mquery

YARA malware query accelerator (web frontend)


Configuration

There are three different things you can configure within Mquery: core, plugins and ursadb. Unfortunately, all are configured differently.

Mquery core configuration

Mquery is configured with typed-config. Every configuration field can be passed in two ways: through a config file, or through an environment variable. For example:

[redis]
host=redis-server.example.com

[mquery]
backend=tcp://ursadb-server.example.com:9281
plugins=plugins.archive:GzipPlugin

This is a simple INI configuration file that mquery understands. It should be saved in a file called mquery.ini. The file should be in one of the following locations (checked in that order):

Alternatively, you can use environment variables to configure mquery. Field names are mapped to environment variables by joining the ini section name with the key name - for example, to change the redis host value use REDIS_HOST. Environment variables take precedence over values from the config file!
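As an added illustration (not typed-config's or mquery's own code), the following Python applies the mapping just described to a constructed mquery.ini: section and key are joined with an underscore and upper-cased, the environment wins over the file, and the keys taken from the environment are reported so that an unexpected override (for instance a REDIS_HOST left in a container environment) is visible at startup.

```python
import configparser
import os
from typing import Dict, List, Tuple

# Constructed sample in the same shape as the mquery.ini shown above.
SAMPLE_INI = """
[redis]
host=redis-server.example.com

[mquery]
backend=tcp://ursadb-server.example.com:9281
plugins=plugins.archive:GzipPlugin
"""


def env_var_name(section: str, key: str) -> str:
    """Map an ini section and key to its environment variable,
    e.g. ("redis", "host") -> "REDIS_HOST"."""
    return f"{section}_{key}".upper()


def resolve_config(ini_text: str, environ: Dict[str, str]) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Return {(section, key): (value, source)} with source "env" or "file".
    An environment variable, when present, shadows the file value."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    resolved: Dict[Tuple[str, str], Tuple[str, str]] = {}
    for section in parser.sections():
        for key, file_value in parser.items(section):
            name = env_var_name(section, key)
            if name in environ:
                resolved[(section, key)] = (environ[name], "env")
            else:
                resolved[(section, key)] = (file_value, "file")
    return resolved


def overridden_keys(resolved: Dict[Tuple[str, str], Tuple[str, str]]) -> List[str]:
    """Keys whose file value was replaced by an environment variable."""
    return sorted(f"{s}.{k}" for (s, k), (_, src) in resolved.items() if src == "env")


if __name__ == "__main__":
    # Resolve against the real process environment and flag every override.
    cfg = resolve_config(SAMPLE_INI, dict(os.environ))
    for (section, key), (value, source) in cfg.items():
        print(f"{section}.{key} = {value}  ({source})")
    print("overridden by environment:", overridden_keys(cfg))
```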

Currently, supported configuration keys are:

Mquery plugin configuration

In contrast to the core configuration, plugins can be configured dynamically. Every worker registers its list of active plugins in the database, and it’s possible to configure them using the web UI:

This configuration mechanism is used by the plugins shipped with Mquery. Despite this, it’s optional, and plugin authors don’t have to use it. Since plugins are arbitrary code, plugins can read their configuration from anywhere they want, including the environment, other config files, etc.

It’s also easy to use the same config file for Mquery and plugins - see example_typed_config_plugin.py file for an example.

UrsaDB configuration

UrsaDB is not technically part of Mquery, but both systems work closely together and depend on each other for optimal performance.

Mquery currently does not allow you to configure UrsaDB nicely. You have to do it “manually”, by connecting with ursacli program to the TCP port exposed by UrsaDB. This program is built together with UrsaDB, and available in all official docker images. You can execute it in docker-compose like this:

sudo docker-compose -f docker-compose.dev.yml exec ursadb ursacli

Or you can download the latest ursadb release and run a client from there.

To set a configuration field, issue a command like this:

$ ursacli
ursadb> config set "database_workers" 10;

The configuration keys are documented in UrsaDB’s docs here: https://cert-polska.github.io/ursadb/configuration.html. We won’t copy all relevant information here, but the most important config keys are:

.env file

Finally, in the main directory of the repository there is a file named .env. Mquery does not use it in any way, but it’s read by Docker.

$ cat .env
# This file is only relevant for docker-compose deployments.

# Directory where your samples are stored. By default you have to copy them
# to ./samples subdirectory in this repository.
SAMPLES_DIR=./samples
# Directory where the index files should be saved. By default ./index
# subdirectory in this repository.
INDEX_DIR=./index

If you use docker-compose to start mquery, you can use this file to specify the locations on the host for your SAMPLES_DIR and INDEX_DIR. These variables are then used when creating containers. See, for example, the ursadb container spec:

  ursadb:
    restart: always
    image: mqueryci/ursadb:v1.5.0
    ports:
    - "127.0.0.1:9281:9281"
    volumes:
    - "${SAMPLES_DIR}:/mnt/samples"
    - "${INDEX_DIR}:/var/lib/ursadb"
    user: "0:0"

As you can see, variables from .env are used to specify the mount points for the data volumes. You can also ignore this file and edit the docker-compose file directly to your liking.