Add YARA queries to osquery-perf #25272
Conversation
| // Switch based on contents of the query. | ||
| lcQuery := strings.ToLower(query) | ||
| switch { | ||
| case strings.Contains(lcQuery, "from yara") && strings.Contains(lcQuery, "sigurl"): |
There was a problem hiding this comment.
If the query isn't using sigurl then it's not a remote Yara rule, so it won't cause any extra load on the Fleet server.
|
|
||
| func (a *agent) runLiveYaraQuery(query string) (results []map[string]string, status *fleet.OsqueryStatus, message *string, stats *fleet.Stats) { | ||
| // Get the URL of the YARA rule to request (i.e. the sigurl). | ||
| urlRegex := regexp.MustCompile(`sigurl=(["'])([^"']*)["']`) |
There was a problem hiding this comment.
Technically this would allow mismatched single and double quotes but Go regex doesn't support backreferences and I don't think it's worth validating.
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #25272 +/- ##
==========================================
- Coverage 63.84% 63.82% -0.03%
==========================================
Files 1616 1616
Lines 153829 153893 +64
Branches 3975 3975
==========================================
- Hits 98218 98217 -1
- Misses 47797 47861 +64
- Partials 7814 7815 +1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
cmd/osquery-perf/agent.go
Outdated
| } | ||
| request.Header.Add("Content-type", "application/json") | ||
|
|
||
| // Make the request. For load testing purposes we don't actually care about the response. |
There was a problem hiding this comment.
We should still read the body to better simulate clients:
if _, err := io.Copy(io.Discard, response.Body); err != nil {
...
}
cmd/osquery-perf/agent.go
Outdated
| if _, err := io.Copy(io.Discard, response.Body); err != nil { | ||
| ss := fleet.OsqueryStatus(1) | ||
| return []map[string]string{}, &ss, ptr.String(fmt.Sprintf("error reading response from yara API: %v", err)), nil | ||
| } | ||
| defer response.Body.Close() |
There was a problem hiding this comment.
defer response.Body.Close() should be before the io.Copy.
Overview
This PR adds support for remote YARA queries to osquery-perf, so that remote YARA queries can be load-tested.
Details
The existing
runLiveQuery()is updated to branch off into different query running functions based on the content of the query. If the query containsfrom yaraandsigurl, then the newrunLiveYaraQuery()function is run which makes a request to the Fleet "get yara rules" API before returning an appropriate response. Otherwise, the newRunLiveMockQuery()function is run which includes the previous logic for sending a mock response.Testing
I don't see any automated testing for osquery-perf, but I manually tested in the following way:
go run agent.goand verified that the result was as-expected:
I also used a log in Fleet to verify that the "get yara rules" API was really being called.
and verified that the result was as expected:
I also tested that sending a
sigurlwith the wrong host returns alive yara query failed because sigurl host did not match server addresserrorChecklist for submitter
cmd/osquery-perffor new osquery data ingestion features.