About to dig into some testing with yara on windows. Does anyone know if the sigfile accepts more than one file? Can I use

sigfile LIKE 'c:\path\to\yara\%.yar

?

It does not seem to like the LIKE 😄 Tried on my side...

Dec  2 19:46:52 ubuntu-bionic osqueryd[1098]: I1202 19:46:52.229655  1590 distributed.cpp:121] Executing distributed query: kolide_distributed_query_245: SELECT * FROM yara where path LIKE "/home/%" and sigfile LIKE '/vagrant/tmp/%.sig'
Dec  2 19:46:52 ubuntu-bionic osqueryd[1098]: I1202 19:46:52.230664  1590 yara.cpp:333] Query must specify sig_group, sigfile, or sigrule for scan

@Juan Alvarez thanks!

i saw you were asking about windows, and i actually did linux but im guessing it will be the same thing...

oh, sig_group allows you to specify many signature files under a specific name

yes, you can do that

that should work well enough. i dont need to be super lazy and rely on wildcarding 🙂