
I am trying to run an on-demand yara scan in osqueryi using the "pattern" constraint, but the column does not exist and I get the error below. Am I missing something about how to use the pattern constraint?

select * from yara where pattern="/bin/%sh" and sig_group="sig_group_1";
Error: no such column: pattern

Just referencing the osquery yara documentation I followed here: https://osquery.readthedocs.io/en/stable/deployment/yara/

osquery> SELECT * FROM yara WHERE pattern="/bin/%sh" AND sigfile="/Users/wxs/sigs/baz.sig";
+-----------+---------+-------+-----------+-------------------------+----------+
| path      | matches | count | sig_group | sigfile                 | pattern  |
+-----------+---------+-------+-----------+-------------------------+----------+
| /bin/bash |         | 0     |           | /Users/wxs/sigs/baz.sig | /bin/%sh |
| /bin/csh  |         | 0     |           | /Users/wxs/sigs/baz.sig | /bin/%sh |
| /bin/ksh  |         | 0     |           | /Users/wxs/sigs/baz.sig | /bin/%sh |
| /bin/sh   |         | 0     |           | /Users/wxs/sigs/baz.sig | /bin/%sh |
| /bin/tcsh |         | 0     |           | /Users/wxs/sigs/baz.sig | /bin/%sh |
| /bin/zsh  |         | 0     |           | /Users/wxs/sigs/baz.sig | /bin/%sh |
+-----------+---------+-------+-----------+-------------------------+----------+
osquery>

And the yara table schema also has no column "pattern": https://osquery.io/schema/4.8.0/#yara


1 Answer


Those linked docs appear to be out of date. As you point out, there is no pattern column.

It looks like you should be able to use a pattern on path. From the examples in the source code:

select * from yara where path LIKE '/etc/%'

(I don't use yara, and can't easily confirm this)

answered 2021-05-08T00:56:41.907
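As an added example (not part of the question or answer above, and not osquery's own code): the on-demand scan the question wanted, written against the columns the yara table actually has. It constrains `path` with LIKE instead of the non-existent `pattern` column, and it defines the `sig_group_1` group in an osquery config, since a `sig_group` that is not declared in the config matches no rules. The config path, the rule file `/etc/osquery/yara/shells.yar`, and an `osqueryi` on PATH are assumptions.

```shell
#!/bin/sh
# Added example: on-demand YARA scan with osqueryi using the real yara columns.
# Assumed (not from the thread): rule file /etc/osquery/yara/shells.yar exists,
# osqueryi is on PATH, and the config is written to the path below.
CONF="${OSQUERY_YARA_CONF:-/tmp/osquery-yara.conf}"   # hypothetical config path

# Write a minimal osquery config that declares sig_group_1, the group name used
# in the question. "yara.signatures" maps a group name to a list of rule files.
write_config() {
  cat > "$1" <<'EOF'
{
  "yara": {
    "signatures": {
      "sig_group_1": ["/etc/osquery/yara/shells.yar"]
    }
  }
}
EOF
}

# Build the on-demand query: the file set comes from a LIKE constraint on
# path (the "%" wildcard replaces the "pattern" column the old docs mention),
# and the rule set is selected with sig_group.
yara_query() {
  printf "SELECT path, count, matches FROM yara WHERE path LIKE '%s' AND sig_group = '%s';" "$1" "$2"
}

# Run the scan interactively; --json makes the result easy to post-process.
run_scan() {
  write_config "$CONF"
  osqueryi --config_path "$CONF" --json "$(yara_query "$1" "$2")"
}

# Example invocation (uncomment on a host with osqueryi installed):
# run_scan '/bin/%sh' 'sig_group_1'
```

Rows with `count` greater than 0 are the files that matched at least one rule in the group; `matches` lists the rule names.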