CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12240 from Security-Onion-Solutions/upgrade/strelka_0.24.01.18

Browse Source 
UPGRADE: Strelka 0.24.01.18
This commit is contained in:
weslambert
2024-01-23 13:50:15 -05:00
committed by GitHub
parent b1052ddcce 1698d95efe
commit 8348506acc
1 changed files with 194 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

197
salt/strelka/defaults.yaml
View File

@@ -17,9 +17,10 @@ strelka:
mime_db: '/usr/lib/file/magic.mgc' mime_db: '/usr/lib/file/magic.mgc'
yara_rules: '/etc/strelka/taste/' yara_rules: '/etc/strelka/taste/'
scanners: scanners:
'ScanBase64': 'ScanBase64PE':
- positive: - positive:
filename: '^base64_' flavors:
- 'base64_pe'
priority: 5 priority: 5
'ScanBatch': 'ScanBatch':
- positive: - positive:
@@ -27,12 +28,27 @@ strelka:
- 'text/x-msdos-batch' - 'text/x-msdos-batch'
- 'batch_file' - 'batch_file'
priority: 5 priority: 5
'ScanBmpEof':
- positive:
flavors:
- 'image/x-ms-bmp'
- 'bmp_file'
negative:
source:
- 'ScanTranscode'
priority: 5
'ScanBzip2': 'ScanBzip2':
- positive: - positive:
flavors: flavors:
- 'application/x-bzip2' - 'application/x-bzip2'
- 'bzip2_file' - 'bzip2_file'
priority: 5 priority: 5
'ScanDmg':
- positive:
flavors:
- 'dmg_disk_image'
- 'hfsplus_disk_image'
priority: 5
'ScanDocx': 'ScanDocx':
- positive: - positive:
flavors: flavors:
@@ -40,6 +56,11 @@ strelka:
priority: 5 priority: 5
options: options:
extract_text: False extract_text: False
'ScanDonut':
- positive:
flavors:
- 'hacktool_win_shellcode_donut'
priority: 5
'ScanElf': 'ScanElf':
- positive: - positive:
flavors: flavors:
@@ -56,6 +77,26 @@ strelka:
- 'message/rfc822' - 'message/rfc822'
- 'email_file' - 'email_file'
priority: 5 priority: 5
'ScanEncryptedDoc':
- positive:
flavors:
- 'encrypted_word_document'
priority: 5
options:
max_length: 5
scanner_timeout: 150
log_pws: True
password_file: "/etc/strelka/passwords.dat"
'ScanEncryptedZip':
- positive:
flavors:
- 'encrypted_zip'
priority: 5
options:
max_length: 5
scanner_timeout: 150
log_pws: True
password_file: '/etc/strelka/passwords.dat'
'ScanEntropy': 'ScanEntropy':
- positive: - positive:
flavors: flavors:
@@ -111,6 +152,16 @@ strelka:
priority: 5 priority: 5
options: options:
tmp_directory: '/dev/shm/' tmp_directory: '/dev/shm/'
'ScanFooter':
- positive:
flavors:
- '*'
priority: 5
options:
length: 50
encodings:
- classic
- backslash
'ScanGif': 'ScanGif':
- positive: - positive:
flavors: flavors:
@@ -144,13 +195,25 @@ strelka:
- 'html_file' - 'html_file'
priority: 5 priority: 5
options: options:
parser: "html5lib" max_hyperlinks: 50
'ScanIqy':
- positive:
flavors:
- 'iqy_file'
priority: 5
'ScanIni': 'ScanIni':
- positive: - positive:
filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$' filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$'
flavors: flavors:
- 'ini_file' - 'ini_file'
priority: 5 priority: 5
'ScanIso':
- positive:
flavors:
- 'application/x-iso9660-image'
priority: 5
options:
limit: 50
'ScanJarManifest': 'ScanJarManifest':
- positive: - positive:
flavors: flavors:
@@ -198,6 +261,25 @@ strelka:
priority: 5 priority: 5
options: options:
limit: 1000 limit: 1000
'ScanLNK':
- positive:
flavors:
- 'lnk_file'
priority: 5
'ScanLsb':
- positive:
flavors:
- 'image/png'
- 'png_file'
- 'image/jpeg'
- 'jpeg_file'
- 'image/x-ms-bmp'
- 'bmp_file'
- 'image/webp'
