Is there a way to push YARA config using fleet 1.0.9?

if you upgrade to fleet 2.0.0, you can distribute any osquery configurations you need with the

fleetctl

CLI

that's great! and is 2.0.0 backwards compatible with osquery 2.x versions? we are still running 2.11.2.

i haven’t tested that exactly if i’m being honest, but i would expect it to be ok

we definitely will, it will just take time cos we have many thousands of endpoints haha. say we stick with fleet 1.0.9 for now, will yara config still be possible there?

if you could independently distribute the yara sigs, you might be able to do some tom foolery at the database shell to make it happen

hmm yeah sounds like a good opportunity to upgrade to 2.0. looking forward to fleetctl, btw 🙂 thanks Mike!

How would you get the yara signature file into fleet so that you could it get to endpoints?

yara signatures are loaded from disk, always

Am I misunderstanding if i think that one would not be able to get the signature file out there with the help of only fleet[ctl]?

yeah, that is more of a matter of how you deploy and configure osquery on individual hosts. this is more of a problem that launcher aims to help with, although launcher doesn’t currently have any features that enable distributing and maintaining yara signatures.

👍 thanks for clarifying!

of course, happy to help, this whole ecosystem can be pretty confusing at times