
Async yara rule downloads #86

Merged
merged 2 commits into from
Aug 25, 2024

Conversation

jukuisma
Contributor

Hey, please consider the following two patches.

Cheers, Juho

@jukuisma jukuisma changed the title Draft: Async yara rule downloads Async yara rule downloads Apr 16, 2024
@jukuisma
Contributor Author

Although, now that I think about it, the last couple of yara rules might still be downloading the first time this is run when the next task starts copying them. Add an async_status task or a simple pause.

@jukuisma jukuisma changed the title Async yara rule downloads Draft: Async yara rule downloads Apr 16, 2024
@jukuisma
Contributor Author

> Although, now that I think about it, the last couple of yara rules might still be downloading the first time this is run when the next task starts copying them. Add an async_status task or a simple pause.

Got back to this and realized that the next task doesn't move around the downloaded yara rules, but copies these:

╭─aj@archibald ~/github/harden.yml/  ‹feature/async-yara-download›
╰─➤  ls -ltr files/yara
total 20
-rw-r--r--. 1 aj aj  497 Apr 16 21:18 GoldenHelper.yar
-rw-r--r--. 1 aj aj 1312 Apr 16 21:18 README.md
-rw-r--r--. 1 aj aj  626 Apr 16 21:18 GoldenSpy.yar
-rw-r--r--. 1 aj aj  906 Apr 16 21:18 Goldenspy_Uninstaller.yar
-rw-r--r--. 1 aj aj 1198 Apr 16 21:18 Goldenspy_Uninstaller_v2.yar

i.e., there shouldn't be any reason to enforce completion of all async tasks before this.
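For readers who do want the ordering guarantee discussed above (wait for every background download before a later task touches the rule directory), the pattern in Ansible is to start the downloads with `async`/`poll: 0`, then poll each job with `async_status` until it is finished. The tasks below are an added illustration, not the tasks from harden.yml; the variables `yara_rule_urls` and `yara_rules_dir`, the timeouts and the file path are assumptions.

```yaml
# Added example, not part of harden.yml. Assumes two variables are defined
# elsewhere in the play: `yara_rule_urls` (a list of URLs) and `yara_rules_dir`
# (the destination directory on the managed host). Both names are placeholders.

- name: Download YARA rules in parallel
  ansible.builtin.get_url:
    url: "{{ item }}"
    dest: "{{ yara_rules_dir }}/{{ item | basename }}"
    mode: "0644"
  loop: "{{ yara_rule_urls }}"
  async: 300        # background job may run for up to 300 s
  poll: 0           # fire and forget; do not wait here
  register: yara_downloads

# Each loop item registered above carries an `ansible_job_id`; poll every
# job until it reports finished, so no download is still in flight when the
# next task writes into the same directory.
- name: Wait for all YARA rule downloads to finish
  ansible.builtin.async_status:
    jid: "{{ item.ansible_job_id }}"
  loop: "{{ yara_downloads.results }}"
  loop_control:
    label: "{{ item.item | basename }}"
  register: yara_download_jobs
  until: yara_download_jobs.finished
  retries: 60       # 60 retries x 5 s delay = 5 minutes, matching `async: 300`
  delay: 5

# The task that previously raced the downloads: copies the rules bundled
# with the repository (files/yara) into the same directory.
- name: Copy bundled YARA rules from the repository
  ansible.builtin.copy:
    src: files/yara/
    dest: "{{ yara_rules_dir }}/"
    mode: "0644"
```

A failed download surfaces in the `async_status` task rather than silently leaving a truncated or missing rule file, which is the check the "simple pause" alternative would not give you.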

@jukuisma jukuisma changed the title Draft: Async yara rule downloads Async yara rule downloads Apr 21, 2024
@pyllyukko
Owner

> Hey, please consider the following two patches.

Hi! Sorry I have totally missed any notification about this PR. I'll look into it soon.

Although I need to tell you that I'm having second thoughts about this whole "download a million YARA rules" :D Here are some thoughts/reasons:

  • The rules seem to come and go in the upstream repos, which of course makes the whole playbook fail if it fails to find a single file to download
  • The quality varies a lot for these rules and it's a pain trying to somehow vet them
    • It would be nice to utilize YARA Forge, to get some quality guarantees (as mentioned in YARA #84)
  • This kind of thing should maybe be implemented / transferred to clamav-unofficial-sigs (as it does download some YARA rules already), but apparently that project is in hiatus.

@jukuisma
Contributor Author

> Although I need to tell you that I'm having second thoughts about this whole "download a million YARA rules" :D

Sure, I don't have big opinions nor expertise on the actual content of the YARA rules. I'm not personally running these hardenings on any of my systems as is. I was just digging into these mostly for educational purposes and picking the applicable parts to use on my systems as one does. As such, there's no pressure to get these changes merged either. Just noticed a low hanging fruit for making the playbook execution faster.

Allow reusing established ssh connections. This makes everything except
the bottle-necking yara rule downloads slightly faster as it removes
authentication overhead from each individual task.

This allows parallelizing download of multiple small files from github.
Cuts previous ~20 minute play time to ~5 minutes on an 8 core vagrant box
with `--forks 8` flag.

Downside is that ansible doesn't know if the rule has changed since last
download and we lose idempotency, i.e., every rule is listed as changed.
@pyllyukko pyllyukko merged commit ee4bfee into pyllyukko:master Aug 25, 2024
1 check passed
@pyllyukko
Owner

Merged. Thanks!
