mirror of
https://github.com/fleetdm/fleet
synced 2026-05-24 01:18:42 +00:00
Closes: #19271 Closes: #19286 Changes: - Updated the example in the schema folder readme - Updated the block scalar used in Fleet's osquery override documentation (`>-` » `|-`) and removed extra newlines - Updated the block scalar used in URLs used to create new yaml override files - Regenerated osquery_fleet_schema.json
14 lines
448 B
YAML
name: yara
examples: |-
  Look for files under `/root` that match a Yara signature. This example uses the [EICAR test file](https://www.eicar.org/download-anti-malware-testfile/).

  ```
  SELECT * FROM yara WHERE path like '/root/%%' AND sigrule IN (
  'rule eicar {
  strings:
  $s1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" fullword ascii
  condition:
  all of them
  }'
  ) AND matches='eicar';
  ```
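The query in the schema file passes the rule inline through `sigrule`. Two things a practitioner should know when adapting it: the `%%` at the end of the `path` constraint is osquery's recursive wildcard (`'/root/%'` with a single `%` would only scan the top level of `/root`), and because the rule is embedded in a SQL string literal, any single quote inside the YARA rule must be doubled. The following is an added example, not part of the Fleet schema override or the osquery project; it scans the same tree but loads the rule from a signature file via the `sigfile` column and filters on the `count` column. The file path `/etc/osquery/yara/eicar.yar` is an assumption and must exist on the host with the `rule eicar` shown above in it.

```sql
-- Added example (not from the Fleet schema file): scan /root recursively
-- against a YARA rule stored on disk instead of an inline sigrule.
-- Assumption: /etc/osquery/yara/eicar.yar contains the `rule eicar`
-- from the schema example above.
SELECT
  path,      -- file that was scanned
  matches,   -- comma-separated list of rule names that matched
  count,     -- number of matching rules
  strings    -- matched string identifiers (e.g. $s1)
FROM yara
WHERE path LIKE '/root/%%'               -- %% = recurse into subdirectories
  AND sigfile = '/etc/osquery/yara/eicar.yar'
  AND count > 0;                         -- drop files with no matches
```

Filtering on `count > 0` (or `matches = 'eicar'` as in the original) matters because the table otherwise returns one row per scanned file, matched or not, which on a large tree is mostly noise.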