diff --git a/salt/common/tools/sbin/so-yara-update b/salt/common/tools/sbin/so-yara-update
index ddddb87eb..e84832ace 100755
--- a/salt/common/tools/sbin/so-yara-update
+++ b/salt/common/tools/sbin/so-yara-update
@@ -20,6 +20,7 @@ echo "Starting to check for yara rule updates at $(date)..."
 output_dir="/opt/so/saltstack/default/salt/strelka/rules"
 mkdir -p $output_dir
+
 repos="$output_dir/repos.txt"
 ignorefile="$output_dir/ignore.txt" 
@@ -95,55 +96,56 @@ clone_dir="/tmp"
 if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then
 while IFS= read -r repo; do
+ if ! $(echo "$repo" | grep -qE '^#'); then
+ # Remove old repo if existing bc of previous error condition or unexpected disruption
+ repo_name=`echo $repo | awk -F '/' '{print $NF}'`
+ [ -d $repo_name ] && rm -rf $repo_name
- # Remove old repo if existing bc of previous error condition or unexpected disruption
- repo_name=`echo $repo | awk -F '/' '{print $NF}'`
- [ -d $repo_name ] && rm -rf $repo_name
+ # Clone repo and make appropriate directories for rules
- # Clone repo and make appropriate directories for rules
+ git clone $repo $clone_dir/$repo_name
+ echo "Analyzing rules from $clone_dir/$repo_name..."
+ mkdir -p $output_dir/$repo_name
+ [ -f $clone_dir/$repo_name/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name
- git clone $repo $clone_dir/$repo_name
- echo "Analyzing rules from $clone_dir/$repo_name..."
- mkdir -p $output_dir/$repo_name
- [ -f $clone_dir/$repo_name/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name
+ # Copy over rules
+ for i in $(find $clone_dir/$repo_name -name "*.yar*"); do
+ rule_name=$(echo $i | awk -F '/' '{print $NF}')
+ repo_sum=$(sha256sum $i | awk '{print $1}')
- # Copy over rules
- for i in $(find $clone_dir/$repo_name -name "*.yar*"); do
- rule_name=$(echo $i | awk -F '/' '{print $NF}')
- repo_sum=$(sha256sum $i | awk '{print $1}')
+ # Check rules against those in ignore list -- don't copy if ignored.
+ if ! grep -iq $rule_name $ignorefile; then
+ existing_rules=$(find $output_dir/$repo_name/ -name $rule_name | wc -l)
- # Check rules against those in ignore list -- don't copy if ignored.
- if ! 
grep -iq $rule_name $ignorefile; then
- existing_rules=$(find $output_dir/$repo_name/ -name $rule_name | wc -l)
-
- # For existing rules, check to see if they need to be updated, by comparing checksums
- if [ $existing_rules -gt 0 ];then
- local_sum=$(sha256sum $output_dir/$repo_name/$rule_name | awk '{print $1}')
- if [ "$repo_sum" != "$local_sum" ]; then
- echo "Checksums do not match!"
- echo "Updating $rule_name..."
- cp $i $output_dir/$repo_name;
- ((updatecounter++))
+ # For existing rules, check to see if they need to be updated, by comparing checksums
+ if [ $existing_rules -gt 0 ];then
+ local_sum=$(sha256sum $output_dir/$repo_name/$rule_name | awk '{print $1}')
+ if [ "$repo_sum" != "$local_sum" ]; then
+ echo "Checksums do not match!"
+ echo "Updating $rule_name..."
+ cp $i $output_dir/$repo_name;
+ ((updatecounter++))
+ fi
+ else
+ # If rule doesn't exist already, we'll add it
+ echo "Adding new rule: $rule_name..."
+ cp $i $output_dir/$repo_name
+ ((newcounter++))
 fi
- else
- # If rule doesn't exist already, we'll add it
- echo "Adding new rule: $rule_name..."
- cp $i $output_dir/$repo_name
- ((newcounter++))
- fi
- fi;
- done
+ fi;
+ done
- # Check to see if we have any old rules that need to be removed
- for i in $(find $output_dir/$repo_name -name "*.yar*" | awk -F '/' '{print $NF}'); do
- is_repo_rule=$(find $clone_dir/$repo_name -name "$i" | wc -l)
- if [ $is_repo_rule -eq 0 ]; then
- echo "Could not find $i in source $repo_name repo...removing from $output_dir/$repo_name..."
- rm $output_dir/$repo_name/$i
- ((deletecounter++))
- fi
- done
- rm -rf $clone_dir/$repo_name
+ # Check to see if we have any old rules that need to be removed
+ for i in $(find $output_dir/$repo_name -name "*.yar*" | awk -F '/' '{print $NF}'); do
+ is_repo_rule=$(find $clone_dir/$repo_name -name "$i" | wc -l)
+ if [ $is_repo_rule -eq 0 ]; then
+ echo "Could not find $i in source $repo_name repo...removing from $output_dir/$repo_name..." 
+ rm $output_dir/$repo_name/$i
+ ((deletecounter++))
+ fi
+ done
+ rm -rf $clone_dir/$repo_name
+ fi
 done < $repos
 echo "Done!"
diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls
index 339b5d434..c4b5346ae 100644
--- a/salt/strelka/init.sls
+++ b/salt/strelka/init.sls
@@ -55,6 +55,12 @@ strelkarules:
 - source: salt://strelka/rules
 - user: 939
 - group: 939
+
+strelkarepos:
+ file.managed:
+ - name: /opt/so/saltstack/default/salt/strelka/rules/repos.txt
+ - source: salt://strelka/rules/repos.txt.jinja
+ - template: jinja
 {%- endif %}
diff --git a/salt/strelka/rules/repos.txt.jinja b/salt/strelka/rules/repos.txt.jinja
new file mode 100644
index 000000000..7d449f18d
--- /dev/null
+++ b/salt/strelka/rules/repos.txt.jinja
@@ -0,0 +1,4 @@
+# DO NOT EDIT THIS FILE! Strelka YARA rule repos are stored here from the strelka.repos pillar section
+{%- for repo in salt['pillar.get']('strelka:repos', {}) %}
+{{ repo }}
+{%- endfor %}
diff --git a/setup/so-functions b/setup/so-functions
index 78bde3a95..e723a89c8 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1260,6 +1260,8 @@ manager_global() {
 "strelka:"\
 " enabled: $STRELKA"\
 " rules: 1"\
+ " repos:"\
+ " - https://github.com/Neo23x0/signature-base"\
 "curator:"\
 " hot_warm: False"\
 "elastic:"\
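Review bot: `repo_name` is the last `/`-separated field of each pillar-supplied `$repo` and is used unquoted in `rm -rf $repo_name` at the top of the new `if` block and in `rm -rf $clone_dir/$repo_name` just before the new `fi`; an entry with a trailing slash, or a blank line that the new `^#` filter does not skip, leaves `repo_name` empty and, with `clone_dir="/tmp"` from the hunk header, the final removal becomes `rm -rf /tmp/`. Reject such entries before anything is cloned or removed, e.g. `[[ -n "$repo_name" && "$repo_name" != . && "$repo_name" != .. ]] || { echo "Skipping invalid repo entry: $repo" >&2; continue; }`, and write the deletions as `rm -rf -- "${clone_dir:?}/${repo_name:?}"`. The filter `if ! $(echo "$repo" | grep -qE '^#'); then` only works because bash reports the command substitution's exit status when the expansion leaves no command to run; `if [[ -z "$repo" || "$repo" == \#* ]]; then continue; fi` states the intent directly and also drops blank lines. The `if [ "$gh_status" ... ]` block enclosing the loop closes after the hunk.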
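Review bot: The new `strelkarepos` state sets no `user`, `group` or `mode`, while the `strelkarules` state directly above pins `user: 939` and `group: 939`; since repos.txt decides which remote repositories so-yara-update clones and copies into the Salt file root, its ownership and mode should be stated explicitly rather than left to Salt's defaults, e.g. `- user: 939`, `- group: 939`, `- mode: 644` (confirm 939 is the intended owner for this file). Note also that `salt://strelka/rules/repos.txt.jinja` lives inside the tree that `strelkarules` appears to source, so unless that state excludes `*.jinja` somewhere outside this hunk the raw template will be distributed alongside the rendered file.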
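Review bot: `salt['pillar.get']('strelka:repos', {})` defaults to a dict although the value written by so-functions in this same commit is a YAML list, so the default's type does not match what the loop iterates; `{%- for repo in salt['pillar.get']('strelka:repos', []) %}` keeps the same empty output with the matching type. The header comment refers to the `strelka.repos` pillar section while the key actually read is `strelka:repos`; spelling it the same way in the comment points operators at the right key.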
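Review bot: The default `repos` entry is a bare repository URL with no ref or commit pin, so the updater clones whatever that repository's current HEAD is on every run and copies the rules into the Salt file root under /opt/so/saltstack/default/salt/strelka/rules, from where they are presumably distributed to Strelka nodes; nothing in this commit records or verifies what was fetched. At minimum document that in the pillar written here, e.g. add `"  # repos are cloned unpinned at every update; review rule changes before relying on them"\` above `"  repos:"\`, so operators adding their own entries understand the trust they extend to each URL. `manager_global` begins and ends outside the hunk.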