  • clong

    1 year ago
    About to dig into some testing with yara on Windows. Does anyone know if the sigfile accepts more than one file? Can I use
    sigfile LIKE 'c:\path\to\yara\%.yar'
    ?
  • Juan Alvarez

    1 year ago
    It does not seem to like the LIKE 😄 Tried on my side...
    Dec  2 19:46:52 ubuntu-bionic osqueryd[1098]: I1202 19:46:52.229655  1590 distributed.cpp:121] Executing distributed query: kolide_distributed_query_245: SELECT * FROM yara where path LIKE "/home/%" and sigfile LIKE '/vagrant/tmp/%.sig'
    Dec  2 19:46:52 ubuntu-bionic osqueryd[1098]: I1202 19:46:52.230664  1590 yara.cpp:333] Query must specify sig_group, sigfile, or sigrule for scan
  • clong

    1 year ago
    @Juan Alvarez thanks!
  • Juan Alvarez

    1 year ago
    I saw you were asking about Windows, and I actually did Linux, but I'm guessing it will be the same thing...
  • clong

    1 year ago
    Oh, sig_group allows you to specify many signature files under a specific name.
  • Juan Alvarez

    1 year ago
    yes, you can do that
  • clong

    1 year ago
    That should work well enough. I don't need to be super lazy and rely on wildcarding 🙂