observer: add YARA rule-based process execution scanning#4995
Open
4ykutG wants to merge 1 commit into
Implements issue cilium#1319. Hooks into execve events via HandlePerfData, scans new process binaries asynchronously with a YARA worker pool, and sends SIGKILL on a match.
- pkg/observer/yara_scanner.go: YARA engine with 4-worker pool, buffered queue (256), per-worker Scanner, fail-safe drop on full queue
- pkg/observer/observer.go: whitelist filter + enqueueYaraScan on execve
- pkg/option, pkg/defaults: --yara-rules-dir flag (default /etc/tetragon/yara-rules.d)
- cmd/tetragon/main.go: InitYaraScanner at startup (non-fatal if missing)
- yara-rules/ransomware.yar: detection rules for WannaCry, LockBit, REvil, shadow copy deletion, ransom note names, encryption+mass-write pattern
- vendor: go-yara/v4 binding (requires libyara >= 4.2)
Note: userspace SIGKILL is a known limitation (TOCTOU). A follow-up could use eBPF LSM hooks for pre-execution blocking.
mtardy (Member) requested changes on May 13, 2026 and left a comment:
Thanks for the proposal. Could you speak a bit about why you think this is the right way to solve the problem?
Additionally, if you are using Generative AI tools to create this contribution, please describe how involved you were using the AI Influence Level, and describe how you reviewed the output before submission.
Could you also, in the future, split your commits into logical changes? Please read https://tetragon.io/docs/contribution-guide/ before resubmitting. Thanks!
Member left a comment:
Why did you remove the whole Dockerfile?
Fixes #1319
Description
Adds YARA rule-based scanning for process execution events. When a new process starts, its binary is scanned asynchronously against YARA rules. On a match, SIGKILL is sent to terminate the process.
- pkg/observer/yara_scanner.go: YARA engine with 4-worker pool, buffered queue (256), per-worker Scanner, fail-safe drop on full queue
- pkg/observer/observer.go: whitelist filter + async scan on execve events
- pkg/option, pkg/defaults: --yara-rules-dir flag (default /etc/tetragon/yara-rules.d)
- cmd/tetragon/main.go: engine initialization at startup (non-fatal if directory missing)
- yara-rules/ransomware.yar: detection rules for WannaCry, LockBit, REvil, shadow copy deletion, ransom note names, encryption+mass-write patterns
Known limitation: userspace SIGKILL has a TOCTOU race — the binary starts executing before we can kill it. A proper solution would use eBPF LSM hooks for pre-execution blocking, which could be a follow-up.
Dependency: requires libyara >= 4.2 on the host system.
Changelog
Add YARA rule-based process execution scanning via --yara-rules-dir flag.
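The commit message and the PR description both sketch the same design: an execve hook that skips whitelisted paths, hands the binary to a fixed pool of scanner workers through a bounded queue, drops the request when the queue is full, and terminates the process on a match. The Go program below is an added illustration of that queueing and fail-safe behaviour; it is not code from this PR or from Tetragon. It assumes a stand-in `Matcher` type in place of go-yara's per-worker `Scanner`, a one-rule `toyMatch` that looks for a constructed marker string, and an injected `onMatch` callback where the PR would send SIGKILL, so it runs without libyara. The pool size 2, queue size 256 and the `/usr/lib/` whitelist prefix are example values.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"sync"
	"sync/atomic"
)

// ScanRequest is one execve event queued for scanning (constructed model).
type ScanRequest struct{ PID int; Binary string }
// Matcher stands in for a per-worker go-yara Scanner (assumed): rule names matching a binary.
type Matcher func(content []byte) []string

// YaraScanner mirrors the PR's shape: a fixed worker pool drains a bounded
// channel; the execve path never blocks, and a full queue drops the request.
type YaraScanner struct {
	Dropped    int64 // requests lost to a full queue (first field: 64-bit aligned)
	queue      chan ScanRequest
	whitelist  []string                    // path prefixes never scanned
	newMatcher func() Matcher              // one matcher per worker, like yara.Scanner
	onMatch    func(ScanRequest, []string) // where the PR sends SIGKILL
	wg         sync.WaitGroup
}

func NewYaraScanner(workers, queueSize int, whitelist []string,
	newMatcher func() Matcher, onMatch func(ScanRequest, []string)) *YaraScanner {
	s := &YaraScanner{queue: make(chan ScanRequest, queueSize),
		whitelist: whitelist, newMatcher: newMatcher, onMatch: onMatch}
	for i := 0; i < workers; i++ {
		s.wg.Add(1)
		go s.worker()
	}
	return s
}

func (s *YaraScanner) worker() {
	defer s.wg.Done()
	match := s.newMatcher() // per-goroutine instance: a yara.Scanner is not shareable
	for req := range s.queue {
		data, err := os.ReadFile(req.Binary)
		if err != nil {
			continue // process already gone or binary unreadable
		}
		if hits := match(data); len(hits) > 0 {
			s.onMatch(req, hits) // the process is already running: the PR's TOCTOU window
		}
	}
}

// Enqueue runs on the execve path; false means whitelisted or dropped (queue full).
func (s *YaraScanner) Enqueue(req ScanRequest) bool {
	for _, p := range s.whitelist {
		if strings.HasPrefix(req.Binary, p) {
			return false
		}
	}
	select {
	case s.queue <- req:
		return true
	default: // fail-safe: never block the event pipeline
		atomic.AddInt64(&s.Dropped, 1)
		return false
	}
}

func (s *YaraScanner) Close() { close(s.queue); s.wg.Wait() } // stop intake, drain queue

// toyMatch is a one-rule stand-in for a compiled rule set, so no libyara is needed.
func toyMatch(b []byte) []string {
	if bytes.Contains(b, []byte("CONSTRUCTED_RANSOM_MARKER")) {
		return []string{"constructed_marker"}
	}
	return nil
}

// DemoScan writes two constructed "binaries" into dir, scans them, returns matched PIDs.
func DemoScan(dir string) (killed []int, err error) {
	bad, good := filepath.Join(dir, "suspicious"), filepath.Join(dir, "benign")
	for path, body := range map[string]string{bad: "ELF CONSTRUCTED_RANSOM_MARKER", good: "ELF hello"} {
		if err = os.WriteFile(path, []byte(body), 0o755); err != nil {
			return nil, err
		}
	}
	var mu sync.Mutex
	s := NewYaraScanner(2, 256, []string{"/usr/lib/"}, func() Matcher { return toyMatch },
		func(req ScanRequest, _ []string) { mu.Lock(); killed = append(killed, req.PID); mu.Unlock() })
	s.Enqueue(ScanRequest{PID: 101, Binary: bad})
	s.Enqueue(ScanRequest{PID: 102, Binary: good})
	s.Enqueue(ScanRequest{PID: 103, Binary: "/usr/lib/systemd/systemd"}) // whitelisted, never queued
	s.Close()
	return killed, nil
}

func main() {
	fmt.Println(DemoScan(os.TempDir())) // leaves the two constructed files behind
}
```

Two properties of this shape matter for a reviewer. First, `Dropped` is the number that a deployment must watch: every increment is a process that ran without being scanned, so the "fail-safe drop" is a trade of coverage for liveness and needs a metric or log line. Second, `onMatch` fires from a worker goroutine after `execve` has already returned, which is exactly the TOCTOU window the PR description calls out; a pre-execution block would have to happen in the kernel, which is why the description points at eBPF LSM hooks as the follow-up.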