Rule Updates

2025-12-06 09:12:45 +01:00 · 2023-05-26 15:16:14 -04:00
parent 8ce0d76287
commit b2d2a9f0ed
6 changed files with 41 additions and 19 deletions
--- a/salt/idstools/tools/sbin_jinja/so-rule-update
+++ b/salt/idstools/tools/sbin_jinja/so-rule-update
@@ -6,6 +6,8 @@
 {%- from 'idstools/map.jinja' import IDSTOOLSMERGED %}
 {%-   set proxy = salt['pillar.get']('manager:proxy') %}

+mkdir -p /nsm/rules/suricata
+
 # Download the rules from the internet
 {%- if GLOBALS.airgap != 'True' %}
 {%- if proxy %}
--- a/salt/strelka/config.sls
+++ b/salt/strelka/config.sls
@@ -43,14 +43,14 @@ strelka_sbin:
    - group: 939
    - file_mode: 755

-#strelka_sbin_jinja:
-#  file.recurse:
-#    - name: /usr/sbin
-#    - source: salt://strelka/tools/sbin_jinja
-#    - user: 939
-#    - group: 939 
-#    - file_mode: 755
-#    - template: jinja
+strelka_sbin_jinja:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://strelka/tools/sbin_jinja
+    - user: 939
+    - group: 939 
+    - file_mode: 755
+    - template: jinja

 {% else %}

--- a/salt/strelka/defaults.yaml
+++ b/salt/strelka/defaults.yaml
@@ -542,8 +542,7 @@ strelka:
    enabled: False
  rules:
    enabled: True
-    repos:
-      - https://github.com/Neo23x0/signature-base
+    repos: []
    excluded:
      - apt_flame2_orchestrator.yar
      - apt_tetris.yar
--- a/salt/strelka/tools/sbin_jinja/so-yara-update
+++ b/salt/strelka/tools/sbin_jinja/so-yara-update
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+. /usr/sbin/so-common
+
+{%- set proxy = salt['pillar.get']('manager:proxy') %}
+
+# Download the rules from the internet
+{%- if proxy %}
+export http_proxy={{ proxy }} 
+export https_proxy={{ proxy }} 
+export no_proxy= salt['pillar.get']('manager:no_proxy') 
+{%- endif %}
+
+mkdir -p /tmp/yara
+cd /tmp/yara
+git clone https://github.com/Security-Onion-Solutions/securityonion-yara.git
+mkdir -p /nsm/rules/yara
+rsync -shav --progress /tmp/yara/securityonion-yara/yara /nsm/rules/
+cd /tmp
+rm -rf /tmp/yara
+
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1523,15 +1523,9 @@ create_strelka_pillar() {
 		"strelka:"\
 		"  enabled: $STRELKA"\
 		"  rules: 1" > "$strelka_pillar_file"
-		if [[ $is_airgap ]]; then
 		printf '%s\n'\
 			"  repos:"\
-				"    - 'https://$HOSTNAME/repo/rules/strelka'" >> "$strelka_pillar_file"
-		else 
-			printf '%s\n'\
-				"  repos:"\
-				"    - 'https://github.com/Neo23x0/signature-base'" >> "$strelka_pillar_file"
-		fi
+			"    - 'https://$HOSTNAME:7788/yara'" >> "$strelka_pillar_file"
 }

 backup_pillar() {
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -644,6 +644,12 @@ if ! [[ -f $install_opt_file ]]; then
 		logCmd "salt-call state.apply -l info manager"
 		logCmd "salt-call state.apply influxdb -l info"
 		logCmd "salt-call state.highstate -l info"
+		if [[ ! $is_airgap ]]; then
+			title "Downloading IDS Rules"
+			logCmd "so-rule-update"
+			title "Downloading YARA rules"
+			logCmd "so-yara-update"
+		fi
 		title "Setting up Kibana Default Space"
 		logCmd "so-kibana-space-defaults"
 		add_web_user