像这样启动 osqueryi：sudo osqueryi --config_path /etc/osquery/osquery.conf --disable_events=false --enable_file_events=true
osquery.conf
{
// Description of the YARA feature.
"yara": {
"signatures": {
// Each key is an arbitrary group name to give the signatures listed
// Every file in a group must exist, be readable by the osquery process and
// compile; osquery logs YARA compile failures, and a group that fails to
// compile presumably produces no matches at all (check the osquery log).
// NOTE(review): the rule listing on this page is headed example_rules.yar,
// while this entry says example_rule.yara — confirm the path on disk.
"sig_group_1": [ "/home/sablearjun/rules.yar", "/home/sablearjun/example_rule.yara" ],
"sig_group_2": [ "/home/sablearjun/eicar.yar" ]
},
"file_paths": {
// Each key is a key from file_paths
// The value is a list of signature groups to run when an event fires
// These will be watched for and scanned when the event framework
// fires off an event to the yara_events table
// (the keys must match the top-level file_paths categories below; they do here)
"system_binaries": [ "sig_group_1" ],
"tmp": [ "sig_group_1", "sig_group_2" ]
}
},
// Paths to watch for filesystem events
// '%' matches a single directory level only; '%%' watches recursively, so
// files created in sub-directories of /tmp are not covered by this list.
// The same watch list feeds both file_events and yara_events, and it is only
// active when osquery runs with --disable_events=false and
// --enable_file_events=true. On Linux the watch is inotify-based, so the
// kernel watch limit (fs.inotify.max_user_watches) and the number of files
// under these directories can differ per host and change what gets reported.
"file_paths": {
"system_binaries": [ "/usr/bin/%", "/usr/sbin/%" ],
"tmp": [ "/tmp/%" ]
}
}
rules.yar
rule ExampleRule
{
    // Fires on the ASCII text "malware" at any position in the scanned file.
    strings:
        $marker = "malware"
    condition:
        $marker
}
rule SecondRule
{
    // Fires on either the ASCII text "ransom" or the six-byte sequence
    // E2 34 A1 C8 23 FB, anywhere in the scanned file.
    strings:
        $text  = "ransom"
        $bytes = { E2 34 A1 C8 23 FB }
    condition:
        $text or $bytes
}
// Unconditional match: every file handed to the scanner is reported as
// matching this rule. That makes it a quick check that file events actually
// reach the YARA scanner, at the cost of one yara_events row per scanned file.
// NOTE(review): if osquery compiles both files of sig_group_1 into one
// ruleset, the global filesize rule in the companion rule file also gates
// this rule — confirm the test files are below that limit.
rule file_event
{
condition:
true
}
example_rules.yar
/*
 * Fires on the ASCII text "hello" at any position in the file.
 */
rule AsciiExample {
    strings:
        $greeting = "hello"   // no modifier: plain ASCII match
    condition:
        $greeting
}
/*
 * Fires on "hello" stored with two bytes per character (the 'wide' form)
 * anywhere in the file.
 */
rule UnicodeExample {
    strings:
        $greeting_w = "hello" wide   // 'wide' alone: only the two-byte form, not ASCII
    condition:
        $greeting_w
}
/*
 * Fires on the byte sequence 01 23 45 67 89 AB CD EF anywhere in the file.
 */
rule HexExample {
    strings:
        // Three spellings of the same eight bytes: hex digits are
        // case-insensitive and whitespace between bytes is ignored.
        $seq_upper  = { 0123456789ABCDEF }
        $seq_lower  = { 0123456789abcdef }
        $seq_spaced = { 01 23 45 67 89 ab cd ef }
    condition:
        $seq_upper or $seq_lower or $seq_spaced
}
/*
 * Fires on 01 23 45 ?? ?? AB CD EF, where each ?? stands for any one byte.
 */
rule WildcardHexExample {
    strings:
        // Same pattern three ways; '?' is a wildcard nibble, so '??' is any byte.
