From a36a6d565921c3489a2de61ba4abf13f29ccf3d1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 15 Mar 2023 10:40:16 -0400 Subject: [PATCH] Strelka UI components --- salt/strelka/soc_strelka.yaml | 576 ++++++++++++++++++++++++++++++++++ 1 file changed, 576 insertions(+) create mode 100644 salt/strelka/soc_strelka.yaml diff --git a/salt/strelka/soc_strelka.yaml b/salt/strelka/soc_strelka.yaml new file mode 100644 index 000000000..bd730579d --- /dev/null +++ b/salt/strelka/soc_strelka.yaml @@ -0,0 +1,576 @@ +strelka: + config: + backend: + backend: + logging_cfg: + description: Location in the container where the config file is located. + readonly: True + global: False + helpLink: strelka.html + advanced: True + limits: + max_files: + description: Max Files. + readonly: False + global: False + helpLink: strelka.html + time_to_live: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + max_depth: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + distribution: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + scanner: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + coordinator: + addr: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + advanced: True + db: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + advanced: True + tasting: + mime_db: '/usr/lib/file/magic.mgc' + description: Location in the container where the config file is located. + readonly: True + global: False + helpLink: strelka.html + advanced: True + yara_rules: '/etc/strelka/taste/' + description: Location in the container where the config file is located. + readonly: True + global: False + helpLink: strelka.html + advanced: True + scanners: + 'ScanBase64': + - positive: + filename: '^base64_' + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + advanced: True + priority: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + + 'ScanBatch': + - positive: + flavors: + - 'text/x-msdos-batch' + - 'batch_file' + priority: 5 + 'ScanBzip2': + - positive: + flavors: + - 'application/x-bzip2' + - 'bzip2_file' + priority: 5 + 'ScanDocx': + - positive: + flavors: + - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' + priority: 5 + options: + extract_text: False + 'ScanElf': + - positive: + flavors: + - 'application/x-object' + - 'application/x-executable' + - 'application/x-sharedlib' + - 'application/x-coredump' + - 'elf_file' + priority: 5 + 'ScanEmail': + - positive: + flavors: + - 'application/vnd.ms-outlook' + - 'message/rfc822' + - 'email_file' + priority: 5 + 'ScanEntropy': + - positive: + flavors: + - '*' + priority: 5 + 'ScanExiftool': + - positive: + flavors: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + advacned: True + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanGif': + - positive: + flavors: + - 'image/gif' + - 'gif_file' + priority: 5 + 'ScanGzip': + - positive: + flavors: + - 'application/gzip' + - 'application/x-gzip' + - 'gzip_file' + priority: 5 + 'ScanHash': + - positive: + flavors: + - '*' + priority: 5 + 'ScanHeader': + - positive: + flavors: + - '*' + priority: 5 + options: + length: 50 + 'ScanHtml': + - positive: + flavors: + - 'hta_file' + - 'text/html' + - 'html_file' + priority: 5 + options: + parser: "html5lib" + 'ScanIni': + - positive: + filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$' + flavors: + - 'ini_file' + priority: 5 + 'ScanJarManifest': + - positive: + flavors: + - 'jar_manifest_file' + priority: 5 + 'ScanJavascript': + - negative: + flavors: + - 'text/html' + - 'html_file' + positive: + flavors: + - 'javascript_file' + - 'text/javascript' + priority: 5 + options: + beautify: True + 'ScanJpeg': + - positive: + flavors: + - 'image/jpeg' + - 'jpeg_file' + priority: 5 + 'ScanJson': + - positive: + flavors: + - 'application/json' + - 'json_file' + priority: 5 + 'ScanLibarchive': + - positive: + flavors: + - 'application/vnd.ms-cab-compressed' + - 'cab_file' + - 'application/x-7z-compressed' + - '_7zip_file' + - 'application/x-cpio' + - 'cpio_file' + - 'application/x-xar' + - 'xar_file' + - 'arj_file' + - 'iso_file' + - 'application/x-debian-package' + - 'debian_package_file' + priority: 5 + options: + limit: 1000 + 'ScanLzma': + - positive: + flavors: + - 'application/x-lzma' + - 'lzma_file' + - 'application/x-xz' + - 'xz_file' + priority: 5 + 'ScanMacho': + - positive: + flavors: + - 'application/x-mach-binary' + - 'macho_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanOcr': + - positive: + flavors: + - 'image/jpeg' + - 'jpeg_file' + - 'image/png' + - 'png_file' + - 'image/tiff' + - 'type_is_tiff' + - 'image/x-ms-bmp' + - 'bmp_file' + priority: 5 + options: + extract_text: False + tmp_directory: '/dev/shm/' + 'ScanOle': + - positive: + flavors: + - 'application/CDFV2' + - 'application/msword' + - 'olecf_file' + priority: 5 + 'ScanPdf': + - positive: + flavors: + - 'application/pdf' + - 'pdf_file' + priority: 5 + options: + extract_text: False + limit: 2000 + 'ScanPe': + - positive: + flavors: + - 'application/x-dosexec' + - 'mz_file' + priority: 