CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9931 from Security-Onion-Solutions/2.4/strelka

Browse Source 
2.4/strelka
This commit is contained in:
Josh Patterson
2023-03-14 16:16:53 -04:00
committed by GitHub
parent 4e0390963b f9b8c78d74
commit b809b22566
24 changed files with 732 additions and 636 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
salt/common/tools/sbin/so-yara-update → salt/manager/files/so-yara-update.jinja
View File

@@ -5,14 +5,15 @@
# Elastic License 2.0. # Elastic License 2.0.
{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
echo "Starting to check for yara rule updates at $(date)..." echo "Starting to check for yara rule updates at $(date)..."
output_dir="/opt/so/saltstack/default/salt/strelka/rules" output_dir="/opt/so/saltstack/local/salt/strelka/rules"
mkdir -p $output_dir mkdir -p $output_dir
repos="$output_dir/repos.txt" repos="/opt/so/conf/strelka/repos.txt"
newcounter=0 newcounter=0
excludedcounter=0
excluded_rules=({{ EXCLUDEDRULES | join(' ') }})
{% if ISAIRGAP is sameas true %} {% if ISAIRGAP is sameas true %}
@@ -20,22 +21,29 @@ echo "Airgap mode enabled."
clone_dir="/nsm/repo/rules/strelka" clone_dir="/nsm/repo/rules/strelka"
repo_name="signature-base" repo_name="signature-base"
mkdir -p /opt/so/saltstack/default/salt/strelka/rules/signature-base [ -d $output_dir/$repo_name ] && rm -rf $output_dir/$repo_name
mkdir -p mkdir -p $output_dir/$repo_name
# Ensure a copy of the license is available for the rules # Ensure a copy of the license is available for the rules
[ -f $clone_dir/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name [ -f $clone_dir/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name
# Copy over rules # Copy over rules
for i in $(find $clone_dir/yara -name "*.yar*"); do for i in $(find $clone_dir/yara -name "*.yar*"); do
rule_name=$(echo $i | awk -F '/' '{print $NF}') rule_name=$(echo $i | awk -F '/' '{print $NF}')
if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then
echo "Adding rule: $rule_name..." echo "Adding rule: $rule_name..."
cp $i $output_dir/$repo_name cp $i $output_dir/$repo_name
((newcounter++)) ((newcounter++))
else
echo "Excluding rule: $rule_name..."
((excludedcounter++))
fi
done done
echo "Done!" echo "Done!"
if [ "$newcounter" -gt 0 ];then if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then
echo "$newcounter rules added." echo "$newcounter rules added."
echo "$excludedcounter rule(s) excluded."
fi fi
{% else %} {% else %}
@@ -60,9 +68,15 @@ if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then
# Copy over rules # Copy over rules
for i in $(find $clone_dir/$repo_name -name "*.yar*"); do for i in $(find $clone_dir/$repo_name -name "*.yar*"); do
rule_name=$(echo $i | awk -F '/' '{print $NF}') rule_name=$(echo $i | awk -F '/' '{print $NF}')
if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then
echo "Adding rule: $rule_name..." echo "Adding rule: $rule_name..."
cp $i $output_dir/$repo_name cp $i $output_dir/$repo_name
((newcounter++)) ((newcounter++))
else
echo "Excluding rule: $rule_name..."
((excludedcounter++))
fi
done done
rm -rf $clone_dir/$repo_name rm -rf $clone_dir/$repo_name
fi fi
@@ -70,8 +84,9 @@ if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then
echo "Done!" echo "Done!"
if [ "$newcounter" -gt 0 ];then if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then
echo "$newcounter rules added." echo "$newcounter rule(s) added."
echo "$excludedcounter rule(s) excluded."
fi fi
else else

15
salt/manager/init.sls
View File

@@ -5,6 +5,9 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %} {% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'strelka/map.jinja' import STRELKAMERGED %}
include: include:
- salt.minion - salt.minion
- kibana.secrets - kibana.secrets
@@ -20,6 +23,18 @@ socore_own_saltstack:
- user - user
- group - group
yara_update_script:
file.managed:
- name: /usr/sbin/so-yara-update
- source: salt://manager/files/so-yara-update.jinja
- user: root
- group: root
- mode: 755
- template: jinja
- defaults:
ISAIRGAP: {{ GLOBALS.airgap }}
EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }}
strelka_yara_update: strelka_yara_update:
cron.present: cron.present:
- user: root - user: root

