osquery-1/osquery
Wesley Shields a9f66fa38b Major YARA refactor and enhancements
1. Rename yara_matches to yara_events.

2. Add support for Config::getParser().
- This returns a ConfigPluginRef, which is the ConfigParser for the
  given key.
- Being able to get the parser is useful because the
  YARAConfigParserPlugin uses it to store the compiled rules as an
  attribute.

3. Finish rename and use ConfigParserPlugin.
- Finish the table rename to yara_events.
- Use the new ConfigParserPlugin interface to parse the YARA
  configuration. The file_paths and signatures are stored in the
  ConfigParserPlugin named "yara" under the key "yara". The rules are
  compiled and stored as a private attribute of the same
  ConfigParserPlugin object.

Here is an example config using this new structure:

{
  // Description of the YARA feature.
  "yara": {
    "signatures": {
      // Each key is an arbitrary group name to give the signatures listed
      "sig_group_1": [ "/Users/wxs/foo.sig", "/Users/wxs/bar.sig" ],
      "sig_group_2": [ "/Users/wxs/baz.sig" ]
    },
    "file_paths": {
      // Each key is a key from file_paths
      // The value is a list of signature groups to run when an event fires
      // These will be watched for and scanned when the event framework
      // fires off an event to the yara_events table
      "system_binaries": [ "sig_group_1" ],
      "tmp": [ "sig_group_1", "sig_group_2" ]
    }
  },

  // Paths to watch for filesystem events
  "file_paths": {
    "system_binaries": [ "/usr/bin/%", "/usr/sbin/%" ],
    "tmp": [ "/Users/wxs/tmp/%%" ]
  }
}

- Currently the signature file must be an absolute path.

4. Move common YARA code to yara_utils.
- In preparation for the yara table (different from yara_events) I'm
  moving the common YARA code into a separate place which is shared
  between the two tables.

5. Add yara table.
- This allows you to do things like:

```sql
select * from yara where path="/bin/ls" and sigfile="/tmp/foo.sig";
select * from yara where path="/bin/ls" and sig_group="sig_group_1";
```

- The latter will use the signature grouping from the config.

6. Check for keys not existing.
2015-04-26 03:01:28 -07:00
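The commit message above describes the new "yara" config block: signature groups, the mapping from file_paths categories to groups, the requirement that signature files be absolute paths, and the check for missing keys. The following is an added, stand-alone example (not osquery's own code, which does this in C++ inside the YARAConfigParserPlugin) that loads a config of that shape, reports the problems the parser is expected to reject, and expands a file_paths category into the list of rule files to run when an event fires. The config text is the one from the commit message, embedded here as a constructed sample; the comment stripping handles only full-line `//` comments, which is an assumption of this example rather than a description of osquery's parser.

```python
import copy
import json
import re
from typing import Dict, List

# Constructed sample: the config from the commit message above.
SAMPLE_CONFIG = """
{
  // Description of the YARA feature.
  "yara": {
    "signatures": {
      // Each key is an arbitrary group name to give the signatures listed
      "sig_group_1": [ "/Users/wxs/foo.sig", "/Users/wxs/bar.sig" ],
      "sig_group_2": [ "/Users/wxs/baz.sig" ]
    },
    "file_paths": {
      // Each key is a key from file_paths
      // The value is a list of signature groups to run when an event fires
      "system_binaries": [ "sig_group_1" ],
      "tmp": [ "sig_group_1", "sig_group_2" ]
    }
  },

  // Paths to watch for filesystem events
  "file_paths": {
    "system_binaries": [ "/usr/bin/%", "/usr/sbin/%" ],
    "tmp": [ "/Users/wxs/tmp/%%" ]
  }
}
"""

# Matches a whole line that holds only a // comment (assumption: the config
# never uses trailing comments, so "//" inside a string is never touched).
_COMMENT_LINE = re.compile(r"^\s*//.*$", re.MULTILINE)


def load_config(text: str) -> Dict:
    """Parse a config with full-line // comments into a plain dict."""
    return json.loads(_COMMENT_LINE.sub("", text))


def validate_yara_config(cfg: Dict) -> List[str]:
    """Return the problems a strict parser should reject: a missing "yara"
    key, relative signature paths, references to unknown file_paths
    categories, and references to unknown signature groups."""
    errors: List[str] = []
    yara = cfg.get("yara")
    if not isinstance(yara, dict):
        return ["top-level 'yara' key is missing"]

    signatures = yara.get("signatures", {})
    for group, files in signatures.items():
        for path in files:
            if not path.startswith("/"):
                errors.append(
                    f"signature {path!r} in group {group!r} is not absolute")

    categories = cfg.get("file_paths", {})
    for category, groups in yara.get("file_paths", {}).items():
        if category not in categories:
            errors.append(
                f"yara.file_paths names unknown file_paths key {category!r}")
        for group in groups:
            if group not in signatures:
                errors.append(
                    f"category {category!r} names unknown group {group!r}")
    return errors


def signatures_for_category(cfg: Dict, category: str) -> List[str]:
    """Expand the groups attached to a file_paths category into the
    ordered, de-duplicated list of rule files to scan an event's path with.
    A group listed twice (directly or via overlap) runs once."""
    yara = cfg["yara"]
    files: List[str] = []
    for group in yara["file_paths"][category]:
        for path in yara["signatures"][group]:
            if path not in files:
                files.append(path)
    return files


def broken_config() -> Dict:
    """Constructed bad config: one relative signature and one dangling
    group reference, to show what validate_yara_config catches."""
    cfg = copy.deepcopy(load_config(SAMPLE_CONFIG))
    cfg["yara"]["signatures"]["sig_group_2"] = ["relative/baz.sig"]
    cfg["yara"]["file_paths"]["tmp"].append("sig_group_9")
    return cfg


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print("problems in sample:", validate_yara_config(cfg))
    print("rules for 'tmp':", signatures_for_category(cfg, "tmp"))
    print("problems in broken config:", validate_yara_config(broken_config()))
```

Running it on the sample reports no problems and expands "tmp" to foo.sig, bar.sig and baz.sig; the constructed broken config yields one error for the relative path and one for the unknown group, which is the "keys not existing" case item 6 of the commit message refers to.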
| Path | Last commit | Date |
| --- | --- | --- |
| config | Major YARA refactor and enhancements | 2015-04-26 03:01:28 -07:00 |
| core | Fix daemon flags loading from options | 2015-04-24 11:37:51 -07:00 |
| database | Restrict permissions on RocksDB paths | 2015-04-14 21:07:21 -07:00 |
| devtools | Fix --csv flag in osqueryi shell | 2015-04-23 21:32:14 +00:00 |
| dispatcher | RHEL6 provisioning | 2015-04-06 23:43:01 -07:00 |
| distributed | Extensions autoloading prequel | 2015-03-04 18:51:41 -08:00 |
| events | Lint fixes and clang analyze | 2015-04-17 09:18:46 -07:00 |
| examples | Ability to configure osquery from multiple files | 2015-03-13 17:19:02 -07:00 |
| extensions | Performance linting | 2015-04-11 19:50:35 -07:00 |
| filesystem | Add launchd_overrides table | 2015-04-15 23:19:23 -07:00 |
| logger | [Fix #907] Use glog to log to data-identified files | 2015-03-30 12:49:57 -07:00 |
| main | Documentation updates | 2015-04-10 14:31:34 -07:00 |
| registry | Declare extension registries 'external' | 2015-03-30 02:03:26 -07:00 |
| remote | Creating interfaces for remote logging | 2015-04-17 14:48:46 -07:00 |
| sql | [Fix #953] Check sqlite predicate expression passing | 2015-04-07 01:20:05 -07:00 |
| tables | Major YARA refactor and enhancements | 2015-04-26 03:01:28 -07:00 |
| CMakeLists.txt | Add rpm_package_files table | 2015-04-25 01:18:55 -07:00 |