Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
p
poisonous97
01/25/2021, 9:41 AMHi everyone, How to update yara files from kolide fleet server to all client?
i want to use yara table but i must create sig files in client. How to mgt it for 1000 clients?
s
seph
01/25/2021, 2:40 PMAre you asking about Kolide’s SaaS, or about Fleet?
regarding launcher — we do not maintain a mechanism to distribute yara configuration. You may be able to use other tool, or to use the newer yara rule funtions
(Yara rules can be distributed by URL or embeded in the queries)
p
poisonous97
01/27/2021, 1:55 AMYara rules can be distributed by URLi am using kolile fleet + launcher
s
seph
01/27/2021, 1:58 AMp
poisonous97
01/27/2021, 1:58 AMthank you, great =)))
s
seph
01/27/2021, 1:59 AMKolide no longer maintains fleet. You may wish to loo at #fleet for the community and vendors there.
We do maintain launcher, it is the agent for our SaaS.
p
poisonous97
01/27/2021, 9:20 AMW0127 09:17:21.964015 60020 yara.cpp:247] Failed to get YARA rule url: sig_url_2@seph i dont find flag to enable it
s
seph
01/28/2021, 4:34 AMI don’t understand your question.
Launcher has nothing related to this.
If you need to pass a flag to osquery, set it in osquery’s config, or use launcher’s
osquery_flagp
poisonous97
01/28/2021, 4:35 AMW0127 09:17:21.964015 60020 yara.cpp:247] Failed to get YARA rule url: sig_url_2The feature will be disabled by default and can be enabled with a hidden flag
enable_yara_sigurlbut i dont find enable_yara_sigurl flag
s
seph
01/28/2021, 4:39 AMThat’s an osquery flag
p
poisonous97
01/28/2021, 4:41 AMbut osquery dont have this flag 🙂
s
seph
01/28/2021, 5:56 AMI’m not sure that flag is needed. Have you either read the PR, or tried this?
p
poisonous97
01/28/2021, 7:26 AMi tried it. return err is:
W0127 09:17:21.964015 60020 yara.cpp:247] Failed to get YARA rule url: sig_url_2