Use Yara custom rules with Osquery-Manager

Hello Team,

Is it possible to use YARA custom rules with the Osquery Manager integration?
I'm using version 7.17.1

Many thanks.

Hey, yes. This is totally possible.

Sorry, meant to reply with some additional detail. Here's an example:

SELECT * FROM yara WHERE path LIKE '/var/www/html/images/%' AND count > 0 AND sigrule IN ( 'rule Mozi { strings: $a = { 55 50 58 21 [4] 00 00 00 00 00 00 00 00 00 00 00 00 } condition: all of them and $a in (0 .. 255) }');

If you want to include the strings in the tabular output, you'll need to add the following to the osquery manager integration config:

{
  "options": {
    "enable_yara_string": true
  },
  "packs": {}
}

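An added example in Python (not code from the thread, osquery or Elastic): it composes the same yara-table query from plain YARA rule sources with proper SQL quoting, emits the integration option shown above, and reduces constructed `osqueryi --json` output to the paths that matched. The column names, the string-typed JSON values and the comma-separated `matches` format are assumptions based on osquery's yara table.

```python
"""Build and triage an osquery 'yara' table query like the one in the thread.

Added example, not code from the thread or from osquery/Elastic. The osqueryi
output below is a constructed sample so the helpers can be run offline.
"""
import json

# The Mozi rule from the thread, kept as a plain YARA source string.
MOZI_RULE = (
    "rule Mozi { strings: $a = { 55 50 58 21 [4] 00 00 00 00 00 00 00 00 00 00 00 00 } "
    "condition: all of them and $a in (0 .. 255) }"
)


def sql_quote(text: str) -> str:
    """Quote a string as a SQL literal; a single quote inside a YARA text string is doubled."""
    return "'" + text.replace("'", "''") + "'"


def build_yara_query(path_pattern: str, rules: list) -> str:
    """Compose the SELECT from the thread for one or more inline rules (sigrule IN (...))."""
    if not rules:
        raise ValueError("at least one YARA rule is required")
    sigrules = ", ".join(sql_quote(r) for r in rules)
    return (
        "SELECT path, matches, count, strings FROM yara "
        f"WHERE path LIKE {sql_quote(path_pattern)} AND count > 0 "
        f"AND sigrule IN ({sigrules});"
    )


def manager_options(enable_strings: bool = True) -> str:
    """Osquery Manager integration config that populates the 'strings' column."""
    return json.dumps({"options": {"enable_yara_string": enable_strings}, "packs": {}}, indent=2)


def triage(osqueryi_json: str) -> dict:
    """Map each path with at least one hit to its matched rule names (assumed comma-separated)."""
    rows = json.loads(osqueryi_json)  # osquery emits every column value as a string
    return {r["path"]: r["matches"].split(",") for r in rows if int(r.get("count", "0")) > 0}


# Constructed sample of `osqueryi --json "<query>"` output; a count of 0 only
# appears when the `count > 0` filter is dropped, but triage copes either way.
SAMPLE_OUTPUT = json.dumps([
    {"path": "/var/www/html/images/logo.png", "matches": "", "count": "0", "strings": ""},
    {"path": "/var/www/html/images/x.gif", "matches": "Mozi", "count": "1", "strings": "$a:0x0"},
])

if __name__ == "__main__":
    print(build_yara_query("/var/www/html/images/%", [MOZI_RULE]))
    print(manager_options())
    print(triage(SAMPLE_OUTPUT))
```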

Thank you very much, I'm going to try it.

Thank you very much.
It's working great, but I noticed that path LIKE 'dir1/%' is not recursive. Can I do anything about this?


You would need something like path LIKE 'dir1/%/%' I believe.

Thank you very much.
