From 58343e39fa869cf5471a34e218a0bb2fd41c3d7c Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Fri, 10 Mar 2023 17:32:14 -0500 Subject: [PATCH 1/5] 2.4 strelka --- .../files/so-yara-update.jinja} | 39 +- salt/manager/init.sls | 15 + salt/strelka/defaults.yaml | 554 +++++++++++++++++- salt/strelka/filecheck/defaults.yaml | 4 + salt/strelka/filecheck/filecheck.yaml | 10 - salt/strelka/filecheck/filecheck.yaml.jinja | 1 + salt/strelka/filecheck/map.jinja | 12 + salt/strelka/files/backend/backend.yaml | 420 ------------- salt/strelka/files/backend/backend.yaml.jinja | 1 + salt/strelka/files/backend/logging.yaml | 78 --- salt/strelka/files/backend/logging.yaml.jinja | 1 + salt/strelka/files/backend/passwords.dat | 2 - .../strelka/files/backend/passwords.dat.jinja | 1 + salt/strelka/files/filestream/filestream.yaml | 26 - .../files/filestream/filestream.yaml.jinja | 1 + salt/strelka/files/frontend/frontend.yaml | 16 - .../files/frontend/frontend.yaml.jinja | 1 + salt/strelka/files/manager/manager.yaml | 9 - salt/strelka/files/manager/manager.yaml.jinja | 1 + salt/strelka/init.sls | 98 +++- salt/strelka/map.jinja | 20 + 21 files changed, 706 insertions(+), 604 deletions(-) rename salt/{common/tools/sbin/so-yara-update => manager/files/so-yara-update.jinja} (70%) create mode 100644 salt/strelka/filecheck/defaults.yaml delete mode 100644 salt/strelka/filecheck/filecheck.yaml create mode 100644 salt/strelka/filecheck/filecheck.yaml.jinja create mode 100644 salt/strelka/filecheck/map.jinja delete mode 100644 salt/strelka/files/backend/backend.yaml create mode 100644 salt/strelka/files/backend/backend.yaml.jinja delete mode 100644 salt/strelka/files/backend/logging.yaml create mode 100644 salt/strelka/files/backend/logging.yaml.jinja delete mode 100644 salt/strelka/files/backend/passwords.dat create mode 100644 salt/strelka/files/backend/passwords.dat.jinja delete mode 100644 salt/strelka/files/filestream/filestream.yaml create mode 100644 salt/strelka/files/filestream/filestream.yaml.jinja delete mode 100644 
salt/strelka/files/frontend/frontend.yaml create mode 100644 salt/strelka/files/frontend/frontend.yaml.jinja delete mode 100644 salt/strelka/files/manager/manager.yaml create mode 100644 salt/strelka/files/manager/manager.yaml.jinja create mode 100644 salt/strelka/map.jinja diff --git a/salt/common/tools/sbin/so-yara-update b/salt/manager/files/so-yara-update.jinja similarity index 70% rename from salt/common/tools/sbin/so-yara-update rename to salt/manager/files/so-yara-update.jinja index b4e83a172..ea07f72e4 100755 --- a/salt/common/tools/sbin/so-yara-update +++ b/salt/manager/files/so-yara-update.jinja @@ -5,14 +5,15 @@ # Elastic License 2.0. -{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} - echo "Starting to check for yara rule updates at $(date)..." output_dir="/opt/so/saltstack/default/salt/strelka/rules" mkdir -p $output_dir repos="$output_dir/repos.txt" newcounter=0 +excludedcounter=0 +excluded_rules=({{ EXCLUDEDRULES | join(' ') }}) + {% if ISAIRGAP is sameas true %} 
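Review bot: The added `excluded_rules=({{ EXCLUDEDRULES | join(' ') }})` builds the array from unquoted words, so a rule name containing whitespace or shell glob characters would be word-split or expanded at run time rather than stored as given. The list is admin-supplied pillar data, so the exposure is low, but quoting each element keeps the array exactly what the pillar says: `excluded_rules=({% for r in EXCLUDEDRULES %}'{{ r }}' {% endfor %})`. The `{% if ISAIRGAP is sameas true %}` test now depends only on the value handed in through `defaults:` in salt/manager/init.sls, since the pillar lookup it replaced is removed; the body of that `if` lies in the next hunk.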
@@ -20,22 +21,29 @@ echo "Airgap mode enabled." clone_dir="/nsm/repo/rules/strelka" repo_name="signature-base" -mkdir -p /opt/so/saltstack/default/salt/strelka/rules/signature-base +[ -d $output_dir/$repo_name ] && rm -rf $output_dir/$repo_name +mkdir -p mkdir -p $output_dir/$repo_name # Ensure a copy of the license is available for the rules [ -f $clone_dir/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name # Copy over rules for i in $(find $clone_dir/yara -name "*.yar*"); do rule_name=$(echo $i | awk -F '/' '{print $NF}') - echo "Adding rule: $rule_name..." - cp $i $output_dir/$repo_name - ((newcounter++)) + if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then + echo "Adding rule: $rule_name..." + cp $i $output_dir/$repo_name + ((newcounter++)) + else + echo "Excluding rule: $rule_name..." + ((excludedcounter++)) + fi done echo "Done!" -if [ "$newcounter" -gt 0 ];then +if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then echo "$newcounter rules added." + echo "$excludedcounter rule(s) excluded." fi {% else %} @@ -60,9 +68,15 @@ if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then # Copy over rules for i in $(find $clone_dir/$repo_name -name "*.yar*"); do rule_name=$(echo $i | awk -F '/' '{print $NF}') - echo "Adding rule: $rule_name..." - cp $i $output_dir/$repo_name - ((newcounter++)) + + if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then + echo "Adding rule: $rule_name..." + cp $i $output_dir/$repo_name + ((newcounter++)) + else + echo "Excluding rule: $rule_name..." + ((excludedcounter++)) + fi done rm -rf $clone_dir/$repo_name fi @@ -70,8 +84,9 @@ if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then echo "Done!" - if [ "$newcounter" -gt 0 ];then - echo "$newcounter rules added." + if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then + echo "$newcounter rule(s) added." + echo "$excludedcounter rule(s) excluded." fi else 
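Review bot: In the added `if [[ ! "${excluded_rules}" =~ ${rule_name} ]]` test, `"${excluded_rules}"` expands to only the first array element, so with the three-entry default list in salt/strelka/defaults.yaml only the first rule is ever excluded, and `=~` treats `rule_name` as an unanchored regex, so a rule whose name is a substring of an excluded one, or contains metacharacters such as `.`, is matched loosely. An exact membership check fixes both: `if [[ " ${excluded_rules[*]} " != *" ${rule_name} "* ]]; then`. The same test is added in the hunk at -60,9 and needs the same change. Separately, the added `mkdir -p mkdir -p $output_dir/$repo_name` passes `mkdir` as a second operand and so creates a stray `mkdir` directory in the working directory; it should read `mkdir -p $output_dir/$repo_name`.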
diff --git a/salt/manager/init.sls b/salt/manager/init.sls index c1062e8ae..5f2b0005a 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -5,6 +5,9 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'strelka/map.jinja' import STRELKAMERGED %} + include: - salt.minion - kibana.secrets @@ -20,6 +23,18 @@ socore_own_saltstack: - user - group +yara_update_script: + file.managed: + - name: /usr/sbin/so-yara-update + - source: salt://manager/files/so-yara-update.jinja + - user: root + - group: root + - mode: 755 + - template: jinja + - defaults: + ISAIRGAP: {{ GLOBALS.airgap }} + EXCLUDEDRULES: {{ STRELKAMERGED.excluded_rules }} + strelka_yara_update: cron.present: - user: root diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml index 792431dc6..12f0edda3 100644 --- a/salt/strelka/defaults.yaml +++ b/salt/strelka/defaults.yaml 
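Review bot: `EXCLUDEDRULES: {{ STRELKAMERGED.excluded_rules }}` in the new `yara_update_script` state relies on Jinja's default `str()` rendering of a Python object being valid YAML; that holds for the plain names shown here, but the same pattern in salt/strelka/init.sls (`BACKENDCONFIG`, `LOGGINGCONFIG`, `PASSWORDS`, `FILESTREAMCONFIG`, `FRONTENDCONFIG`, `MANAGERCONFIG`, `FILECHECKCONFIG`) does not. The ScanIni value `filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$'` in defaults.yaml contains a backslash, which the repr doubles inside single quotes and which a YAML single-quoted scalar then keeps literally, so the rendered backend.yaml ends up with `\\.` and the ScanIni filename match no longer fires — if I am reading the render path correctly, worth confirming on the generated file. Serializing explicitly avoids the guesswork, since JSON is valid YAML flow and its double-quoted escapes round-trip: `EXCLUDEDRULES: {{ STRELKAMERGED.excluded_rules | json }}`, and likewise `| json` on each of the states named above.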
@@ -1,5 +1,557 @@ strelka: - ignore: + config: + backend: + backend: + logging_cfg: '/etc/strelka/logging.yaml' + limits: + max_files: 0 + time_to_live: 0 + max_depth: 15 + distribution: 600 + scanner: 150 + coordinator: + addr: 'HOST:6380' + db: 0 + tasting: + mime_db: '' + yara_rules: '/etc/strelka/taste/' + scanners: + 'ScanBase64': + - positive: + filename: '^base64_' + priority: 5 + 'ScanBatch': + - positive: + flavors: + - 'text/x-msdos-batch' + - 'batch_file' + priority: 5 + 'ScanBzip2': + - positive: + flavors: + - 'application/x-bzip2' + - 'bzip2_file' + priority: 5 + 'ScanDocx': + - positive: + flavors: + - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' + priority: 5 + options: + extract_text: False + 'ScanElf': + - positive: + flavors: + - 'application/x-object' + - 'application/x-executable' + - 'application/x-sharedlib' + - 'application/x-coredump' + - 'elf_file' + priority: 5 + 'ScanEmail': + - positive: + flavors: + - 'application/vnd.ms-outlook' + - 'message/rfc822' + - 'email_file' + priority: 5 + 'ScanEntropy': + - positive: + flavors: + - '*' + priority: 5 + 'ScanExiftool': + - positive: + flavors: + - 'application/msword' + - 'application/vnd.openxmlformats-officedocument' + - 'application/vnd.openxmlformats-officedocument.presentationml.presentation' + - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' + - 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' + - 'olecf_file' + - 'ooxml_file' + - 'audio/mpeg' + - 'mp3_file' + - 'mhtml_file' + - 'application/pdf' + - 'pdf_file' + - 'text/rtf' + - 'rtf_file' + - 'wordml_file' + - 'application/x-dosexec' + - 'mz_file' + - 'application/x-object' + - 'application/x-executable' + - 'application/x-sharedlib' + - 'application/x-coredump' + - 'elf_file' + - 'lnk_file' + - 'application/x-mach-binary' + - 'macho_file' + - 'image/gif' + - 'gif_file' + - 'image/jpeg' + - 'jpeg_file' + - 'image/png' + - 'png_file' + - 'image/tiff' + - 
'type_is_tiff' + - 'image/x-ms-bmp' + - 'bmp_file' + - 'application/x-shockwave-flash' + - 'fws_file' + - 'psd_file' + - 'video/mp4' + - 'video/quicktime' + - 'video/x-msvideo' + - 'avi_file' + - 'video/x-ms-wmv' + - 'wmv_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanGif': + - positive: + flavors: + - 'image/gif' + - 'gif_file' + priority: 5 + 'ScanGzip': + - positive: + flavors: + - 'application/gzip' + - 'application/x-gzip' + - 'gzip_file' + priority: 5 + 'ScanHash': + - positive: + flavors: + - '*' + priority: 5 + 'ScanHeader': + - positive: + flavors: + - '*' + priority: 5 + options: + length: 50 + 'ScanHtml': + - positive: + flavors: + - 'hta_file' + - 'text/html' + - 'html_file' + priority: 5 + options: + parser: "html5lib" + 'ScanIni': + - positive: + filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$' + flavors: + - 'ini_file' + priority: 5 + 'ScanJarManifest': + - positive: + flavors: + - 'jar_manifest_file' + priority: 5 + 'ScanJavascript': + - negative: + flavors: + - 'text/html' + - 'html_file' + positive: + flavors: + - 'javascript_file' + - 'text/javascript' + priority: 5 + options: + beautify: True + 'ScanJpeg': + - positive: + flavors: + - 'image/jpeg' + - 'jpeg_file' + priority: 5 + 'ScanJson': + - positive: + flavors: + - 'application/json' + - 'json_file' + priority: 5 + 'ScanLibarchive': + - positive: + flavors: + - 'application/vnd.ms-cab-compressed' + - 'cab_file' + - 'application/x-7z-compressed' + - '_7zip_file' + - 'application/x-cpio' + - 'cpio_file' + - 'application/x-xar' + - 'xar_file' + - 'arj_file' + - 'iso_file' + - 'application/x-debian-package' + - 'debian_package_file' + priority: 5 + options: + limit: 1000 + 'ScanLzma': + - positive: + flavors: + - 'application/x-lzma' + - 'lzma_file' + - 'application/x-xz' + - 'xz_file' + priority: 5 + 'ScanMacho': + - positive: + flavors: + - 'application/x-mach-binary' + - 'macho_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanOcr': + - positive: + 
flavors: + - 'image/jpeg' + - 'jpeg_file' + - 'image/png' + - 'png_file' + - 'image/tiff' + - 'type_is_tiff' + - 'image/x-ms-bmp' + - 'bmp_file' + priority: 5 + options: + extract_text: False + tmp_directory: '/dev/shm/' + 'ScanOle': + - positive: + flavors: + - 'application/CDFV2' + - 'application/msword' + - 'olecf_file' + priority: 5 + 'ScanPdf': + - positive: + flavors: + - 'application/pdf' + - 'pdf_file' + priority: 5 + options: + extract_text: False + limit: 2000 + 'ScanPe': + - positive: + flavors: + - 'application/x-dosexec' + - 'mz_file' + priority: 5 + 'ScanPgp': + - positive: + flavors: + - 'application/pgp-keys' + - 'pgp_file' + priority: 5 + 'ScanPhp': + - positive: + flavors: + - 'text/x-php' + - 'php_file' + priority: 5 + 'ScanPkcs7': + - positive: + flavors: + - 'pkcs7_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanPlist': + - positive: + flavors: + - 'bplist_file' + - 'plist_file' + priority: 5 + options: + keys: + - 'KeepAlive' + - 'Label' + - 'NetworkState' + - 'Program' + - 'ProgramArguments' + - 'RunAtLoad' + - 'StartInterval' + 'ScanRar': + - positive: + flavors: + - 'application/x-rar' + - 'rar_file' + priority: 5 + options: + limit: 1000 + 'ScanRpm': + - positive: + flavors: + - 'application/x-rpm' + - 'rpm_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanRtf': + - positive: + flavors: + - 'text/rtf' + - 'rtf_file' + priority: 5 + options: + limit: 1000 + 'ScanRuby': + - positive: + flavors: + - 'text/x-ruby' + priority: 5 + 'ScanSwf': + - positive: + flavors: + - 'application/x-shockwave-flash' + - 'fws_file' + - 'cws_file' + - 'zws_file' + priority: 5 + 'ScanTar': + - positive: + flavors: + - 'application/x-tar' + - 'tar_file' + priority: 5 + options: + limit: 1000 + 'ScanTnef': + - positive: + flavors: + - 'application/vnd.ms-tnef' + - 'tnef_file' + priority: 5 + 'ScanUpx': + - positive: + flavors: + - 'upx_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanUrl': + - negative: + 
flavors: + - 'javascript_file' + positive: + flavors: + - 'text/plain' + priority: 5 + 'ScanVb': + - positive: + flavors: + - 'vb_file' + - 'vbscript' + priority: 5 + 'ScanVba': + - positive: + flavors: + - 'mhtml_file' + - 'application/msword' + - 'olecf_file' + - 'wordml_file' + priority: 5 + options: + analyze_macros: True + 'ScanX509': + - positive: + flavors: + - 'x509_der_file' + priority: 5 + options: + type: 'der' + - positive: + flavors: + - 'x509_pem_file' + priority: 5 + options: + type: 'pem' + 'ScanXml': + - positive: + flavors: + - 'application/xml' + - 'text/xml' + - 'xml_file' + - 'mso_file' + - 'soap_file' + priority: 5 + 'ScanYara': + - positive: + flavors: + - '*' + priority: 5 + options: + location: '/etc/yara/' + 'ScanZip': + - positive: + flavors: + - 'application/java-archive' + - 'application/zip' + - 'zip_file' + - 'application/vnd.openxmlformats-officedocument' + - 'application/vnd.openxmlformats-officedocument.presentationml.presentation' + - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' + - 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' + - 'ooxml_file' + priority: 5 + options: + limit: 1000 + password_file: '/etc/strelka/passwords.dat' + 'ScanZlib': + - positive: + flavors: + - 'application/zlib' + - 'zlib_file' + priority: 5 + logging: + version: 1 + formatters: + simple: + format: '%(asctime)s - [%(levelname)s] %(name)s [%(module)s.%(funcName)s]: %(message)s' + datefmt: '%Y-%m-%d %H:%M:%S' + handlers: + console: + class: logging.StreamHandler + formatter: simple + stream: ext://sys.stdout + root: + level: DEBUG + handlers: [console] + loggers: + OpenSSL: + propagate: 0 + bs4: + propagate: 0 + bz2: + propagate: 0 + chardet: + propagate: 0 + docx: + propagate: 0 + elftools: + propagate: 0 + email: + propagate: 0 + entropy: + propagate: 0 + esprima: + propagate: 0 + gzip: + propagate: 0 + hashlib: + propagate: 0 + json: + propagate: 0 + libarchive: + propagate: 0 + lxml: + propagate: 0 + 
lzma: + propagate: 0 + macholibre: + propagate: 0 + olefile: + propagate: 0 + oletools: + propagate: 0 + pdfminer: + propagate: 0 + pefile: + propagate: 0 + pgpdump: + propagate: 0 + pygments: + propagate: 0 + pylzma: + propagate: 0 + rarfile: + propagate: 0 + requests: + propagate: 0 + rpmfile: + propagate: 0 + ssdeep: + propagate: 0 + tarfile: + propagate: 0 + tnefparse: + propagate: 0 + yara: + propagate: 0 + zipfile: + propagate: 0 + zlib: + propagate: 0 + passwords: + - infected + - password + filestream: + conn: + server: 'HOST:57314' + cert: '' + timeout: + dial: 5s + file: 1m + throughput: + concurrency: 8 + chunk: 32768 + delay: 0s + files: + patterns: + - '/nsm/strelka/unprocessed/*' + delete: false + gatekeeper: true + processed: '/nsm/strelka/processed' + response: + report: 5s + delta: 5s + staging: '/nsm/strelka/staging' + frontend: + server: ":57314" + coordinator: + addr: 'HOST:6380' + db: 0 + gatekeeper: + addr: 'HOST:6381' + db: 0 + ttl: 1h + response: + log: "/var/log/strelka/strelka.log" + manager: + coordinator: + addr: 'HOST:6380' + db: 0 + + + + + + + + + + + + + + + + + + excluded_rules: - apt_flame2_orchestrator.yar - apt_tetris.yar - gen_susp_js_obfuscatorio.yar diff --git a/salt/strelka/filecheck/defaults.yaml b/salt/strelka/filecheck/defaults.yaml new file mode 100644 index 000000000..6f45954d6 --- /dev/null +++ b/salt/strelka/filecheck/defaults.yaml @@ -0,0 +1,4 @@ +filecheck: + historypath: '/nsm/strelka/history/' + strelkapath: '/nsm/strelka/unprocessed/' + logfile: '/opt/so/log/strelka/filecheck.log' diff --git a/salt/strelka/filecheck/filecheck.yaml b/salt/strelka/filecheck/filecheck.yaml deleted file mode 100644 index 1c156fc3d..000000000 --- a/salt/strelka/filecheck/filecheck.yaml +++ /dev/null 
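Review bot: `mime_db: ''` under `tasting` changes the value the deleted backend.yaml carried (`mime_db: null`); if that was done so the value survives being rendered through a `defaults:` mapping, where a Python `None` would arrive as the string `None`, a comment saying so would help, and it is worth confirming the backend treats an empty string the same as an unset path. The long run of empty `+` lines before `excluded_rules:` should collapse to a single blank line. The `'HOST:6380'` / `'HOST:57314'` placeholders are presumably substituted in salt/strelka/map.jinja, which this patch adds but which is cut off here; a one-line comment above `config:` naming where `HOST` is replaced would save the next reader the search. The moved scanner options keep Python-style `True`/`False` while the new `filestream.files` keys use `false`/`true`; both parse, but the file now mixes the two forms.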
@@ -1,10 +0,0 @@
-{%- set ENGINE = salt['pillar.get']('global:mdengine', '') %}
-filecheck:
- {%- if ENGINE == "SURICATA" %}
- extract_path: '/nsm/suricata/extracted'
- {%- else %}
- extract_path: '/nsm/zeek/extracted/complete'
- {%- endif %}
- historypath: '/nsm/strelka/history/'
- strelkapath: '/nsm/strelka/unprocessed/'
- logfile: '/opt/so/log/strelka/filecheck.log'
diff --git a/salt/strelka/filecheck/filecheck.yaml.jinja b/salt/strelka/filecheck/filecheck.yaml.jinja
new file mode 100644
index 000000000..95c5abab2
--- /dev/null
+++ b/salt/strelka/filecheck/filecheck.yaml.jinja
@@ -0,0 +1 @@
+{{ FILECHECKCONFIG | yaml(false) }}
diff --git a/salt/strelka/filecheck/map.jinja b/salt/strelka/filecheck/map.jinja
new file mode 100644
index 000000000..670136b45
--- /dev/null
+++ b/salt/strelka/filecheck/map.jinja
@@ -0,0 +1,12 @@
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% import_yaml 'strelka/filecheck/defaults.yaml' as FILECHECKDEFAULTS %}
+
+{% if GLOBALS.md_engine == "SURICATA" %}
+{% set extract_path = '/nsm/suricata/extracted' %}
+{% set filecheck_runas = 'suricata' %}
+{% else %}
+{% set extract_path = '/nsm/zeek/extracted/complete' %}
+{% set filecheck_runas = 'socore' %}
+{% endif %}
+
+{% do FILECHECKDEFAULTS.filecheck.update({'extract_path': extract_path}) %}
diff --git a/salt/strelka/files/backend/backend.yaml b/salt/strelka/files/backend/backend.yaml
deleted file mode 100644
index db6ce0560..000000000
--- a/salt/strelka/files/backend/backend.yaml
+++ /dev/null
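Review bot: `FILECHECKDEFAULTS` in the new map.jinja is taken straight from `import_yaml` and mutated with `do ...update`, but nothing here merges pillar over it the way `STRELKAMERGED` suggests the strelka config is merged, so `historypath`, `strelkapath` and `logfile` cannot be overridden per host. If that is intended, a one-line comment above the `import_yaml` stating it would help; otherwise a pillar merge step belongs here before the `update`. The `GLOBALS.md_engine == "SURICATA"` comparison is case-sensitive, and any other value, including an unset one, silently selects the zeek path and `socore`, which matches the deleted filecheck.yaml but is worth a comment now that the decision lives in a shared map.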
@@ -1,420 +0,0 @@ -{%- if grains.role in ['so-sensor', 'so-heavynode'] -%} - {%- set mainint = salt['pillar.get']('host:mainint') %} - {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} -{%- else %} - {%- set ip = salt['pillar.get']('global:managerip') %} -{%- endif -%} -logging_cfg: '/etc/strelka/logging.yaml' -limits: - max_files: 0 - time_to_live: 0 - max_depth: 15 - distribution: 600 - scanner: 150 -coordinator: - addr: '{{ ip }}:6380' - db: 0 -tasting: - mime_db: null - yara_rules: '/etc/strelka/taste/' -scanners: - 'ScanBase64': - - positive: - filename: '^base64_' - priority: 5 - 'ScanBatch': - - positive: - flavors: - - 'text/x-msdos-batch' - - 'batch_file' - priority: 5 - 'ScanBzip2': - - positive: - flavors: - - 'application/x-bzip2' - - 'bzip2_file' - priority: 5 - 'ScanDocx': - - positive: - flavors: - - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' - priority: 5 - options: - extract_text: False - 'ScanElf': - - positive: - flavors: - - 'application/x-object' - - 'application/x-executable' - - 'application/x-sharedlib' - - 'application/x-coredump' - - 'elf_file' - priority: 5 - 'ScanEmail': - - positive: - flavors: - - 'application/vnd.ms-outlook' - - 'message/rfc822' - - 'email_file' - priority: 5 - 'ScanEntropy': - - positive: - flavors: - - '*' - priority: 5 - 'ScanExiftool': - - positive: - flavors: - - 'application/msword' - - 'application/vnd.openxmlformats-officedocument' - - 'application/vnd.openxmlformats-officedocument.presentationml.presentation' - - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' - - 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' - - 'olecf_file' - - 'ooxml_file' - - 'audio/mpeg' - - 'mp3_file' - - 'mhtml_file' - - 'application/pdf' - - 'pdf_file' - - 'text/rtf' - - 'rtf_file' - - 'wordml_file' - - 'application/x-dosexec' - - 'mz_file' - - 'application/x-object' - - 'application/x-executable' - - 'application/x-sharedlib' - - 
'application/x-coredump' - - 'elf_file' - - 'lnk_file' - - 'application/x-mach-binary' - - 'macho_file' - - 'image/gif' - - 'gif_file' - - 'image/jpeg' - - 'jpeg_file' - - 'image/png' - - 'png_file' - - 'image/tiff' - - 'type_is_tiff' - - 'image/x-ms-bmp' - - 'bmp_file' - - 'application/x-shockwave-flash' - - 'fws_file' - - 'psd_file' - - 'video/mp4' - - 'video/quicktime' - - 'video/x-msvideo' - - 'avi_file' - - 'video/x-ms-wmv' - - 'wmv_file' - priority: 5 - options: - tmp_directory: '/dev/shm/' - 'ScanGif': - - positive: - flavors: - - 'image/gif' - - 'gif_file' - priority: 5 - 'ScanGzip': - - positive: - flavors: - - 'application/gzip' - - 'application/x-gzip' - - 'gzip_file' - priority: 5 - 'ScanHash': - - positive: - flavors: - - '*' - priority: 5 - 'ScanHeader': - - positive: - flavors: - - '*' - priority: 5 - options: - length: 50 - 'ScanHtml': - - positive: - flavors: - - 'hta_file' - - 'text/html' - - 'html_file' - priority: 5 - options: - parser: "html5lib" - 'ScanIni': - - positive: - filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$' - flavors: - - 'ini_file' - priority: 5 - 'ScanJarManifest': - - positive: - flavors: - - 'jar_manifest_file' - priority: 5 - 'ScanJavascript': - - negative: - flavors: - - 'text/html' - - 'html_file' - positive: - flavors: - - 'javascript_file' - - 'text/javascript' - priority: 5 - options: - beautify: True - 'ScanJpeg': - - positive: - flavors: - - 'image/jpeg' - - 'jpeg_file' - priority: 5 - 'ScanJson': - - positive: - flavors: - - 'application/json' - - 'json_file' - priority: 5 - 'ScanLibarchive': - - positive: - flavors: - - 'application/vnd.ms-cab-compressed' - - 'cab_file' - - 'application/x-7z-compressed' - - '_7zip_file' - - 'application/x-cpio' - - 'cpio_file' - - 'application/x-xar' - - 'xar_file' - - 'arj_file' - - 'iso_file' - - 'application/x-debian-package' - - 'debian_package_file' - priority: 5 - options: - limit: 1000 - 'ScanLzma': - - positive: - flavors: - - 'application/x-lzma' - - 'lzma_file' - - 
'application/x-xz' - - 'xz_file' - priority: 5 - 'ScanMacho': - - positive: - flavors: - - 'application/x-mach-binary' - - 'macho_file' - priority: 5 - options: - tmp_directory: '/dev/shm/' - 'ScanOcr': - - positive: - flavors: - - 'image/jpeg' - - 'jpeg_file' - - 'image/png' - - 'png_file' - - 'image/tiff' - - 'type_is_tiff' - - 'image/x-ms-bmp' - - 'bmp_file' - priority: 5 - options: - extract_text: False - tmp_directory: '/dev/shm/' - 'ScanOle': - - positive: - flavors: - - 'application/CDFV2' - - 'application/msword' - - 'olecf_file' - priority: 5 - 'ScanPdf': - - positive: - flavors: - - 'application/pdf' - - 'pdf_file' - priority: 5 - options: - extract_text: False - limit: 2000 - 'ScanPe': - - positive: - flavors: - - 'application/x-dosexec' - - 'mz_file' - priority: 5 - 'ScanPgp': - - positive: - flavors: - - 'application/pgp-keys' - - 'pgp_file' - priority: 5 - 'ScanPhp': - - positive: - flavors: - - 'text/x-php' - - 'php_file' - priority: 5 - 'ScanPkcs7': - - positive: - flavors: - - 'pkcs7_file' - priority: 5 - options: - tmp_directory: '/dev/shm/' - 'ScanPlist': - - positive: - flavors: - - 'bplist_file' - - 'plist_file' - priority: 5 - options: - keys: - - 'KeepAlive' - - 'Label' - - 'NetworkState' - - 'Program' - - 'ProgramArguments' - - 'RunAtLoad' - - 'StartInterval' - 'ScanRar': - - positive: - flavors: - - 'application/x-rar' - - 'rar_file' - priority: 5 - options: - limit: 1000 - 'ScanRpm': - - positive: - flavors: - - 'application/x-rpm' - - 'rpm_file' - priority: 5 - options: - tmp_directory: '/dev/shm/' - 'ScanRtf': - - positive: - flavors: - - 'text/rtf' - - 'rtf_file' - priority: 5 - options: - limit: 1000 - 'ScanRuby': - - positive: - flavors: - - 'text/x-ruby' - priority: 5 - 'ScanSwf': - - positive: - flavors: - - 'application/x-shockwave-flash' - - 'fws_file' - - 'cws_file' - - 'zws_file' - priority: 5 - 'ScanTar': - - positive: - flavors: - - 'application/x-tar' - - 'tar_file' - priority: 5 - options: - limit: 1000 - 'ScanTnef': - - 
positive: - flavors: - - 'application/vnd.ms-tnef' - - 'tnef_file' - priority: 5 - 'ScanUpx': - - positive: - flavors: - - 'upx_file' - priority: 5 - options: - tmp_directory: '/dev/shm/' - 'ScanUrl': - - negative: - flavors: - - 'javascript_file' - positive: - flavors: - - 'text/plain' - priority: 5 - 'ScanVb': - - positive: - flavors: - - 'vb_file' - - 'vbscript' - priority: 5 - 'ScanVba': - - positive: - flavors: - - 'mhtml_file' - - 'application/msword' - - 'olecf_file' - - 'wordml_file' - priority: 5 - options: - analyze_macros: True - 'ScanX509': - - positive: - flavors: - - 'x509_der_file' - priority: 5 - options: - type: 'der' - - positive: - flavors: - - 'x509_pem_file' - priority: 5 - options: - type: 'pem' - 'ScanXml': - - positive: - flavors: - - 'application/xml' - - 'text/xml' - - 'xml_file' - - 'mso_file' - - 'soap_file' - priority: 5 - 'ScanYara': - - positive: - flavors: - - '*' - priority: 5 - options: - location: '/etc/yara/' - 'ScanZip': - - positive: - flavors: - - 'application/java-archive' - - 'application/zip' - - 'zip_file' - - 'application/vnd.openxmlformats-officedocument' - - 'application/vnd.openxmlformats-officedocument.presentationml.presentation' - - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' - - 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' - - 'ooxml_file' - priority: 5 - options: - limit: 1000 - password_file: '/etc/strelka/passwords.dat' - 'ScanZlib': - - positive: - flavors: - - 'application/zlib' - - 'zlib_file' - priority: 5 diff --git a/salt/strelka/files/backend/backend.yaml.jinja b/salt/strelka/files/backend/backend.yaml.jinja new file mode 100644 index 000000000..151cff550 --- /dev/null +++ b/salt/strelka/files/backend/backend.yaml.jinja @@ -0,0 +1 @@ +{{ BACKENDCONFIG | yaml(false) }} diff --git a/salt/strelka/files/backend/logging.yaml b/salt/strelka/files/backend/logging.yaml deleted file mode 100644 index b21d3c396..000000000 
--- a/salt/strelka/files/backend/logging.yaml +++ /dev/null @@ -1,78 +0,0 @@ -version: 1 -formatters: - simple: - format: '%(asctime)s - [%(levelname)s] %(name)s [%(module)s.%(funcName)s]: %(message)s' - datefmt: '%Y-%m-%d %H:%M:%S' -handlers: - console: - class: logging.StreamHandler - formatter: simple - stream: ext://sys.stdout -root: - level: DEBUG - handlers: [console] -loggers: - OpenSSL: - propagate: 0 - bs4: - propagate: 0 - bz2: - propagate: 0 - chardet: - propagate: 0 - docx: - propagate: 0 - elftools: - propagate: 0 - email: - propagate: 0 - entropy: - propagate: 0 - esprima: - propagate: 0 - gzip: - propagate: 0 - hashlib: - propagate: 0 - json: - propagate: 0 - libarchive: - propagate: 0 - lxml: - propagate: 0 - lzma: - propagate: 0 - macholibre: - propagate: 0 - olefile: - propagate: 0 - oletools: - propagate: 0 - pdfminer: - propagate: 0 - pefile: - propagate: 0 - pgpdump: - propagate: 0 - pygments: - propagate: 0 - pylzma: - propagate: 0 - rarfile: - propagate: 0 - requests: - propagate: 0 - rpmfile: - propagate: 0 - ssdeep: - propagate: 0 - tarfile: - propagate: 0 - tnefparse: - propagate: 0 - yara: - propagate: 0 - zipfile: - propagate: 0 - zlib: - propagate: 0 diff --git a/salt/strelka/files/backend/logging.yaml.jinja b/salt/strelka/files/backend/logging.yaml.jinja new file mode 100644 index 000000000..f3915e9f1 --- /dev/null +++ b/salt/strelka/files/backend/logging.yaml.jinja @@ -0,0 +1 @@ +{{ LOGGINGCONFIG | yaml(false) }} diff --git a/salt/strelka/files/backend/passwords.dat b/salt/strelka/files/backend/passwords.dat deleted file mode 100644 index e9541f540..000000000 --- a/salt/strelka/files/backend/passwords.dat +++ /dev/null @@ -1,2 +0,0 @@ -infected -password diff --git a/salt/strelka/files/backend/passwords.dat.jinja b/salt/strelka/files/backend/passwords.dat.jinja new file mode 100644 index 000000000..45ac9c6e0 --- /dev/null +++ b/salt/strelka/files/backend/passwords.dat.jinja @@ -0,0 +1 @@ +{{ PASSWORDS | join('\n') }} 
diff --git a/salt/strelka/files/filestream/filestream.yaml b/salt/strelka/files/filestream/filestream.yaml deleted file mode 100644 index 57ef65127..000000000 --- a/salt/strelka/files/filestream/filestream.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{%- if grains.role in ['so-sensor', 'so-heavynode'] -%} - {%- set mainint = salt['pillar.get']('host:mainint') %} - {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} -{%- else %} - {%- set ip = salt['pillar.get']('global:managerip') %} -{%- endif -%} -conn: - server: '{{ ip }}:57314' - cert: '' - timeout: - dial: 5s - file: 1m -throughput: - concurrency: 8 - chunk: 32768 - delay: 0s -files: - patterns: - - '/nsm/strelka/unprocessed/*' - delete: false - gatekeeper: true - processed: '/nsm/strelka/processed' -response: - report: 5s -delta: 5s -staging: '/nsm/strelka/staging' diff --git a/salt/strelka/files/filestream/filestream.yaml.jinja b/salt/strelka/files/filestream/filestream.yaml.jinja new file mode 100644 index 000000000..dc435fd9c --- /dev/null +++ b/salt/strelka/files/filestream/filestream.yaml.jinja @@ -0,0 +1 @@ +{{ FILESTREAMCONFIG | yaml(false) }} diff --git a/salt/strelka/files/frontend/frontend.yaml b/salt/strelka/files/frontend/frontend.yaml deleted file mode 100644 index 137966c8e..000000000 --- a/salt/strelka/files/frontend/frontend.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{%- if grains.role in ['so-sensor', 'so-heavynode'] -%} - {%- set mainint = salt['pillar.get']('host:mainint') %} - {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} -{%- else %} - {%- set ip = salt['pillar.get']('global:managerip') %} -{%- endif -%} -server: ":57314" -coordinator: - addr: '{{ ip }}:6380' - db: 0 -gatekeeper: - addr: '{{ ip }}:6381' - db: 0 - ttl: 1h -response: - log: "/var/log/strelka/strelka.log" diff --git a/salt/strelka/files/frontend/frontend.yaml.jinja b/salt/strelka/files/frontend/frontend.yaml.jinja new file mode 100644 index 000000000..4cb281736 --- /dev/null 
+++ b/salt/strelka/files/frontend/frontend.yaml.jinja @@ -0,0 +1 @@ +{{ FRONTENDCONFIG | yaml(false) }} diff --git a/salt/strelka/files/manager/manager.yaml b/salt/strelka/files/manager/manager.yaml deleted file mode 100644 index bd15b6423..000000000 --- a/salt/strelka/files/manager/manager.yaml +++ /dev/null @@ -1,9 +0,0 @@ -{%- if grains.role in ['so-sensor', 'so-heavynode'] -%} - {%- set mainint = salt['pillar.get']('host:mainint') %} - {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} -{%- else %} - {%- set ip = salt['pillar.get']('global:managerip') %} -{%- endif -%} -coordinator: - addr: '{{ ip }}:6380' - db: 0 diff --git a/salt/strelka/files/manager/manager.yaml.jinja b/salt/strelka/files/manager/manager.yaml.jinja new file mode 100644 index 000000000..c91c2e8c8 --- /dev/null +++ b/salt/strelka/files/manager/manager.yaml.jinja @@ -0,0 +1 @@ +{{ MANAGERCONFIG | yaml(false) }} diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index d29053229..bec22c1fa 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -8,15 +8,10 @@ {% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %} -{% import_yaml 'strelka/defaults.yaml' as strelka_config with context %} -{% set IGNORELIST = salt['pillar.get']('strelka:ignore', strelka_config.strelka.ignore, merge=True, merge_nested_lists=True) %} -{% set ENGINE = salt['pillar.get']('global:mdengine', '') %} -{% if ENGINE == "SURICATA" %} - {% set filecheck_runas = 'suricata' %} -{% else %} - {% set filecheck_runas = 'socore' %} -{% endif %} +{% from 'strelka/map.jinja' import STRELKAMERGED %} +{% from 'strelka/filecheck/map.jinja' import FILECHECKDEFAULTS %} +{% from 'strelka/filecheck/map.jinja' import filecheck_runas %} # Strelka config strelkaconfdir: 
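Review bot: The two added `{% from 'strelka/filecheck/map.jinja' import ... %}` lines can be a single import: `{% from 'strelka/filecheck/map.jinja' import FILECHECKDEFAULTS, filecheck_runas %}`. While these lines are being touched, the context line just above them, `{% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %}`, defaults to the string `'1'`, but the guard visible at the end of the next hunk, `{% if STRELKA_RULES == 1 %}`, compares with the integer 1, so with no pillar value the rules states are skipped; unless pillar always supplies an integer, the default should be `1`.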
@@ -33,14 +28,65 @@ strelkarulesdir: - group: 939 - makedirs: True -# Sync dynamic config to conf dir -strelkasync: - file.recurse: - - name: /opt/so/conf/strelka/ - - source: salt://strelka/files +backend_backend_config: + file.managed: + - name: /opt/so/conf/strelka/backend/backend.yaml + - source: salt://strelka/files/backend/backend.yaml.jinja + - template: jinja - user: 939 - group: 939 + - defaults: + BACKENDCONFIG: {{ STRELKAMERGED.config.backend.backend }} + +backend_logging_config: + file.managed: + - name: /opt/so/conf/strelka/backend/logging.yaml + - source: salt://strelka/files/backend/logging.yaml.jinja - template: jinja + - user: 939 + - group: 939 + - defaults: + LOGGINGCONFIG: {{ STRELKAMERGED.config.backend.logging }} + +backend_passwords: + file.managed: + - name: /opt/so/conf/strelka/backend/passwords.dat + - source: salt://strelka/files/backend/passwords.dat.jinja + - template: jinja + - user: 939 + - group: 939 + - defaults: + PASSWORDS: {{ STRELKAMERGED.config.backend.passwords }} + +filestream_config: + file.managed: + - name: /opt/so/conf/strelka/filestream/filestream.yaml + - source: salt://strelka/files/filestream/filestream.yaml.jinja + - template: jinja + - user: 939 + - group: 939 + - defaults: + FILESTREAMCONFIG: {{ STRELKAMERGED.config.filestream }} + +frontend_config: + file.managed: + - name: /opt/so/conf/strelka/frontend/frontend.yaml + - source: salt://strelka/files/frontend/frontend.yaml.jinja + - template: jinja + - user: 939 + - group: 939 + - defaults: + FRONTENDCONFIG: {{ STRELKAMERGED.config.frontend }} + +manager_config: + file.managed: + - name: /opt/so/conf/strelka/manager/manager.yaml + - source: salt://strelka/files/manager/manager.yaml.jinja + - template: jinja + - user: 939 + - group: 939 + - defaults: + MANAGERCONFIG: {{ STRELKAMERGED.config.manager }} {% if STRELKA_RULES == 1 %} 
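Review bot: The six new `file.managed` states replace a `file.recurse` that created the `backend/`, `filestream/`, `frontend/` and `manager/` subdirectories as a side effect, but `file.managed` does not create missing parent directories, so on a fresh node these states fail unless `strelkaconfdir` (outside this hunk) already creates each subdirectory; adding `- makedirs: True` to each state removes the dependency. None of them sets `mode`, so the written files take the minion's umask, which the previous `file.recurse` also left implicit but is now easy to make explicit per file. The states differ only in name, path and the `defaults` variable, so a Jinja loop over a small list would keep them in step when an option such as `makedirs` or `mode` is added.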
@@ -51,16 +97,6 @@ strelkarules:
 - user: 939
 - group: 939
 - clean: True
- - exclude_pat:
- {% for IGNOREDRULE in IGNORELIST %}
- - {{ IGNOREDRULE }}
- {% endfor %}
-
- {% for IGNOREDRULE in IGNORELIST %}
-remove_rule_{{ IGNOREDRULE }}:
- file.absent:
- - name: /opt/so/conf/strelka/rules/signature-base/{{ IGNOREDRULE }}
- {% endfor %}
 
 {% if grains['role'] in GLOBALS.manager_roles %}
 strelkarepos:
@@ -133,8 +169,10 @@ filecheck_history:
 filecheck_conf:
 file.managed:
 - name: /opt/so/conf/strelka/filecheck.yaml
- - source: salt://strelka/filecheck/filecheck.yaml
+ - source: salt://strelka/filecheck/filecheck.yaml.jinja
 - template: jinja
+ - defaults:
+ FILECHECKCONFIG: {{ FILECHECKDEFAULTS }}
 
 filecheck_script:
 file.managed:
@@ -173,7 +211,7 @@ strelka_coordinator:
 - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }}
 - entrypoint: redis-server --save "" --appendonly no
 - extra_hosts:
- - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
+ - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
 - port_bindings:
 {% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %}
 - {{ BINDING }}
@@ -193,7 +231,7 @@ strelka_gatekeeper:
 - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }}
 - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
 - extra_hosts:
- - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
+ - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
 - port_bindings:
 {% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %}
 - {{ BINDING }}
@@ -217,7 +255,7 @@ strelka_frontend:
 - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }}
 - command: strelka-frontend
 - extra_hosts:
- - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
+ - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
 - port_bindings:
 {% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %}
 - {{ BINDING }}
@@ -240,7 +278,7 @@ strelka_backend:
 - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }}
 - command: strelka-backend
 - extra_hosts:
- - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
+ - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
 - restart_policy: on-failure
 
 append_so-strelka-backend_so-status.conf:
@@ -259,7 +297,7 @@ strelka_manager:
 - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }}
 - command: strelka-manager
 - extra_hosts:
- - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
+ - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
 
 append_so-strelka-manager_so-status.conf:
 file.append:
@@ -278,7 +316,7 @@ strelka_filestream:
 - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }}
 - command: strelka-filestream
 - extra_hosts:
- - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
+ - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
 
 append_so-strelka-filestream_so-status.conf:
 file.append:
diff --git a/salt/strelka/map.jinja b/salt/strelka/map.jinja
new file mode 100644
index 000000000..bf0a29a17
--- /dev/null
+++ b/salt/strelka/map.jinja
@@ -0,0 +1,20 @@
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% import_yaml 'strelka/defaults.yaml' as STRELKADEFAULTS %}
+{% set HOST = GLOBALS.hostname %}
+
+{% set backend_coordinator_port = STRELKADEFAULTS.strelka.config.backend.backend.coordinator.addr.split(':')[1] %}
+{% do STRELKADEFAULTS.strelka.config.backend.backend.coordinator.update({'addr': HOST ~ ':' ~ backend_coordinator_port}) %}
+
+{% set filestream_conn_port = STRELKADEFAULTS.strelka.config.filestream.conn.server.split(':')[1] %}
+{% do STRELKADEFAULTS.strelka.config.filestream.conn.update({'server': HOST ~ ':' ~ filestream_conn_port}) %}
+
+{% set frontend_coordinator_port = STRELKADEFAULTS.strelka.config.frontend.coordinator.addr.split(':')[1] %}
+{% do STRELKADEFAULTS.strelka.config.frontend.coordinator.update({'addr': HOST ~ ':' ~ frontend_coordinator_port}) %}
+
+{% set frontend_gatekeeper_port = STRELKADEFAULTS.strelka.config.frontend.gatekeeper.addr.split(':')[1] %}
+{% do STRELKADEFAULTS.strelka.config.frontend.gatekeeper.update({'addr': HOST ~ ':' ~ frontend_gatekeeper_port}) %}
+
+{% set manager_coordinator_port = STRELKADEFAULTS.strelka.config.manager.coordinator.addr.split(':')[1] %}
+{% do STRELKADEFAULTS.strelka.config.manager.coordinator.update({'addr': HOST ~ ':' ~ manager_coordinator_port}) %}
+
+{% set STRELKAMERGED = salt['pillar.get']('strelka', STRELKADEFAULTS.strelka, merge=True) %}
From 9d4e1cc1499dd6b957bee814b650bb48882857af Mon Sep 17 00:00:00 2001
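Review bot: the final `pillar.get('strelka', ..., merge=True)` drops the `merge_nested_lists=True` that the old `IGNORELIST` lookup in init.sls used, so as I read Salt's dict-merge semantics a pillar `strelka:rules:excluded` or `strelka:rules:repos` list now replaces the defaults list instead of extending it; if that is intended, a comment saying so would save operators a surprise, e.g. `{# pillar lists under strelka: replace the defaults wholesale; they are not appended #}`. The five `split(':')[1]` lookups also assume every default address is exactly `host:port`; `rsplit(':', 1)[-1]` is safer if a default ever carries an IPv6 literal, and a one-line header such as `{# Replace the 'HOST' placeholder in defaults.yaml addresses with this node's hostname before applying pillar overrides #}` would document why the substitution runs before the merge. Note the substitution touches defaults only, so any pillar-supplied `addr`/`server` is taken verbatim.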
From: m0duspwnens Date: Mon, 13 Mar 2023 16:48:21 -0400 Subject: [PATCH 2/5] jinja for strelka --- salt/manager/files/so-yara-update.jinja | 2 +- salt/manager/init.sls | 2 +- salt/strelka/defaults.yaml | 58 ++++++++++--------------- salt/strelka/init.sls | 13 ++++-- salt/strelka/repos.txt.jinja | 2 + salt/strelka/rules/ignore.txt | 4 -- salt/strelka/rules/repos.txt | 1 - salt/strelka/rules/repos.txt.jinja | 4 -- 8 files changed, 36 insertions(+), 50 deletions(-) create mode 100644 salt/strelka/repos.txt.jinja delete mode 100644 salt/strelka/rules/ignore.txt delete mode 100644 salt/strelka/rules/repos.txt delete mode 100644 salt/strelka/rules/repos.txt.jinja diff --git a/salt/manager/files/so-yara-update.jinja b/salt/manager/files/so-yara-update.jinja index ea07f72e4..beaa97ab6 100755 --- a/salt/manager/files/so-yara-update.jinja +++ b/salt/manager/files/so-yara-update.jinja @@ -9,7 +9,7 @@ echo "Starting to check for yara rule updates at $(date)..." output_dir="/opt/so/saltstack/default/salt/strelka/rules" mkdir -p $output_dir -repos="$output_dir/repos.txt" +repos="/opt/so/conf/strelka/repos.txt" newcounter=0 excludedcounter=0 excluded_rules=({{ EXCLUDEDRULES | join(' ') }}) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 5f2b0005a..a360fb2c5 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -33,7 +33,7 @@ yara_update_script: - template: jinja - defaults: ISAIRGAP: {{ GLOBALS.airgap }} - EXCLUDEDRULES: {{ STRELKAMERGED.excluded_rules }} + EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }} strelka_yara_update: cron.present: diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml index 12f0edda3..cdd75a22d 100644 --- a/salt/strelka/defaults.yaml +++ b/salt/strelka/defaults.yaml @@ -13,7 +13,7 @@ strelka: addr: 'HOST:6380' db: 0 tasting: - mime_db: '' + mime_db: null yara_rules: '/etc/strelka/taste/' scanners: 'ScanBase64': 
@@ -535,37 +535,25 @@ strelka: addr: 'HOST:6380' db: 0 - - - - - - - - - - - - - - - - - excluded_rules: - - apt_flame2_orchestrator.yar - - apt_tetris.yar - - gen_susp_js_obfuscatorio.yar - - gen_webshells.yar - - generic_anomalies.yar - - general_cloaking.yar - - thor_inverse_matches.yar - - yara_mixed_ext_vars.yar - - apt_apt27_hyperbro.yar - - apt_turla_gazer.yar - - gen_google_anomaly.yar - - gen_icon_anomalies.yar - - gen_nvidia_leaked_cert.yar - - gen_sign_anomalies.yar - - gen_susp_xor.yar - - gen_webshells_ext_vars.yar - - configured_vulns_ext_vars.yar + rules: + enabled: True + repos: + - https://github.com/Neo23x0/signature-base + excluded: + - apt_flame2_orchestrator.yar + - apt_tetris.yar + - gen_susp_js_obfuscatorio.yar + - gen_webshells.yar + - generic_anomalies.yar + - general_cloaking.yar + - thor_inverse_matches.yar + - yara_mixed_ext_vars.yar + - apt_apt27_hyperbro.yar + - apt_turla_gazer.yar + - gen_google_anomaly.yar + - gen_icon_anomalies.yar + - gen_nvidia_leaked_cert.yar + - gen_sign_anomalies.yar + - gen_susp_xor.yar + - gen_webshells_ext_vars.yar + - configured_vulns_ext_vars.yar diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index bec22c1fa..bded9ca70 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -7,7 +7,6 @@ {% if sls in allowed_states %} {% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %} {% from 'strelka/map.jinja' import STRELKAMERGED %} {% from 'strelka/filecheck/map.jinja' import FILECHECKDEFAULTS %} @@ -35,6 +34,7 @@ backend_backend_config: - template: jinja - user: 939 - group: 939 + - makedirs: True - defaults: BACKENDCONFIG: {{ STRELKAMERGED.config.backend.backend }} @@ -65,6 +65,7 @@ filestream_config: - template: jinja - user: 939 - group: 939 + - makedirs: True - defaults: FILESTREAMCONFIG: {{ STRELKAMERGED.config.filestream }} 
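Review bot: `enabled: True` in the new `rules:` mapping uses a capitalised boolean; the canonical YAML 1.2 spelling is lowercase, `enabled: true`, which keeps the value loader-independent and satisfies yamllint's `truthy` rule. Salt's loader accepts both forms, so this is a style point with no behaviour change. The rest of the hunk (the `repos:` and `excluded:` lists replacing the flat `excluded_rules:` key) reads fine.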
@@ -75,6 +76,7 @@ frontend_config: - template: jinja - user: 939 - group: 939 + - makedirs: True - defaults: FRONTENDCONFIG: {{ STRELKAMERGED.config.frontend }} @@ -85,10 +87,11 @@ manager_config: - template: jinja - user: 939 - group: 939 + - makedirs: True - defaults: MANAGERCONFIG: {{ STRELKAMERGED.config.manager }} -{% if STRELKA_RULES == 1 %} +{% if STRELKAMERGED.rules.enabled %} strelkarules: file.recurse: @@ -101,9 +104,11 @@ strelkarules: {% if grains['role'] in GLOBALS.manager_roles %} strelkarepos: file.managed: - - name: /opt/so/saltstack/default/salt/strelka/rules/repos.txt - - source: salt://strelka/rules/repos.txt.jinja + - name: /opt/so/conf/strelka/repos.txt + - source: salt://strelka/repos.txt.jinja - template: jinja + - defaults: + STRELKAREPOS: {{ STRELKAMERGED.rules.repos }} {% endif %} {% endif %} diff --git a/salt/strelka/repos.txt.jinja b/salt/strelka/repos.txt.jinja new file mode 100644 index 000000000..043a02203 --- /dev/null +++ b/salt/strelka/repos.txt.jinja @@ -0,0 +1,2 @@ +# DO NOT EDIT THIS FILE! Strelka YARA rule repos are stored here from the strelka:rules:repos pillar section +{{ STRELKAREPOS | join('\n') }} diff --git a/salt/strelka/rules/ignore.txt b/salt/strelka/rules/ignore.txt deleted file mode 100644 index a803f8c28..000000000 --- a/salt/strelka/rules/ignore.txt +++ /dev/null @@ -1,4 +0,0 @@ -generic_anomalies.yar -general_cloaking.yar -thor_inverse_matches.yar -yara_mixed_ext_vars.yar diff --git a/salt/strelka/rules/repos.txt b/salt/strelka/rules/repos.txt deleted file mode 100644 index e26687ea9..000000000 --- a/salt/strelka/rules/repos.txt +++ /dev/null @@ -1 +0,0 @@ -https://github.com/Neo23x0/signature-base diff --git a/salt/strelka/rules/repos.txt.jinja b/salt/strelka/rules/repos.txt.jinja deleted file mode 100644 index 7d449f18d..000000000 --- a/salt/strelka/rules/repos.txt.jinja +++ /dev/null 
@@ -1,4 +0,0 @@
-# DO NOT EDIT THIS FILE! Strelka YARA rule repos are stored here from the strelka.repos pillar section
-{%- for repo in salt['pillar.get']('strelka:repos', {}) %}
-{{ repo }}
-{%- endfor %}
From b38d5df68407b2ed38a64e4a0a272951a3012a8d Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 14 Mar 2023 13:25:51 -0400
Subject: [PATCH 3/5] set default mime_db
---
 salt/strelka/defaults.yaml | 2 +-
 salt/strelka/init.sls | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml
index cdd75a22d..8060f520d 100644
--- a/salt/strelka/defaults.yaml
+++ b/salt/strelka/defaults.yaml
@@ -13,7 +13,7 @@ strelka:
 addr: 'HOST:6380'
 db: 0
 tasting:
- mime_db: null
+ mime_db: '/usr/lib/file/magic.mgc'
 yara_rules: '/etc/strelka/taste/'
 scanners:
 'ScanBase64':
diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls
index bded9ca70..80b43a017 100644
--- a/salt/strelka/init.sls
+++ b/salt/strelka/init.sls
@@ -58,6 +58,14 @@ backend_passwords:
 - defaults:
 PASSWORDS: {{ STRELKAMERGED.config.backend.passwords }}
 
+backend_taste:
+ file.managed:
+ - name: /opt/so/conf/strelka/backend/taste/taste.yara
+ - source: salt://strelka/files/backend/taste/taste.yara
+ - makedirs: True
+ - user: 939
+ - group: 939
+
 filestream_config:
 file.managed:
 - name: /opt/so/conf/strelka/filestream/filestream.yaml
From 7cf4e6b03b92a5c08c4833b96a94ed79a78f3728 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 14 Mar 2023 13:59:31 -0400
Subject: [PATCH 4/5] add rules dir, change so-yar-update to save to local/salt/strelka/rules
---
 salt/manager/files/so-yara-update.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/manager/files/so-yara-update.jinja b/salt/manager/files/so-yara-update.jinja
index beaa97ab6..d11ba1a76 100755
--- a/salt/manager/files/so-yara-update.jinja
+++ b/salt/manager/files/so-yara-update.jinja
@@ -7,7 +7,7 @@ echo "Starting to check for yara rule updates at $(date)..." -output_dir="/opt/so/saltstack/default/salt/strelka/rules" +output_dir="/opt/so/saltstack/local/salt/strelka/rules" mkdir -p $output_dir repos="/opt/so/conf/strelka/repos.txt" newcounter=0 From f9b8c78d74cd0686280412211757a741bc1ba5d3 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 14 Mar 2023 14:43:13 -0400 Subject: [PATCH 5/5] move repos to rules dir --- salt/strelka/init.sls | 2 +- salt/strelka/{ => rules}/repos.txt.jinja | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename salt/strelka/{ => rules}/repos.txt.jinja (100%) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 80b43a017..f8b8262b0 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -113,7 +113,7 @@ strelkarules: strelkarepos: file.managed: - name: /opt/so/conf/strelka/repos.txt - - source: salt://strelka/repos.txt.jinja + - source: salt://strelka/rules/repos.txt.jinja - template: jinja - defaults: STRELKAREPOS: {{ STRELKAMERGED.rules.repos }} diff --git a/salt/strelka/repos.txt.jinja b/salt/strelka/rules/repos.txt.jinja similarity index 100% rename from salt/strelka/repos.txt.jinja rename to salt/strelka/rules/repos.txt.jinja