CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Rule Updates

Browse Source
This commit is contained in:
Mike Reeves
2023-05-26 15:16:14 -04:00
parent 8ce0d76287
commit b2d2a9f0ed
6 changed files with 41 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
salt/idstools/tools/sbin_jinja/so-rule-update
View File

@@ -6,6 +6,8 @@
{%- from 'idstools/map.jinja' import IDSTOOLSMERGED %} {%- from 'idstools/map.jinja' import IDSTOOLSMERGED %}
{%- set proxy = salt['pillar.get']('manager:proxy') %} {%- set proxy = salt['pillar.get']('manager:proxy') %}
mkdir -p /nsm/rules/suricata
# Download the rules from the internet # Download the rules from the internet
{%- if GLOBALS.airgap != 'True' %} {%- if GLOBALS.airgap != 'True' %}
{%- if proxy %} {%- if proxy %}

16
salt/strelka/config.sls
View File

@@ -43,14 +43,14 @@ strelka_sbin:
- group: 939 - group: 939
- file_mode: 755 - file_mode: 755
#strelka_sbin_jinja: strelka_sbin_jinja:
# file.recurse: file.recurse:
# - name: /usr/sbin - name: /usr/sbin
# - source: salt://strelka/tools/sbin_jinja - source: salt://strelka/tools/sbin_jinja
# - user: 939 - user: 939
# - group: 939 - group: 939
# - file_mode: 755 - file_mode: 755
# - template: jinja - template: jinja
{% else %} {% else %}

3
salt/strelka/defaults.yaml
View File

@@ -542,8 +542,7 @@ strelka:
enabled: False enabled: False
rules: rules:
enabled: True enabled: True
repos: repos: []
- https://github.com/Neo23x0/signature-base
excluded: excluded:
- apt_flame2_orchestrator.yar - apt_flame2_orchestrator.yar
- apt_tetris.yar - apt_tetris.yar

21
salt/strelka/tools/sbin_jinja/so-yara-update Normal file
View File

@@ -0,0 +1,21 @@
#!/bin/bash
. /usr/sbin/so-common
{%- set proxy = salt['pillar.get']('manager:proxy') %}
# Download the rules from the internet
{%- if proxy %}
export http_proxy={{ proxy }}
export https_proxy={{ proxy }}
export no_proxy= salt['pillar.get']('manager:no_proxy')
{%- endif %}
mkdir -p /tmp/yara
cd /tmp/yara
git clone https://github.com/Security-Onion-Solutions/securityonion-yara.git
mkdir -p /nsm/rules/yara
rsync -shav --progress /tmp/yara/securityonion-yara/yara /nsm/rules/
cd /tmp
rm -rf /tmp/yara

12
setup/so-functions
View File

@@ -1523,15 +1523,9 @@ create_strelka_pillar() {
"strelka:"\ "strelka:"\
" enabled: $STRELKA"\ " enabled: $STRELKA"\
" rules: 1" > "$strelka_pillar_file" " rules: 1" > "$strelka_pillar_file"
if [[ $is_airgap ]]; then printf '%s\n'\
printf '%s\n'\ " repos:"\
" repos:"\ " - 'https://$HOSTNAME:7788/yara'" >> "$strelka_pillar_file"
" - 'https://$HOSTNAME/repo/rules/strelka'" >> "$strelka_pillar_file"
else
printf '%s\n'\
" repos:"\
" - 'https://github.com/Neo23x0/signature-base'" >> "$strelka_pillar_file"
fi
} }
backup_pillar() { backup_pillar() {

6
setup/so-setup
View File

@@ -644,6 +644,12 @@ if ! [[ -f $install_opt_file ]]; then
logCmd "salt-call state.apply -l info manager" logCmd "salt-call state.apply -l info manager"
logCmd "salt-call state.apply influxdb -l info" logCmd "salt-call state.apply influxdb -l info"
logCmd "salt-call state.highstate -l info" logCmd "salt-call state.highstate -l info"
if [[ ! $is_airgap ]]; then
title "Downloading IDS Rules"
logCmd "so-rule-update"
title "Downloading YARA rules"
logCmd "so-yara-update"
fi
title "Setting up Kibana Default Space" title "Setting up Kibana Default Space"
logCmd "so-kibana-space-defaults" logCmd "so-kibana-space-defaults"
add_web_user add_web_user