CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-02-08 08:13:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9945 from Security-Onion-Solutions/2.4/strelka

Browse Source 
2.4/strelka
This commit is contained in:
Josh Patterson
2023-03-17 09:55:45 -04:00
committed by GitHub
parent c7099280da 91da3fd797
commit 9893fce105
6 changed files with 614 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
salt/strelka/defaults.yaml
View File

@@ -526,10 +526,9 @@ strelka:
response:
log: "/var/log/strelka/strelka.log"
manager:
coordinator:
addr: 'HOST:6380'
db: 0
coordinator:
addr: 'HOST:6380'
db: 0
rules:
enabled: True
repos:
@@ -552,3 +551,7 @@ strelka:
- gen_susp_xor.yar
- gen_webshells_ext_vars.yar
- configured_vulns_ext_vars.yar
filecheck:
historypath: '/nsm/strelka/history/'
strelkapath: '/nsm/strelka/unprocessed/'
logfile: '/opt/so/log/strelka/filecheck.log'

3
salt/strelka/filecheck/filecheck.yaml.jinja
View File

@@ -1 +1,2 @@
{{ FILECHECKCONFIG | yaml(false) }}
filecheck:
{{ FILECHECKCONFIG | yaml(false) | indent(width=2) }}

12
salt/strelka/filecheck/map.jinja
View File

@@ -1,12 +0,0 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'strelka/filecheck/defaults.yaml' as FILECHECKDEFAULTS %}
{% if GLOBALS.md_engine == "SURICATA" %}
{% set extract_path = '/nsm/suricata/extracted' %}
{% set filecheck_runas = 'suricata' %}
{% else %}
{% set extract_path = '/nsm/zeek/extracted/complete' %}
{% set filecheck_runas = 'socore' %}
{% endif %}
{% do FILECHECKDEFAULTS.filecheck.update({'extract_path': extract_path}) %}

13
salt/strelka/init.sls
View File

@@ -9,8 +9,7 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'strelka/map.jinja' import STRELKAMERGED %}
{% from 'strelka/filecheck/map.jinja' import FILECHECKDEFAULTS %}
{% from 'strelka/filecheck/map.jinja' import filecheck_runas %}
{% from 'strelka/map.jinja' import filecheck_runas %}
# Strelka config
strelkaconfdir:
@@ -99,7 +98,7 @@ manager_config:
- defaults:
MANAGERCONFIG: {{ STRELKAMERGED.config.manager }}
{% if STRELKAMERGED.rules.enabled %}
{% if STRELKAMERGED.rules.enabled %}
strelkarules:
file.recurse:
@@ -109,7 +108,7 @@ strelkarules:
- group: 939
- clean: True
{% if grains['role'] in GLOBALS.manager_roles %}
{% if grains['role'] in GLOBALS.manager_roles %}
strelkarepos:
file.managed:
- name: /opt/so/conf/strelka/repos.txt
@@ -118,8 +117,8 @@ strelkarepos:
- defaults:
STRELKAREPOS: {{ STRELKAMERGED.rules.repos }}
{% endif %}
{% endif %}
{% endif %}
{% endif %}
strelkadatadir:
file.directory:
@@ -185,7 +184,7 @@ filecheck_conf:
- source: salt://strelka/filecheck/filecheck.yaml.jinja
- template: jinja
- defaults:
FILECHECKCONFIG: {{ FILECHECKDEFAULTS }}
FILECHECKCONFIG: {{ STRELKAMERGED.filecheck }}
filecheck_script:
file.managed:

10
salt/strelka/map.jinja
View File

@@ -17,4 +17,14 @@
{% set manager_coordinator_port = STRELKADEFAULTS.strelka.config.manager.coordinator.addr.split(':')[1] %}
{% do STRELKADEFAULTS.strelka.config.manager.coordinator.update({'addr': HOST ~ ':' ~ manager_coordinator_port}) %}
{% if GLOBALS.md_engine == "SURICATA" %}
{% set extract_path = '/nsm/suricata/extracted' %}
{% set filecheck_runas = 'suricata' %}
{% else %}
{% set extract_path = '/nsm/zeek/extracted/complete' %}
{% set filecheck_runas = 'socore' %}
{% endif %}
{% do STRELKADEFAULTS.strelka.filecheck.update({'extract_path': extract_path}) %}
{% set STRELKAMERGED = salt['pillar.get']('strelka', STRELKADEFAULTS.strelka, merge=True) %}

