Add sigurl to get the YARA signature from https server for scan
#6607
Conversation
|
I feel really ambivalent about this. It seems like it's adding a layer of indirection in the config, and I don't understand why the complexity is valuable. I'm not opposed, but I am skeptical.
I'm going through the thought exercise of using this. And it has a lot of moving parts for a site admin. |
4ef5f2d to
370f046
Compare
370f046 to
ffafe82
Compare
|
Thanks @directionless for the comments. The reason I added signature urls to config file to allow only a set of url from where the rules can be downloaded. I had concern about passing them with query. Someone can pass arbitrary url's with the query and download data into the memory. |
837b9ca to
4f52202
Compare
|
To review office hours:
Just that the user doesn't have to include the URL or URLs in the query every time. The URL may never (or rarely) change, so it can be "remembered" in the config. Also there might be URL length limitations in a SQL statement but I don't know for sure.
We weren't assuming a difference in access privilege of query delivery and of osquery config changes. Supplying the signature URL(s) in the config was the chosen approach for the reason above.
Protecting against an untrusted query wasn't in our requirements, so no. And we weren't thinking that there were two privilege levels here (role in which it is possible to change the config; role in which they cannot change the config but they can issue arbitrary queries). If this is definitely a thing, we can add the allow_list string in the config to mitigate risk from the latter. But if it's unknown if it's a thing, I suggest not holding up this PR to write a mitigation for an imagined problem. Let me see if @directionless would agree that these changes would get us to mergeable state:
|
|
I think we're having a UI/UX conversation, not a functionality or security one. Specifically, I think office hours was pretty clearly in favor of the functionality, even if it duplicates joining So, I think that means:
I think the correct way to achieved (2) is to use a glob or regex based I do not think we should be naming URLs and then querying by name. I think the indirection is more trouble than good. I imagine this would looks something like: Notable undiscussed here is what, if any, authentication happens. Or how often osquery re-fetches the URL content. |
TLS-client authentication is the only kind of authentication I see support for in osquery's http_client (osquery/osquery/remote/http_client.cpp). If additional authentication schemes for http_client are desired can we address that in a separate enhancement issue? Other than that, what is the desired error handling behavior if the URL returns a
In the PR, osquery/tables/yara/yara.cpp#121-ff implement a check of the "Last-Modified" HTTP header, which is to say it re-fetches the content only when the content has changed since it was last cached in the client.
Besides the aforementioned HTTP caching, I also don't believe the hypothetical |
@kumarak do you think this could be avoided in an update to this PR? |
| @@ -177,6 +222,21 @@ Status getYaraRules(YARAConfigParser parser, | |||
| break; | |||
| } | |||
|
|
|||
| case YC_URL: { | |||
There was a problem hiding this comment.
Speaking of caching... This is all inside the compiled cache block, isn't it? Which, is probably desired to keep from re-compiling these rules. /However/ doesn't that mean that the URL content will be cached for the life of the osquery process?
There was a problem hiding this comment.
The compiled cache blocks gets cleaned for YC_RULE and YC_URL type after the scan and will not be there for the life-time of the osquery process.
// possibilities of collision when arbitrary queries are executed
// with distributed API. Clear the hash string from the cache
// Also cleanup the cache block if rules are downloaded from url
for (const auto& sign : scanContext) {
if (sign.first == YC_RULE || sign.first == YC_URL) {
auto it = rules.find(hashStr(sign.second, sign.first));
if (it != rules.end()) {
rules.erase(hashStr(sign.second, sign.first));
}
}
}
There was a problem hiding this comment.
Ah. Hrm. I know that's in a different PR, but it seems weird.
If we're storing these with a key based on the hash of the rule body, why delete? (I know it's existing code)
There was a problem hiding this comment.
The reason I throw them out of the cache after scanning is to avoid having the recompiled rule for the lifetime of the osquery process. It fits with the URL, if we are going to re-fetch the updated contents.
100%. future work.
Some kind of log line seems reasonable here, yeah.
I think one of us is missing something. (And there's a good chance I'm confused about something) the |
172a0d0 to
842c747
Compare
|
Thanks, @mike-myers-tob, @directionless for the comments. I updated the PR to implement the allowed list in the config and the URL will be matched against them. It checks for scheme, host match, and does the regexp match for the path. This will provide more flexibility in populating the allowed list.
It does not support the authentication schema and it will be done with future enhancements.
It uses the same code path as |
4cc8814 to
25e4143
Compare
25e4143 to
4ba3402
Compare
| @@ -177,6 +222,21 @@ Status getYaraRules(YARAConfigParser parser, | |||
| break; | |||
| } | |||
|
|
|||
| case YC_URL: { | |||
There was a problem hiding this comment.
Ah. Hrm. I know that's in a different PR, but it seems weird.
If we're storing these with a key based on the hash of the rule body, why delete? (I know it's existing code)
Moved to allow set for checking the sigurl Update comments and check for response code
5f38564 to
65177d9
Compare
|
@kumarak How to use this function? I config same your config but It return: Pls share me your document? thank you |
has to be an array @MinhKMA, my yara config block |
…0 to master * commit 'ab092654b8b027e35a91ef19feb74f9eeec0fc2b': (98 commits) osquery-4.5.0: merge updates and fix conflicts osquery-4.5.0: merge updates and fix conflicts Add 4.5.0 CHANGELOG (osquery#6646) Add sigurl column to pass yara signatures with the queries (osquery#6607) Update process auditing docs schema link (osquery#6645) Support for Background Activity Moderator (osquery#6585) database: Remove read only concept (osquery#6637) Parsing of user data in Windows event log (osquery#6643) events: Remove selectAllFrom from linux process events callback (osquery#6638) libs: Set glog and gflags includes as SYSTEM (osquery#6635) tests: Fix flaky test_2_daemon_with_option (osquery#6634) tests: Improve the reliability of TLSServerRunner (osquery#6632) database: Move initialization retry logic into DB API (osquery#6633) libs/smartmontools: Add aarch64 support libs/lzma: Add aarch64 support libs/lldpd: Add aarch64 support libs/librdkafka: Add aarch64 support libs/libgpg-error: Add aarch64 support libs/libgcrypt: Add aarch64 support libs/libdpkg: Add aarch64 support ...
The PR adds a new column
sigurlthat can be used to pass the url from where the YARA signature can be downloaded for the scan. The signature urls need to be pre-registered with the configuration file.The feature will be disabled by default and can be enabled with a hidden flag
enable_yara_sigurl. It also forces all the strings to be private, if the rules are downloaded from url unless . The private string will not show up in the yara table. the feature can be disabled withdisable_yara_string_privateflag. A query with signature urls: