#!/bin/bash
# Copyright 2014-2023 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}

echo "Starting to check for yara rule updates at $(date)..."

output_dir="/opt/so/saltstack/default/salt/strelka/rules"
mkdir -p $output_dir
repos="$output_dir/repos.txt"
newcounter=0

{% if ISAIRGAP is sameas true %}

echo "Airgap mode enabled."

clone_dir="/nsm/repo/rules/strelka"
repo_name="signature-base"
mkdir -p /opt/so/saltstack/default/salt/strelka/rules/signature-base
# Ensure a copy of the license is available for the rules
[ -f $clone_dir/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name

# Copy over rules
for i in $(find $clone_dir/yara -name "*.yar*"); do
  rule_name=$(echo $i | awk -F '/' '{print $NF}')
  echo "Adding rule: $rule_name..."
  cp $i $output_dir/$repo_name
  ((newcounter++))
done

echo "Done!"

if [ "$newcounter" -gt 0 ];then
  echo "$newcounter rules added."
fi

{% else %}

gh_status=$(curl -s -o /dev/null -w "%{http_code}" https://github.com)
clone_dir="/tmp"
if [ "$gh_status" == "200" ]  || [ "$gh_status" == "301" ]; then

  while IFS= read -r repo; do
    if ! $(echo "$repo" | grep -qE '^#'); then
      # Remove old repo if existing bc of previous error condition or unexpected disruption
      repo_name=`echo $repo | awk -F '/' '{print $NF}'`
      [ -d $output_dir/$repo_name ] && rm -rf $output_dir/$repo_name

      # Clone repo and make appropriate directories for rules
      git clone $repo $clone_dir/$repo_name
      echo "Analyzing rules from $clone_dir/$repo_name..."
      mkdir -p $output_dir/$repo_name
      # Ensure a copy of the license is available for the rules
      [ -f $clone_dir/$repo_name/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name

      # Copy over rules
      for i in $(find $clone_dir/$repo_name -name "*.yar*"); do
        rule_name=$(echo $i | awk -F '/' '{print $NF}')
        echo "Adding rule: $rule_name..."
        cp $i $output_dir/$repo_name
        ((newcounter++))
     done
     rm -rf $clone_dir/$repo_name
    fi
    done < $repos

  echo "Done!"
  
  if [ "$newcounter" -gt 0 ];then
    echo "$newcounter rules added."
  fi
  
else
  echo "Server returned $gh_status status code."
  echo "No connectivity to Github...exiting..."
  exit 1
fi
{% endif %}

echo "Finished rule updates at $(date)..."
