-
-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add sigrules
to pass YARA signature with query
#6568
Add sigrules
to pass YARA signature with query
#6568
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(nits)
osquery/tables/yara/yara.cpp
Outdated
continue; | ||
} | ||
|
||
rules[rule_string] = tmp_rules; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel like this caching could be dangerous, strings can be extremely large and people might run arbitrary queries via the distributed APIs. I suggest that we hash the rule string before adding it to the map here, add a known prefix, and that we clear these and free the memory after the scanning occurs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, @theopolis for the review. I updated it to hash the rule string before adding to the cache and remove it after the scan to reduce/avoid the possibility of collision in case of multiple queries raised by distributed APIs. This is similar to not adding the sigrule
string to the cache. Please let me know your thoughts.
f4a96c3
to
8dbcba4
Compare
I thought more about this and I'm worried the feature could be abused to read arbitrary content from files. The Edit: Ignore the next section, it seems too clunky Additionally, I am curious if the rule compilation and usage can be accomplished with a function instead of a column. For example could one write a query like:
Then it's easier to disable/enable the |
Hrm. I was under the impression yara rules returned a boolean? Is there a way we can constrain the results to minimize the data leakage? |
From my understanding the |
8dbcba4
to
27ced24
Compare
@theopolis, I added an osquery flag I have not explored the possibility of using the function to enable this feature yet. I will check how to use functions with the query and if it will be a convenient approach. |
f2670c4
to
e5463b2
Compare
We talked a bit about this in office hours. A suggestion I made, which submitted for consideration and seemed to be supported, is to create 2 flag. One to enable the this feature. And another to include whether or not to populate the I think there's clear value in this, and in #6558, but I also think the data exfiltration is real. So thinking about how to allow the functionality, while not allowing easy extraction. |
osquery/tables/yara/yara.cpp
Outdated
FLAG(uint32, | ||
yara_delay, | ||
50, | ||
"Time in ms to sleep after scan of each file (default 50) to reduce " | ||
"memory spikes"); | ||
|
||
FLAG(bool, | ||
enable_yara_table_extension, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In osquery parlance, this is not an extension. Maybe enable_yara_sigrule
?
Though probably should also gain enable_yara_string_return
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I updated the configuration flag to enable_yara_sigrule
and the rule strings are set to private by default. The private strings does not show-up in the yara table. disable_yara_string_private
flag can be used to disable making strings to private.
osquery/tables/yara/yara.cpp
Outdated
// Check if this "ad-hoc" signature file has not been used/compiled. | ||
if (rules.count(hashStr(file, YC_FILE)) == 0) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is cached based on filename, right? Short of restarting osquery, is there a way to clear that cache? I don't think there needs to be, but the limitation might need documenting.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The rule cache based on filename does not get cleanup. It avoids recompilation of file if they are already compiled.
osquery/tables/yara/yara.cpp
Outdated
auto groups = context.constraints["sig_group"].getAll(EQUALS); | ||
auto sigfiles = context.constraints["sigfile"].getAll(EQUALS); | ||
auto sigrules = context.constraints["sigrule"].getAll(EQUALS); | ||
if (groups.empty() && sigfiles.empty() && sigrules.empty()) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Feels odd. These are checked here, but also then checked in the genYaraRuleFrom...
routines. Do you think it's cleaner to call the genYaraRuleFrom...
routines, and then check if scanContext
is gt 0?
(This is not a leading question, I don't know what feels cleaner)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I updated the checks and it will get the rules compiled and add them to the scanContext
. It checks if the scanContext
is empty and return empty result.
46da858
to
3c2ed27
Compare
Thanks, @directionless for comments. I added two flags: If a query is generated with |
osquery/tables/yara/yara.cpp
Outdated
static std::shared_ptr<YARAConfigParserPlugin> getYaraParser(void) { | ||
auto parser = Config::getParser("yara"); | ||
if (isNull(parser)) { | ||
LOG(ERROR) << "YARA config parser plugin has no pointer"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"YARA config parser plugin not found"
osquery/tables/yara/yara.cpp
Outdated
|
||
Status genYaraRuleFromFile(QueryContext& queryContext, | ||
YaraScanContext& scanContext) { | ||
auto yaraParser = getYaraParser(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The method getYaraParser
may print an error then this function will "bubble up" a similar error but with a loss of precision. We should check that we do not unintentionally emit the same (or similar) error twice. For example, this status is passed up to genYara
, do we end up printing a status message there too?
I suggest we avoid writing status messages in getYaraParser
and allow the top-most calling method to choose to print.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I removed the status log printing from the top-most calling function and let getYaraParser
print the error logs. These logs are more useful to debug the specific issues. The top-most function returns if the parser is null.
Thanks for the update! I'll take a final look at this tomorrow :) |
/** | ||
* Compile yara rules from string and load it into rule pointer. | ||
*/ | ||
Status compileFromString(const std::string& rule_defs, YR_RULES** rules) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The function compileFromString
is similar to compileSingleFile
and there are common code creating the yara compiler and error handling. I kept it as separate function to have different path for compiling the signature files and signature strings. Please let me know your thoughts.
The PR adds a new column
sigrules
that can be used to pass a small set of YARA signature with the query.