From b2d2a9f0ed4a3425f89cef7aad34eac99ddaaaba Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 26 May 2023 15:16:14 -0400
Subject: [PATCH] Rule Updates
---
salt/idstools/tools/sbin_jinja/so-rule-update | 2 ++
salt/strelka/config.sls | 16 +++++++-------
salt/strelka/defaults.yaml | 3 +--
salt/strelka/tools/sbin_jinja/so-yara-update | 21 +++++++++++++++++++
setup/so-functions | 12 +++--------
setup/so-setup | 6 ++++++
6 files changed, 41 insertions(+), 19 deletions(-)
create mode 100644 salt/strelka/tools/sbin_jinja/so-yara-update
diff --git a/salt/idstools/tools/sbin_jinja/so-rule-update b/salt/idstools/tools/sbin_jinja/so-rule-update
index 7e08f0e6d..6ed4058f1 100755
--- a/salt/idstools/tools/sbin_jinja/so-rule-update
+++ b/salt/idstools/tools/sbin_jinja/so-rule-update
@@ -6,6 +6,8 @@
{%- from 'idstools/map.jinja' import IDSTOOLSMERGED %}
{%- set proxy = salt['pillar.get']('manager:proxy') %}
+mkdir -p /nsm/rules/suricata
+
# Download the rules from the internet
{%- if GLOBALS.airgap != 'True' %}
{%- if proxy %}
diff --git a/salt/strelka/config.sls b/salt/strelka/config.sls
index aa51e4b03..53afb0ea3 100644
--- a/salt/strelka/config.sls
+++ b/salt/strelka/config.sls
@@ -43,14 +43,14 @@ strelka_sbin:
- group: 939
- file_mode: 755
-#strelka_sbin_jinja:
-# file.recurse:
-# - name: /usr/sbin
-# - source: salt://strelka/tools/sbin_jinja
-# - user: 939
-# - group: 939
-# - file_mode: 755
-# - template: jinja
+strelka_sbin_jinja:
+ file.recurse:
+ - name: /usr/sbin
+ - source: salt://strelka/tools/sbin_jinja
+ - user: 939
+ - group: 939
+ - file_mode: 755
+ - template: jinja
{% else %}
diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml
index 2379bd012..d8b238b03 100644
--- a/salt/strelka/defaults.yaml
+++ b/salt/strelka/defaults.yaml
@@ -542,8 +542,7 @@ strelka:
enabled: False
rules:
enabled: True
- repos:
- - https://github.com/Neo23x0/signature-base
+ repos: []
excluded:
- apt_flame2_orchestrator.yar
- apt_tetris.yar
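Review bot: `repos: []` leaves the default with no rule source at all, while the `excluded:` list that follows still names files (`apt_flame2_orchestrator.yar`, `apt_tetris.yar`) that belonged to the signature-base repo this hunk drops, so a reader cannot tell whether those exclusions are now dead entries or are meant to apply to whatever repo the pillar supplies. A comment on the key would settle it, e.g. `# populated by the setup pillar (create_strelka_pillar in setup/so-functions); an empty list means no YARA rules are fetched`. Whether the excluded names also exist in the replacement repo is not something this diff shows.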
diff --git a/salt/strelka/tools/sbin_jinja/so-yara-update b/salt/strelka/tools/sbin_jinja/so-yara-update
new file mode 100644
index 000000000..cb1d8619e
--- /dev/null
+++ b/salt/strelka/tools/sbin_jinja/so-yara-update
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+. /usr/sbin/so-common
+
+{%- set proxy = salt['pillar.get']('manager:proxy') %}
+
+# Download the rules from the internet
+{%- if proxy %}
+export http_proxy={{ proxy }}
+export https_proxy={{ proxy }}
+export no_proxy= salt['pillar.get']('manager:no_proxy')
+{%- endif %}
+
+mkdir -p /tmp/yara
+cd /tmp/yara
+git clone https://github.com/Security-Onion-Solutions/securityonion-yara.git
+mkdir -p /nsm/rules/yara
+rsync -shav --progress /tmp/yara/securityonion-yara/yara /nsm/rules/
+cd /tmp
+rm -rf /tmp/yara
+
diff --git a/setup/so-functions b/setup/so-functions
index 09e219cfd..3e487abfe 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1523,15 +1523,9 @@ create_strelka_pillar() {
"strelka:"\
" enabled: $STRELKA"\
" rules: 1" > "$strelka_pillar_file"
- if [[ $is_airgap ]]; then
- printf '%s\n'\
- " repos:"\
- " - 'https://$HOSTNAME/repo/rules/strelka'" >> "$strelka_pillar_file"
- else
- printf '%s\n'\
- " repos:"\
- " - 'https://github.com/Neo23x0/signature-base'" >> "$strelka_pillar_file"
- fi
+ printf '%s\n'\
+ " repos:"\
+ " - 'https://$HOSTNAME:7788/yara'" >> "$strelka_pillar_file"
}
backup_pillar() {
diff --git a/setup/so-setup b/setup/so-setup
index 4b7ff4d67..36487b6bd 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -644,6 +644,12 @@ if ! [[ -f $install_opt_file ]]; then
logCmd "salt-call state.apply -l info manager"
logCmd "salt-call state.apply influxdb -l info"
logCmd "salt-call state.highstate -l info"
+ if [[ ! $is_airgap ]]; then
+ title "Downloading IDS Rules"
+ logCmd "so-rule-update"
+ title "Downloading YARA rules"
+ logCmd "so-yara-update"
+ fi
title "Setting up Kibana Default Space"
logCmd "so-kibana-space-defaults"
add_web_user
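Review bot: The `no_proxy` line `+export no_proxy= salt['pillar.get']('manager:no_proxy')` is not wrapped in `{{ }}`, so after Jinja rendering the shell sets `no_proxy` to an empty string and then tries to run `salt['pillar.get'](...)` as a command, where the `(` is a bash syntax error that stops the script before the clone whenever `manager:proxy` is set; it should read `export no_proxy={{ salt['pillar.get']('manager:no_proxy') }}`. The download itself has no error handling: there is no `set -e`, a failed `git clone` (including the case where a `/tmp/yara` left by an earlier run makes git refuse the non-empty target) still falls through to the rsync and the `rm -rf`, and a fixed, predictable name under world-writable /tmp is better replaced by `mktemp -d` with cleanup in a trap. The clone also tracks the branch head of securityonion-yara with no tag or commit pinned, so the rule set that lands in /nsm/rules/yara is not reproducible between installs; pinning a release, or verifying a signed tag, is worth considering for what is effectively detection content deployed as root. Unlike so-rule-update, which guards its download with `GLOBALS.airgap`, this script has no airgap check of its own and relies entirely on the caller in so-setup to skip it. `--progress` on rsync only adds terminal noise to logCmd output and can be dropped.
```shell
# … unchanged: shebang, so-common source, proxy pillar lookup …
{%- if proxy %}
export http_proxy={{ proxy }}
export https_proxy={{ proxy }}
export no_proxy={{ salt['pillar.get']('manager:no_proxy') }}
{%- endif %}

# Abort on the first failed command (placed after the so-common source line).
set -euo pipefail

# Private scratch directory instead of the fixed /tmp/yara: a leftover from a
# failed run would make git clone refuse the target, and a predictable name in
# a world-writable directory can be pre-created by another local user.
workdir=$(mktemp -d /tmp/yara.XXXXXX)
trap 'rm -rf "$workdir"' EXIT

# NOTE(review): this tracks the branch head; pin a tag or commit once one is chosen
git clone --depth 1 https://github.com/Security-Onion-Solutions/securityonion-yara.git "$workdir/securityonion-yara"
mkdir -p /nsm/rules/yara
rsync -shav "$workdir/securityonion-yara/yara" /nsm/rules/
```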
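Review bot: Every install now gets `repos: - 'https://$HOSTNAME:7788/yara'`, airgap included, but the only thing in this commit that populates that path is `so-yara-update`, and so-setup runs it under `if [[ ! $is_airgap ]]`; unless the ISO or another state fills /nsm/rules/yara on airgap managers, airgap nodes will point at an empty repo, whereas the removed `is_airgap` branch used to point them at `https://$HOSTNAME/repo/rules/strelka`. Nothing visible here configures a listener on port 7788 that serves /nsm/rules/yara either, so that must already exist elsewhere and is worth confirming. A one-line comment above the printf would save the next reader the search, e.g. `# served by the manager on 7788 from /nsm/rules/yara, populated by so-yara-update (see so-setup)`. create_strelka_pillar starts before the hunk.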
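Review bot: The new `logCmd "so-rule-update"` and `logCmd "so-yara-update"` calls assume the highstate just above has deployed both scripts to /usr/sbin (the YARA one only exists once the `strelka_sbin_jinja` recurse state this commit re-enables has run on this node), and whether a failed download aborts setup depends on how logCmd treats a non-zero exit, which is outside the hunk. If logCmd does not abort, a GitHub outage during setup leaves /nsm/rules/yara empty without the installer saying so; checking the exit status, or at least warning when the directory is still empty afterwards, would make that visible. The enclosing `if ! [[ -f $install_opt_file ]]` block starts before the hunk.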