Merge pull request #1338 from Security-Onion-Solutions/experimental

Fix strelka rules

salt/common/tools/sbin/so-yara-update

@@ -14,11 +14,10 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') -%}
-
+{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
 
 output_dir="/opt/so/saltstack/default/salt/strelka/rules"
-#mkdir -p $output_dir
+mkdir -p $output_dir
 repos="$output_dir/repos.txt"
 ignorefile="$output_dir/ignore.txt"
 
@@ -26,18 +25,17 @@ deletecounter=0
 newcounter=0
 updatecounter=0
 
-gh_status=$(curl -s -o /dev/null -w "%{http_code}" http://github.com)
-
-{%- if ISAIRGAP is sameas true -%}
+{% if ISAIRGAP is sameas true %}
 
 
 clone_dir="/nsm/repo/rules/strelka"
 repo_name="signature-base"
-mkdir -p $output_dir/$repo_name
+mkdir -p /opt/so/saltstack/default/salt/strelka/rules/signature-base
+
 [ -f $clone_dir/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name
 
 # Copy over rules
-for i in $(find $clone_dir -name "*.yar*"); do
+for i in $(find $clone_dir/yara -name "*.yar*"); do
   rule_name=$(echo $i | awk -F '/' '{print $NF}')
   repo_sum=$(sha256sum $i | awk '{print $1}')
 
@@ -87,9 +85,9 @@ echo "Done!"
     echo "$deletecounter rules removed because they were deprecated or don't exist in the source repo."
   fi
 
-{%- else -%}
-
+{% else %}
 
+gh_status=$(curl -s -o /dev/null -w "%{http_code}" http://github.com)
 clone_dir="/tmp"
 if [ "$gh_status" == "200" ]  || [ "$gh_status" == "301" ]; then