https://github.com/osquery/osquery logo
Powered by
#kolide
Title
t

Tim

04/21/2020, 8:14 PM
I'm trying to use yara rules with kolide across my fleet. Has anyone messed around to see if there is a way to do this without having to place all the .sig file on each individual host?
s

sundsta

04/21/2020, 8:17 PM
I don’t think that’s possible with the way the osquery tables are set up. You need to push the signatures separately. See https://osquery.readthedocs.io/en/stable/deployment/yara/
Of course, you could write an extension that supports automatically downloading the signatures from the TLS endpoint
t

Tim

04/21/2020, 8:18 PM
Yeah, that's actually the exact page I was using to set up my test system.
I was hoping to not have to write another service or anything to get these files out there when we want to use a new rule
s

sundsta

04/21/2020, 8:25 PM
Presumably, you have Ansible or similar for servers and MDM of some sort for endpoints. Either of those could push out new rules and then Fleet can update the osquery configuration
t

Tim

04/21/2020, 8:43 PM
yeah we have a few ways to push out new rules. When pushing a new config using fleetctl will the new config overwrite the current config or append?
z

zwass

04/21/2020, 8:45 PM
Overwrite
There was a PR to osquery that would allow defining the yara queries within the SQL. Unfortunately it didn't get merged. https://github.com/osquery/osquery/pull/5285
s

seph

04/21/2020, 9:46 PM
That PR could be revisted
Powered by