Merge pull request #12986 from Security-Onion-Solutions/fix/old_strelka

Remove old Strelka configuration for YARA

salt/manager/init.sls

@@ -73,17 +73,6 @@ manager_sbin:
     - exclude_pat:
       - "*_test.py"
 
-yara_update_scripts:
-  file.recurse:
-    - name: /usr/sbin/
-    - source: salt://manager/tools/sbin_jinja/
-    - user: socore
-    - group: socore
-    - file_mode: 755
-    - template: jinja
-    - defaults:
-        EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }}
-
 so-repo-file:
   file.managed:
     - name: /opt/so/conf/reposync/repodownload.conf

salt/manager/tools/sbin_jinja/so-yara-download

@@ -1,51 +0,0 @@
-#!/bin/bash
-NOROOT=1
-. /usr/sbin/so-common
-
-{%- set proxy = salt['pillar.get']('manager:proxy') %}
-{%- set noproxy = salt['pillar.get']('manager:no_proxy', '') %}
-
-# Download the rules from the internet
-{%- if proxy %}
-export http_proxy={{ proxy }} 
-export https_proxy={{ proxy }} 
-export no_proxy="{{ noproxy }}" 
-{%- endif %}
-
-repos="/opt/so/conf/strelka/repos.txt"
-output_dir=/nsm/rules/yara
-gh_status=$(curl -s -o /dev/null -w "%{http_code}" https://github.com)
-clone_dir="/tmp"
-if [ "$gh_status" == "200" ]  || [ "$gh_status" == "301" ]; then
-
-  while IFS= read -r repo; do
-    if ! $(echo "$repo" | grep -qE '^#'); then
-      # Remove old repo if existing bc of previous error condition or unexpected disruption
-      repo_name=`echo $repo | awk -F '/' '{print $NF}'`
-      [ -d $output_dir/$repo_name ] && rm -rf $output_dir/$repo_name
-
-      # Clone repo and make appropriate directories for rules
-      git clone $repo $clone_dir/$repo_name
-      echo "Analyzing rules from $clone_dir/$repo_name..."
-      mkdir -p $output_dir/$repo_name
-      # Ensure a copy of the license is available for the rules
-      [ -f $clone_dir/$repo_name/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name
-
-      # Copy over rules
-      for i in $(find $clone_dir/$repo_name -name "*.yar*"); do
-        rule_name=$(echo $i | awk -F '/' '{print $NF}')
-        cp $i $output_dir/$repo_name
-     done
-     rm -rf $clone_dir/$repo_name
-    fi
-    done < $repos
-
-  echo "Done!"
-
-/usr/sbin/so-yara-update 
-  
-else
-  echo "Server returned $gh_status status code."
-  echo "No connectivity to Github...exiting..."
-  exit 1
-fi

salt/manager/tools/sbin_jinja/so-yara-update

@@ -1,41 +0,0 @@
-#!/bin/bash
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-NOROOT=1
-. /usr/sbin/so-common
-
-echo "Starting to check for yara rule updates at $(date)..."
-
-newcounter=0
-excludedcounter=0
-excluded_rules=({{ EXCLUDEDRULES | join(' ') }})
-
-# Pull down the SO Rules
-SORULEDIR=/nsm/rules/yara
-OUTPUTDIR=/opt/so/saltstack/local/salt/strelka/rules
-
-mkdir -p $OUTPUTDIR
-# remove all rules prior to copy so we can clear out old rules
-rm -f $OUTPUTDIR/*
-
-for i in $(find $SORULEDIR -name "*.yar" -o -name "*.yara"); do
-  rule_name=$(echo $i | awk -F '/' '{print $NF}')
-  if [[ ! "${excluded_rules[*]}" =~ ${rule_name} ]]; then
-    echo "Adding rule: $rule_name..."
-    cp $i $OUTPUTDIR/$rule_name
-    ((newcounter++))
-  else
-    echo "Excluding rule: $rule_name..."
-    ((excludedcounter++))
-  fi
-done
-
-if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then
-  echo "$newcounter rules added."
-  echo "$excludedcounter rule(s) excluded."
-fi
-
-echo "Finished rule updates at $(date)..."

salt/strelka/defaults.yaml

@@ -733,28 +733,6 @@ strelka:
     enabled: False
   rules:
     enabled: True
-    repos:
-      - https://github.com/Security-Onion-Solutions/securityonion-yara.git
-    excluded:
-      - apt_flame2_orchestrator.yar
-      - apt_tetris.yar
-      - gen_susp_js_obfuscatorio.yar
-      - gen_webshells.yar
-      - generic_anomalies.yar
-      - general_cloaking.yar
-      - thor_inverse_matches.yar
-      - yara_mixed_ext_vars.yar
-      - apt_apt27_hyperbro.yar
-      - apt_turla_gazer.yar
-      - gen_google_anomaly.yar
-      - gen_icon_anomalies.yar
-      - gen_nvidia_leaked_cert.yar
-      - gen_sign_anomalies.yar
-      - gen_susp_xor.yar
-      - gen_webshells_ext_vars.yar
-      - configured_vulns_ext_vars.yar
-      - expl_outlook_cve_2023_23397.yar
-      - gen_mal_3cx_compromise_mar23.yar
   filecheck:
     historypath: '/nsm/strelka/history/'
     strelkapath: '/nsm/strelka/unprocessed/'

salt/strelka/rules/repos.txt.jinja

@@ -1,2 +0,0 @@
-# DO NOT EDIT THIS FILE! Strelka YARA rule repos are stored here from the strelka:rules:repos pillar section
-{{ STRELKAREPOS | join('\n') }}

salt/strelka/soc_strelka.yaml

@@ -578,18 +578,6 @@ strelka:
       global: False
       helpLink: strelka.html
       advanced: False
-    repos:
-      description: List of repos for so-yara-download to use to download rules.
-      readonly: False
-      global: False
-      helpLink: strelka.html
-      advanced: False
-    excluded:
-      description: List of rules to exclude so-yara-update from download and propagating to backend nodes.
-      readonly: False
-      global: False
-      helpLink: strelka.html
-      advanced: False
   filecheck:
     historypath:
       description: The path for previously scanned files.

setup/so-setup

@@ -764,16 +764,10 @@ if ! [[ -f $install_opt_file ]]; then
 		if [[ ! $is_airgap ]]; then
 			title "Downloading IDS Rules"
 			logCmd "so-rule-update"
-			title "Downloading YARA rules"
-			logCmd "su socore -c '/usr/sbin/so-yara-download'"
 			if [[ $monints || $is_import ]]; then
 				title "Restarting Suricata to pick up the new rules"
 				logCmd "so-suricata-restart"
 			fi
-			if [[ $monints ]]; then
-				title "Restarting Strelka to use new rules"
-				logCmd "so-strelka-restart"
-			fi
 		fi
 		title "Setting up Kibana Default Space"
 		logCmd "so-kibana-space-defaults"