yara scripts

salt/manager/files/so-yara-update.jinja

@@ -1,99 +0,0 @@
-#!/bin/bash
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-echo "Starting to check for yara rule updates at $(date)..."
-
-output_dir="/opt/so/saltstack/local/salt/strelka/rules"
-mkdir -p $output_dir
-repos="/opt/so/conf/strelka/repos.txt"
-newcounter=0
-excludedcounter=0
-excluded_rules=({{ EXCLUDEDRULES | join(' ') }})
-
-
-{% if ISAIRGAP is sameas true %}
-
-echo "Airgap mode enabled."
-
-clone_dir="/nsm/repo/rules/strelka"
-repo_name="signature-base"
-[ -d $output_dir/$repo_name ] && rm -rf $output_dir/$repo_name
-mkdir -p mkdir -p $output_dir/$repo_name
-# Ensure a copy of the license is available for the rules
-[ -f $clone_dir/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name
-
-# Copy over rules
-for i in $(find $clone_dir/yara -name "*.yar*"); do
-  rule_name=$(echo $i | awk -F '/' '{print $NF}')
-  if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then
-    echo "Adding rule: $rule_name..."
-    cp $i $output_dir/$repo_name
-    ((newcounter++))
-  else
-    echo "Excluding rule: $rule_name..."
-    ((excludedcounter++))
-  fi
-done
-
-echo "Done!"
-
-if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then
-  echo "$newcounter rules added."
-  echo "$excludedcounter rule(s) excluded."
-fi
-
-{% else %}
-
-gh_status=$(curl -s -o /dev/null -w "%{http_code}" https://github.com)
-clone_dir="/tmp"
-if [ "$gh_status" == "200" ]  || [ "$gh_status" == "301" ]; then
-
-  while IFS= read -r repo; do
-    if ! $(echo "$repo" | grep -qE '^#'); then
-      # Remove old repo if existing bc of previous error condition or unexpected disruption
-      repo_name=`echo $repo | awk -F '/' '{print $NF}'`
-      [ -d $output_dir/$repo_name ] && rm -rf $output_dir/$repo_name
-
-      # Clone repo and make appropriate directories for rules
-      git clone $repo $clone_dir/$repo_name
-      echo "Analyzing rules from $clone_dir/$repo_name..."
-      mkdir -p $output_dir/$repo_name
-      # Ensure a copy of the license is available for the rules
-      [ -f $clone_dir/$repo_name/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name
-
-      # Copy over rules
-      for i in $(find $clone_dir/$repo_name -name "*.yar*"); do
-        rule_name=$(echo $i | awk -F '/' '{print $NF}')
-
-        if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then
-          echo "Adding rule: $rule_name..."
-          cp $i $output_dir/$repo_name
-          ((newcounter++))
-        else
-          echo "Excluding rule: $rule_name..."
-          ((excludedcounter++))
-        fi
-     done
-     rm -rf $clone_dir/$repo_name
-    fi
-    done < $repos
-
-  echo "Done!"
-  
-  if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then
-    echo "$newcounter rule(s) added."
-    echo "$excludedcounter rule(s) excluded."
-  fi
-  
-else
-  echo "Server returned $gh_status status code."
-  echo "No connectivity to Github...exiting..."
-  exit 1
-fi
-{% endif %}
-
-echo "Finished rule updates at $(date)..."

salt/manager/init.sls

@@ -96,7 +96,7 @@ strelkarepos:
 yara_update_script:
   file.managed:
     - name: /usr/sbin/so-yara-update
-    - source: salt://manager/files/so-yara-update.jinja
+    - source: salt://manager/tools/sbin_jinja/so-yara-update
     - user: root
     - group: root
     - mode: 755

salt/manager/tools/sbin_jinja/so-yara-update

@@ -0,0 +1,39 @@
+#!/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+echo "Starting to check for yara rule updates at $(date)..."
+
+repos="/opt/so/conf/strelka/repos.txt"
+newcounter=0
+excludedcounter=0
+excluded_rules=({{ EXCLUDEDRULES | join(' ') }})
+
+
+# Pull down the SO Rules
+SORULEDIR=/nsm/rules/yara
+OUTPUTDIR=/opt/so/saltstack/local/salt/strelka/rules
+
+mkdir -p $OUTPUTDIR
+
+for i in $(find $SORUKLEDIR -name "*.yar*"); do
+  rule_name=$(echo $i | awk -F '/' '{print $NF}')
+  if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then
+    echo "Adding rule: $rule_name..."
+    cp $i $OUTPUTDIR/$rule_name
+    ((newcounter++))
+  else
+    echo "Excluding rule: $rule_name..."
+    ((excludedcounter++))
+  fi
+done
+
+if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then
+  echo "$newcounter rules added."
+  echo "$excludedcounter rule(s) excluded."
+fi
+
+echo "Finished rule updates at $(date)..."

salt/strelka/defaults.yaml

@@ -542,7 +542,8 @@ strelka:
     enabled: False
   rules:
     enabled: True
-    repos: []
+    repos:
+      - https://github.com/Security-Onion-Solutions/securityonion-yara.git
     excluded:
       - apt_flame2_orchestrator.yar
       - apt_tetris.yar

salt/strelka/tools/sbin_jinja/so-yara-download

@@ -0,0 +1,48 @@
+#!/bin/bash
+NOROOT=1
+. /usr/sbin/so-common
+
+{%- set proxy = salt['pillar.get']('manager:proxy') %}
+
+# Download the rules from the internet
+{%- if proxy %}
+export http_proxy={{ proxy }} 
+export https_proxy={{ proxy }} 
+export no_proxy= salt['pillar.get']('manager:no_proxy') 
+{%- endif %}
+
+outputdir=/nsm/rules/yara
+gh_status=$(curl -s -o /dev/null -w "%{http_code}" https://github.com)
+clone_dir="/tmp"
+if [ "$gh_status" == "200" ]  || [ "$gh_status" == "301" ]; then
+
+  while IFS= read -r repo; do
+    if ! $(echo "$repo" | grep -qE '^#'); then
+      # Remove old repo if existing bc of previous error condition or unexpected disruption
+      repo_name=`echo $repo | awk -F '/' '{print $NF}'`
+      [ -d $output_dir/$repo_name ] && rm -rf $output_dir/$repo_name
+
+      # Clone repo and make appropriate directories for rules
+      git clone $repo $clone_dir/$repo_name
+      echo "Analyzing rules from $clone_dir/$repo_name..."
+      mkdir -p $output_dir/$repo_name
+      # Ensure a copy of the license is available for the rules
+      [ -f $clone_dir/$repo_name/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name
+
+      # Copy over rules
+      for i in $(find $clone_dir/$repo_name -name "*.yar*"); do
+        rule_name=$(echo $i | awk -F '/' '{print $NF}')
+        cp $i $output_dir/$repo_name
+     done
+     rm -rf $clone_dir/$repo_name
+    fi
+    done < $repos
+
+  echo "Done!"
+ 
+  
+else
+  echo "Server returned $gh_status status code."
+  echo "No connectivity to Github...exiting..."
+  exit 1
+fi

salt/strelka/tools/sbin_jinja/so-yara-update

@@ -1,21 +0,0 @@
-#!/bin/bash
-NOROOT=1
-. /usr/sbin/so-common
-
-{%- set proxy = salt['pillar.get']('manager:proxy') %}
-
-# Download the rules from the internet
-{%- if proxy %}
-export http_proxy={{ proxy }} 
-export https_proxy={{ proxy }} 
-export no_proxy= salt['pillar.get']('manager:no_proxy') 
-{%- endif %}
-
-mkdir -p /tmp/yara
-cd /tmp/yara
-git clone https://github.com/Security-Onion-Solutions/securityonion-yara.git
-mkdir -p /nsm/rules/yara
-rsync -shav --progress /tmp/yara/securityonion-yara/yara /nsm/rules/
-cd /tmp
-rm -rf /tmp/yara
-