jinja for strelka
@@ -9,7 +9,7 @@ echo "Starting to check for yara rule updates at $(date)..."
|
||||
|
||||
output_dir="/opt/so/saltstack/default/salt/strelka/rules"
|
||||
mkdir -p $output_dir
|
||||
repos="$output_dir/repos.txt"
|
||||
repos="/opt/so/conf/strelka/repos.txt"
|
||||
newcounter=0
|
||||
excludedcounter=0
|
||||
excluded_rules=({{ EXCLUDEDRULES | join(' ') }})
|
||||
|
||||
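Review bot: The array literal `excluded_rules=({{ EXCLUDEDRULES | join(' ') }})` interpolates pillar-supplied rule names into the script unquoted, so an entry containing whitespace or a glob character (`*`, `?`, `[`) is word-split or glob-expanded by bash before the exclusion logic ever sees it, and a name containing `)` would make the script fail to parse. Each element should be shell-quoted when rendered, for example `excluded_rules=({{ EXCLUDEDRULES | map('quote') | join(' ') }})` if the renderer provides Salt's `quote` filter, otherwise a `{% for %}` loop that wraps each name. The script continues outside the hunk, so how `$repos` and `excluded_rules` are consumed is not visible here.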
@@ -33,7 +33,7 @@ yara_update_script:
|
||||
- template: jinja
|
||||
- defaults:
|
||||
ISAIRGAP: {{ GLOBALS.airgap }}
|
||||
EXCLUDEDRULES: {{ STRELKAMERGED.excluded_rules }}
|
||||
EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }}
|
||||
|
||||
strelka_yara_update:
|
||||
cron.present:
|
||||
|
||||
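Review bot: `EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }}` relies on the Python repr of the pillar list being parseable as YAML flow syntax once the state file is rendered; that holds for the plain filenames in the defaults, but an override containing a quote, ` #` or `: ` would break the whole rendered state rather than just that rule. Rendering through a serializer, `EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded | json }}`, keeps the value valid YAML for any content, since JSON is a subset of YAML. The same repr-as-YAML pattern is used for the config dicts in the backend_config, filestream_config, frontend_config and manager_config hunks below.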
@@ -13,7 +13,7 @@ strelka:
|
||||
addr: 'HOST:6380'
|
||||
db: 0
|
||||
tasting:
|
||||
mime_db: ''
|
||||
mime_db: null
|
||||
yara_rules: '/etc/strelka/taste/'
|
||||
scanners:
|
||||
'ScanBase64':
|
||||
@@ -535,37 +535,25 @@ strelka:
|
||||
addr: 'HOST:6380'
|
||||
db: 0
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
excluded_rules:
|
||||
- apt_flame2_orchestrator.yar
|
||||
- apt_tetris.yar
|
||||
- gen_susp_js_obfuscatorio.yar
|
||||
- gen_webshells.yar
|
||||
- generic_anomalies.yar
|
||||
- general_cloaking.yar
|
||||
- thor_inverse_matches.yar
|
||||
- yara_mixed_ext_vars.yar
|
||||
- apt_apt27_hyperbro.yar
|
||||
- apt_turla_gazer.yar
|
||||
- gen_google_anomaly.yar
|
||||
- gen_icon_anomalies.yar
|
||||
- gen_nvidia_leaked_cert.yar
|
||||
- gen_sign_anomalies.yar
|
||||
- gen_susp_xor.yar
|
||||
- gen_webshells_ext_vars.yar
|
||||
- configured_vulns_ext_vars.yar
|
||||
rules:
|
||||
enabled: True
|
||||
repos:
|
||||
- https://github.com/Neo23x0/signature-base
|
||||
excluded:
|
||||
- apt_flame2_orchestrator.yar
|
||||
- apt_tetris.yar
|
||||
- gen_susp_js_obfuscatorio.yar
|
||||
- gen_webshells.yar
|
||||
- generic_anomalies.yar
|
||||
- general_cloaking.yar
|
||||
- thor_inverse_matches.yar
|
||||
- yara_mixed_ext_vars.yar
|
||||
- apt_apt27_hyperbro.yar
|
||||
- apt_turla_gazer.yar
|
||||
- gen_google_anomaly.yar
|
||||
- gen_icon_anomalies.yar
|
||||
- gen_nvidia_leaked_cert.yar
|
||||
- gen_sign_anomalies.yar
|
||||
- gen_susp_xor.yar
|
||||
- gen_webshells_ext_vars.yar
|
||||
- configured_vulns_ext_vars.yar
|
||||
|
||||
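Review bot: `enabled: True` under the new `rules:` key uses the capitalised Python-style boolean while the rest of the added block uses plain lowercase scalars; YAML 1.1 loaders accept it, but `true` is the canonical form and what yamllint's truthy rule expects, so `enabled: true`. The `repos` entries are written to repos.txt verbatim by the template this commit adds, so a short comment above the key stating the expected format, one repository URL per entry as the default shows, would help anyone overriding the list in pillar; whether a branch or revision could be pinned there depends on the update script, which is outside this hunk.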
@@ -7,7 +7,6 @@
|
||||
{% if sls in allowed_states %}
|
||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||
{% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %}
|
||||
|
||||
{% from 'strelka/map.jinja' import STRELKAMERGED %}
|
||||
{% from 'strelka/filecheck/map.jinja' import FILECHECKDEFAULTS %}
|
||||
@@ -35,6 +34,7 @@ backend_backend_config:
|
||||
- template: jinja
|
||||
- user: 939
|
||||
- group: 939
|
||||
- makedirs: True
|
||||
- defaults:
|
||||
BACKENDCONFIG: {{ STRELKAMERGED.config.backend.backend }}
|
||||
|
||||
@@ -65,6 +65,7 @@ filestream_config:
|
||||
- template: jinja
|
||||
- user: 939
|
||||
- group: 939
|
||||
- makedirs: True
|
||||
- defaults:
|
||||
FILESTREAMCONFIG: {{ STRELKAMERGED.config.filestream }}
|
||||
|
||||
@@ -75,6 +76,7 @@ frontend_config:
|
||||
- template: jinja
|
||||
- user: 939
|
||||
- group: 939
|
||||
- makedirs: True
|
||||
- defaults:
|
||||
FRONTENDCONFIG: {{ STRELKAMERGED.config.frontend }}
|
||||
|
||||
@@ -85,10 +87,11 @@ manager_config:
|
||||
- template: jinja
|
||||
- user: 939
|
||||
- group: 939
|
||||
- makedirs: True
|
||||
- defaults:
|
||||
MANAGERCONFIG: {{ STRELKAMERGED.config.manager }}
|
||||
|
||||
{% if STRELKA_RULES == 1 %}
|
||||
{% if STRELKAMERGED.rules.enabled %}
|
||||
|
||||
strelkarules:
|
||||
file.recurse:
|
||||
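Review bot: `{% if STRELKAMERGED.rules.enabled %}` tests Jinja truthiness, so the bool `True` from the defaults behaves as intended, but a pillar override written as a quoted string such as `"false"` or `"no"` is a non-empty string and would still enable the rule states. If string overrides are a realistic input, normalise the value first, `{% if STRELKAMERGED.rules.enabled | to_bool %}`, using Salt's `to_bool` filter. The matching `{% endif %}` is in the later strelkarepos hunk, not in this one.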
@@ -101,9 +104,11 @@ strelkarules:
|
||||
{% if grains['role'] in GLOBALS.manager_roles %}
|
||||
strelkarepos:
|
||||
file.managed:
|
||||
- name: /opt/so/saltstack/default/salt/strelka/rules/repos.txt
|
||||
- source: salt://strelka/rules/repos.txt.jinja
|
||||
- name: /opt/so/conf/strelka/repos.txt
|
||||
- source: salt://strelka/repos.txt.jinja
|
||||
- template: jinja
|
||||
- defaults:
|
||||
STRELKAREPOS: {{ STRELKAMERGED.rules.repos }}
|
||||
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
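--- a/salt/strelka/repos.txt.jinja
+++ b/salt/strelka/repos.txt.jinja
@@ -0,0 +1,2 @@
+# DO NOT EDIT THIS FILE! Strelka YARA rule repos are stored here from the strelka:rules:repos pillar section
+{{ STRELKAREPOS | join('\n') }}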
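Review bot: `{{ STRELKAREPOS | join('\n') }}` emits the entries without a newline after the last one, so whether the rendered repos.txt ends in a newline depends on the template's own trailing newline surviving rendering, which cannot be confirmed from this page; a consumer that iterates the file with `while read` would silently skip an unterminated last line. Appending the newline explicitly, `{{ STRELKAREPOS | join('\n') }}{{ '\n' }}`, or writing a per-entry loop as the removed repos.txt.jinja did, makes the result independent of renderer settings. Extending the header comment with "one repository URL per line" would also document the format the update script expects.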
@@ -1,4 +0,0 @@
|
||||
generic_anomalies.yar
|
||||
general_cloaking.yar
|
||||
thor_inverse_matches.yar
|
||||
yara_mixed_ext_vars.yar
|
||||
@@ -1 +0,0 @@
|
||||
https://github.com/Neo23x0/signature-base
|
||||
@@ -1,4 +0,0 @@
|
||||
# DO NOT EDIT THIS FILE! Strelka YARA rule repos are stored here from the strelka.repos pillar section
|
||||
{%- for repo in salt['pillar.get']('strelka:repos', {}) %}
|
||||
{{ repo }}
|
||||
{%- endfor %}
|
||||