negative:
source:
- 'ScanTranscode'
priority: 5
'ScanLzma': 'ScanLzma':
- positive: - positive:
flavors: flavors:
@@ -214,6 +296,36 @@ strelka:
priority: 5 priority: 5
options: options:
tmp_directory: '/dev/shm/' tmp_directory: '/dev/shm/'
'ScanManifest':
- positive:
flavors:
- 'browser_manifest'
priority: 5
'ScanMsi':
- positive:
flavors:
- "image/vnd.fpx"
- "application/vnd.ms-msi"
- "application/x-msi"
priority: 5
options:
tmp_directory: '/dev/shm/'
keys:
- 'Author'
- 'Characters'
- 'Company'
- 'CreateDate'
- 'LastModifiedBy'
- 'Lines'
- 'ModifyDate'
- 'Pages'
- 'Paragraphs'
- 'RevisionNumber'
- 'Software'
- 'Template'
- 'Title'
- 'TotalEditTime'
- 'Words'
'ScanOcr': 'ScanOcr':
- positive: - positive:
flavors: flavors:
@@ -236,6 +348,13 @@ strelka:
- 'application/msword' - 'application/msword'
- 'olecf_file' - 'olecf_file'
priority: 5 priority: 5
'ScanOnenote':
- positive:
flavors:
- 'application/onenote'
- 'application/msonenote'
- 'onenote_file'
priority: 5
'ScanPdf': 'ScanPdf':
- positive: - positive:
flavors: flavors:
@@ -285,6 +404,30 @@ strelka:
- 'ProgramArguments' - 'ProgramArguments'
- 'RunAtLoad' - 'RunAtLoad'
- 'StartInterval' - 'StartInterval'
'ScanPngEof':
- positive:
flavors:
- 'image/png'
- 'png_file'
negative:
source:
- 'ScanTranscode'
priority: 5
'ScanQr':
- positive:
flavors:
- 'image/jpeg'
- 'jpeg_file'
- 'image/png'
- 'png_file'
- 'image/tiff'
- 'type_is_tiff'
- 'image/x-ms-bmp'
- 'bmp_file'
- 'image/webp'
priority: 5
options:
support_inverted: True
'ScanRar': 'ScanRar':
- positive: - positive:
flavors: flavors:
@@ -309,6 +452,19 @@ strelka:
priority: 5 priority: 5
options: options:
limit: 1000 limit: 1000
'ScanSevenZip':
- positive:
flavors:
- 'application/x-7z-compressed'
- '_7zip_file'
- "image/vnd.fpx"
- "application/vnd.ms-msi"
- "application/x-msi"
priority: 5
options:
scanner_timeout: 150
crack_pws: True
log_pws: True
'ScanSwf': 'ScanSwf':
- positive: - positive:
flavors: flavors:
@@ -351,6 +507,7 @@ strelka:
flavors: flavors:
- 'vb_file' - 'vb_file'
- 'vbscript' - 'vbscript'
- 'hta_file'
priority: 5 priority: 5
'ScanVba': 'ScanVba':
- positive: - positive:
@@ -362,6 +519,20 @@ strelka:
priority: 5 priority: 5
options: options:
analyze_macros: True analyze_macros: True
'ScanVhd':
- positive:
flavors:
- 'application/x-vhd'
- 'vhd_file'
- 'vhdx_file'
priority: 5
options:
limit: 100
'ScanVsto':
- positive:
flavors:
- 'vsto_file'
priority: 5
'ScanX509': 'ScanX509':
- positive: - positive:
flavors: flavors:
@@ -391,6 +562,12 @@ strelka:
priority: 5 priority: 5
options: options:
location: '/etc/yara/' location: '/etc/yara/'
compiled:
enabled: False
filename: "rules.compiled"
store_offset: True
offset_meta_key: "StrelkaHexDump"
offset_padding: 32
'ScanZip': 'ScanZip':
- positive: - positive:
flavors: flavors:
@@ -530,6 +707,20 @@ strelka:
ttl: 1h ttl: 1h
response: response:
log: "/var/log/strelka/strelka.log" log: "/var/log/strelka/strelka.log"
broker:
bootstrap: "PLACEHOLDER"
protocol: "PLACEHOLDER"
certlocation: "PLACEHOLDER"
keylocation: "PLACEHOLDER"
calocation: "PLACEHOLDER"
topic: "PLACEHOLDER"
s3redundancy: "PLACEHOLDER - This should be a boolean value"
s3:
accesskey: "PLACEHOLDER"
secretkey: "PLACEHOLDER"
bucketName: "PLACEHOLDER'
region: "PLACEHOLDER"
endpoint: "PLACEHOLDER"
manager: manager:
enabled: False enabled: False
config: config: