-
Notifications
You must be signed in to change notification settings - Fork 464
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add YARA queries to osquery-perf #25272
Conversation
// Switch based on contents of the query. | ||
lcQuery := strings.ToLower(query) | ||
switch { | ||
case strings.Contains(lcQuery, "from yara") && strings.Contains(lcQuery, "sigurl"): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the query isn't using sigurl
then it's not a remote Yara rule, so it won't cause any extra load on the Fleet server.
|
||
func (a *agent) runLiveYaraQuery(query string) (results []map[string]string, status *fleet.OsqueryStatus, message *string, stats *fleet.Stats) { | ||
// Get the URL of the YARA rule to request (i.e. the sigurl). | ||
urlRegex := regexp.MustCompile(`sigurl=(["'])([^"']*)["']`) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Technically this would allow mismatched single and double quotes but Go regex doesn't support backreferences and I don't think it's worth validating.
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #25272 +/- ##
==========================================
- Coverage 63.84% 63.82% -0.03%
==========================================
Files 1616 1616
Lines 153829 153893 +64
Branches 3975 3975
==========================================
- Hits 98218 98217 -1
- Misses 47797 47861 +64
- Partials 7814 7815 +1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
cmd/osquery-perf/agent.go
Outdated
} | ||
request.Header.Add("Content-type", "application/json") | ||
|
||
// Make the request. For load testing purposes we don't actually care about the response. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should still read the body to better simulate clients:
if _, err := io.Copy(io.Discard, response.Body); err != nil {
...
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 done
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great. Left a nit comment about reading the response body.
cmd/osquery-perf/agent.go
Outdated
if _, err := io.Copy(io.Discard, response.Body); err != nil { | ||
ss := fleet.OsqueryStatus(1) | ||
return []map[string]string{}, &ss, ptr.String(fmt.Sprintf("error reading response from yara API: %v", err)), nil | ||
} | ||
defer response.Body.Close() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
defer response.Body.Close()
should be before the io.Copy
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good catch, fixed
for #25220
Overview
This PR adds support for remote YARA queries to osquery-perf, so that remote YARA queries can be load-tested.
Details
The existing
runLiveQuery()
is updated to branch off into different query running functions based on the content of the query. If the query containsfrom yara
andsigurl
, then the newrunLiveYaraQuery()
function is run which makes a request to the Fleet "get yara rules" API before returning an appropriate response. Otherwise, the newRunLiveMockQuery()
function is run which includes the previous logic for sending a mock response.Testing
I don't see any automated testing for osquery-perf, but I manually tested in the following way:
go run agent.go
and verified that the result was as-expected:
I also used a log in Fleet to verify that the "get yara rules" API was really being called.
and verified that the result was as expected:
I also tested that sending a
sigurl
with the wrong host returns alive yara query failed because sigurl host did not match server address
errorChecklist for submitter
cmd/osquery-perf
for new osquery data ingestion features.