I'm trying to run on-demand yara scan in osqueryi using 'pattern' constraints but that column is not there and getting error below. Am i missing something on how to use pattern constraints?
select * from yara where pattern="/bin/%sh" and sig_group="sig_group_1";
Error: no such column: pattern
Just referencing the osquery yara documentation here that i followed: https://osquery.readthedocs.io/en/stable/deployment/yara/
osquery> SELECT * FROM yara WHERE pattern="/bin/%sh" AND sigfile="/Users/wxs/sigs/baz.sig";
+-----------+---------+-------+-----------+-------------------------+----------+
| path | matches | count | sig_group | sigfile | pattern |
+-----------+---------+-------+-----------+-------------------------+----------+
| /bin/bash | | 0 | | /Users/wxs/sigs/baz.sig | /bin/%sh |
| /bin/csh | | 0 | | /Users/wxs/sigs/baz.sig | /bin/%sh |
| /bin/ksh | | 0 | | /Users/wxs/sigs/baz.sig | /bin/%sh |
| /bin/sh | | 0 | | /Users/wxs/sigs/baz.sig | /bin/%sh |
| /bin/tcsh | | 0 | | /Users/wxs/sigs/baz.sig | /bin/%sh |
| /bin/zsh | | 0 | | /Users/wxs/sigs/baz.sig | /bin/%sh |
+-----------+---------+-------+-----------+-------------------------+----------+
osquery>
And the table schema of yara don't have column 'pattern' either: https://osquery.io/schema/4.8.0/#yara
Those linked docs appear to be out of date. As you point out, there is no
patterncolumn.It looks like you should be able to use a pattern on
path. From the examples in the source code:(I don't use yara, and can't easily confirm this)