04/21/2020, 8:14 PM
I'm trying to use yara rules with kolide across my fleet. Has anyone messed around to see if there is a way to do this without having to place all the .sig files on each individual host?
04/21/2020, 8:17 PM
I don’t think that’s possible with the way the osquery tables are set up. You need to push the signatures separately. See
Of course, you could write an extension that supports automatically downloading the signatures from the TLS endpoint
04/21/2020, 8:18 PM
Yeah, that's actually the exact page I was using to set up my test system.
I was hoping to not have to write another service or anything to get these files out there when we want to use a new rule
04/21/2020, 8:25 PM
Presumably, you have Ansible or similar for servers and MDM of some sort for endpoints. Either of those could push out new rules and then Fleet can update the osquery configuration
04/21/2020, 8:43 PM
Yeah, we have a few ways to push out new rules. When pushing a new config using fleetctl, will the new config overwrite the current config or append?
04/21/2020, 8:45 PM
There was a PR to osquery that would allow defining the yara queries within the SQL. Unfortunately it didn't get merged.
04/21/2020, 9:46 PM
That PR could be revisited