589
salt/strelka/soc_strelka.yaml Normal file
View File

@@ -0,0 +1,589 @@
strelka:
config:
backend:
backend:
logging_cfg:
description: Path to the Python logging configuration.
readonly: True
global: False
helpLink: strelka.html
advanced: True
limits:
max_files:
description: Number of files the backend will process before shutting down.
readonly: False
global: False
helpLink: strelka.html
time_to_live:
description: Amount of time (in seconds) that the backend will run before shutting down (0 to disable).
readonly: False
global: False
helpLink: strelka.html
max_depth:
description: Maximum depth that extracted files will be processed by the backend.
readonly: False
global: False
helpLink: strelka.html
distribution:
description: Amount of time (in seconds) that a single file can be distributed to all scanners.
readonly: False
global: False
helpLink: strelka.html
scanner:
description: Amount of time (in seconds) that a scanner can spend scanning a file (can be overridden per scanner).
readonly: False
global: False
helpLink: strelka.html
coordinator:
addr:
description: Network address of the coordinator.
readonly: False
global: False
helpLink: strelka.html
advanced: True
db:
description: Redis database of the coordinator.
readonly: False
global: False
helpLink: strelka.html
advanced: True
tasting:
mime_db:
description: Location of the MIME database used to taste files.
readonly: True
global: False
helpLink: strelka.html
advanced: True
yara_rules:
description: Location of the directory of YARA files that contains rules used to taste files.
readonly: True
global: False
helpLink: strelka.html
advanced: True
scanners:
'ScanBase64': &scannerOptions
description: Configuration options for this scanner.
readonly: False
global: False
helpLink: strelka.html
advanced: True
type: json
multiline: True
'ScanBatch': *scannerOptions
'ScanBzip2': *scannerOptions
'ScanDocx': *scannerOptions
'ScanElf': *scannerOptions
'ScanEmail': *scannerOptions
'ScanEntropy': *scannerOptions
'ScanExiftool': *scannerOptions
'ScanGif': *scannerOptions
'ScanGzip': *scannerOptions
'ScanHash': *scannerOptions
'ScanHeader': *scannerOptions
'ScanHtml': *scannerOptions
'ScanIni': *scannerOptions
'ScanJarManifest': *scannerOptions
'ScanJavascript': *scannerOptions
'ScanJpeg': *scannerOptions
'ScanJson': *scannerOptions
'ScanLibarchive': *scannerOptions
'ScanLzma': *scannerOptions
'ScanMacho': *scannerOptions
'ScanOcr': *scannerOptions
'ScanOle': *scannerOptions
'ScanPdf': *scannerOptions
'ScanPe': *scannerOptions
'ScanPgp': *scannerOptions
'ScanPhp': *scannerOptions
'ScanPkcs7': *scannerOptions
'ScanPlist': *scannerOptions
'ScanRar': *scannerOptions
'ScanRpm': *scannerOptions
'ScanRtf': *scannerOptions
'ScanRuby': *scannerOptions
'ScanSwf': *scannerOptions
'ScanTar': *scannerOptions
'ScanTnef': *scannerOptions
'ScanUpx': *scannerOptions
'ScanUrl': *scannerOptions
'ScanVb': *scannerOptions
'ScanVba': *scannerOptions
'ScanX509': *scannerOptions
'ScanXml': *scannerOptions
'ScanYara': *scannerOptions
'ScanZip': *scannerOptions
'ScanZlib': *scannerOptions
logging:
version:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
formatters:
simple:
format:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
datefmt:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
handlers:
console:
class:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
formatter:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
stream:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
root:
level:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
handlers:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
loggers:
OpenSSL:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
bs4:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
bz2:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
chardet:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
docx:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
elftools:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
email:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
entropy:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
esprima:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
gzip:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
hashlib:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
json:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
libarchive:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
lxml:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
lzma:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
macholibre:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
olefile:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
oletools:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
pdfminer:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
pefile:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
pgpdump:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
pygments:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
pylzma:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
rarfile:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