542
salt/strelka/defaults.yaml
View File

@@ -1,5 +1,545 @@
strelka: strelka:
ignore: config:
backend:
backend:
logging_cfg: '/etc/strelka/logging.yaml'
limits:
max_files: 0
time_to_live: 0
max_depth: 15
distribution: 600
scanner: 150
coordinator:
addr: 'HOST:6380'
db: 0
tasting:
mime_db: '/usr/lib/file/magic.mgc'
yara_rules: '/etc/strelka/taste/'
scanners:
'ScanBase64':
- positive:
filename: '^base64_'
priority: 5
'ScanBatch':
- positive:
flavors:
- 'text/x-msdos-batch'
- 'batch_file'
priority: 5
'ScanBzip2':
- positive:
flavors:
- 'application/x-bzip2'
- 'bzip2_file'
priority: 5
'ScanDocx':
- positive:
flavors:
- 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
priority: 5
options:
extract_text: False
'ScanElf':
- positive:
flavors:
- 'application/x-object'
- 'application/x-executable'
- 'application/x-sharedlib'
- 'application/x-coredump'
- 'elf_file'
priority: 5
'ScanEmail':
- positive:
flavors:
- 'application/vnd.ms-outlook'
- 'message/rfc822'
- 'email_file'
priority: 5
'ScanEntropy':
- positive:
flavors:
- '*'
priority: 5
'ScanExiftool':
- positive:
flavors:
- 'application/msword'
- 'application/vnd.openxmlformats-officedocument'
- 'application/vnd.openxmlformats-officedocument.presentationml.presentation'
- 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
- 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'
- 'olecf_file'
- 'ooxml_file'
- 'audio/mpeg'
- 'mp3_file'
- 'mhtml_file'
- 'application/pdf'
- 'pdf_file'
- 'text/rtf'
- 'rtf_file'
- 'wordml_file'
- 'application/x-dosexec'
- 'mz_file'
- 'application/x-object'
- 'application/x-executable'
- 'application/x-sharedlib'
- 'application/x-coredump'
- 'elf_file'
- 'lnk_file'
- 'application/x-mach-binary'
- 'macho_file'
- 'image/gif'
- 'gif_file'
- 'image/jpeg'
- 'jpeg_file'
- 'image/png'
- 'png_file'
- 'image/tiff'
- 'type_is_tiff'
- 'image/x-ms-bmp'
- 'bmp_file'
- 'application/x-shockwave-flash'
- 'fws_file'
- 'psd_file'
- 'video/mp4'
- 'video/quicktime'
- 'video/x-msvideo'
- 'avi_file'
- 'video/x-ms-wmv'
- 'wmv_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanGif':
- positive:
flavors:
- 'image/gif'
- 'gif_file'
priority: 5
'ScanGzip':
- positive:
flavors:
- 'application/gzip'
- 'application/x-gzip'
- 'gzip_file'
priority: 5
'ScanHash':
- positive:
flavors:
- '*'
priority: 5
'ScanHeader':
- positive:
flavors:
- '*'
priority: 5
options:
length: 50
'ScanHtml':
- positive:
flavors:
- 'hta_file'
- 'text/html'
- 'html_file'
priority: 5
options:
parser: "html5lib"
'ScanIni':
- positive:
filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$'
flavors:
- 'ini_file'
priority: 5
'ScanJarManifest':
- positive:
flavors:
- 'jar_manifest_file'
priority: 5
'ScanJavascript':
- negative:
flavors:
- 'text/html'
- 'html_file'
positive:
flavors:
- 'javascript_file'
- 'text/javascript'
priority: 5
options:
beautify: True
'ScanJpeg':
- positive:
flavors:
- 'image/jpeg'
- 'jpeg_file'
priority: 5
'ScanJson':
- positive:
flavors:
- 'application/json'
- 'json_file'
priority: 5
'ScanLibarchive':
- positive:
flavors:
- 'application/vnd.ms-cab-compressed'
- 'cab_file'
- 'application/x-7z-compressed'
- '_7zip_file'
- 'application/x-cpio'
- 'cpio_file'
- 'application/x-xar'
- 'xar_file'
- 'arj_file'
- 'iso_file'
- 'application/x-debian-package'
- 'debian_package_file'
priority: 5
options:
limit: 1000
'ScanLzma':
- positive:
flavors:
- 'application/x-lzma'
- 'lzma_file'
- 'application/x-xz'
- 'xz_file'
priority: 5
'ScanMacho':
- positive:
flavors:
- 'application/x-mach-binary'
- 'macho_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanOcr':
- positive:
flavors:
- 'image/jpeg'
- 'jpeg_file'
- 'image/png'
- 'png_file'
- 'image/tiff'
- 'type_is_tiff'
- 'image/x-ms-bmp'
- 'bmp_file'
priority: 5
options:
extract_text: False
tmp_directory: '/dev/shm/'
'ScanOle':
- positive:
flavors:
- 'application/CDFV2'
- 'application/msword'
- 'olecf_file'
priority: 5
'ScanPdf':
- positive:
flavors:
- 'application/pdf'
- 'pdf_file'
priority: 5
options:
extract_text: False
limit: 2000
'ScanPe':
- positive:
flavors:
- 'application/x-dosexec'
- 'mz_file'
priority: 5
'ScanPgp':
- positive:
flavors:
