# YARA with osquery and Fleet
---
## RECAP: What is YARA
- YARA describes itself as "the pattern-matching Swiss Army knife"
- Aimed at malware analysis, but it is useful well beyond that
- YARA provides:
  - A language to describe rules: strings, patterns and the conditions that combine them
  - A way to do remote forensics when paired with an agent such as osquery
---
## RECAP: Why use YARA
- Traditionally, detection strategies have revolved around static IOCs (MD5, SHA256 and similar signatures)
- YARA moves toward a dynamic-style analysis:
  - describe patterns (aka heuristics) rather than exact hashes
  - Example: detecting vulnerable Log4j jars in the wild
---
## YARA tables
- Two types: ad-hoc and evented
  - ad-hoc: the `yara` table, for on-demand scanning
    - requires a `path` constraint and one of `sig_group`, `sigfile` or `sigrule`
  - evented: the `yara_events` table, used in conjunction with FIM
    - like other evented tables, requires configuration
---
## Ad-hoc: `yara` table
- on-demand scanning
- specify the `path` to scan, and give the rule inline with `sigrule`
- if the YARA rule file already exists on the endpoint's disk, use `sigfile`
- `sig_group` refers to a signature group defined in the osquery configuration
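Two ad-hoc scans as an added example (not part of the original slides, and not osquery's own documentation): the first supplies a constructed YARA heuristic inline with `sigrule`, the second reads a rule file assumed to already be on the endpoint with `sigfile`. The directory `/opt/app/lib` and the file `/etc/osquery/yara/log4j.yar` are assumptions; the rule only flags jars that still ship the Log4j `JndiLookup` class, which is a triage hint rather than a vetted detection.

```sql
-- Added example, not from the slides. Assumptions: /opt/app/lib holds the jars
-- to check; /etc/osquery/yara/log4j.yar is a rule file already on the endpoint.
-- In osquery, a single % in a LIKE path matches one directory level.

-- 1) Rule supplied inline with `sigrule` (constructed heuristic for triage):
--    a jar that still contains the JndiLookup class gets flagged for follow-up.
SELECT path, matches, count, strings
FROM yara
WHERE path LIKE '/opt/app/lib/%.jar'
  AND sigrule = 'rule log4j_jndilookup_present
{
    meta:
        description = "JAR still contains the Log4j JndiLookup class"
    strings:
        $cls = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
    condition:
        $cls
}';

-- 2) Same scan, but the rule is read from a file on the endpoint with `sigfile`:
SELECT path, matches, count
FROM yara
WHERE path LIKE '/opt/app/lib/%.jar'
  AND sigfile = '/etc/osquery/yara/log4j.yar';
```

`matches` lists the rule names that fired and `count` how many did, so a non-zero `count` is the row to act on; `strings` shows which string identifiers matched, which is useful when tuning a heuristic like this one.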
---
## evented: `yara_events` table
- To be used in conjunction with the `file_events` (FIM) table
- Does a YARA scan when a file event is triggered
- Requires configuration
---
## `yara_events` configuration
```yaml
yara:
  file_paths:
    # FIM category name (must also exist under the top-level `file_paths`
    # config) mapped to the signature groups to scan on events in it
    tmp:
      - sig_group_1
  signatures:
    # named groups of YARA rule files present on the endpoint
    sig_group_1:
      - /path/to/yara/file
```
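How the configuration above is consumed, as an added example (not from the original slides): the signature group name reused ad hoc through `sig_group`, and a scheduled query that collects what `yara_events` produces. It assumes the `yara` block above is loaded, that `tmp` is also a FIM category under the top-level `file_paths`, and that `/tmp` is the directory that category watches.

```sql
-- Added example, not from the slides. Assumes the `yara` config above, a FIM
-- category named `tmp` covering /tmp, and `sig_group_1` as defined there.

-- Ad-hoc scan that reuses the configured group instead of repeating the rule:
SELECT path, matches, count
FROM yara
WHERE path LIKE '/tmp/%'
  AND sig_group = 'sig_group_1';

-- Scheduled query (in the schedule or a pack): rows appear as FIM reports
-- files created or modified in the `tmp` category and a rule in the group fires.
SELECT time, target_path, category, action, matches, count, strings
FROM yara_events
WHERE count > 0;
```

Because `yara_events` only runs rules against files that FIM already sees change, the CPU cost is bounded by how broad the FIM categories are rather than by a full-disk walk.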
---
## Caveats
- YARA itself is CPU intensive
- Patterns are matched against entire files, so large files and broad path globs are expensive to scan