requests:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
rpmfile:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
ssdeep:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
tarfile:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
tnefparse:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
yara:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
zipfile:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
zlib:
propagate:
description: This is an advanced option for Strelka logging.
readonly: False
global: False
helpLink: strelka.html
advanced: True
passwords:
description: Passwords that will be stored in the password_file used in scanner options.
readonly: False
global: False
helpLink: strelka.html
multiline: True
filestream:
conn:
server:
description: Network address of the frontend server.
readonly: False
global: False
helpLink: strelka.html
advanced: True
cert:
description: Local path to the frontend SSL server certificate.
readonly: False
global: False
helpLink: strelka.html
advanced: True
timeout:
dial:
description: Amount of time to wait for the client to dial the server.
readonly: False
global: False
helpLink: strelka.html
advanced: True
file:
description: Amount of time to wait for an individual file to complete a scan.
readonly: False
global: False
helpLink: strelka.html
advanced: True
throughput:
concurrency:
description: Number of concurrent requests to make.
readonly: False
global: False
helpLink: strelka.html
advanced: True
chunk:
description: Size of file chunks that will be sent to the frontend server.
readonly: False
global: False
helpLink: strelka.html
advanced: True
delay:
description: Artificial sleep between the submission of each chunk.
readonly: False
global: False
helpLink: strelka.html
advanced: True
files:
patterns:
description: List of glob patterns that determine which files will be sent for scanning.
readonly: False
global: False
helpLink: strelka.html
advanced: True
delete:
description: Boolean that determines if files should be deleted after being sent for scanning.
readonly: False
global: False
helpLink: strelka.html
advanced: True
gatekeeper:
description: Boolean that determines if events should be pulled from the temporary event cache.
readonly: False
global: False
helpLink: strelka.html
advanced: True
processed:
description: Directory where files will be moved after being submitted for scanning.
readonly: False
global: False
helpLink: strelka.html
advanced: True
response:
report:
description: Frequency at which the frontend reports the number of files processed.
readonly: False
global: False
helpLink: strelka.html
advanced: True
delta:
description: Time value that determines how much time must pass since a file was last modified before it is sent for scanning.
readonly: False
global: False
helpLink: strelka.html
advanced: True
staging:
description: Directory where files are staged before being sent to the cluster.
readonly: False
global: False
helpLink: strelka.html
advanced: True
frontend:
server:
description: Network address of the frontend server.
readonly: False
global: False
helpLink: strelka.html
advanced: True
coordinator:
addr:
description: Network address of the coordinator.
readonly: False
global: False
helpLink: strelka.html
advanced: True
db:
description: Redis database of the coordinator.
readonly: False
global: False
helpLink: strelka.html
advanced: True
gatekeeper:
addr:
description: Network address of the gatekeeper.
readonly: False
global: False
helpLink: strelka.html
advanced: True
db:
description: Redis database of the gatekeeper.
readonly: False
global: False
helpLink: strelka.html
advanced: True
ttl:
description: Time-to-live for events added to the gatekeeper.
readonly: False
global: False
helpLink: strelka.html
advanced: True
response:
log:
description: Location where worker scan results are logged to.
readonly: False
global: False
helpLink: strelka.html
advanced: True
manager:
coordinator:
addr:
description: Network address of the coordinator.
readonly: False
global: False
helpLink: strelka.html
advanced: True
db:
description: Redis database of the coordinator.
readonly: False
global: False
helpLink: strelka.html
advanced: True
rules:
enabled:
description: Boolean that determines if yara rules sync from the Salt manager to the backend nodes.
readonly: False
global: False
helpLink: strelka.html
advanced: False
repos:
description: List of repos for so-yara-update to use to download rules.
readonly: False
global: False
helpLink: strelka.html
advanced: False
excluded:
description: List of rules to exclude so-yara-update from download and propagating to backend nodes.
readonly: False
global: False
helpLink: strelka.html
advanced: False
filecheck:
historypath:
description: The path for previously scanned files.
readonly: True
global: False
helpLink: strelka.html
advanced: True
strelkapath:
description: The path for unprocessed files.
readonly: True
global: False
helpLink: strelka.html
advanced: True
logfile:
description: The path for the filecheck log.
readonly: False
global: False
helpLink: strelka.html
advanced: True