- 'application/pgp-keys'
- 'pgp_file'
priority: 5
'ScanPhp':
- positive:
flavors:
- 'text/x-php'
- 'php_file'
priority: 5
'ScanPkcs7':
- positive:
flavors:
- 'pkcs7_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanPlist':
- positive:
flavors:
- 'bplist_file'
- 'plist_file'
priority: 5
options:
keys:
- 'KeepAlive'
- 'Label'
- 'NetworkState'
- 'Program'
- 'ProgramArguments'
- 'RunAtLoad'
- 'StartInterval'
'ScanRar':
- positive:
flavors:
- 'application/x-rar'
- 'rar_file'
priority: 5
options:
limit: 1000
'ScanRpm':
- positive:
flavors:
- 'application/x-rpm'
- 'rpm_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanRtf':
- positive:
flavors:
- 'text/rtf'
- 'rtf_file'
priority: 5
options:
limit: 1000
'ScanRuby':
- positive:
flavors:
- 'text/x-ruby'
priority: 5
'ScanSwf':
- positive:
flavors:
- 'application/x-shockwave-flash'
- 'fws_file'
- 'cws_file'
- 'zws_file'
priority: 5
'ScanTar':
- positive:
flavors:
- 'application/x-tar'
- 'tar_file'
priority: 5
options:
limit: 1000
'ScanTnef':
- positive:
flavors:
- 'application/vnd.ms-tnef'
- 'tnef_file'
priority: 5
'ScanUpx':
- positive:
flavors:
- 'upx_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanUrl':
- negative:
flavors:
- 'javascript_file'
positive:
flavors:
- 'text/plain'
priority: 5
'ScanVb':
- positive:
flavors:
- 'vb_file'
- 'vbscript'
priority: 5
'ScanVba':
- positive:
flavors:
- 'mhtml_file'
- 'application/msword'
- 'olecf_file'
- 'wordml_file'
priority: 5
options:
analyze_macros: True
'ScanX509':
- positive:
flavors:
- 'x509_der_file'
priority: 5
options:
type: 'der'
- positive:
flavors:
- 'x509_pem_file'
priority: 5
options:
type: 'pem'
'ScanXml':
- positive:
flavors:
- 'application/xml'
- 'text/xml'
- 'xml_file'
- 'mso_file'
- 'soap_file'
priority: 5
'ScanYara':
- positive:
flavors:
- '*'
priority: 5
options:
location: '/etc/yara/'
'ScanZip':
- positive:
flavors:
- 'application/java-archive'
- 'application/zip'
- 'zip_file'
- 'application/vnd.openxmlformats-officedocument'
- 'application/vnd.openxmlformats-officedocument.presentationml.presentation'
- 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
- 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'
- 'ooxml_file'
priority: 5
options:
limit: 1000
password_file: '/etc/strelka/passwords.dat'
'ScanZlib':
- positive:
flavors:
- 'application/zlib'
- 'zlib_file'
priority: 5
logging:
version: 1
formatters:
simple:
format: '%(asctime)s - [%(levelname)s] %(name)s [%(module)s.%(funcName)s]: %(message)s'
datefmt: '%Y-%m-%d %H:%M:%S'
handlers:
console:
class: logging.StreamHandler
formatter: simple
stream: ext://sys.stdout
root:
level: DEBUG
handlers: [console]
loggers:
OpenSSL:
propagate: 0
bs4:
propagate: 0
bz2:
propagate: 0
chardet:
propagate: 0
docx:
propagate: 0
elftools:
propagate: 0
email:
propagate: 0
entropy:
propagate: 0
esprima:
propagate: 0
gzip:
propagate: 0
hashlib:
propagate: 0
json:
propagate: 0
libarchive:
propagate: 0
lxml:
propagate: 0
lzma:
propagate: 0
macholibre:
propagate: 0
olefile:
propagate: 0
oletools:
propagate: 0
pdfminer:
propagate: 0
pefile:
propagate: 0
pgpdump:
propagate: 0
pygments:
propagate: 0
pylzma:
propagate: 0
rarfile:
propagate: 0
requests:
propagate: 0
rpmfile:
propagate: 0
ssdeep:
propagate: 0
tarfile:
propagate: 0
tnefparse:
propagate: 0
yara:
propagate: 0
zipfile:
propagate: 0
zlib:
propagate: 0
passwords:
- infected
- password
filestream:
conn:
server: 'HOST:57314'
cert: ''
timeout:
dial: 5s
file: 1m
throughput:
concurrency: 8
chunk: 32768
delay: 0s
files:
patterns:
- '/nsm/strelka/unprocessed/*'
delete: false
gatekeeper: true
processed: '/nsm/strelka/processed'
response:
report: 5s
delta: 5s
staging: '/nsm/strelka/staging'
frontend:
server: ":57314"
coordinator:
addr: 'HOST:6380'
db: 0
gatekeeper:
addr: 'HOST:6381'
db: 0
ttl: 1h
response:
log: "/var/log/strelka/strelka.log"
manager:
coordinator:
addr: 'HOST:6380'
db: 0
rules:
enabled: True
repos:
- https://github.com/Neo23x0/signature-base
excluded:
- apt_flame2_orchestrator.yar - apt_flame2_orchestrator.yar
- apt_tetris.yar - apt_tetris.yar
- gen_susp_js_obfuscatorio.yar - gen_susp_js_obfuscatorio.yar

