From 6487fdf5e6b85923f4f8c40b0598610b6a13f694 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 25 Jun 2020 15:46:37 +0000
Subject: [PATCH 1/3] Add Strelka YARA function

---
 setup/so-functions | 4 ++++
 setup/so-setup | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/setup/so-functions b/setup/so-functions
index 37145e12b..1afd6b90f 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1622,3 +1622,7 @@ es_heapsize() {
 export NODE_ES_HEAP_SIZE
 fi
 }
+
+strelka_yara_update() {
+ so-yara-update
+}
diff --git a/setup/so-setup b/setup/so-setup
index 634389dcd..60bffd618 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -257,6 +257,9 @@ if [[ $is_master ]]; then
 whiptail_enable_components
 if [[ $STRELKA == 1 ]]; then
 whiptail_strelka_rules
+ if [[ $STRELKARULES == 1 ]]; then
+ strelka_yara_update
+ fi
 fi
 collect_webuser_inputs
 get_redirect
From 63c45be3884aa1981fb5b8b0dd171ccdb90197e3 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 25 Jun 2020 15:49:58 +0000
Subject: [PATCH 2/3] Update Strelka init for rules

---
 salt/strelka/init.sls | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls
index 145b9e620..4a422b642 100644
--- a/salt/strelka/init.sls
+++ b/salt/strelka/init.sls
@@ -25,6 +25,13 @@ strelkaconfdir:
 - group: 939
 - makedirs: True
 
+strelkarulesdir:
+ file.directory:
+ - name: /opt/so/conf/strelka/rules
+ - user: 939
+ - group: 939
+ - makedirs: True
+
 # Sync dynamic config to conf dir
 strelkasync:
 file.recurse:
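Review bot: `strelka_yara_update` discards the exit status of `so-yara-update`, which exits 1 when GitHub is unreachable, so a failed rule download during setup goes unnoticed; propagate it so the caller can react, e.g. `so-yara-update || { echo "Strelka YARA rule update failed; run so-yara-update later"; return 1; }`. The script is deployed by Salt as `/usr/sbin/so-yara-update`, and it is not visible from this patch whether that path is already present and on PATH at the point in so-setup where the function runs — worth confirming or calling it by full path. A one-line header comment such as `# Fetch or refresh the Strelka YARA rules listed in repos.txt (network access required)` would also help readers of so-functions.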
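Review bot: The new guard tests `$STRELKARULES`, while salt/strelka/init.sls keys the same feature off `STRELKA_RULES`; if these are intended to be one setting, nothing in this patch shows the setup value reaching the pillar, and a mismatch would leave either the setup-time update or the cron/file.recurse states unreachable. Presumably `whiptail_strelka_rules` sets `STRELKARULES` and the pillar mapping lives elsewhere — a comment at the call site would pin that down, e.g. `# STRELKARULES is set by whiptail_strelka_rules; the same choice must reach the STRELKA_RULES pillar consumed by salt/strelka/init.sls`. Because `strelka_yara_update` clones from GitHub, this also inserts a network-dependent step into the interactive part of setup with no failure handling at the call site. The enclosing `if [[ $is_master ]]` block starts before this hunk.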
@@ -33,9 +40,21 @@ strelkasync:
 - user: 939
 - group: 939
 - template: jinja
- {%- if STRELKA_RULES != 1 %}
- - exclude_pat: rules/
- {%- endif %}
+
+{%- if STRELKA_RULES == 1 %}
+strelka_yara_update:
+ cron.present:
+ - user: root
+ - name: '[ -d /opt/so/saltstack/default/salt/strelka/rules/ ] && /usr/sbin/so-yara-update > /dev/null 2>&1'
+ - hour: '7'
+
+strelkarules:
+ file.recurse:
+ - name: /opt/so/conf/strelka/rules
+ - source: salt://strelka/rules
+ - user: 939
+ - group: 939
+{%- endif %}
 
 strelkadatadir:
 file.directory:
From a24402de9933ecd875ad06dc86a8a86024420805 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 25 Jun 2020 16:31:04 +0000
Subject: [PATCH 3/3] More Strelka rule config

---
 salt/common/tools/sbin/so-yara-update | 84 +++++++++++++++++++++++++++
 salt/strelka/rules/ignore.txt | 4 ++
 salt/strelka/rules/repos.txt | 1 +
 3 files changed, 89 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-yara-update
 create mode 100644 salt/strelka/rules/ignore.txt
 create mode 100644 salt/strelka/rules/repos.txt

diff --git a/salt/common/tools/sbin/so-yara-update b/salt/common/tools/sbin/so-yara-update
new file mode 100644
index 000000000..e6b682690
--- /dev/null
+++ b/salt/common/tools/sbin/so-yara-update
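Review bot: The `strelka_yara_update` cron.present sets `hour: '7'` but no `minute`, and Salt fills unspecified cron fields with `*`, so the job runs every minute from 07:00 to 07:59 — sixty clones of each listed repository per day; add `- minute: '0'` (or a randomised minute) under the hour. The job also runs as root and imports unpinned upstream content into the salt tree that is then distributed to every sensor, which deserves an inline comment stating that repos.txt is trusted. Separately, the `strelkarules` file.recurse has no `clean: True`, so rules the update script removes from the salt tree will linger in `/opt/so/conf/strelka/rules` on the minion; if that directory is meant to mirror the source exactly (and never holds locally added rules), add `- clean: True`.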
@@ -0,0 +1,84 @@
+#!/bin/bash
+output_dir="/opt/so/saltstack/default/salt/strelka/rules"
+#mkdir -p $output_dir
+repos="$output_dir/repos.txt"
+ignorefile="$output_dir/ignore.txt"
+
+deletecounter=0
+newcounter=0
+updatecounter=0
+
+gh_status=$(curl -s -o /dev/null -w "%{http_code}" http://github.com)
+
+if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then
+
+ while IFS= read -r repo; do
+
+ # Remove old repo if existing bc of previous error condition or unexpected disruption
+ repo_name=`echo $repo | awk -F '/' '{print $NF}'`
+ [ -d $repo_name ] && rm -rf $repo_name
+
+ # Clone repo and make appropriate directories for rules
+ git clone $repo
+ echo "Analyzing rules from $repo_name..."
+ mkdir -p $output_dir/$repo_name
+ [ -f $repo_name/LICENSE ] && cp $repo_name/LICENSE $output_dir/$repo_name
+
+ # Copy over rules
+ for i in $(find $repo_name -name "*.yar*"); do
+ rule_name=$(echo $i | awk -F '/' '{print $NF}')
+ repo_sum=$(sha256sum $i | awk '{print $1}')
+
+ # Check rules against those in ignore list -- don't copy if ignored.
+ if ! grep -iq $rule_name $ignorefile; then
+ existing_rules=$(find $output_dir/$repo_name/ -name $rule_name | wc -l)
+
+ # For existing rules, check to see if they need to be updated, by comparing checksums
+ if [ $existing_rules -gt 0 ];then
+ local_sum=$(sha256sum $output_dir/$repo_name/$rule_name | awk '{print $1}')
+ if [ "$repo_sum" != "$local_sum" ]; then
+ echo "Checksums do not match!"
+ echo "Updating $rule_name..."
+ cp $i $output_dir/$repo_name;
+ ((updatecounter++))
+ fi
+ else
+ # If rule doesn't exist already, we'll add it
+ echo "Adding new rule: $rule_name..."
+ cp $i $output_dir/$repo_name
+ ((newcounter++))
+ fi
+ fi;
+ done
+
+ # Check to see if we have any old rules that need to be removed
+ for i in $(find $output_dir/$repo_name -name "*.yar*" | awk -F '/' '{print $NF}'); do
+ is_repo_rule=$(find $repo_name -name "$i" | wc -l)
+ if [ $is_repo_rule -eq 0 ]; then
+ echo "Could not find $i in source $repo_name repo...removing from $output_dir/$repo_name..."
+ rm $output_dir/$repo_name/$i
+ ((deletecounter++))
+ fi
+ done
+ #rm -rf $repo_name
+ done < $repos
+
+ echo "Done!"
+
+ if [ "$newcounter" -gt 0 ];then
+ echo "$newcounter new rules added."
+ fi
+
+ if [ "$updatecounter" -gt 0 ];then
+ echo "$updatecounter rules updated."
+ fi
+
+ if [ "$deletecounter" -gt 0 ];then
+ echo "$deletecounter rules removed because they were deprecated or don't exist in the source repo."
+ fi
+
+else
+ echo "Server returned $gh_status status code."
+ echo "No connectivity to Github...exiting..."
+ exit 1
+fi
diff --git a/salt/strelka/rules/ignore.txt b/salt/strelka/rules/ignore.txt
new file mode 100644
index 000000000..a803f8c28
--- /dev/null
+++ b/salt/strelka/rules/ignore.txt
@@ -0,0 +1,4 @@
+generic_anomalies.yar
+general_cloaking.yar
+thor_inverse_matches.yar
+yara_mixed_ext_vars.yar
diff --git a/salt/strelka/rules/repos.txt b/salt/strelka/rules/repos.txt
new file mode 100644
index 000000000..e26687ea9
--- /dev/null
+++ b/salt/strelka/rules/repos.txt
@@ -0,0 +1 @@
+https://github.com/Neo23x0/signature-base
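Review bot: `git clone $repo` is never checked, so when a clone fails after the reachability probe passed (rate limiting, transient error, a bad line in repos.txt) `find $repo_name` yields nothing, `is_repo_rule` is 0 for every stored rule, and the stale-rule loop deletes everything under `$output_dir/$repo_name` — one failed run empties the rule set that Salt then pushes to every sensor. The ignore test `grep -iq $rule_name $ignorefile` is an unanchored regex match, so a rule named e.g. `anomalies.yar` is silently skipped as a substring of `generic_anomalies.yar`; it should be `grep -iqxF -- "$rule_name" "$ignorefile"`. The clone also lands in whatever the current directory is (root's home under the cron job, and it is left behind since the final `rm -rf $repo_name` is commented out), and `$repo_name`, derived from untrusted file content, reaches `rm -rf` unquoted, so running inside a temporary directory with quoting is safer. Nothing pins the upstream revision — whatever the default branch holds at run time is copied into the distributed rule set — and that trust decision belongs in a header comment at the top of the script.
```shell
# … unchanged: variable setup, counters and GitHub reachability check …
    workdir=$(mktemp -d) || exit 1
    cd "$workdir" || exit 1
    while IFS= read -r repo; do
        repo_name=$(basename "$repo")
        rm -rf "$repo_name"
        # Skip this repo rather than diffing against an empty tree when the clone fails
        if ! git clone --depth 1 "$repo" "$repo_name"; then
            echo "Failed to clone $repo...skipping"
            continue
        fi
        # … unchanged: per-rule copy/update loop, except the ignore-list test becomes …
            if ! grep -iqxF -- "$rule_name" "$ignorefile"; then
        # … unchanged: stale-rule removal …
    done < "$repos"
    rm -rf "$workdir"
# … unchanged: summary output and else branch …
```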
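Review bot: The single entry names a repository with no tag or commit, so each run of so-yara-update imports whatever the default branch holds at that moment, and there is no way to record or review a known-good revision of rules that end up on every sensor. The reader in so-yara-update clones every line as-is, so the file format would need extending to carry a pin — for instance `<url> <commit-or-tag>` per line, with the script checking out the second field after the clone. Until then, the trust placed in this upstream should be stated where the file is introduced.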