From 4e329359919367869ff8a0d3032e8823386863af Mon Sep 17 00:00:00 2001 From: Wes Date: Fri, 8 Mar 2024 16:24:37 +0000 Subject: [PATCH 1/6] Add Strelka config back --- salt/manager/init.sls | 45 +++++++++++++++++++++++++++++++++ salt/strelka/backend/config.sls | 10 ++++++++ 2 files changed, 55 insertions(+) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 51590a6ec..56e72c279 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -103,6 +103,51 @@ rules_dir: - group: socore - makedirs: True +{% if STRELKAMERGED.rules.enabled %} + strelkarepos: + file.managed: + - name: /opt/so/conf/strelka/repos.txt + - source: salt://strelka/rules/repos.txt.jinja + - template: jinja + - defaults: + STRELKAREPOS: {{ STRELKAMERGED.rules.repos }} + - makedirs: True + strelka-yara-update: + {% if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %} + cron.present: + {% else %} + cron.absent: + {% endif %} + - user: socore + - name: '/usr/sbin/so-yara-update >> /opt/so/log/yarasync/yara-update.log 2>&1' + - identifier: strelka-yara-update + - hour: '7' + - minute: '1' + strelka-yara-download: + {% if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %} + cron.present: + {% else %} + cron.absent: + {% endif %} + - user: socore + - name: '/usr/sbin/so-yara-download >> /opt/so/log/yarasync/yara-download.log 2>&1' + - identifier: strelka-yara-download + - hour: '7' + - minute: '1' + {% if not GLOBALS.airgap %} + update_yara_rules: + cmd.run: + - name: /usr/sbin/so-yara-update + - onchanges: + - file: yara_update_scripts + download_yara_rules: + cmd.run: + - name: /usr/sbin/so-yara-download + - onchanges: + - file: yara_update_scripts + {% endif %} + {% endif %} + {% else %} {{sls}}_state_not_allowed: diff --git a/salt/strelka/backend/config.sls b/salt/strelka/backend/config.sls index b39e06ac8..db18a68cc 100644 --- a/salt/strelka/backend/config.sls +++ b/salt/strelka/backend/config.sls 
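Review bot: The `strelka-yara-update` and `strelka-yara-download` cron entries fire at the same minute (`hour: '7'`, `minute: '1'`), and so-yara-download (PATCH 2/6) already calls `/usr/sbin/so-yara-update` when it finishes, so the two jobs can overlap and the standalone update can copy a half-populated `/nsm/rules/yara` to the backend. Dropping the `strelka-yara-update` cron, or staggering it (`- minute: '31'`), removes the race. The `update_yara_rules`/`download_yara_rules` `cmd.run` states carry no `runas`, so a highstate runs the scripts as root while the crons run them as `socore`; if `/nsm/rules/yara` ends up root-owned the socore cron will presumably fail on its next run — add `- runas: socore` unless root is intended. Both cron commands append to `/opt/so/log/yarasync/`, which nothing in this hunk creates; confirm it is managed elsewhere or add a `file.directory` state for it.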
@@ -50,6 +50,16 @@ backend_taste: - user: 939 - group: 939 +{% if STRELKAMERGED.rules.enabled %} +strelkarules: + file.recurse: + - name: /opt/so/conf/strelka/rules + - source: salt://strelka/rules + - user: 939 + - group: 939 + - clean: True +{% endif %} + {% else %} {{sls}}_state_not_allowed: From fc66a549027070ab75eecd9fda9d7fbb7aee074a Mon Sep 17 00:00:00 2001 From: Wes Date: Fri, 8 Mar 2024 16:26:14 +0000 Subject: [PATCH 2/6] Add Strelka download and update scripts back --- .../manager/tools/sbin_jinja/so-yara-download | 51 +++++++++++++++++++ salt/manager/tools/sbin_jinja/so-yara-update | 41 +++++++++++++++ 2 files changed, 92 insertions(+) create mode 100644 salt/manager/tools/sbin_jinja/so-yara-download create mode 100644 salt/manager/tools/sbin_jinja/so-yara-update diff --git a/salt/manager/tools/sbin_jinja/so-yara-download b/salt/manager/tools/sbin_jinja/so-yara-download new file mode 100644 index 000000000..aa9576253 --- /dev/null +++ b/salt/manager/tools/sbin_jinja/so-yara-download 
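Review bot: `strelkarules` uses `file.recurse` with `- clean: True`, and so-yara-update (PATCH 2/6) empties `/opt/so/saltstack/local/salt/strelka/rules` with `rm -f $OUTPUTDIR/*` before repopulating it, so a highstate that lands between those two steps — or one run after a failed sync — presumably mirrors an empty `salt://strelka/rules` and removes every rule on the backend; with the `watch` added in PATCH 3/6 that also restarts strelka_backend with no rules loaded. Consider guarding the state on the source being non-empty, or at least document the coupling: `# clean: True mirrors salt://strelka/rules exactly; an empty source removes all backend rules`. No `file_mode`/`dir_mode` is set, so the copied rules keep the master's default permissions — confirm that is intended for uid/gid 939.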
@@ -0,0 +1,51 @@
+#!/bin/bash
+NOROOT=1
+. /usr/sbin/so-common
+
+{%- set proxy = salt['pillar.get']('manager:proxy') %}
+{%- set noproxy = salt['pillar.get']('manager:no_proxy', '') %}
+
+# Download the rules from the internet
+{%- if proxy %}
+export http_proxy={{ proxy }}
+export https_proxy={{ proxy }}
+export no_proxy="{{ noproxy }}"
+{%- endif %}
+
+repos="/opt/so/conf/strelka/repos.txt"
+output_dir=/nsm/rules/yara
+gh_status=$(curl -s -o /dev/null -w "%{http_code}" https://github.com)
+clone_dir="/tmp"
+if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then
+
+ while IFS= read -r repo; do
+ if ! $(echo "$repo" | grep -qE '^#'); then
+ # Remove old repo if existing bc of previous error condition or unexpected disruption
+ repo_name=`echo $repo | awk -F '/' '{print $NF}'`
+ [ -d $output_dir/$repo_name ] && rm -rf $output_dir/$repo_name
+
+ # Clone repo and make appropriate directories for rules
+ git clone $repo $clone_dir/$repo_name
+ echo "Analyzing rules from $clone_dir/$repo_name..."
+ mkdir -p $output_dir/$repo_name
+ # Ensure a copy of the license is available for the rules
+ [ -f $clone_dir/$repo_name/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name
+
+ # Copy over rules
+ for i in $(find $clone_dir/$repo_name -name "*.yar*"); do
+ rule_name=$(echo $i | awk -F '/' '{print $NF}')
+ cp $i $output_dir/$repo_name
+ done
+ rm -rf $clone_dir/$repo_name
+ fi
+ done < $repos
+
+ echo "Done!"
+
+/usr/sbin/so-yara-update
+
+else
+ echo "Server returned $gh_status status code."
+ echo "No connectivity to Github...exiting..."
+ exit 1
+fi
diff --git a/salt/manager/tools/sbin_jinja/so-yara-update b/salt/manager/tools/sbin_jinja/so-yara-update
new file mode 100644
index 000000000..07c940f47
--- /dev/null
+++ b/salt/manager/tools/sbin_jinja/so-yara-update
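Review bot: The result of `git clone $repo $clone_dir/$repo_name` is never checked, and `clone_dir="/tmp"` is a fixed, world-writable location, so when the clone fails (network error, or `/tmp/<repo_name>` already present because another local user created it) the script still runs `find` and `cp` over whatever is at that path, copies it into `/nsm/rules/yara`, and then calls `/usr/sbin/so-yara-update`, which pushes it to the backend. Use a private scratch directory and skip the repo on failure: `clone_dir=$(mktemp -d)` and `git clone "$repo" "$clone_dir/$repo_name" || continue`. The connectivity probe only checks `https://github.com` while `repos.txt` is operator-supplied, so a non-GitHub repo is skipped entirely when GitHub is unreachable and never probed otherwise; checking per repo (`git ls-remote`) would be more accurate. `$repo_name`, `$i` and the other path variables are unquoted throughout, and `rule_name` is assigned but never used in the copy loop.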
@@ -0,0 +1,41 @@
+#!/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+NOROOT=1
+. /usr/sbin/so-common
+
+echo "Starting to check for yara rule updates at $(date)..."
+
+newcounter=0
+excludedcounter=0
+excluded_rules=({{ EXCLUDEDRULES | join(' ') }})
+
+# Pull down the SO Rules
+SORULEDIR=/nsm/rules/yara
+OUTPUTDIR=/opt/so/saltstack/local/salt/strelka/rules
+
+mkdir -p $OUTPUTDIR
+# remove all rules prior to copy so we can clear out old rules
+rm -f $OUTPUTDIR/*
+
+for i in $(find $SORULEDIR -name "*.yar" -o -name "*.yara"); do
+ rule_name=$(echo $i | awk -F '/' '{print $NF}')
+ if [[ ! "${excluded_rules[*]}" =~ ${rule_name} ]]; then
+ echo "Adding rule: $rule_name..."
+ cp $i $OUTPUTDIR/$rule_name
+ ((newcounter++))
+ else
+ echo "Excluding rule: $rule_name..."
+ ((excludedcounter++))
+ fi
+done
+
+if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then
+ echo "$newcounter rules added."
+ echo "$excludedcounter rule(s) excluded."
+fi
+
+echo "Finished rule updates at $(date)..."
From e8ae60901233b06742a915cb64940e8564d75f37 Mon Sep 17 00:00:00 2001 From: Wes Date: Fri, 8 Mar 2024 16:27:17 +0000 Subject: [PATCH 3/6] Add Strelka rules watch back --- salt/strelka/backend/enabled.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/strelka/backend/enabled.sls b/salt/strelka/backend/enabled.sls
index 9ebb1a148..fc56f4197 100644
--- a/salt/strelka/backend/enabled.sls
+++ b/salt/strelka/backend/enabled.sls
@@ -42,8 +42,8 @@ strelka_backend: {% endfor %} {% endif %} - restart_policy: on-failure - #- watch: - # - file: strelkarules + - watch: + - file: strelkarules delete_so-strelka-backend_so-status.disabled: file.uncomment:
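Review bot: The exclusion test `[[ ! "${excluded_rules[*]}" =~ ${rule_name} ]]` treats the file name as an unanchored regex against the space-joined list, so `.` in `foo.yar` matches any character and a rule named `rule.yar` is also excluded when `myrule.yar` or `rule.yara` is on the list. Compare exactly instead: `if ! printf '%s\n' "${excluded_rules[@]}" | grep -qxF -- "$rule_name"; then`. Because rules from every repo are flattened into `$OUTPUTDIR/$rule_name`, two repos that ship the same file name silently overwrite each other; prefixing the target with the repo directory name, or warning when the target already exists, would make that visible. `for i in $(find ...)` splits on whitespace, so a rule path containing a space is skipped or mis-copied — `find ... -print0 | while IFS= read -r -d '' i` is the usual form.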
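Review bot: The new `- watch:` / `- file: strelkarules` requisite is unconditional, but `strelkarules` is only declared inside `{% if STRELKAMERGED.rules.enabled %}` in salt/strelka/backend/config.sls (PATCH 1/6), so with rules disabled the `strelka_backend` state should fail on an unresolved requisite instead of running. Wrap the two watch lines in the same condition, `{% if STRELKAMERGED.rules.enabled %} … {% endif %}`, assuming STRELKAMERGED is in scope in enabled.sls. The `strelka_backend` state starts above the hunk.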
From 34d5954e169972e21e412fb236f8bfc80cca788e Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 11 Mar 2024 09:12:05 -0400 Subject: [PATCH 4/6] Fix indent --- salt/manager/init.sls | 86 +++++++++++++++++++++---------------------- 1 file changed, 43 insertions(+), 43 deletions(-) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index ee564dce8..c62a41999 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls 
@@ -118,49 +118,49 @@ rules_dir: - makedirs: True {% if STRELKAMERGED.rules.enabled %} - strelkarepos: - file.managed: - - name: /opt/so/conf/strelka/repos.txt - - source: salt://strelka/rules/repos.txt.jinja - - template: jinja - - defaults: - STRELKAREPOS: {{ STRELKAMERGED.rules.repos }} - - makedirs: True - strelka-yara-update: - {% if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %} - cron.present: - {% else %} - cron.absent: - {% endif %} - - user: socore - - name: '/usr/sbin/so-yara-update >> /opt/so/log/yarasync/yara-update.log 2>&1' - - identifier: strelka-yara-update - - hour: '7' - - minute: '1' - strelka-yara-download: - {% if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %} - cron.present: - {% else %} - cron.absent: - {% endif %} - - user: socore - - name: '/usr/sbin/so-yara-download >> /opt/so/log/yarasync/yara-download.log 2>&1' - - identifier: strelka-yara-download - - hour: '7' - - minute: '1' - {% if not GLOBALS.airgap %} - update_yara_rules: - cmd.run: - - name: /usr/sbin/so-yara-update - - onchanges: - - file: yara_update_scripts - download_yara_rules: - cmd.run: - - name: /usr/sbin/so-yara-download - - onchanges: - - file: yara_update_scripts - {% endif %} - {% endif %} +strelkarepos: + file.managed: + - name: /opt/so/conf/strelka/repos.txt + - source: salt://strelka/rules/repos.txt.jinja + - template: jinja + - defaults: + STRELKAREPOS: {{ STRELKAMERGED.rules.repos }} + - makedirs: True +strelka-yara-update: + {% if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %} + cron.present: + {% else %} + cron.absent: + {% endif %} + - user: socore + - name: '/usr/sbin/so-yara-update >> /opt/so/log/yarasync/yara-update.log 2>&1' + - identifier: strelka-yara-update + - hour: '7' + - minute: '1' +strelka-yara-download: + {% if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %} + cron.present: + {% else %} + cron.absent: + {% endif %} + - user: socore + - name: '/usr/sbin/so-yara-download >> 
/opt/so/log/yarasync/yara-download.log 2>&1' + - identifier: strelka-yara-download + - hour: '7' + - minute: '1' +{% if not GLOBALS.airgap %} +update_yara_rules: + cmd.run: + - name: /usr/sbin/so-yara-update + - onchanges: + - file: yara_update_scripts +download_yara_rules: + cmd.run: + - name: /usr/sbin/so-yara-download + - onchanges: + - file: yara_update_scripts +{% endif %} +{% endif %} {% else %} From 907cf9f9924d25c3e309a32900c9a522ffa8a212 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 11 Mar 2024 12:20:28 -0400 Subject: [PATCH 5/6] transition pcap --- salt/bpf/pcap.map.jinja | 17 ++++++++++------- salt/global/soc_global.yaml | 6 +++--- salt/suricata/map.jinja | 2 +- salt/suricata/pcap.sls | 2 +- salt/telegraf/scripts/oldpcap.sh | 2 +- 5 files changed, 16 insertions(+), 13 deletions(-) diff --git a/salt/bpf/pcap.map.jinja b/salt/bpf/pcap.map.jinja index c1d7562cc..a6deae4f4 100644 --- a/salt/bpf/pcap.map.jinja +++ b/salt/bpf/pcap.map.jinja @@ -1,7 +1,10 @@ -{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %} -{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %} -{% import 'bpf/macros.jinja' as MACROS %} - -{{ MACROS.remove_comments(BPFMERGED, 'pcap') }} - -{% set PCAPBPF = BPFMERGED.pcap %} +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% if GLOBALS.pcap_engine == "TRANSITION" %} +{% set PCAPBPF = "ip and host 255.255.255.1 and port 1" %} +{% else %} +{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %} +{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %} +{% import 'bpf/macros.jinja' as MACROS %} +{{ MACROS.remove_comments(BPFMERGED, 'pcap') }} +{% set PCAPBPF = BPFMERGED.pcap %} +{% endif %} diff --git a/salt/global/soc_global.yaml b/salt/global/soc_global.yaml index d707fb1cc..a48476214 100644 --- a/salt/global/soc_global.yaml +++ b/salt/global/soc_global.yaml 
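Review bot: The TRANSITION branch hard-codes `"ip and host 255.255.255.1 and port 1"` with no explanation, so a reader has to infer that it is a deliberate match-nothing filter for the legacy capture. Add a comment above the `set`, e.g. `{# TRANSITION: Suricata writes pcap, so hand the legacy capture a BPF that matches no traffic #}`, with the wording confirmed against the actual intent. In that branch `BPFMERGED` and `MACROS` are never defined, so any template that imports this map and reads `BPFMERGED` will presumably fail on an undefined variable — worth checking before merge. PATCH 6/6 turns the same value into a list; the comment belongs with that version.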
@@ -15,9 +15,9 @@ global: regexFailureMessage: You must enter either ZEEK or SURICATA. global: True pcapengine: - description: Which engine to use for generating pcap. Options are STENO and SURICATA. - regex: ^(STENO|SURICATA)$ - regexFailureMessage: You must enter either STENO or SURICATA. + description: Which engine to use for generating pcap. Options are STENO, SURICATA or TRANSITION. + regex: ^(STENO|SURICATA|TRANSITION)$ + regexFailureMessage: You must enter either STENO, SURICATA or TRANSITION. global: True ids: description: Which IDS engine to use. Currently only Suricata is supported. diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja index 6ba3c3b73..7f7b04aef 100644 --- a/salt/suricata/map.jinja +++ b/salt/suricata/map.jinja @@ -9,7 +9,7 @@ {% set surimeta_filestore_index = [] %} {# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #} -{% if GLOBALS.pcap_engine == "SURICATA" %} +{% if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %} {% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %} {# move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #} {% do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %} diff --git a/salt/suricata/pcap.sls b/salt/suricata/pcap.sls index 665262477..87b568f96 100644 --- a/salt/suricata/pcap.sls +++ b/salt/suricata/pcap.sls @@ -11,7 +11,7 @@ suripcapdir: - mode: 775 - makedirs: True -{% if GLOBALS.pcap_engine == "SURICATA" %} +{% if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %} {# there should only be 1 interface in af-packet so we can just reference the first list item #} {% for i in range(1, SURICATAMERGED.config['af-packet'][0].threads + 1) %} diff --git a/salt/telegraf/scripts/oldpcap.sh b/salt/telegraf/scripts/oldpcap.sh index 438ce912c..876ff7835 100644 --- a/salt/telegraf/scripts/oldpcap.sh 
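Review bot: The `pcapengine` description now offers TRANSITION but does not say what it means, and this text is all the operator sees when choosing it in SOC. Extend it, e.g. `description: Which engine to use for generating pcap. Options are STENO, SURICATA or TRANSITION (Suricata writes pcap while the legacy capture runs with a match-nothing filter).`, with the parenthetical confirmed against the intent of PATCH 5/6.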
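Review bot: The condition `GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"]` is copied verbatim into salt/suricata/map.jinja, salt/suricata/pcap.sls and salt/telegraf/scripts/oldpcap.sh (next line), so the next engine value has to be added in three templates plus the regex in soc_global.yaml. A single derived flag next to the other GLOBALS values, e.g. `{% set suri_pcap = GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}` (exact placement in vars/globals.map.jinja to be confirmed), would let each consumer test one name instead. The surrounding `{% if %}` blocks in all three files start or end outside their hunks.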
+++ b/salt/telegraf/scripts/oldpcap.sh @@ -5,7 +5,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- if GLOBALS.pcap_engine == "SURICATA" %} +{%- if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %} PCAPLOC=/host/nsm/suripcap {%- else %} PCAPLOC=/host/nsm/pcap From ba32b3e6e9d23a7c34fadef272f5bf8ec2e52ae3 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 11 Mar 2024 14:07:45 -0400 Subject: [PATCH 6/6] fix bpf for transition --- salt/bpf/pcap.map.jinja | 2 +- salt/soc/defaults.yaml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/bpf/pcap.map.jinja b/salt/bpf/pcap.map.jinja index a6deae4f4..4d8fef460 100644 --- a/salt/bpf/pcap.map.jinja +++ b/salt/bpf/pcap.map.jinja @@ -1,6 +1,6 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% if GLOBALS.pcap_engine == "TRANSITION" %} -{% set PCAPBPF = "ip and host 255.255.255.1 and port 1" %} +{% set PCAPBPF = ["ip and host 255.255.255.1 and port 1"] %} {% else %} {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %} {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %} diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 5699c7722..7be2db772 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1132,7 +1132,8 @@ soc: compileYaraPythonScriptPath: /opt/so/conf/strelka/compile_yara.py reposFolder: /opt/sensoroni/yara/repos rulesRepos: - - https://github.com/Security-Onion-Solutions/securityonion-yara + - repo: https://github.com/Security-Onion-Solutions/securityonion-yara + license: DRL yaraRulesFolder: /opt/sensoroni/yara/rules suricataengine: communityRulesFile: /nsm/rules/suricata/emerging-all.rules
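Review bot: `rulesRepos` changes shape from a list of URL strings to a list of mappings (`repo`, `license`), which breaks any consumer that iterates the list and uses each item directly as a string; nothing in this series updates a reader of `soc.…rulesRepos`, so confirm the consumer now indexes `repo`. The new `license: DRL` key has no documented meaning here — a short comment, `# license: identifier of the repo's rule license (DRL = Detection Rule License)`, would help, if that expansion is the intended one.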