4
salt/strelka/filecheck/defaults.yaml Normal file
View File

@@ -0,0 +1,4 @@
filecheck:
historypath: '/nsm/strelka/history/'
strelkapath: '/nsm/strelka/unprocessed/'
logfile: '/opt/so/log/strelka/filecheck.log'

10
salt/strelka/filecheck/filecheck.yaml
View File

@@ -1,10 +0,0 @@
{%- set ENGINE = salt['pillar.get']('global:mdengine', '') %}
filecheck:
{%- if ENGINE == "SURICATA" %}
extract_path: '/nsm/suricata/extracted'
{%- else %}
extract_path: '/nsm/zeek/extracted/complete'
{%- endif %}
historypath: '/nsm/strelka/history/'
strelkapath: '/nsm/strelka/unprocessed/'
logfile: '/opt/so/log/strelka/filecheck.log'

1
salt/strelka/filecheck/filecheck.yaml.jinja Normal file
View File

@@ -0,0 +1 @@
{{ FILECHECKCONFIG | yaml(false) }}

12
salt/strelka/filecheck/map.jinja Normal file
View File

@@ -0,0 +1,12 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'strelka/filecheck/defaults.yaml' as FILECHECKDEFAULTS %}
{% if GLOBALS.md_engine == "SURICATA" %}
{% set extract_path = '/nsm/suricata/extracted' %}
{% set filecheck_runas = 'suricata' %}
{% else %}
{% set extract_path = '/nsm/zeek/extracted/complete' %}
{% set filecheck_runas = 'socore' %}
{% endif %}
{% do FILECHECKDEFAULTS.filecheck.update({'extract_path': extract_path}) %}

