
     "https://dev.prod.rules/.*"
   ]
 }