Issue Type
🐛 Bug
Affected Component
openrelik-worker-yara
Description
While testing a .lime memory capture, I noticed that the worker completed successfully but produced no matches. The task did not fail and the UI/report only showed an empty result.
After checking the worker logs and output files, the selected input was passed to fraken-x as a regular file:
The .lime file was around 4 GiB. fraken-x defaults to --maxsize 1073741824.
So the file appears to be skipped because it is larger than the default 1 GiB max file size. This is hard to spot because the task still succeeds and the output is just [].
What would be the preferred fix for the Yara worker?
One option would be to add a task config field, for example:
Maximum file size
default: x
The worker could then pass this value
For single-file inputs, another option would be to automatically raise --maxsize to at least the selected file size. That would make selected memory captures like .lime scan as expected, while mounted disk image scans could keep the configured/default limit to avoid unexpectedly expensive scans.
The automatic raise could of course also be a config option.
What do you think?
The worker doesn't show an error, because it passed the file to fraken and thinks it was successful, but fraken skips it due to the maximum size.
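To make the second option concrete, here is an added sketch (not code from openrelik-worker-yara or fraken-x) of how the worker could pick the --maxsize value and, just as importantly, detect when an input would be silently skipped so an empty result is not reported as a clean success. It assumes the worker knows the input paths and sizes before invoking fraken-x; only the --maxsize flag and its 1 GiB default are taken from the report above.

```python
import os
from dataclasses import dataclass, field

# fraken-x default for --maxsize (1 GiB), as reported in this issue.
DEFAULT_MAXSIZE = 1073741824


@dataclass
class ScanPlan:
    maxsize: int                      # value to pass as --maxsize
    skipped: list = field(default_factory=list)  # inputs fraken-x would skip


def plan_scan(sizes, configured_maxsize=DEFAULT_MAXSIZE, auto_raise_single_file=True):
    """Decide the --maxsize for a scan and list inputs that exceed it.

    sizes: {path: size_in_bytes} for every file the worker will hand to fraken-x.
    For a single selected file (e.g. a memory capture) the limit is raised to
    the file size so the capture is actually scanned; for multi-file inputs such
    as a mounted disk image the configured limit is kept, so oversized files are
    still skipped but are now reported instead of vanishing silently.
    """
    maxsize = configured_maxsize
    if auto_raise_single_file and len(sizes) == 1:
        maxsize = max(maxsize, next(iter(sizes.values())))
    skipped = sorted(path for path, size in sizes.items() if size > maxsize)
    return ScanPlan(maxsize=maxsize, skipped=skipped)


def sizes_on_disk(paths):
    """Helper for real inputs: stat each path the worker selected."""
    return {path: os.path.getsize(path) for path in paths}


def result_status(plan, matches):
    """Classify the outcome so the task can warn/fail instead of returning [].

    Returns "ok" when nothing was skipped, "partial" when some inputs were
    skipped but others matched, and "skipped" when the only inputs were skipped.
    """
    if not plan.skipped:
        return "ok"
    return "partial" if matches else "skipped"


if __name__ == "__main__":
    # Constructed sample: a 4 GiB .lime capture selected as the only input.
    plan = plan_scan({"memory.lime": 4 * 1024**3})
    print(plan.maxsize, plan.skipped, result_status(plan, []))
```

With the automatic raise disabled, the same 4 GiB input lands in `plan.skipped`, which is the condition the worker should surface to the user rather than reporting an empty match list.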
Relevant Logs