From d1836fb3a332ed9f5cc5207a83c059a559a4341a Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 14 Sep 2020 09:57:08 -0400
Subject: [PATCH] Fix Salt issue with script
---
 salt/common/tools/sbin/so-yara-update | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/salt/common/tools/sbin/so-yara-update b/salt/common/tools/sbin/so-yara-update
index dc76e0676..9d7b3fcdf 100755
--- a/salt/common/tools/sbin/so-yara-update
+++ b/salt/common/tools/sbin/so-yara-update
@@ -14,11 +14,10 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
-{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') -%}
-
+{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
 output_dir="/opt/so/saltstack/default/salt/strelka/rules"
-#mkdir -p $output_dir
+mkdir -p $output_dir
 repos="$output_dir/repos.txt"
 ignorefile="$output_dir/ignore.txt"
@@ -26,18 +25,17 @@ deletecounter=0
 newcounter=0
 updatecounter=0
-gh_status=$(curl -s -o /dev/null -w "%{http_code}" http://github.com)
-
-{%- if ISAIRGAP is sameas true -%}
+{% if ISAIRGAP is sameas true %}
 clone_dir="/nsm/repo/rules/strelka"
 repo_name="signature-base"
-mkdir -p $output_dir/$repo_name
+mkdir -p /opt/so/saltstack/default/salt/strelka/rules/signature-base
+
 [ -f $clone_dir/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name
 # Copy over rules
-for i in $(find $clone_dir -name "*.yar*"); do
+for i in $(find $clone_dir/yara -name "*.yar*"); do
 rule_name=$(echo $i | awk -F '/' '{print $NF}')
 repo_sum=$(sha256sum $i | awk '{print $1}')
@@ -62,7 +60,7 @@ for i in $(find $clone_dir -name "*.yar*"); do
 fi
 fi;
 done
-
+
 # Check to see if we have any old rules that need to be removed
 for i in $(find $output_dir/$repo_name -name "*.yar*" | awk -F '/' '{print $NF}'); do
 is_repo_rule=$(find $clone_dir -name "$i" | wc -l)
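Review bot: The default handed to `pillar.get` on the `{%- set ISAIRGAP ... %}` line is the string `'False'`, while the `{% if ISAIRGAP is sameas true %}` test in the next hunk only matches the boolean, so a pillar that carries `global:airgap` as a quoted string would presumably render the online branch on an airgapped manager and attempt the github.com probe. A boolean default, `salt['pillar.get']('global:airgap', False)`, plus a comment that the pillar value must be a YAML boolean keeps the two lines consistent. The re-enabled `mkdir -p $output_dir` is also unquoted and unchecked; `mkdir -p "$output_dir" || exit 1` would stop the run before rules are compared against a directory that could not be created.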
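Review bot: The copy loop now walks only `$clone_dir/yara`, but the removal check shown as context in the following hunk still runs `find $clone_dir -name "$i"` over the whole tree, so a rule dropped from `yara/` that still exists elsewhere under `/nsm/repo/rules/strelka` is never counted as deprecated and stays in the Strelka rule set. Pointing that check at the same root, `is_repo_rule=$(find $clone_dir/yara -name "$i" | wc -l)`, keeps the add and delete decisions on one source of truth. The LICENSE line tests `$clone_dir/LICENSE` but copies `$clone_dir/$repo_name/LICENSE`, so the guard does not protect the `cp` it precedes. The added `mkdir -p /opt/so/saltstack/default/salt/strelka/rules/signature-base` repeats what `"$output_dir/$repo_name"` already expresses and will drift if either variable changes. The loop body continues outside this hunk.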
@@ -87,9 +85,9 @@ echo "Done!"
 echo "$deletecounter rules removed because they were deprecated or don't exist in the source repo."
 fi
-{%- else -%}
-
+{% else %}
+gh_status=$(curl -s -o /dev/null -w "%{http_code}" http://github.com)
 clone_dir="/tmp"
 if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then
@@ -132,7 +130,7 @@ if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then
 fi
 fi;
 done
-
+
 # Check to see if we have any old rules that need to be removed
 for i in $(find $output_dir/$repo_name -name "*.yar*" | awk -F '/' '{print $NF}'); do
 is_repo_rule=$(find $clone_dir/$repo_name -name "$i" | wc -l)
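Review bot: The relocated `gh_status` probe has no timeout and goes over plain HTTP, so on a network that silently drops traffic the update blocks indefinitely, and any intercepting proxy or captive portal that answers 200 or 301 on port 80 satisfies the check. Something like `gh_status=$(curl -s --max-time 10 -o /dev/null -w "%{http_code}" https://github.com)` bounds the wait and ties the answer to a validated TLS endpoint (the 10-second value is only a suggestion). The context line `clone_dir="/tmp"` also means rule repositories land at a predictable path in a world-writable directory before being copied into the Strelka rules; if the script runs as root, a `mktemp -d` working directory removed on exit would be safer. The `if` block opened here continues outside the hunk, so how the clone itself is performed is not visible.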