maybe someone here can help me? <https://osquery.s...
# fleet
@peanut butter Did you add the missing comma that @zwass pointed out and restart? If you add a rule directly to the configuration file, does that rule work properly?
Can you also share what the response is when you attempt the scan?
Hey @peanut butter. I may have missed a response in here somewhere... are you able to scan using a rule defined in the configuration or an inline rule?
do you mean something like that?
"signatures": {
  // Each key is an arbitrary group name to give the signatures listed
  "sig_group_1": [ "/Users/wxs/sigs/foo.yar", "/Users/wxs/sigs/bar.yar" ],
  "sig_group_2": [ "/Users/wxs/sigs/baz.yar" ]
},
because it works
and also inline rule
And did you try this suggestion in the original thread? (I know that's relatively recent, but it's a good test!)
@Kathy Satterlee I think that my error is because, for some reason, my osquery agent get do get request to that url properly, because the conf file is valid, and I get only those two lines of error: YARA signature url "{my url}" not allowed, Failed to get YARA rule url: "{my url}". That error also happens when I give it some fake url. But this is strange, because when I do curl "{my url}" it works.
Can you share your updated config?
"not allowed" error leads me to believe that there's either still an error there or it isn't applying properly.
Sorry, I accidentally wrote not allowed
my only error is Failed to get YARA rule url: "{my url}", Query must specify sig_group, sigfile, or sigrule for scan
If you could send the updated config, that would be great! Feel free to DM it to me if you'd prefer. If you could also send me the actual url, I could test it out myself and hopefully save you some back and forth 🙂
I can't send you the URL, it's a private network that is not connected to the internet
we just tested it and it works, on http on localhost
any idea why this works on that url?
ye it works when do http urls
any idea what I can do to make https URL also work
is the osquery configured to use the CA that issued the certificate for the web server you are trying to reach?
Can you try applying the config like this? (from other thread in general)
"yara": { 
   "signature_urls": [
yes didn't work