Collector condition #152

sirbrowser · 2023-05-05T09:03:25Z

sirbrowser
May 5, 2023

Hello Thiago,

Is it possible to execute a file collector based on the result of a command?

For example if I want to execute a yara scanner and collect all files flagged by the scanner.

Thanks

Answered by tclahr

May 6, 2023

Hi,
Yes, it is! You need to run yara scanner using command collector, save the list of files in a text file (one file per line), then collect them using the file collector.

Let me give you an example:

artifacts:
  -
    description: run yara scanner and save list of files in a text file
    supported_os: [all]
    collector: command
    command: yara_scanner <parameters>
    output_file: yara_scanner.txt
  -
    description: collect all files (full path) listed in yara_scanner.txt
    supported_os: [all]
    collector: file
    path: yara_scanner.txt
    is_file_list: true

View full answer

tclahr · 2023-05-06T12:15:09Z

tclahr
May 6, 2023
Maintainer

Hi,
Yes, it is! You need to run yara scanner using command collector, save the list of files in a text file (one file per line), then collect them using the file collector.

Let me give you an example:

artifacts:
  -
    description: run yara scanner and save list of files in a text file
    supported_os: [all]
    collector: command
    command: yara_scanner <parameters>
    output_file: yara_scanner.txt
  -
    description: collect all files (full path) listed in yara_scanner.txt
    supported_os: [all]
    collector: file
    path: yara_scanner.txt
    is_file_list: true

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Collector condition #152

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Collector condition #152

Uh oh!

sirbrowser May 5, 2023

Replies: 1 comment

Uh oh!

tclahr May 6, 2023 Maintainer

sirbrowser
May 5, 2023

tclahr
May 6, 2023
Maintainer