420
salt/strelka/files/backend/backend.yaml
View File

@@ -1,420 +0,0 @@
{%- if grains.role in ['so-sensor', 'so-heavynode'] -%}
{%- set mainint = salt['pillar.get']('host:mainint') %}
{%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %}
{%- else %}
{%- set ip = salt['pillar.get']('global:managerip') %}
{%- endif -%}
logging_cfg: '/etc/strelka/logging.yaml'
limits:
max_files: 0
time_to_live: 0
max_depth: 15
distribution: 600
scanner: 150
coordinator:
addr: '{{ ip }}:6380'
db: 0
tasting:
mime_db: null
yara_rules: '/etc/strelka/taste/'
scanners:
'ScanBase64':
- positive:
filename: '^base64_'
priority: 5
'ScanBatch':
- positive:
flavors:
- 'text/x-msdos-batch'
- 'batch_file'
priority: 5
'ScanBzip2':
- positive:
flavors:
- 'application/x-bzip2'
- 'bzip2_file'
priority: 5
'ScanDocx':
- positive:
flavors:
- 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
priority: 5
options:
extract_text: False
'ScanElf':
- positive:
flavors:
- 'application/x-object'
- 'application/x-executable'
- 'application/x-sharedlib'
- 'application/x-coredump'
- 'elf_file'
priority: 5
'ScanEmail':
- positive:
flavors:
- 'application/vnd.ms-outlook'
- 'message/rfc822'
- 'email_file'
priority: 5
'ScanEntropy':
- positive:
flavors:
- '*'
priority: 5
'ScanExiftool':
- positive:
flavors:
- 'application/msword'
- 'application/vnd.openxmlformats-officedocument'
- 'application/vnd.openxmlformats-officedocument.presentationml.presentation'
- 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
- 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'
- 'olecf_file'
- 'ooxml_file'
- 'audio/mpeg'
- 'mp3_file'
- 'mhtml_file'
- 'application/pdf'
- 'pdf_file'
- 'text/rtf'
- 'rtf_file'
- 'wordml_file'
- 'application/x-dosexec'
- 'mz_file'
- 'application/x-object'
- 'application/x-executable'
- 'application/x-sharedlib'
- 'application/x-coredump'
- 'elf_file'
- 'lnk_file'
- 'application/x-mach-binary'
- 'macho_file'
- 'image/gif'
- 'gif_file'
- 'image/jpeg'
- 'jpeg_file'
- 'image/png'
- 'png_file'
- 'image/tiff'
- 'type_is_tiff'
- 'image/x-ms-bmp'
- 'bmp_file'
- 'application/x-shockwave-flash'
- 'fws_file'
- 'psd_file'
- 'video/mp4'
- 'video/quicktime'
- 'video/x-msvideo'
- 'avi_file'
- 'video/x-ms-wmv'
- 'wmv_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanGif':
- positive:
flavors:
- 'image/gif'
- 'gif_file'
priority: 5
'ScanGzip':
- positive:
flavors:
- 'application/gzip'
- 'application/x-gzip'
- 'gzip_file'
priority: 5
'ScanHash':
- positive:
flavors:
- '*'
priority: 5
'ScanHeader':
- positive:
flavors:
- '*'
priority: 5
options:
length: 50
'ScanHtml':
- positive:
flavors:
- 'hta_file'
- 'text/html'
- 'html_file'
priority: 5
options:
parser: "html5lib"
'ScanIni':
- positive:
filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$'
flavors:
- 'ini_file'
priority: 5
'ScanJarManifest':
- positive:
flavors:
- 'jar_manifest_file'
priority: 5
'ScanJavascript':
- negative:
flavors:
- 'text/html'
- 'html_file'
positive:
flavors:
- 'javascript_file'
- 'text/javascript'
priority: 5
options:
beautify: True
'ScanJpeg':
- positive:
flavors:
- 'image/jpeg'
- 'jpeg_file'
priority: 5
'ScanJson':
- positive:
flavors:
- 'application/json'
- 'json_file'
priority: 5
'ScanLibarchive':
- positive:
flavors:
- 'application/vnd.ms-cab-compressed'
- 'cab_file'
- 'application/x-7z-compressed'
- '_7zip_file'
- 'application/x-cpio'
- 'cpio_file'
- 'application/x-xar'
- 'xar_file'
- 'arj_file'
- 'iso_file'
- 'application/x-debian-package'
- 'debian_package_file'
priority: 5
options:
limit: 1000
'ScanLzma':
- positive:
flavors:
- 'application/x-lzma'
- 'lzma_file'
- 'application/x-xz'
- 'xz_file'
priority: 5
'ScanMacho':
- positive:
flavors:
- 'application/x-mach-binary'
- 'macho_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanOcr':
- positive:
flavors:
- 'image/jpeg'
- 'jpeg_file'
- 'image/png'
- 'png_file'
- 'image/tiff'
- 'type_is_tiff'
- 'image/x-ms-bmp'
- 'bmp_file'
priority: 5
options:
extract_text: False
tmp_directory: '/dev/shm/'
'ScanOle':
- positive:
flavors:
- 'application/CDFV2'
- 'application/msword'
- 'olecf_file'
priority: 5
'ScanPdf':
- positive:
flavors:
- 'application/pdf'
- 'pdf_file'
priority: 5
options:
extract_text: False
limit: 2000
'ScanPe':
- positive:
flavors:
- 'application/x-dosexec'
- 'mz_file'
priority: 5
'ScanPgp':
- positive:
flavors:
- 'application/pgp-keys'
- 'pgp_file'
priority: 5
'ScanPhp':
- positive:
flavors:
- 'text/x-php'
- 'php_file'
priority: 5
'ScanPkcs7':
- positive:
flavors:
- 'pkcs7_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanPlist':
- positive:
flavors:
- 'bplist_file'
- 'plist_file'
priority: 5
options:
keys:
- 'KeepAlive'
- 'Label'
- 'NetworkState'
- 'Program'
- 'ProgramArguments'
- 'RunAtLoad'
- 'StartInterval'
'ScanRar':
- positive:
flavors:
- 'application/x-rar'
- 'rar_file'
priority: 5
options:
limit: 1000
'ScanRpm':
- positive:
flavors:
- 'application/x-rpm'
- 'rpm_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanRtf':
- positive:
flavors:
- 'text/rtf'
- 'rtf_file'
priority: 5
options:
limit: 1000
'ScanRuby':
- positive:
flavors:
- 'text/x-ruby'
priority: 5
'ScanSwf':
- positive:
flavors:
- 'application/x-shockwave-flash'
- 'fws_file'
- 'cws_file'
- 'zws_file'
priority: 5
'ScanTar':
- positive:
flavors:
- 'application/x-tar'
- 'tar_file'
priority: 5
options:
limit: 1000
'ScanTnef':
- positive:
flavors:
- 'application/vnd.ms-tnef'
- 'tnef_file'
priority: 5
'ScanUpx':
- positive:
flavors:
- 'upx_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanUrl':
- negative:
flavors:
- 'javascript_file'
positive:
flavors:
- 'text/plain'
priority: 5
'ScanVb':
- positive:
flavors:
- 'vb_file'
- 'vbscript'
priority: 5
'ScanVba':
- positive:
flavors:
- 'mhtml_file'
- 'application/msword'
- 'olecf_file'
- 'wordml_file'
priority: 5
options:
analyze_macros: True
'ScanX509':
- positive:
flavors:
- 'x509_der_file'
priority: 5
options:
type: 'der'
- positive:
flavors:
- 'x509_pem_file'
priority: 5
options:
type: 'pem'
'ScanXml':
- positive:
flavors:
- 'application/xml'
- 'text/xml'
- 'xml_file'
- 'mso_file'
- 'soap_file'
priority: 5
'ScanYara':
- positive:
flavors:
- '*'
priority: 5
options:
location: '/etc/yara/'
'ScanZip':
- positive:
flavors:
- 'application/java-archive'
- 'application/zip'
- 'zip_file'
- 'application/vnd.openxmlformats-officedocument'
- 'application/vnd.openxmlformats-officedocument.presentationml.presentation'
- 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
- 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'
- 'ooxml_file'
priority: 5
options:
limit: 1000
password_file: '/etc/strelka/passwords.dat'
'ScanZlib':
- positive:
flavors:
- 'application/zlib'
- 'zlib_file'
priority: 5

