Add sigrules to pass YARA signature with query
#6568
Conversation
osquery/tables/yara/yara.cpp
Outdated
| continue; | ||
| } | ||
|
|
||
| rules[rule_string] = tmp_rules; |
There was a problem hiding this comment.
I feel like this caching could be dangerous, strings can be extremely large and people might run arbitrary queries via the distributed APIs. I suggest that we hash the rule string before adding it to the map here, add a known prefix, and that we clear these and free the memory after the scanning occurs.
There was a problem hiding this comment.
Thanks, @theopolis for the review. I updated it to hash the rule string before adding to the cache and remove it after the scan to reduce/avoid the possibility of collision in case of multiple queries raised by distributed APIs. This is similar to not adding the sigrule string to the cache. Please let me know your thoughts.
f4a96c3
to
8dbcba4
Compare
|
I thought more about this and I'm worried the feature could be abused to read arbitrary content from files. The Edit: Ignore the next section, it seems too clunky Additionally, I am curious if the rule compilation and usage can be accomplished with a function instead of a column. For example could one write a query like: Then it's easier to disable/enable the |
Hrm. I was under the impression yara rules returned a boolean? Is there a way we can constrain the results to minimize the data leakage? |
|
From my understanding the |
8dbcba4
to
27ced24
Compare
|
@theopolis, I added an osquery flag I have not explored the possibility of using the function to enable this feature yet. I will check how to use functions with the query and if it will be a convenient approach. |
f2670c4
to
e5463b2
Compare
|
We talked a bit about this in office hours. A suggestion I made, which submitted for consideration and seemed to be supported, is to create 2 flag. One to enable the this feature. And another to include whether or not to populate the I think there's clear value in this, and in #6558, but I also think the data exfiltration is real. So thinking about how to allow the functionality, while not allowing easy extraction. |
osquery/tables/yara/yara.cpp
Outdated
| FLAG(uint32, | ||
| yara_delay, | ||
| 50, | ||
| "Time in ms to sleep after scan of each file (default 50) to reduce " | ||
| "memory spikes"); | ||
|
|
||
| FLAG(bool, | ||
| enable_yara_table_extension, |
There was a problem hiding this comment.
In osquery parlance, this is not an extension. Maybe enable_yara_sigrule?
Though probably should also gain enable_yara_string_return
There was a problem hiding this comment.
I updated the configuration flag to enable_yara_sigrule and the rule strings are set to private by default. The private strings does not show-up in the yara table. disable_yara_string_private flag can be used to disable making strings to private.
osquery/tables/yara/yara.cpp
Outdated
| // Check if this "ad-hoc" signature file has not been used/compiled. | ||
| if (rules.count(hashStr(file, YC_FILE)) == 0) { |
There was a problem hiding this comment.
This is cached based on filename, right? Short of restarting osquery, is there a way to clear that cache? I don't think there needs to be, but the limitation might need documenting.
There was a problem hiding this comment.
The rule cache based on filename does not get cleanup. It avoids recompilation of file if they are already compiled.
osquery/tables/yara/yara.cpp
Outdated
| auto groups = context.constraints["sig_group"].getAll(EQUALS); | ||
| auto sigfiles = context.constraints["sigfile"].getAll(EQUALS); | ||
| auto sigrules = context.constraints["sigrule"].getAll(EQUALS); | ||
| if (groups.empty() && sigfiles.empty() && sigrules.empty()) { |
There was a problem hiding this comment.
Feels odd. These are checked here, but also then checked in the genYaraRuleFrom... routines. Do you think it's cleaner to call the genYaraRuleFrom... routines, and then check if scanContext is gt 0?
(This is not a leading question, I don't know what feels cleaner)
There was a problem hiding this comment.
I updated the checks and it will get the rules compiled and add them to the scanContext. It checks if the scanContext is empty and return empty result.
46da858
to
3c2ed27
Compare
|
Thanks, @directionless for comments. I added two flags: If a query is generated with |
osquery/tables/yara/yara.cpp
Outdated
| static std::shared_ptr<YARAConfigParserPlugin> getYaraParser(void) { | ||
| auto parser = Config::getParser("yara"); | ||
| if (isNull(parser)) { | ||
| LOG(ERROR) << "YARA config parser plugin has no pointer"; |
There was a problem hiding this comment.
"YARA config parser plugin not found"
osquery/tables/yara/yara.cpp
Outdated
|
|
||
| Status genYaraRuleFromFile(QueryContext& queryContext, | ||
| YaraScanContext& scanContext) { | ||
| auto yaraParser = getYaraParser(); |
There was a problem hiding this comment.
The method getYaraParser may print an error then this function will "bubble up" a similar error but with a loss of precision. We should check that we do not unintentionally emit the same (or similar) error twice. For example, this status is passed up to genYara, do we end up printing a status message there too?
I suggest we avoid writing status messages in getYaraParser and allow the top-most calling method to choose to print.
There was a problem hiding this comment.
I removed the status log printing from the top-most calling function and let getYaraParser print the error logs. These logs are more useful to debug the specific issues. The top-most function returns if the parser is null.
|
Thanks for the update! I'll take a final look at this tomorrow :) |
| /** | ||
| * Compile yara rules from string and load it into rule pointer. | ||
| */ | ||
| Status compileFromString(const std::string& rule_defs, YR_RULES** rules) { |
There was a problem hiding this comment.
The function compileFromString is similar to compileSingleFile and there are common code creating the yara compiler and error handling. I kept it as separate function to have different path for compiling the signature files and signature strings. Please let me know your thoughts.
The PR adds a new column
sigrulesthat can be used to pass a small set of YARA signature with the query.