This commit is contained in:
Mike Reeves
2020-06-25 12:56:38 -04:00
6 changed files with 118 additions and 3 deletions


@@ -0,0 +1,84 @@
#!/bin/bash
output_dir="/opt/so/saltstack/default/salt/strelka/rules"
#mkdir -p $output_dir
repos="$output_dir/repos.txt"
ignorefile="$output_dir/ignore.txt"
deletecounter=0
newcounter=0
updatecounter=0
gh_status=$(curl -s -o /dev/null -w "%{http_code}" http://github.com)
if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then
while IFS= read -r repo; do
# Remove old repo if existing bc of previous error condition or unexpected disruption
repo_name=`echo $repo | awk -F '/' '{print $NF}'`
[ -d $repo_name ] && rm -rf $repo_name
# Clone repo and make appropriate directories for rules
git clone $repo
echo "Analyzing rules from $repo_name..."
mkdir -p $output_dir/$repo_name
[ -f $repo_name/LICENSE ] && cp $repo_name/LICENSE $output_dir/$repo_name
# Copy over rules
for i in $(find $repo_name -name "*.yar*"); do
rule_name=$(echo $i | awk -F '/' '{print $NF}')
repo_sum=$(sha256sum $i | awk '{print $1}')
# Check rules against those in ignore list -- don't copy if ignored.
if ! grep -iq $rule_name $ignorefile; then
existing_rules=$(find $output_dir/$repo_name/ -name $rule_name | wc -l)
# For existing rules, check to see if they need to be updated, by comparing checksums
if [ $existing_rules -gt 0 ];then
local_sum=$(sha256sum $output_dir/$repo_name/$rule_name | awk '{print $1}')
if [ "$repo_sum" != "$local_sum" ]; then
echo "Checksums do not match!"
echo "Updating $rule_name..."
cp $i $output_dir/$repo_name;
((updatecounter++))
fi
else
# If rule doesn't exist already, we'll add it
echo "Adding new rule: $rule_name..."
cp $i $output_dir/$repo_name
((newcounter++))
fi
fi;
done
# Check to see if we have any old rules that need to be removed
for i in $(find $output_dir/$repo_name -name "*.yar*" | awk -F '/' '{print $NF}'); do
is_repo_rule=$(find $repo_name -name "$i" | wc -l)
if [ $is_repo_rule -eq 0 ]; then
echo "Could not find $i in source $repo_name repo...removing from $output_dir/$repo_name..."
rm $output_dir/$repo_name/$i
((deletecounter++))
fi
done
#rm -rf $repo_name
done < $repos
echo "Done!"
if [ "$newcounter" -gt 0 ];then
echo "$newcounter new rules added."
fi
if [ "$updatecounter" -gt 0 ];then
echo "$updatecounter rules updated."
fi
if [ "$deletecounter" -gt 0 ];then
echo "$deletecounter rules removed because they were deprecated or don't exist in the source repo."
fi
else
echo "Server returned $gh_status status code."
echo "No connectivity to Github...exiting..."
exit 1
fi
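Review bot: A failed `git clone $repo` (repository removed or renamed, a transient error after the github.com probe succeeded) is never checked, and the cleanup loop at `for i in $(find $output_dir/$repo_name -name "*.yar*" ...` then finds nothing in the missing working copy and deletes every previously deployed rule for that repo — a clone failure silently wipes detection coverage. Guard the clone and skip the repo on failure: `git clone -- "$repo" || { echo "Clone of $repo failed, skipping" >&2; continue; }`. Separately, `grep -iq $rule_name $ignorefile` is an unanchored regex match, so `.` matches any character and an ignore entry such as `general_cloaking.yar` also suppresses `general_cloaking.yara`; `grep -iqxF -- "$rule_name" "$ignorefile"` matches whole lines literally. Since this runs from a root cron, clones into whatever the current directory happens to be, and the result is pushed to every Strelka node, the header should state that repos are tracked at HEAD with no tag or commit pinning and no integrity check beyond the local checksum comparison, so an upstream compromise propagates directly; quoting `$repo_name` and the other expansions and uncommenting the final `rm -rf` (with `--`) would also keep stale clones from accumulating.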


@@ -25,6 +25,13 @@ strelkaconfdir:
- group: 939 - group: 939
- makedirs: True - makedirs: True
strelkarulesdir:
file.directory:
- name: /opt/so/conf/strelka/rules
- user: 939
- group: 939
- makedirs: True
# Sync dynamic config to conf dir # Sync dynamic config to conf dir
strelkasync: strelkasync:
file.recurse: file.recurse:
@@ -33,8 +40,20 @@ strelkasync:
- user: 939 - user: 939
- group: 939 - group: 939
- template: jinja - template: jinja
{%- if STRELKA_RULES != 1 %}
- exclude_pat: rules/ {%- if STRELKA_RULES == 1 %}
strelka_yara_update:
cron.present:
- user: root
- name: '[ -d /opt/so/saltstack/default/salt/strelka/rules/ ] && /usr/sbin/so-yara-update > /dev/null 2>&1'
- hour: '7'
strelkarules:
file.recurse:
- name: /opt/so/conf/strelka/rules
- source: salt://strelka/rules
- user: 939
- group: 939
{%- endif %} {%- endif %}
strelkadatadir: strelkadatadir:
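Review bot: The `strelka_yara_update` cron state sets `- hour: '7'` but no `- minute`, and Salt's `cron.present` fills unspecified fields with `*`, so the entry becomes `* 7 * * *` and the updater — which performs a fresh `git clone` of every repo in repos.txt — runs every minute from 07:00 to 07:59 instead of once a day; add `- minute: '0'` (or `- minute: random`, which Salt supports, to spread load across deployments). The command also sends stdout and stderr to `/dev/null`, so the script's connectivity error, its `exit 1`, and any rule deletions it reports are never recorded and a wiped or stale ruleset on the nodes goes unnoticed; redirect to a log file instead, for example `>> /opt/so/log/strelka/yara-update.log 2>&1` (I cannot confirm that directory exists from this hunk), or drop the redirect and let cron deliver the output. A short comment above the state noting that this job runs as root and pulls unpinned third-party rules would help the next maintainer judge the risk.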


@@ -0,0 +1,4 @@
generic_anomalies.yar
general_cloaking.yar
thor_inverse_matches.yar
yara_mixed_ext_vars.yar


@@ -0,0 +1 @@
https://github.com/Neo23x0/signature-base


@@ -1622,3 +1622,7 @@ es_heapsize() {
export NODE_ES_HEAP_SIZE export NODE_ES_HEAP_SIZE
fi fi
} }
strelka_yara_update() {
so-yara-update
}
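Review bot: `strelka_yara_update` invokes `so-yara-update` via PATH lookup, while the cron state added in the same commit uses the absolute `/usr/sbin/so-yara-update`; if setup runs in an environment without /usr/sbin on PATH (I cannot tell from here), this silently does nothing useful, so use the same absolute path in both places. The function propagates the script's exit status, but the call added in the setup flow ignores it, and the script exits 1 when github.com is unreachable, so a failed initial rule pull passes without comment; emit a warning here, e.g. `/usr/sbin/so-yara-update || echo "Initial YARA rule download failed; rules will be retried by the daily cron job" >&2`. A one-line header comment stating that this performs the first-time fetch of third-party YARA rules from the repos listed in repos.txt would also document why it is called during setup.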


@@ -257,6 +257,9 @@ if [[ $is_master ]]; then
whiptail_enable_components whiptail_enable_components
if [[ $STRELKA == 1 ]]; then if [[ $STRELKA == 1 ]]; then
whiptail_strelka_rules whiptail_strelka_rules
if [[ $STRELKARULES == 1 ]]; then
strelka_yara_update
fi
fi fi
collect_webuser_inputs collect_webuser_inputs
get_redirect get_redirect