Merge pull request #14499 from Security-Onion-Solutions/strelkaFix

Add missing scanners and fix forcedType for Strelka SOC UI annotations. Restart Strelka containers on config change.
2026-02-12 02:03:30 +01:00 · 2025-04-02 11:56:44 -04:00
parent 3c342bb90d cd6deae0a7
commit 275489b8a3
5 changed files with 31 additions and 3 deletions
--- a/salt/strelka/backend/enabled.sls
+++ b/salt/strelka/backend/enabled.sls
@@ -44,6 +44,10 @@ strelka_backend:
    - restart_policy: on-failure
    - watch:
      - file: strelkasensorcompiledrules
+      - file: backend_backend_config
+      - file: backend_logging_config
+      - file: backend_passwords
+      - file: backend_taste

 delete_so-strelka-backend_so-status.disabled:
  file.uncomment:
--- a/salt/strelka/filestream/enabled.sls
+++ b/salt/strelka/filestream/enabled.sls
@@ -41,6 +41,8 @@ strelka_filestream:
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
+    - watch:
+      - file: filestream_config

 delete_so-strelka-filestream_so-status.disabled:
  file.uncomment:
--- a/salt/strelka/frontend/enabled.sls
+++ b/salt/strelka/frontend/enabled.sls
@@ -46,6 +46,8 @@ strelka_frontend:
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
+    - watch:
+      - file: frontend_config

 delete_so-strelka-frontend_so-status.disabled:
  file.uncomment:
--- a/salt/strelka/manager/enabled.sls
+++ b/salt/strelka/manager/enabled.sls
@@ -40,6 +40,8 @@ strelka_manager:
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
+    - watch:
+      - file: manager_config

 delete_so-strelka-manager_so-status.disabled:
  file.uncomment:
--- a/salt/strelka/soc_strelka.yaml
+++ b/salt/strelka/soc_strelka.yaml
@@ -64,46 +64,62 @@ strelka:
            helpLink: strelka.html
            advanced: True
        scanners:
-          'ScanBase64': &scannerOptions
+          'ScanBase64PE': &scannerOptions
            description: Configuration options for this scanner.
            readonly: False
            global: False
            helpLink: strelka.html
            advanced: True
-            type: json
-            multiline: True
+            forcedType: "[]{}"
+            syntax: json
          'ScanBatch': *scannerOptions
+          'ScanBmpEof': *scannerOptions
          'ScanBzip2': *scannerOptions
+          'ScanDmg': *scannerOptions
          'ScanDocx': *scannerOptions
+          'ScanDonut': *scannerOptions
          'ScanElf': *scannerOptions
          'ScanEmail': *scannerOptions
+          'ScanEncryptedDoc': *scannerOptions
+          'ScanEncryptedZip': *scannerOptions
          'ScanEntropy': *scannerOptions
          'ScanExiftool': *scannerOptions
+          'ScanFooter': *scannerOptions
          'ScanGif': *scannerOptions
          'ScanGzip': *scannerOptions
          'ScanHash': *scannerOptions
          'ScanHeader': *scannerOptions
          'ScanHtml': *scannerOptions
          'ScanIni': *scannerOptions
+          'ScanIqy': *scannerOptions
+          'ScanIso': *scannerOptions
          'ScanJarManifest': *scannerOptions
          'ScanJavascript': *scannerOptions
          'ScanJpeg': *scannerOptions
          'ScanJson': *scannerOptions
          'ScanLibarchive': *scannerOptions
+          'ScanLNK': *scannerOptions
+          'ScanLsb': *scannerOptions
          'ScanLzma': *scannerOptions
          'ScanMacho': *scannerOptions
+          'ScanManifest': *scannerOptions
+          'ScanMsi': *scannerOptions
          'ScanOcr': *scannerOptions
          'ScanOle': *scannerOptions
+          'ScanOnenote': *scannerOptions
          'ScanPdf': *scannerOptions
          'ScanPe': *scannerOptions
          'ScanPgp': *scannerOptions
          'ScanPhp': *scannerOptions
          'ScanPkcs7': *scannerOptions
          'ScanPlist': *scannerOptions
+          'ScanPngEof': *scannerOptions
+          'ScanQr': *scannerOptions
          'ScanRar': *scannerOptions
          'ScanRpm': *scannerOptions
          'ScanRtf': *scannerOptions
          'ScanRuby': *scannerOptions
+          'ScanSevenZip': *scannerOptions
          'ScanSwf': *scannerOptions
          'ScanTar': *scannerOptions
          'ScanTnef': *scannerOptions
@@ -111,6 +127,8 @@ strelka:
          'ScanUrl': *scannerOptions
          'ScanVb': *scannerOptions
          'ScanVba': *scannerOptions
+          'ScanVhd': *scannerOptions
+          'ScanVsto': *scannerOptions
          'ScanX509': *scannerOptions
          'ScanXml': *scannerOptions
          'ScanYara': *scannerOptions