1
salt/strelka/files/backend/backend.yaml.jinja Normal file
View File

@@ -0,0 +1 @@
{{ BACKENDCONFIG | yaml(false) }}

78
salt/strelka/files/backend/logging.yaml
View File

@@ -1,78 +0,0 @@
version: 1
formatters:
simple:
format: '%(asctime)s - [%(levelname)s] %(name)s [%(module)s.%(funcName)s]: %(message)s'
datefmt: '%Y-%m-%d %H:%M:%S'
handlers:
console:
class: logging.StreamHandler
formatter: simple
stream: ext://sys.stdout
root:
level: DEBUG
handlers: [console]
loggers:
OpenSSL:
propagate: 0
bs4:
propagate: 0
bz2:
propagate: 0
chardet:
propagate: 0
docx:
propagate: 0
elftools:
propagate: 0
email:
propagate: 0
entropy:
propagate: 0
esprima:
propagate: 0
gzip:
propagate: 0
hashlib:
propagate: 0
json:
propagate: 0
libarchive:
propagate: 0
lxml:
propagate: 0
lzma:
propagate: 0
macholibre:
propagate: 0
olefile:
propagate: 0
oletools:
propagate: 0
pdfminer:
propagate: 0
pefile:
propagate: 0
pgpdump:
propagate: 0
pygments:
propagate: 0
pylzma:
propagate: 0
rarfile:
propagate: 0
requests:
propagate: 0
rpmfile:
propagate: 0
ssdeep:
propagate: 0
tarfile:
propagate: 0
tnefparse:
propagate: 0
yara:
propagate: 0
zipfile:
propagate: 0
zlib:
propagate: 0

1
salt/strelka/files/backend/logging.yaml.jinja Normal file
View File

@@ -0,0 +1 @@
{{ LOGGINGCONFIG | yaml(false) }}

2
salt/strelka/files/backend/passwords.dat
View File

@@ -1,2 +0,0 @@
infected
password

1
salt/strelka/files/backend/passwords.dat.jinja Normal file
View File

@@ -0,0 +1 @@
{{ PASSWORDS | join('\n') }}

26
salt/strelka/files/filestream/filestream.yaml
View File

@@ -1,26 +0,0 @@
{%- if grains.role in ['so-sensor', 'so-heavynode'] -%}
{%- set mainint = salt['pillar.get']('host:mainint') %}
{%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %}
{%- else %}
{%- set ip = salt['pillar.get']('global:managerip') %}
{%- endif -%}
conn:
server: '{{ ip }}:57314'
cert: ''
timeout:
dial: 5s
file: 1m
throughput:
concurrency: 8
chunk: 32768
delay: 0s
files:
patterns:
- '/nsm/strelka/unprocessed/*'
delete: false
gatekeeper: true
processed: '/nsm/strelka/processed'
response:
report: 5s
delta: 5s
staging: '/nsm/strelka/staging'

1
salt/strelka/files/filestream/filestream.yaml.jinja Normal file
View File

@@ -0,0 +1 @@
{{ FILESTREAMCONFIG | yaml(false) }}

16
salt/strelka/files/frontend/frontend.yaml
View File

@@ -1,16 +0,0 @@
{%- if grains.role in ['so-sensor', 'so-heavynode'] -%}
{%- set mainint = salt['pillar.get']('host:mainint') %}
{%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %}
{%- else %}
{%- set ip = salt['pillar.get']('global:managerip') %}
{%- endif -%}
server: ":57314"
coordinator:
addr: '{{ ip }}:6380'
db: 0
gatekeeper:
addr: '{{ ip }}:6381'
db: 0
ttl: 1h
response:
log: "/var/log/strelka/strelka.log"

1
salt/strelka/files/frontend/frontend.yaml.jinja Normal file
View File

@@ -0,0 +1 @@
{{ FRONTENDCONFIG | yaml(false) }}

9
salt/strelka/files/manager/manager.yaml
View File

@@ -1,9 +0,0 @@
{%- if grains.role in ['so-sensor', 'so-heavynode'] -%}
{%- set mainint = salt['pillar.get']('host:mainint') %}
{%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %}
{%- else %}
{%- set ip = salt['pillar.get']('global:managerip') %}
{%- endif -%}
coordinator:
addr: '{{ ip }}:6380'
db: 0