5 + 'ScanPgp': + - positive: + flavors: + - 'application/pgp-keys' + - 'pgp_file' + priority: 5 + 'ScanPhp': + - positive: + flavors: + - 'text/x-php' + - 'php_file' + priority: 5 + 'ScanPkcs7': + - positive: + flavors: + - 'pkcs7_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanPlist': + - positive: + flavors: + - 'bplist_file' + - 'plist_file' + priority: 5 + options: + keys: + - 'KeepAlive' + - 'Label' + - 'NetworkState' + - 'Program' + - 'ProgramArguments' + - 'RunAtLoad' + - 'StartInterval' + 'ScanRar': + - positive: + flavors: + - 'application/x-rar' + - 'rar_file' + priority: 5 + options: + limit: 1000 + 'ScanRpm': + - positive: + flavors: + - 'application/x-rpm' + - 'rpm_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanRtf': + - positive: + flavors: + - 'text/rtf' + - 'rtf_file' + priority: 5 + options: + limit: 1000 + 'ScanRuby': + - positive: + flavors: + - 'text/x-ruby' + priority: 5 + 'ScanSwf': + - positive: + flavors: + - 'application/x-shockwave-flash' + - 'fws_file' + - 'cws_file' + - 'zws_file' + priority: 5 + 'ScanTar': + - positive: + flavors: + - 'application/x-tar' + - 'tar_file' + priority: 5 + options: + limit: 1000 + 'ScanTnef': + - positive: + flavors: + - 'application/vnd.ms-tnef' + - 'tnef_file' + priority: 5 + 'ScanUpx': + - positive: + flavors: + - 'upx_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanUrl': + - negative: + flavors: + - 'javascript_file' + positive: + flavors: + - 'text/plain' + priority: 5 + 'ScanVb': + - positive: + flavors: + - 'vb_file' + - 'vbscript' + priority: 5 + 'ScanVba': + - positive: + flavors: + - 'mhtml_file' + - 'application/msword' + - 'olecf_file' + - 'wordml_file' + priority: 5 + options: + analyze_macros: True + 'ScanX509': + - positive: + flavors: + - 'x509_der_file' + priority: 5 + options: + type: 'der' + - positive: + flavors: + - 'x509_pem_file' + priority: 5 + options: + type: 'pem' + 'ScanXml': + - positive: + flavors: + - 'application/xml' + - 'text/xml' + - 'xml_file' + - 'mso_file' + - 'soap_file' + priority: 5 + 'ScanYara': + - positive: + flavors: + - '*' + priority: 5 + options: + location: '/etc/yara/' + 'ScanZip': + - positive: + flavors: + - 'application/java-archive' + - 'application/zip' + - 'zip_file' + - 'application/vnd.openxmlformats-officedocument' + - 'application/vnd.openxmlformats-officedocument.presentationml.presentation' + - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' + - 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' + - 'ooxml_file' + priority: 5 + options: + limit: 1000 + password_file: '/etc/strelka/passwords.dat' + 'ScanZlib': + - positive: + flavors: + - 'application/zlib' + - 'zlib_file' + priority: 5 + logging: + version: 1 + formatters: + simple: + format: '%(asctime)s - [%(levelname)s] %(name)s [%(module)s.%(funcName)s]: %(message)s' + datefmt: '%Y-%m-%d %H:%M:%S' + handlers: + console: + class: logging.StreamHandler + formatter: simple + stream: ext://sys.stdout + root: + level: DEBUG + handlers: [console] + loggers: + OpenSSL: + propagate: 0 + bs4: + propagate: 0 + bz2: + propagate: 0 + chardet: + propagate: 0 + docx: + propagate: 0 + elftools: + propagate: 0 + email: + propagate: 0 + entropy: + propagate: 0 + esprima: + propagate: 0 + gzip: + propagate: 0 + hashlib: + propagate: 0 + json: + propagate: 0 + libarchive: + propagate: 0 + lxml: + propagate: 0 + lzma: + propagate: 0 + macholibre: + propagate: 0 + olefile: + propagate: 0 + oletools: + propagate: 0 + pdfminer: + propagate: 0 + pefile: + propagate: 0 + pgpdump: + propagate: 0 + pygments: + propagate: 0 + pylzma: + propagate: 0 + rarfile: + propagate: 0 + requests: + propagate: 0 + rpmfile: + propagate: 0 + ssdeep: + propagate: 0 + tarfile: + propagate: 0 + tnefparse: + propagate: 0 + yara: + propagate: 0 + zipfile: + propagate: 0 + zlib: + propagate: 0 + passwords: + - infected + - password + filestream: + conn: + server: 'HOST:57314' + cert: '' + timeout: + dial: 5s + file: 1m + throughput: + concurrency: 8 + chunk: 32768 + delay: 0s + files: + patterns: + - '/nsm/strelka/unprocessed/*' + delete: false + gatekeeper: true + processed: '/nsm/strelka/processed' + response: + report: 5s + delta: 5s + staging: '/nsm/strelka/staging' + frontend: + server: ":57314" + coordinator: + addr: 'HOST:6380' + db: 0 + gatekeeper: + addr: 'HOST:6381' + db: 0 + ttl: 1h + response: + log: "/var/log/strelka/strelka.log" + manager: + coordinator: + addr: 'HOST:6380' + db: 0 + + rules: + enabled: True + repos: + - https://github.com/Neo23x0/signature-base + excluded: + - apt_flame2_orchestrator.yar + - apt_tetris.yar + - gen_susp_js_obfuscatorio.yar + - gen_webshells.yar + - generic_anomalies.yar + - general_cloaking.yar + - thor_inverse_matches.yar + - yara_mixed_ext_vars.yar + - apt_apt27_hyperbro.yar + - apt_turla_gazer.yar + - gen_google_anomaly.yar + - gen_icon_anomalies.yar + - gen_nvidia_leaked_cert.yar + - gen_sign_anomalies.yar + - gen_susp_xor.yar + - gen_webshells_ext_vars.yar + - configured_vulns_ext_vars.yar +