From 8be5082b604f9057a8d1159e9ba8017fd3e5ec50 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 7 Jul 2023 16:43:26 -0400
Subject: [PATCH] yara scripts

---
 salt/manager/files/so-yara-update.jinja | 99 -------------------
 salt/manager/init.sls | 2 +-
 salt/manager/tools/sbin_jinja/so-yara-update | 39 ++++++++
 salt/strelka/defaults.yaml | 3 +-
 .../strelka/tools/sbin_jinja/so-yara-download | 48 +++++++++
 salt/strelka/tools/sbin_jinja/so-yara-update | 21 ----
 6 files changed, 90 insertions(+), 122 deletions(-)
 delete mode 100755 salt/manager/files/so-yara-update.jinja
 create mode 100755 salt/manager/tools/sbin_jinja/so-yara-update
 create mode 100644 salt/strelka/tools/sbin_jinja/so-yara-download
 delete mode 100644 salt/strelka/tools/sbin_jinja/so-yara-update

diff --git a/salt/manager/files/so-yara-update.jinja b/salt/manager/files/so-yara-update.jinja
deleted file mode 100755
index d11ba1a76..000000000
--- a/salt/manager/files/so-yara-update.jinja
+++ /dev/null
@@ -1,99 +0,0 @@ -#!/bin/bash -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -echo "Starting to check for yara rule updates at $(date)..." - -output_dir="/opt/so/saltstack/local/salt/strelka/rules" -mkdir -p $output_dir -repos="/opt/so/conf/strelka/repos.txt" -newcounter=0 -excludedcounter=0 -excluded_rules=({{ EXCLUDEDRULES | join(' ') }}) - - -{% if ISAIRGAP is sameas true %} - -echo "Airgap mode enabled." - -clone_dir="/nsm/repo/rules/strelka" -repo_name="signature-base" -[ -d $output_dir/$repo_name ] && rm -rf $output_dir/$repo_name -mkdir -p mkdir -p $output_dir/$repo_name -# Ensure a copy of the license is available for the rules -[ -f $clone_dir/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name - -# Copy over rules -for i in $(find $clone_dir/yara -name "*.yar*"); do - rule_name=$(echo $i | awk -F '/' '{print $NF}') - if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then - echo "Adding rule: $rule_name..." - cp $i $output_dir/$repo_name - ((newcounter++)) - else - echo "Excluding rule: $rule_name..." - ((excludedcounter++)) - fi -done - -echo "Done!" - -if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then - echo "$newcounter rules added." - echo "$excludedcounter rule(s) excluded." -fi - -{% else %} - -gh_status=$(curl -s -o /dev/null -w "%{http_code}" https://github.com) -clone_dir="/tmp" -if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then - - while IFS= read -r repo; do - if ! 
$(echo "$repo" | grep -qE '^#'); then - # Remove old repo if existing bc of previous error condition or unexpected disruption - repo_name=`echo $repo | awk -F '/' '{print $NF}'` - [ -d $output_dir/$repo_name ] && rm -rf $output_dir/$repo_name - - # Clone repo and make appropriate directories for rules - git clone $repo $clone_dir/$repo_name - echo "Analyzing rules from $clone_dir/$repo_name..." - mkdir -p $output_dir/$repo_name - # Ensure a copy of the license is available for the rules - [ -f $clone_dir/$repo_name/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name - - # Copy over rules - for i in $(find $clone_dir/$repo_name -name "*.yar*"); do - rule_name=$(echo $i | awk -F '/' '{print $NF}') - - if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then - echo "Adding rule: $rule_name..." - cp $i $output_dir/$repo_name - ((newcounter++)) - else - echo "Excluding rule: $rule_name..." - ((excludedcounter++)) - fi - done - rm -rf $clone_dir/$repo_name - fi - done < $repos - - echo "Done!" - - if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then - echo "$newcounter rule(s) added." - echo "$excludedcounter rule(s) excluded." - fi - -else - echo "Server returned $gh_status status code." - echo "No connectivity to Github...exiting..." - exit 1 -fi -{% endif %} - -echo "Finished rule updates at $(date)..." diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 2eef1259b..816ed22ff 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -96,7 +96,7 @@ strelkarepos: yara_update_script: file.managed: - name: /usr/sbin/so-yara-update - - source: salt://manager/files/so-yara-update.jinja + - source: salt://manager/tools/sbin_jinja/so-yara-update - user: root - group: root - mode: 755 diff --git a/salt/manager/tools/sbin_jinja/so-yara-update b/salt/manager/tools/sbin_jinja/so-yara-update new file mode 100755 index 000000000..fff5bb806 --- /dev/null +++ b/salt/manager/tools/sbin_jinja/so-yara-update 
@@ -0,0 +1,39 @@
+#!/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+echo "Starting to check for yara rule updates at $(date)..."
+
+repos="/opt/so/conf/strelka/repos.txt"
+newcounter=0
+excludedcounter=0
+excluded_rules=({{ EXCLUDEDRULES | join(' ') }})
+
+
+# Pull down the SO Rules
+SORULEDIR=/nsm/rules/yara
+OUTPUTDIR=/opt/so/saltstack/local/salt/strelka/rules
+
+mkdir -p $OUTPUTDIR
+
+for i in $(find $SORUKLEDIR -name "*.yar*"); do
+ rule_name=$(echo $i | awk -F '/' '{print $NF}')
+ if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then
+ echo "Adding rule: $rule_name..."
+ cp $i $OUTPUTDIR/$rule_name
+ ((newcounter++))
+ else
+ echo "Excluding rule: $rule_name..."
+ ((excludedcounter++))
+ fi
+done
+
+if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then
+ echo "$newcounter rules added."
+ echo "$excludedcounter rule(s) excluded."
+fi
+
+echo "Finished rule updates at $(date)..."
diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml
index d8b238b03..76110aafe 100644
--- a/salt/strelka/defaults.yaml
+++ b/salt/strelka/defaults.yaml
@@ -542,7 +542,8 @@ strelka:
 enabled: False
 rules:
 enabled: True
- repos: []
+ repos:
+ - https://github.com/Security-Onion-Solutions/securityonion-yara.git
 excluded:
 - apt_flame2_orchestrator.yar
 - apt_tetris.yar
diff --git a/salt/strelka/tools/sbin_jinja/so-yara-download b/salt/strelka/tools/sbin_jinja/so-yara-download
new file mode 100644
index 000000000..69c5ffc1d
--- /dev/null
+++ b/salt/strelka/tools/sbin_jinja/so-yara-download
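Review bot: The `find` in the rules loop reads `$SORUKLEDIR`, which is never assigned — the directory is defined two lines earlier as `SORULEDIR` — so the expansion is empty and GNU find falls back to the caller's current directory instead of /nsm/rules/yara, copying whatever `*.yar*` files happen to be there into the Salt rules tree; the fix is `for i in $(find "$SORULEDIR" -name "*.yar*"); do`. The exclusion test `[[ ! "${excluded_rules}" =~ ${rule_name} ]]` only compares against the first element of the array and treats the unquoted rule name as a regex, so an exclusion list with more than one entry will not exclude the later ones; `[[ ! " ${excluded_rules[*]} " =~ " ${rule_name} " ]]` compares the whole list literally. `repos=` is assigned but no longer used now that the cloning moved to so-yara-download, so it can be dropped. `cp $i $OUTPUTDIR/$rule_name` also flattens every repo subdirectory under /nsm/rules/yara into one directory, so two repos shipping a file with the same name will silently overwrite each other — worth a comment if that is intended.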
@@ -0,0 +1,48 @@
+#!/bin/bash
+NOROOT=1
+. /usr/sbin/so-common
+
+{%- set proxy = salt['pillar.get']('manager:proxy') %}
+
+# Download the rules from the internet
+{%- if proxy %}
+export http_proxy={{ proxy }}
+export https_proxy={{ proxy }}
+export no_proxy= salt['pillar.get']('manager:no_proxy')
+{%- endif %}
+
+outputdir=/nsm/rules/yara
+gh_status=$(curl -s -o /dev/null -w "%{http_code}" https://github.com)
+clone_dir="/tmp"
+if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then
+
+ while IFS= read -r repo; do
+ if ! $(echo "$repo" | grep -qE '^#'); then
+ # Remove old repo if existing bc of previous error condition or unexpected disruption
+ repo_name=`echo $repo | awk -F '/' '{print $NF}'`
+ [ -d $output_dir/$repo_name ] && rm -rf $output_dir/$repo_name
+
+ # Clone repo and make appropriate directories for rules
+ git clone $repo $clone_dir/$repo_name
+ echo "Analyzing rules from $clone_dir/$repo_name..."
+ mkdir -p $output_dir/$repo_name
+ # Ensure a copy of the license is available for the rules
+ [ -f $clone_dir/$repo_name/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name
+
+ # Copy over rules
+ for i in $(find $clone_dir/$repo_name -name "*.yar*"); do
+ rule_name=$(echo $i | awk -F '/' '{print $NF}')
+ cp $i $output_dir/$repo_name
+ done
+ rm -rf $clone_dir/$repo_name
+ fi
+ done < $repos
+
+ echo "Done!"
+
+
+else
+ echo "Server returned $gh_status status code."
+ echo "No connectivity to Github...exiting..."
+ exit 1
+fi
diff --git a/salt/strelka/tools/sbin_jinja/so-yara-update b/salt/strelka/tools/sbin_jinja/so-yara-update
deleted file mode 100644
index 9ec6fa41f..000000000
--- a/salt/strelka/tools/sbin_jinja/so-yara-update
+++ /dev/null
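Review bot: `$output_dir` and `$repos` are never set in this script — the assignment reads `outputdir=/nsm/rules/yara`, and the repos.txt path is only defined in so-yara-update — so `done < $repos` fails with an ambiguous redirect and, once that is fixed, every `$output_dir/$repo_name` path resolves directly under `/`, including the `rm -rf` at the top of the loop. Rename the assignment to `output_dir=/nsm/rules/yara`, add `repos="/opt/so/conf/strelka/repos.txt"`, and guard the delete with `rm -rf -- "${output_dir:?}/${repo_name:?}"` so an empty expansion aborts instead of removing from the filesystem root. The `export no_proxy= salt['pillar.get']('manager:no_proxy')` line carried over from the old script is missing its `{{ }}`, so it sets `no_proxy` empty and then tries to run `salt[...]` as a shell command rather than templating the pillar value. Since each repo in repos.txt is cloned at its current HEAD and its files are copied into the rule set as-is, it may be worth pinning the clone to a known tag or commit (or recording the cloned commit in the log output) so rule content cannot change underneath the manager without review; `rule_name` in the copy loop is also assigned but never used.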
@@ -1,21 +0,0 @@
-#!/bin/bash
-NOROOT=1
-. /usr/sbin/so-common
-
-{%- set proxy = salt['pillar.get']('manager:proxy') %}
-
-# Download the rules from the internet
-{%- if proxy %}
-export http_proxy={{ proxy }}
-export https_proxy={{ proxy }}
-export no_proxy= salt['pillar.get']('manager:no_proxy')
-{%- endif %}
-
-mkdir -p /tmp/yara
-cd /tmp/yara
-git clone https://github.com/Security-Onion-Solutions/securityonion-yara.git
-mkdir -p /nsm/rules/yara
-rsync -shav --progress /tmp/yara/securityonion-yara/yara /nsm/rules/
-cd /tmp
-rm -rf /tmp/yara
-