Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
t
Tim
04/21/2020, 8:14 PMI'm trying to use yara rules with kolide across my fleet. Has anyone messed around to see if there is a way to do this without having to place all the .sig file on each individual host?
s
sundsta
04/21/2020, 8:17 PMI don’t think that’s possible with the way the osquery tables are set up. You need to push the signatures separately. See https://osquery.readthedocs.io/en/stable/deployment/yara/
Of course, you could write an extension that supports automatically downloading the signatures from the TLS endpoint
t
Tim
04/21/2020, 8:18 PMYeah, that's actually the exact page I was using to set up my test system.
I was hoping to not have to write another service or anything to get these files out there when we want to use a new rule
s
sundsta
04/21/2020, 8:25 PMPresumably, you have Ansible or similar for servers and MDM of some sort for endpoints. Either of those could push out new rules and then Fleet can update the osquery configuration
t
Tim
04/21/2020, 8:43 PMyeah we have a few ways to push out new rules. When pushing a new config using fleetctl will the new config overwrite the current config or append?
z
zwass
04/21/2020, 8:45 PMOverwrite
There was a PR to osquery that would allow defining the yara queries within the SQL. Unfortunately it didn't get merged. https://github.com/osquery/osquery/pull/5285
s
seph
04/21/2020, 9:46 PMThat PR could be revisted