# general

doteater

05/16/2019, 7:10 PM
Hey folks, working with yara_events. It seems like FIM works against both directories when I specify them like this:

```json
{
  "file_paths": { "home": [ "/root/%%", "/home/%%" ] }
}
```

...but when I add the yara part like below, I'm only seeing yara_events related to the first path in the home "category" - in this example I can see events for files under /root, but not for files under /home:

```json
{
  "file_paths": { "home": [ "/root/%%", "/home/%%" ] },
  "yara": {
    "signatures": { "sig_group_1": [ "/root/rules.yara" ] },
    "file_paths": { "home": [ "sig_group_1" ] }
  }
}
```

Thanks in advance for any ideas. Does this syntax appear to be correct?

zwass

05/16/2019, 7:12 PM
I don't have experience configuring yara, but does this explain the behavior you were asking about in #kolide?

doteater

05/16/2019, 7:14 PM
May be related. I figured I'd see if I can get it to work with vanilla osquery before I try to move it into Fleet.

zwass

05/16/2019, 7:14 PM
That seems like a good idea. Sorry I can't be more helpful here.

ryanbreed

05/16/2019, 7:27 PM
I've got this working on macOS/Debian - I think. The `yara.signatures.sig_group_1` key needs to be named 'home' to match `.file_paths.home`. Not sure how it's working at the moment.
Ah hell, nm.
I'm using the same syntax (Linux flavor):

```json
{
  "yara": {
    "signatures": {
      "sig_secrets": [ "secrets.yara" ]
    },
    "file_paths": {
      "system_config": ["sig_secrets"],
      "homes": ["sig_secrets"]
    }
  },
  "file_paths": {
    "system_config": [ "/etc/%%", "/usr/local/etc/%%" ],
    "homes":         [ "/home/%%" ]
  }
}
```

zwass

05/16/2019, 7:37 PM
The syntax looks correct to me

ryanbreed

05/16/2019, 7:49 PM
I see the same behavior: the second+ path in any `file_paths` filter doesn't show in yara_events (Debian, osquery 3.3.2-1.linux). Will verify w/ macOS.

packetzero

05/16/2019, 8:01 PM
My example config looks similar:

```json
{
  "yara": {
    "signatures": {
      "linux_malware": [
        "./linux_malware.rules"
      ],
      "hunt_webshells": [
        "./hunt_webshells.rules"
      ]
    },
    "file_paths": {
      "webserver": [
        "linux_malware",
        "hunt_webshells"
      ],
      "binaries": [
        "linux_malware"
      ]
    }
  },
  "file_paths": {
    "webserver": [
      "/var/www/%%"
    ],
    "binaries": [
      "/bin/%%"
    ]
  }
}
```

ryanbreed

05/16/2019, 8:21 PM
What's wild is that I can see the entries in `file_events`, just no yara results.
And I do get yara findings running manually/recursive on the same paths.
And I'm getting the same on macOS/Debian.

packetzero

05/16/2019, 8:27 PM
Oh, just re-read your question.
Yes, it's likely first matching path wins, based on my memory of the code.

ryanbreed

05/16/2019, 8:32 PM
Refactoring `file_paths` to point to single/uniquely-keyed entries produces expected results:

```json
{
  "yara": {
    "signatures": {
      "sig_secrets": [ "secrets.yara" ]
    },
    "file_paths": {
      "system_config": ["sig_secrets"],
      "system_local_config": ["sig_secrets"],
      "home_root": ["sig_secrets"],
      "home_users": ["sig_secrets"]
    }
  },
  "file_paths": {
    "system_config": [ "/etc/%%" ],
    "system_local_config": [ "/usr/local/etc/%%" ],
    "home_root":  [ "/root/%%" ],
    "home_users": [ "/home/%%" ]
  }
}
```

Haven't tried duplicating `.yara.file_paths` sig group names across arraylen(`.file_paths`) yet, but my config isn't so crazy as to need more than what I've got working.
@packetzero first matching path of the yara sig group?

packetzero

05/16/2019, 9:48 PM
The yara_events.cpp file is not large. It could use some attention. Specifically, why does it get a vector of file_paths for a category, and then iterate on the categories within? https://github.com/osql/osql/blob/5188ce5288abe0e323b8e8bd364f452134a62d00/osquery/tables/yara/yara_events.cpp#L173

ryanbreed

05/16/2019, 11:17 PM
Time to remember C++ collections.