# kolide
t
I'm trying to use yara rules with kolide across my fleet. Has anyone messed around to see if there is a way to do this without having to place all the .sig file on each individual host?
s
I don’t think that’s possible with the way the osquery tables are set up. You need to push the signatures separately. See https://osquery.readthedocs.io/en/stable/deployment/yara/
Of course, you could write an extension that supports automatically downloading the signatures from the TLS endpoint
t
Yeah, that's actually the exact page I was using to set up my test system.
I was hoping to not have to write another service or anything to get these files out there when we want to use a new rule
s
Presumably, you have Ansible or similar for servers and MDM of some sort for endpoints. Either of those could push out new rules and then Fleet can update the osquery configuration
t
Yeah, we have a few ways to push out new rules. When pushing a new config using fleetctl, will the new config overwrite the current config or append?
z
Overwrite
There was a PR to osquery that would allow defining the yara queries within the SQL. Unfortunately it didn't get merged. https://github.com/osquery/osquery/pull/5285
s
That PR could be revisited