Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
p
peanut butter
11/04/2022, 3:48 PMmaybe someone here can help me?
https://osquery.slack.com/archives/C08V7KTJB/p1667498031761929?thread_ts=1667417810.607959&cid=C08V7KTJB
k
Kathy Satterlee
11/04/2022, 3:55 PM@peanut butter Did you add the missing comma that @zwass pointed out and restart
osqueryCan you also share what the response is when you attempt the scan?
p
peanut butter
11/05/2022, 11:26 AMhttps://osquery.slack.com/archives/C01DXJL16D8/p1667577609807479?thread_ts=1667576895.324369&cid=C01DXJL16D8
the fleet responded that no result was found
k
Kathy Satterlee
11/09/2022, 5:11 PMHey @peanut butter. I may have missed a response in here somewhere... are you able to scan using a rule defined in the configuration or an inline rule?
p
peanut butter
11/09/2022, 6:51 PMdo you mean something like that?
"signatures": {
// Each key is an arbitrary group name to give the signatures listed
"sig_group_1": [ "/Users/wxs/sigs/foo.yar", "/Users/wxs/sigs/bar.yar" ],
"sig_group_2": [ "/Users/wxs/sigs/baz.yar" ]
},
because it works
and also inline rule
k
Kathy Satterlee
11/09/2022, 6:57 PMAnd did you try this suggestion in the original thread? (I know that's relatively recent, but it's a good test!:
https://osquery.slack.com/archives/C08V7KTJB/p1668008703107579?thread_ts=1667417810.607959&cid=C08V7KTJB
p
peanut butter
11/09/2022, 9:19 PM@Kathy Satterlee
I think that my error is because, for some reason my osquery agent get do get request to that url properly, because the conf file is valid, and I get only that two lines of error:
YARA signature url "{my ulr}" not allowed
Failed to get YARA rule url: "{my ulr}",
and that error is also happens when I give him some fake url.
but this is strange because when I do curl "{my url}" it works.
https://osquery.slack.com/archives/C01DXJL16D8/p1668020279991959?thread_ts=1667576895.324369&cid=C01DXJL16D8
I am at private network so I cant try it
k
Kathy Satterlee
11/09/2022, 9:31 PMCan you share your updated config?
The
not allowedp
peanut butter
11/09/2022, 9:42 PMsorry i accidently writed not allowed
my only error is
Failed to get YARA rule url: "{my ulr}",
Query must specify sig_group, sigfile, or sigrule for scan
k
Kathy Satterlee
11/10/2022, 12:19 AMIf you could send the updated config, that would be great! Feel free to DM it to me if you'd prefer. If you could also send me the actual url, I could test it out myself and hopefully save you some back and forth 🙂
p
peanut butter
11/10/2022, 6:11 AMI cant send you the URL, its a private network that not connected to the internet
j
jimmy
11/10/2022, 7:53 AMwe just tested it and it works, on http on localhost
any idea why this works on that url?
ye it works when do http urls
any idea what can I do make https URL also work
k
Keith Swagler
11/11/2022, 3:18 PMis the osquery configured to use the CA that issued the certificate for the web server you are trying to reach ?
j
jimmy
11/12/2022, 10:08 AMyes
k
Keith Swagler
11/14/2022, 6:12 PMCan you try applying the config like this? (from other thread in genearl?
"yara": {
"signature_urls": [
"<https://dev.prod.rules/.*>"
]
}j
jimmy
11/26/2022, 8:31 AMyes didn't work