        $seq_upper  = { 012345????ABCDEF }
        $seq_lower  = { 012345????abcdef }
        $seq_spaced = { 01 23 45 ?? ?? ab cd ef }
    condition:
        $seq_upper or $seq_lower or $seq_spaced
}
/*
 * Fires only when the two bytes "MZ" (not zero terminated) sit at offset 0.
 */
rule OffsetExample {
    strings:
        $dos_magic = "MZ"
    condition:
        $dos_magic at 0
}
/*
 * Fires when "PE" starts at some offset from 32 to 100 (decimal).
 */
rule RangeExample {
    strings:
        $pe_magic = "PE"
    condition:
        $pe_magic in (32..100)
}
/*
 * Match any file with "MZ" at offset 0 and "PE" starting somewhere between
 * the offset of the first "MZ" match and absolute offset 0x200 (512 decimal).
 * NOTE(review): the upper bound is absolute, not relative to the MZ match;
 * with $mz pinned at 0 the two coincide. Also confirm the string-offset
 * index: current YARA numbers occurrences from 1 (@mz[1] is the first
 * match), so check how the installed version treats @mz[0].
 */
rule RelativeOffsetExample {
strings:
$mz = "MZ"
$pe = "PE"
condition:
$mz at 0 and $pe in (@mz[0]..0x200)
}
/*
 * Match any PE file as defined by MZ and PE signatures at required locations.
 */
rule IsPeFile {
    strings:
        $dos_magic = "MZ"
    condition:
        // e_lfanew (the 32-bit value at 0x3C) points at the PE header, whose
        // first four bytes "PE\0\0" read as little-endian 0x00004550.
        $dos_magic at 0 and uint32(uint32(0x3C)) == 0x4550
}
/*
 * Fires on 55 8B EC (push ebp; mov ebp, esp) at the executable's entry point.
 */
rule EntryPointExample {
    strings:
        $frame_setup = { 55 8b ec }
    condition:
        // 'entry_point' is YARA's built-in entry-point offset; newer YARA
        // releases document it as deprecated in favour of pe.entry_point.
        $frame_setup at entry_point
}
/*
 * This will match any file containing "hello" anywhere.
 * The three strings are deliberately identical; the rule exists to show the
 * quantifier forms listed in the condition block.
 */
rule ConditionsExample {
strings:
$string1 = "hello"
$string2 = "hello"
$string3 = "hello"
condition:
// 'any of them' is true as soon as one of the declared strings matches.
any of them
/*
Alternative quantifiers (not active):
all of them
1 of them
any of ($string*)
2 of ($string*)
1 of ($string1,$string2)
*/
}
/*
 * Fires when "hello" occurs five or more times in the file.
 */
rule NumberStringsExample {
    strings:
        $greeting = "hello"
    condition:
        #greeting >= 5   // '#' yields the number of matches of the string
}
/*
 * Fires when the file contains "hello" and also satisfies IsPeFile.
 */
rule RuleReference {
    strings:
        $greeting = "hello"
    condition:
        // A rule may be used as a boolean term when it is declared earlier
        // in the same ruleset, as IsPeFile is above.
        $greeting and IsPeFile
}
/*
 * Make YARA test only files less than 2MB for ALL rules.
 * A global rule must be true for any other rule in the same compiled set to
 * report a match, so a file of 2MB (2*1024*1024 bytes) or more matches
 * nothing here. NOTE(review): if osquery compiles every file of a signature
 * group into one set, this also silences the rules from rules.yar loaded
 * alongside this file in sig_group_1.
 */
global rule GlobalRuleExample {
condition:
filesize < 2MB
}
使用上述规则和配置，osquery 检测不到任何 yara_events。在少数系统上，相同的配置可以正常工作并检测到 yara_events，但在另一些系统上却不行。案例 1：系统检测到 file_events，但未检测到 yara_events。案例 2：系统未检测到 file_events，只检测到 yara_events。案例 3：系统同时检测到 file_events 和 yara_events。这种不一致背后的原因可能是什么？