From 52a0ace1b8d87b4ce0e7e8d1aa8feb584b25a688 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 24 Jun 2020 17:08:58 +0000
Subject: [PATCH 1/4] Use Strelka rules if enabled
---
 salt/strelka/init.sls | 6 +++++-
 salt/top.sls | 2 +-
 setup/so-functions | 8 +++++---
 3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls
index 5767531f4..145b9e620 100644
--- a/salt/strelka/init.sls
+++ b/salt/strelka/init.sls
@@ -15,6 +15,7 @@
 {%- set MASTER = grains['master'] %}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
+{%- set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') -%}
 # Strelka config
 strelkaconfdir:
@@ -32,6 +33,9 @@ strelkasync:
 - user: 939
 - group: 939
 - template: jinja
+ {%- if STRELKA_RULES != 1 %}
+ - exclude_pat: rules/
+ {%- endif %}
 strelkadatadir:
 file.directory:
@@ -87,7 +91,7 @@ strelka_backend:
 - image: {{ MASTER }}:5000/soshybridhunter/so-strelka-backend:{{ VERSION }}
 - binds:
 - /opt/so/conf/strelka/backend/:/etc/strelka/:ro
- - /opt/so/conf/strelka/backend/yara:/etc/yara/:ro
+ - /opt/so/conf/strelka/rules/:/etc/yara/:ro
 - name: so-strelka-backend
 - command: strelka-backend
 - restart_policy: on-failure
diff --git a/salt/top.sls b/salt/top.sls
index 3629fbe0b..7af856b35 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -7,7 +7,7 @@
 {%- set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') -%}
 {%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
 {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}
-{%- set STRELKA = salt['pillar.get']('static:strelka', '0') -%}
+{%- set STRELKA = salt['pillar.get']('strelka:enabled', '0') -%}
 base:
diff --git a/setup/so-functions b/setup/so-functions
index 1ba4b66a1..37145e12b 100755
--- a/setup/so-functions
+++ b/setup/so-functions
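Review bot: In the second salt/strelka/init.sls hunk, `{%- if STRELKA_RULES != 1 %}` is true whenever no `strelka:rules` pillar exists, because the first hunk defaults the value to the string `'1'` and Jinja does not treat `'1'` and the integer `1` as equal; a host whose static pillar predates this change, or any pillar that quotes the value, therefore has the rules directory excluded from the sync and the backend runs with nothing under `/opt/so/conf/strelka/rules/` to scan with, and no state reports it. Use one type on both sides, e.g. `{%- set STRELKA_RULES = salt['pillar.get']('strelka:rules', 1) -%}` and `{%- if STRELKA_RULES|int != 1 %}`. Separately, if strelkasync is a file.recurse state, `exclude_pat: rules/` is matched as a glob against each file's relative path and a bare `rules/` does not appear to match `rules/<file>`; `rules/*` would. The third hunk's bind `/opt/so/conf/strelka/rules/:/etc/yara/:ro` is unconditional, so a one-line comment there stating that the directory is intentionally empty when rules are disabled would save the next reader a search.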
@@ -953,9 +953,11 @@ master_static() {
 " fleet_hostname: N/A"\
 " fleet_ip: N/A"\
 " sensoronikey: $SENSORONIKEY"\
- " strelka: $STRELKA"\
- " wazuh: $WAZUH"\
- " masterupdate: $MASTERUPDATES"\
+ " wazuh: $WAZUH"\
+ " masterupdate: $MASTERUPDATES"\
+ "strelka:"\
+ " enabled: $STRELKA"\
+ " rules: $STRELKARULES"\
 "elastic:"\
 " features: False" > "$static_pillar"
From 8bfbd773671dec71f92132e436eaa16187a6786f Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 24 Jun 2020 17:18:05 +0000
Subject: [PATCH 2/4] Update whiptail for Strelka
---
 setup/so-whiptail | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 48e74e9b5..b99f306b0 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -1028,6 +1028,26 @@ whiptail_shard_count() {
 }
+whiptail_strelka_rules() {
+
+ [ -n "$TESTING" ] && return
+
+ # Ask to inherit from master
+ whiptail --title "Security Onion Setup" --yesno "Do you want to enable the default YARA rules for Strelka?" 8 75
+
+ local exitstatus=$?
+
+ if [ $exitstatus == 0 ]; then
+ export STRELKARULES=1
+ else
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+ export STRELKARULES
+
+ fi
+
+ }
+
 whiptail_suricata_pins() {
 [ -n "$TESTING" ] && return
From a01339039af058147efff82ffb90d49a87d83749 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 24 Jun 2020 17:22:55 +0000
Subject: [PATCH 3/4] Update Setup for Strelka rules
---
 setup/so-setup | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/setup/so-setup b/setup/so-setup
index 478151def..634389dcd 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -255,6 +255,9 @@ fi
 if [[ $is_master ]]; then
 whiptail_components_adv_warning
 whiptail_enable_components
+ if [[ $STRELKA == 1 ]]; then
+ whiptail_strelka_rules
+ fi
 collect_webuser_inputs
 get_redirect
 fi
From f5bb831edff2d01f0c50741acf478c7b3ff5afc2 Mon Sep 17 00:00:00 2001
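Review bot: `" rules: $STRELKARULES"\` in master_static writes an empty YAML value whenever STRELKARULES was never exported, which by the other patches in this series is the case when the whiptail prompt is answered No (the prompt only assigns a value on Yes) and whenever so-setup skips the prompt because STRELKA is not 1; the pillar then carries a null under `strelka: rules:` and every consumer has to treat null and 0 alike. Give the line an explicit fallback so the pillar records the decision: `" rules: ${STRELKARULES:-0}"\`. The same applies to `" enabled: $STRELKA"\` if STRELKA can be unset on this path. master_static starts and ends outside this hunk.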
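Review bot: In the else branch of whiptail_strelka_rules, `local exitstatus=$?` re-reads `$?` after `[ $exitstatus == 0 ]` has already run, so the value handed to whiptail_check_exitstatus is that test's status rather than whiptail's, and a dialog dismissed with Esc or Cancel can no longer be told from an explicit No; drop the inner `local` and pass the outer `$exitstatus`. `export STRELKARULES` exports a variable that has never been assigned, so a No answer yields an empty pillar value instead of 0; `export STRELKARULES=0` states the choice. The early `[ -n "$TESTING" ] && return` likewise leaves STRELKARULES unset, so test runs get no value either.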
From: Wes Lambert
Date: Wed, 24 Jun 2020 17:27:59 +0000
Subject: [PATCH 4/4] Fix comment
---
 setup/so-whiptail | 1 -
 1 file changed, 1 deletion(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index b99f306b0..6c27fcd81 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -1032,7 +1032,6 @@ whiptail_strelka_rules() {
 [ -n "$TESTING" ] && return
- # Ask to inherit from master
 whiptail --title "Security Onion Setup" --yesno "Do you want to enable the default YARA rules for Strelka?" 8 75
 local exitstatus=$?