Skip to content

Implement yara_events table for Windows #8580

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
zwass merged 4 commits into from
Apr 2, 2025
Merged

Implement yara_events table for Windows #8580

zwass merged 4 commits into from
Apr 2, 2025

Conversation

@zwass
Copy link
Member

@zwass zwass commented Mar 25, 2025

Uses the ntfs_journal_events publisher under the hood to get file modifications. Otherwise this is pretty similar to the macOS/Linux implementations.

@zwass zwass added virtual tables events Related to osquery's evented tables or eventing subsystem Windows labels Mar 25, 2025
@zwass zwass requested review from a team as code owners March 25, 2025 19:24
zwass
zwass commented Mar 25, 2025
View reviewed changes
specs/yara_events.table
Comment on lines +14 to +16
extended_schema(DARWIN, [
Column("transaction_id", BIGINT, "ID used during bulk update"),
])
Copy link
Member Author

@zwass zwass Mar 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR didn't make any changes to this column, but I noticed that the code comments indicate it is only ever returned on macOS.

@zwass
Copy link
Member Author

zwass commented Mar 25, 2025

I used the following for manual testing of this:

osquery command

 .\osquery\RelWithDebInfo\osqueryd.exe --disable_events=false --pidfile osquery.pid --allow_unsafe --database_path .\osquery.db --logger_path .\logs --enable_ntfs_event_publisher=true --config_path=config.json -S --verbose

config.json

{
    "schedule": {
      "file_events": {
        "query": "SELECT * FROM ntfs_file_events;",
        "removed": false,
        "interval": 10
      }
    },
    "file_paths": {
      "osquery": [
        "C:\\osquery\\"
      ],
      "test":[
        "C:\\osquery\\test\\"
      ]
    },
    "yara": {
      "signatures": {
        "test": ["C:\\osquery\\.github\\true.yara", "C:\\osquery\\.github\\false.yara", "C:\\osquery\\.github\\foo.yara"]
      },
      "file_paths": {
        "osquery": ["test"],
        "test": ["test"]
      }
    }
}

true.yara

rule match_any_file {
    condition:
        true
}

false.yara

rule match_no_file {
    condition:
        false
}

foo.yara

rule TextExample : Foo Bar Baz
{
    strings:
        $text_string = "foobar"

    condition:
        $text_string
}

@zwass zwass mentioned this pull request Mar 27, 2025
Closed
20 tasks
directionless
directionless approved these changes Mar 29, 2025
View reviewed changes
osquery/tables/yara/windows/yara_events.cpp
Comment on lines +105 to +108
// NOTE(woodruffw): This will remove nonexistent paths, even if
// they aren't patterns. For example, C:\foo\bar won't
// be monitored if it doesn't already exist at table/event
// creation time. Is that what we want?
Copy link
Member

@directionless directionless Mar 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mmmm. That is a good question. My hunch is that we want to let people monitor things that don't exist yet, but I don't know if that's really possible in the bounds of FIM

Copy link
Member Author

@zwass zwass Apr 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree. This is copied from the ntfs_journal_events table and so shares the same behavior.

@zwass zwass merged commit 11dacee into osquery:master Apr 2, 2025
22 checks passed
@zwass zwass deleted the yara-events-windows branch April 2, 2025 19:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@directionless directionless directionless approved these changes

Assignees

No one assigned

Labels

events Related to osquery's evented tables or eventing subsystem virtual tables Windows

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@zwass @directionless