Merge pull request #1336 from Security-Onion-Solutions/experimental

Get Rules onto the install for airgap
2025-12-06 09:12:45 +01:00 · 2020-09-13 14:58:36 -04:00
parent 18dc7a915a 112a0b426e
commit 841db1b4b9
6 changed files with 94 additions and 12 deletions
--- a/salt/common/tools/sbin/so-yara-update
+++ b/salt/common/tools/sbin/so-yara-update
@@ -14,8 +14,9 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') -%}
+

-clone_dir="/tmp"
 output_dir="/opt/so/saltstack/default/salt/strelka/rules"
 #mkdir -p $output_dir
 repos="$output_dir/repos.txt"
@@ -27,6 +28,69 @@ updatecounter=0

 gh_status=$(curl -s -o /dev/null -w "%{http_code}" http://github.com)

+{%- if ISAIRGAP is sameas true -%}
+
+
+clone_dir="/nsm/repo/rules/strelka"
+repo_name="signature-base"
+mkdir -p $output_dir/$repo_name
+[ -f $clone_dir/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name
+
+# Copy over rules
+for i in $(find $clone_dir -name "*.yar*"); do
+  rule_name=$(echo $i | awk -F '/' '{print $NF}')
+  repo_sum=$(sha256sum $i | awk '{print $1}')
+
+  # Check rules against those in ignore list -- don't copy if ignored.
+  if ! grep -iq $rule_name $ignorefile; then
+    existing_rules=$(find $output_dir/$repo_name/ -name $rule_name | wc -l)
+
+    # For existing rules, check to see if they need to be updated, by comparing checksums
+    if [ $existing_rules -gt 0 ];then
+      local_sum=$(sha256sum $output_dir/$repo_name/$rule_name | awk '{print $1}')
+      if [ "$repo_sum" != "$local_sum" ]; then
+        echo "Checksums do not match!"
+        echo "Updating $rule_name..."
+        cp $i $output_dir/$repo_name;
+        ((updatecounter++))
+      fi
+    else
+      # If rule doesn't exist already, we'll add it
+      echo "Adding new rule: $rule_name..."
+      cp $i $output_dir/$repo_name
+      ((newcounter++))
+    fi
+  fi;
+done
+    
+# Check to see if we have any old rules that need to be removed
+for i in $(find $output_dir/$repo_name -name "*.yar*" | awk -F '/' '{print $NF}'); do
+  is_repo_rule=$(find $clone_dir -name "$i" | wc -l)
+  if [ $is_repo_rule -eq 0 ]; then
+    echo "Could not find $i in source $repo_name repo...removing from $output_dir/$repo_name..."
+    rm $output_dir/$repo_name/$i
+    ((deletecounter++))
+  fi
+done
+
+echo "Done!"
+
+  if [ "$newcounter" -gt 0 ];then
+    echo "$newcounter new rules added."
+  fi
+
+  if [ "$updatecounter" -gt 0 ];then
+    echo "$updatecounter rules updated."
+  fi
+
+  if [ "$deletecounter" -gt 0 ];then
+    echo "$deletecounter rules removed because they were deprecated or don't exist in the source repo."
+  fi
+
+{%- else -%}
+
+
+clone_dir="/tmp"
 if [ "$gh_status" == "200" ]  || [ "$gh_status" == "301" ]; then

  while IFS= read -r repo; do
@@ -100,3 +164,4 @@ else
  echo "No connectivity to Github...exiting..."
  exit 1
 fi
+{%- endif -%}
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -21,6 +21,7 @@
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% set managerproxy = salt['pillar.get']('global:managerupdate', '0') %}
+{% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %}

 socore_own_saltstack:
  file.directory:
@@ -82,10 +83,16 @@ so-aptcacherng:

 {% endif %}

+strelka_yara_update:
+  cron.present:
+    - user: root
+    - name: '/usr/sbin/so-yara-update > /dev/null 2>&1'
+    - hour: '7'
+    - minute: '1'
 {% else %}

 manager_state_not_allowed:
  test.fail_without_changes:
    - name: manager_state_not_allowed

-{% endif %}
+{% endif %}
--- a/salt/soctopus/init.sls
+++ b/salt/soctopus/init.sls
@@ -6,8 +6,9 @@
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
-{%- set MANAGER_URL = salt['pillar.get']('global:url_base', '') %}
-{%- set MANAGER_IP = salt['pillar.get']('global:managerip', '') %}
+{% set MANAGER_URL = salt['pillar.get']('global:url_base', '') %}
+{% set MANAGER_IP = salt['pillar.get']('global:managerip', '') %}
+{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}

 soctopusdir:
  file.directory:
@@ -64,6 +65,9 @@ so-soctopus:
      - /opt/so/log/soctopus/:/var/log/SOCtopus/:rw
      - /opt/so/rules/elastalert/playbook:/etc/playbook-rules:rw
      - /opt/so/conf/navigator/nav_layer_playbook.json:/etc/playbook/nav_layer_playbook.json:rw
+      {% if ISAIRGAP is sameas true %}
+      - /nsm/repo/rules/sigma:/soctopus/sigma
+      {% endif %}
    - port_bindings:
      - 0.0.0.0:7000:7000
    - extra_hosts:
--- a/salt/strelka/init.sls
+++ b/salt/strelka/init.sls
@@ -21,7 +21,7 @@
 {%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %}
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
-{%- set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') -%}
+{% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %}

 # Strelka config
 strelkaconfdir:
@@ -48,12 +48,6 @@ strelkasync:
    - template: jinja

 {%- if STRELKA_RULES == 1 %}
-strelka_yara_update:
-  cron.present:
-    - user: root
-    - name: '[ -d /opt/so/saltstack/default/salt/strelka/rules/ ] && /usr/sbin/so-yara-update > /dev/null 2>&1'
-    - hour: '7'
-    - minute: '1'

 strelkarules:
  file.recurse:
@@ -61,6 +55,7 @@ strelkarules:
    - source: salt://strelka/rules
    - user: 939
    - group: 939
+    
 {%- endif %}

 strelkadatadir:
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -50,6 +50,14 @@ airgap_rules() {
 	# Copy the rules for suricata if using Airgap
 	mkdir -p /nsm/repo/rules
 	cp -v /root/SecurityOnion/agrules/emerging-all.rules /nsm/repo/rules/
+	
+	# Copy over sigma rules
+	cp -Rv /root/SecurityOnion/agrules/sigma /nsm/repo/rules/
+
+	# Don't leave Strelka out
+	cp -Rv /root/SecurityOnion/agrules/strelka /nsm/repo/rules/
+
+
 }

 analyze_system() {
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -331,7 +331,7 @@ if [[ $is_manager && ! $is_eval ]]; then
 		whiptail_oinkcode
 	fi

-	if [[ $STRELKA == 1 ]]; then
+	if [[ "$STRELKA" == 1 ]]; then
            STRELKARULES=1
        fi

@@ -573,6 +573,9 @@ fi
 		docker_seed_registry  2>> "$setup_log" # ~ 60% when finished
 		
 		set_progress_str 60 "$(print_salt_state_apply 'manager')"
+		if [[ "$STRELKARULES" == 1 ]]; then
+			/usr/sbin/so-yara-update >> $setup_log 2>&1	
+		fi
 		salt-call state.apply -l info manager >> $setup_log 2>&1

 		set_progress_str 61 "$(print_salt_state_apply 'idstools')"