
Kathy Satterlee

11/04/2022, 3:55 PM
@peanut butter Did you add the missing comma that @zwass pointed out and restart osquery? If you add a rule directly to the configuration file, does that rule work properly?
Can you also share what the response is when you attempt the scan?

Kathy Satterlee

11/09/2022, 5:11 PM
Hey @peanut butter. I may have missed a response in here somewhere... are you able to scan using a rule defined in the configuration, or an inline rule?

peanut butter

11/09/2022, 6:51 PM
do you mean something like that?

"signatures": {
  // Each key is an arbitrary group name to give the signatures listed
  "sig_group_1": [
    "/Users/wxs/sigs/foo.yar",
    "/Users/wxs/sigs/bar.yar"
  ],
  "sig_group_2": [
    "/Users/wxs/sigs/baz.yar"
  ]
},

because it works
and also with an inline rule

Kathy Satterlee

11/09/2022, 6:57 PM
And did you try this suggestion in the original thread? (I know that's relatively recent, but it's a good test!): https://osquery.slack.com/archives/C08V7KTJB/p1668008703107579?thread_ts=1667417810.607959&cid=C08V7KTJB

peanut butter

11/09/2022, 9:19 PM
@Kathy Satterlee I think my error is because, for some reason, my osquery agent doesn't do the GET request to that URL properly, because the conf file is valid and I get only these two lines of error: YARA signature url "{my url}" not allowed / Failed to get YARA rule url: "{my url}". That error also happens when I give it a fake URL. But this is strange, because when I do curl "{my url}" it works.

Kathy Satterlee

11/09/2022, 9:31 PM
Can you share your updated config?
The "not allowed" error leads me to believe that there's either still an error there or it isn't applying properly.

peanut butter

11/09/2022, 9:42 PM
sorry, I accidentally wrote "not allowed"
my only error is: Failed to get YARA rule url: "{my url}", Query must specify sig_group, sigfile, or sigrule for scan

Kathy Satterlee

11/10/2022, 12:19 AM
If you could send the updated config, that would be great! Feel free to DM it to me if you'd prefer. If you could also send me the actual url, I could test it out myself and hopefully save you some back and forth 🙂

peanut butter

11/10/2022, 6:11 AM
I can't send you the URL, it's on a private network that isn't connected to the internet

jimmy

11/10/2022, 7:53 AM
we just tested it and it works, over http on localhost
any idea why this works on that URL?
yeah, it works with http URLs
any idea what I can do to make https URLs work as well?

Keith Swagler

11/11/2022, 3:18 PM
Is osquery configured to use the CA that issued the certificate for the web server you are trying to reach?

jimmy

11/12/2022, 10:08 AM
yes

Keith Swagler

11/14/2022, 6:12 PM
Can you try applying the config like this? (from the other thread in general?)

"yara": {
  "signature_urls": [
    "https://dev.prod.rules/.*"
  ]
}

jimmy

11/26/2022, 8:31 AM
yes, it didn't work