Issue running proc_yara() plugin in 0.7.1 #3225
Comments
This issue appears to be resolved in #3226

Windows.Detection.Yara.Process - #3233 Testing proc_yara under Linux seems to error out with:

That is expected, there is no pid 0
This works for me

--- a/artifacts/definitions/Linux/Detection/Yara/Process.yaml
+++ b/artifacts/definitions/Linux/Detection/Yara/Process.yaml
@@ -92,13 +92,13 @@ sources:
file='String.Data',
name=format(format="%v-%v_%v_%v",
args=[ ProcessName, Pid, String.Offset, ContextBytes ]
)) as HitContext
- FROM yara(files=format(format="/%d", args=Pid),
- accessor='process',rules=yara_rules,
+ FROM proc_yara(pid=Pid,
+ rules=yara_rules,
context=ContextBytes, number=NumberOfHits )
})
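Review bot: `proc_yara(pid=Pid, ...)` in this hunk passes `Pid` straight through with no guard, whereas the replaced `yara(files=format(format="/%d", args=Pid), accessor='process', ...)` at least forced an integer rendering through `%d`; the thread below says a failed `int(int=Pid)` conversion would explain why pid 0 was being scanned, so add a `WHERE Pid > 0` (or an explicit integer check) upstream of this source, or document that `Pid` must already be a non-zero integer. The move away from `yara(accessor='process')` also deserves a line in the artifact description stating that `proc_yara()` is used to avoid the block-scanning false negatives described in the issue body.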
velociraptor-v0.7.1-1-linux-amd64 -v artifacts collect Linux.Detection.Yara.Process --args PidRegex=3145944 --args YaraRule="ascii wide: secret"
This makes sense, as in my artifact I was running int(int=Pid). If this has failed, it would explain why the 0 was being scanned.

Interesting, running explain on the query shows

So maybe the int() function is not handling int32 properly.

Confirmed working in head release, thank you!
I'm getting a repeatable exception running the proc_yara() plugin in 0.7.1.
Replicate in an artifact or notebook with:
SELECT * FROM proc_yara(pid=TargetPid,rules=YaraRule)
I'm testing this plugin as the standard yara(accessor='process'...) is causing some false negatives in some advanced rules due to block scanning, and I want to test that this older plugin performs as expected. We can then update Windows.Detection.Yara.Process and other artifacts as needed.
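Added example, not from the issue or from the Velociraptor artifacts, showing the reproduction query from the issue body extended to a full process sweep that guards against the pid-0 case discussed in the comments: processes are enumerated with pslist(), pid 0 is filtered out, and the pid is forced to an integer with int(int=Pid) before it reaches proc_yara(). ProcessRegex and the context/number values are assumed parameter choices; the shorthand rule "ascii wide: secret" is the one used in the command on this page. Output column names other than String.Offset and String.Data (used by the artifact diff above) are assumed.

```vql
-- Added example (not the project's own artifact code).
-- Parameter names and values below are assumptions for illustration.
LET ProcessRegex = "velociraptor"
LET YaraRule = "ascii wide: secret"

-- Enumerate candidate processes first and drop pid 0, which proc_yara()
-- cannot open (as noted in the thread). int(int=Pid) makes the pid an
-- integer even if the artifact parameter arrived as a string.
LET Targets = SELECT int(int=Pid) AS Pid, Name
  FROM pslist()
  WHERE Pid > 0 AND Name =~ ProcessRegex

-- Scan each surviving process with proc_yara(), passing the pid directly
-- rather than building a "/%d" path for the block-scanning yara() plugin.
-- Rule is an assumed column name; String.Offset/String.Data match the diff.
SELECT Pid, Name, Rule,
       String.Offset AS Offset,
       String.Data AS HitContext
FROM foreach(row=Targets, query={
  SELECT * FROM proc_yara(pid=Pid, rules=YaraRule, context=64, number=10)
})
```

Running `EXPLAIN` on the Targets query (as one commenter did) is the quickest way to confirm that Pid is carried as an integer and that pid 0 never reaches proc_yara().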