#kolide
Tim
04/21/2020, 8:14 PM
I'm trying to use yara rules with kolide across my fleet. Has anyone messed around to see if there is a way to do this without having to place all the .sig files on each individual host?
sundsta
04/21/2020, 8:17 PM
I don’t think that’s possible with the way the osquery tables are set up. You need to push the signatures separately. See https://osquery.readthedocs.io/en/stable/deployment/yara/
8:18 PM
Of course, you could write an extension that supports automatically downloading the signatures from the TLS endpoint
Tim
04/21/2020, 8:18 PM
Yeah, that's actually the exact page I was using to set up my test system.
8:19 PM
I was hoping to not have to write another service or anything to get these files out there when we want to use a new rule
sundsta
04/21/2020, 8:25 PM
Presumably, you have Ansible or similar for servers and MDM of some sort for endpoints. Either of those could push out new rules and then Fleet can update the osquery configuration
Tim
04/21/2020, 8:43 PM
Yeah, we have a few ways to push out new rules. When pushing a new config using fleetctl, will the new config overwrite the current config or append?
zwass
04/21/2020, 8:45 PM
Overwrite
8:45 PM
There was a PR to osquery that would allow defining the yara queries within the SQL. Unfortunately it didn't get merged. https://github.com/osquery/osquery/pull/5285
seph
04/21/2020, 9:46 PM
That PR could be revisited