1
salt/strelka/files/manager/manager.yaml.jinja Normal file
View File

@@ -0,0 +1 @@
{{ MANAGERCONFIG | yaml(false) }}

119
salt/strelka/init.sls
View File

@@ -7,16 +7,10 @@
{% if sls in allowed_states %} {% if sls in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %}
{% import_yaml 'strelka/defaults.yaml' as strelka_config with context %}
{% set IGNORELIST = salt['pillar.get']('strelka:ignore', strelka_config.strelka.ignore, merge=True, merge_nested_lists=True) %}
{% set ENGINE = salt['pillar.get']('global:mdengine', '') %}
{% if ENGINE == "SURICATA" %} {% from 'strelka/map.jinja' import STRELKAMERGED %}
{% set filecheck_runas = 'suricata' %} {% from 'strelka/filecheck/map.jinja' import FILECHECKDEFAULTS %}
{% else %} {% from 'strelka/filecheck/map.jinja' import filecheck_runas %}
{% set filecheck_runas = 'socore' %}
{% endif %}
# Strelka config # Strelka config
strelkaconfdir: strelkaconfdir:
@@ -33,16 +27,79 @@ strelkarulesdir:
- group: 939 - group: 939
- makedirs: True - makedirs: True
# Sync dynamic config to conf dir backend_backend_config:
strelkasync: file.managed:
file.recurse: - name: /opt/so/conf/strelka/backend/backend.yaml
- name: /opt/so/conf/strelka/ - source: salt://strelka/files/backend/backend.yaml.jinja
- source: salt://strelka/files - template: jinja
- user: 939 - user: 939
- group: 939 - group: 939
- template: jinja - makedirs: True
- defaults:
BACKENDCONFIG: {{ STRELKAMERGED.config.backend.backend }}
{% if STRELKA_RULES == 1 %} backend_logging_config:
file.managed:
- name: /opt/so/conf/strelka/backend/logging.yaml
- source: salt://strelka/files/backend/logging.yaml.jinja
- template: jinja
- user: 939
- group: 939
- defaults:
LOGGINGCONFIG: {{ STRELKAMERGED.config.backend.logging }}
backend_passwords:
file.managed:
- name: /opt/so/conf/strelka/backend/passwords.dat
- source: salt://strelka/files/backend/passwords.dat.jinja
- template: jinja
- user: 939
- group: 939
- defaults:
PASSWORDS: {{ STRELKAMERGED.config.backend.passwords }}
backend_taste:
file.managed:
- name: /opt/so/conf/strelka/backend/taste/taste.yara
- source: salt://strelka/files/backend/taste/taste.yara
- makedirs: True
- user: 939
- group: 939
filestream_config:
file.managed:
- name: /opt/so/conf/strelka/filestream/filestream.yaml
- source: salt://strelka/files/filestream/filestream.yaml.jinja
- template: jinja
- user: 939
- group: 939
- makedirs: True
- defaults:
FILESTREAMCONFIG: {{ STRELKAMERGED.config.filestream }}
frontend_config:
file.managed:
- name: /opt/so/conf/strelka/frontend/frontend.yaml
- source: salt://strelka/files/frontend/frontend.yaml.jinja
- template: jinja
- user: 939
- group: 939
- makedirs: True
- defaults:
FRONTENDCONFIG: {{ STRELKAMERGED.config.frontend }}
manager_config:
file.managed:
- name: /opt/so/conf/strelka/manager/manager.yaml
- source: salt://strelka/files/manager/manager.yaml.jinja
- template: jinja
- user: 939
- group: 939
- makedirs: True
- defaults:
MANAGERCONFIG: {{ STRELKAMERGED.config.manager }}
{% if STRELKAMERGED.rules.enabled %}
strelkarules: strelkarules:
file.recurse: file.recurse:
@@ -51,23 +108,15 @@ strelkarules:
- user: 939 - user: 939
- group: 939 - group: 939
- clean: True - clean: True
- exclude_pat:
{% for IGNOREDRULE in IGNORELIST %}
- {{ IGNOREDRULE }}
{% endfor %}
{% for IGNOREDRULE in IGNORELIST %}
remove_rule_{{ IGNOREDRULE }}:
file.absent:
- name: /opt/so/conf/strelka/rules/signature-base/{{ IGNOREDRULE }}
{% endfor %}
{% if grains['role'] in GLOBALS.manager_roles %} {% if grains['role'] in GLOBALS.manager_roles %}
strelkarepos: strelkarepos:
file.managed: file.managed:
- name: /opt/so/saltstack/default/salt/strelka/rules/repos.txt - name: /opt/so/conf/strelka/repos.txt
- source: salt://strelka/rules/repos.txt.jinja - source: salt://strelka/rules/repos.txt.jinja
- template: jinja - template: jinja
- defaults:
STRELKAREPOS: {{ STRELKAMERGED.rules.repos }}
{% endif %} {% endif %}
{% endif %} {% endif %}
@@ -133,8 +182,10 @@ filecheck_history:
filecheck_conf: filecheck_conf:
file.managed: file.managed:
- name: /opt/so/conf/strelka/filecheck.yaml - name: /opt/so/conf/strelka/filecheck.yaml
- source: salt://strelka/filecheck/filecheck.yaml - source: salt://strelka/filecheck/filecheck.yaml.jinja
- template: jinja - template: jinja
- defaults:
FILECHECKCONFIG: {{ FILECHECKDEFAULTS }}
filecheck_script: filecheck_script:
file.managed: file.managed:
@@ -173,7 +224,7 @@ strelka_coordinator:
- ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }} - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }}
- entrypoint: redis-server --save "" --appendonly no - entrypoint: redis-server --save "" --appendonly no
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %} {% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
@@ -193,7 +244,7 @@ strelka_gatekeeper:
- ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }} - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }}
- entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %} {% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
@@ -217,7 +268,7 @@ strelka_frontend:
- ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }} - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }}
- command: strelka-frontend - command: strelka-frontend
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %} {% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
@@ -240,7 +291,7 @@ strelka_backend:
- ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }} - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }}
- command: strelka-backend - command: strelka-backend
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- restart_policy: on-failure - restart_policy: on-failure
append_so-strelka-backend_so-status.conf: append_so-strelka-backend_so-status.conf:
@@ -259,7 +310,7 @@ strelka_manager:
- ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }} - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }}
- command: strelka-manager - command: strelka-manager
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
append_so-strelka-manager_so-status.conf: append_so-strelka-manager_so-status.conf:
file.append: file.append:
@@ -278,7 +329,7 @@ strelka_filestream:
- ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }} - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }}
- command: strelka-filestream - command: strelka-filestream
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
append_so-strelka-filestream_so-status.conf: append_so-strelka-filestream_so-status.conf:
file.append: file.append:

20
salt/strelka/map.jinja Normal file
View File

@@ -0,0 +1,20 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'strelka/defaults.yaml' as STRELKADEFAULTS %}
{% set HOST = GLOBALS.hostname %}
{% set backend_coordinator_port = STRELKADEFAULTS.strelka.config.backend.backend.coordinator.addr.split(':')[1] %}
{% do STRELKADEFAULTS.strelka.config.backend.backend.coordinator.update({'addr': HOST ~ ':' ~ backend_coordinator_port}) %}
{% set filestream_conn_port = STRELKADEFAULTS.strelka.config.filestream.conn.server.split(':')[1] %}
{% do STRELKADEFAULTS.strelka.config.filestream.conn.update({'server': HOST ~ ':' ~ filestream_conn_port}) %}
{% set frontend_coordinator_port = STRELKADEFAULTS.strelka.config.frontend.coordinator.addr.split(':')[1] %}
{% do STRELKADEFAULTS.strelka.config.frontend.coordinator.update({'addr': HOST ~ ':' ~ frontend_coordinator_port}) %}
{% set frontend_gatekeeper_port = STRELKADEFAULTS.strelka.config.frontend.gatekeeper.addr.split(':')[1] %}
{% do STRELKADEFAULTS.strelka.config.frontend.gatekeeper.update({'addr': HOST ~ ':' ~ frontend_gatekeeper_port}) %}
{% set manager_coordinator_port = STRELKADEFAULTS.strelka.config.manager.coordinator.addr.split(':')[1] %}
{% do STRELKADEFAULTS.strelka.config.manager.coordinator.update({'addr': HOST ~ ':' ~ manager_coordinator_port}) %}
{% set STRELKAMERGED = salt['pillar.get']('strelka', STRELKADEFAULTS.strelka, merge=True) %}

4
salt/strelka/rules/ignore.txt
View File

@@ -1,4 +0,0 @@
generic_anomalies.yar
general_cloaking.yar
thor_inverse_matches.yar
yara_mixed_ext_vars.yar

1
salt/strelka/rules/repos.txt
View File

@@ -1 +0,0 @@
https://github.com/Neo23x0/signature-base

6
salt/strelka/rules/repos.txt.jinja
View File

@@ -1,4 +1,2 @@
# DO NOT EDIT THIS FILE! Strelka YARA rule repos are stored here from the strelka.repos pillar section # DO NOT EDIT THIS FILE! Strelka YARA rule repos are stored here from the strelka:rules:repos pillar section
{%- for repo in salt['pillar.get']('strelka:repos', {}) %} {{ STRELKAREPOS | join('\n') }}
{{ repo }}
{%- endfor %}