About to dig into some testing with yara on window...
# windowsc
clong
12/02/2020, 7:35 PMAbout to dig into some testing with yara on windows. Does anyone know if the sigfile accepts more than one file? Can I use
sigfile LIKE 'c:\path\to\yara\%.yarj
Juan Alvarez
12/02/2020, 7:49 PMIt does not seem to like the LIKE 😄 Tried on my side...
Copy code
Dec 2 19:46:52 ubuntu-bionic osqueryd[1098]: I1202 19:46:52.229655 1590 distributed.cpp:121] Executing distributed query: kolide_distributed_query_245: SELECT * FROM yara where path LIKE "/home/%" and sigfile LIKE '/vagrant/tmp/%.sig'
Dec 2 19:46:52 ubuntu-bionic osqueryd[1098]: I1202 19:46:52.230664 1590 yara.cpp:333] Query must specify sig_group, sigfile, or sigrule for scanc
clong
12/02/2020, 7:52 PM@Juan Alvarez thanks!
j
Juan Alvarez
12/02/2020, 7:52 PMi saw you were asking about windows, and i actually did linux but im guessing it will be the same thing...
c
clong
12/02/2020, 7:52 PMoh, sig_group allows you to specify many signature files under a specific name
☝️ 1
j
Juan Alvarez
12/02/2020, 7:52 PMyes, you can do that
c
clong
12/02/2020, 7:53 PMthat should work well enough. i dont need to be super lazy and rely on wildcarding 🙂
2 Views