Merge pull request #162 from Security-Onion-Solutions/feature/strelka

Strelka - initial config
This commit is contained in:
Mike Reeves
2019-12-20 10:28:37 -05:00
committed by GitHub
9 changed files with 1449 additions and 0 deletions


@@ -3,6 +3,7 @@
{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
{%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1') %} {%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1') %}
{%- set FLEETENABLED = salt['pillar.get']('static:fleet_enabled', '1') %} {%- set FLEETENABLED = salt['pillar.get']('static:fleet_enabled', '1') %}
{%- set STRELKAENABLED = salt['pillar.get']('static:strelka_enabled', '1') %}
name: {{ HOSTNAME }} name: {{ HOSTNAME }}
@@ -126,6 +127,19 @@ filebeat.prospectors:
clean_removed: false clean_removed: false
close_removed: false close_removed: false
{%- endif %}
{%- if STRELKAENABLED == '1' %}
- type: log
paths:
- /opt/so/log/strelka/strelka.log
fields:
type: strelka
fields_under_root: true
clean_removed: false
close_removed: false
{%- endif %} {%- endif %}
#----------------------------- Logstash output --------------------------------- #----------------------------- Logstash output ---------------------------------
output.logstash: output.logstash:


@@ -0,0 +1,423 @@
{%- set ip = salt['pillar.get']('static:masterip', '') %}
logging_cfg: '/etc/strelka/logging.yaml'
limits:
max_files: 5000
time_to_live: 900
max_depth: 15
distribution: 600
scanner: 150
coordinator:
addr: '{{ ip }}:6380'
db: 0
tasting:
mime_db: null
yara_rules: '/etc/strelka/taste/'
scanners:
'ScanBase64':
- positive:
filename: '^base64_'
priority: 5
'ScanBatch':
- positive:
flavors:
- 'text/x-msdos-batch'
- 'batch_file'
priority: 5
'ScanBzip2':
- positive:
flavors:
- 'application/x-bzip2'
- 'bzip2_file'
priority: 5
'ScanDocx':
- positive:
flavors:
- 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
priority: 5
options:
extract_text: False
'ScanElf':
- positive:
flavors:
- 'application/x-object'
- 'application/x-executable'
- 'application/x-sharedlib'
- 'application/x-coredump'
- 'elf_file'
priority: 5
'ScanEmail':
- positive:
flavors:
- 'application/vnd.ms-outlook'
- 'message/rfc822'
- 'email_file'
priority: 5
'ScanEntropy':
- positive:
flavors:
- '*'
priority: 5
'ScanExiftool':
- positive:
flavors:
- 'application/msword'
- 'application/vnd.openxmlformats-officedocument'
- 'application/vnd.openxmlformats-officedocument.presentationml.presentation'
- 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
- 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'
- 'olecf_file'
- 'ooxml_file'
- 'audio/mpeg'
- 'mp3_file'
- 'mhtml_file'
- 'application/pdf'
- 'pdf_file'
- 'text/rtf'
- 'rtf_file'
- 'wordml_file'
- 'application/x-dosexec'
- 'mz_file'
- 'application/x-object'
- 'application/x-executable'
- 'application/x-sharedlib'
- 'application/x-coredump'
- 'elf_file'
- 'lnk_file'
- 'application/x-mach-binary'
- 'macho_file'
- 'image/gif'
- 'gif_file'
- 'image/jpeg'
- 'jpeg_file'
- 'image/png'
- 'png_file'
- 'image/tiff'
- 'type_is_tiff'
- 'image/x-ms-bmp'
- 'bmp_file'
- 'application/x-shockwave-flash'
- 'fws_file'
- 'psd_file'
- 'video/mp4'
- 'video/quicktime'
- 'video/x-msvideo'
- 'avi_file'
- 'video/x-ms-wmv'
- 'wmv_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanGif':
- positive:
flavors:
- 'image/gif'
- 'gif_file'
priority: 5
'ScanGzip':
- positive:
flavors:
- 'application/gzip'
- 'application/x-gzip'
- 'gzip_file'
priority: 5
'ScanHash':
- positive:
flavors:
- '*'
priority: 5
'ScanHeader':
- positive:
flavors:
- '*'
priority: 5
options:
length: 50
'ScanHtml':
- positive:
flavors:
- 'hta_file'
- 'text/html'
- 'html_file'
priority: 5
options:
parser: "html5lib"
'ScanIni':
- positive:
filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$'
flavors:
- 'ini_file'
priority: 5
'ScanJarManifest':
- positive:
flavors:
- 'jar_manifest_file'
priority: 5
'ScanJavascript':
- negative:
flavors:
- 'text/html'
- 'html_file'
positive:
flavors:
- 'javascript_file'
- 'text/javascript'
priority: 5
options:
beautify: True
'ScanJpeg':
- positive:
flavors:
- 'image/jpeg'
- 'jpeg_file'
priority: 5
'ScanJson':
- positive:
flavors:
- 'application/json'
- 'json_file'
priority: 5
'ScanLibarchive':
- positive:
flavors:
- 'application/vnd.ms-cab-compressed'
- 'cab_file'
- 'application/x-7z-compressed'
- '_7zip_file'
- 'application/x-cpio'
- 'cpio_file'
- 'application/x-xar'
- 'xar_file'
- 'arj_file'
- 'iso_file'
- 'application/x-debian-package'
- 'debian_package_file'
priority: 5
options:
limit: 1000
'ScanLzma':
- positive:
flavors:
- 'application/x-lzma'
- 'lzma_file'
- 'application/x-xz'
- 'xz_file'
priority: 5
'ScanMacho':
- positive:
flavors:
- 'application/x-mach-binary'
- 'macho_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanMmbot':
- positive:
flavors:
- 'vb_file'
- 'vbscript'
priority: 5
options:
server: 'strelka_mmrpc_1:33907'
'ScanOcr':
- positive:
flavors:
- 'image/jpeg'
- 'jpeg_file'
- 'image/png'
- 'png_file'
- 'image/tiff'
- 'type_is_tiff'
- 'image/x-ms-bmp'
- 'bmp_file'
priority: 5
options:
extract_text: False
tmp_directory: '/dev/shm/'
'ScanOle':
- positive:
flavors:
- 'application/CDFV2'
- 'application/msword'
- 'olecf_file'
priority: 5
'ScanPdf':
- positive:
flavors:
- 'application/pdf'
- 'pdf_file'
priority: 5
options:
extract_text: False
limit: 2000
'ScanPe':
- positive:
flavors:
- 'application/x-dosexec'
- 'mz_file'
priority: 5
'ScanPgp':
- positive:
flavors:
- 'application/pgp-keys'
- 'pgp_file'
priority: 5
'ScanPhp':
- positive:
flavors:
- 'text/x-php'
- 'php_file'
priority: 5
'ScanPkcs7':
- positive:
flavors:
- 'pkcs7_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanPlist':
- positive:
flavors:
- 'bplist_file'
- 'plist_file'
priority: 5
options:
keys:
- 'KeepAlive'
- 'Label'
- 'NetworkState'
- 'Program'
- 'ProgramArguments'
- 'RunAtLoad'
- 'StartInterval'
'ScanRar':
- positive:
flavors:
- 'application/x-rar'
- 'rar_file'
priority: 5
options:
limit: 1000
'ScanRpm':
- positive:
flavors:
- 'application/x-rpm'
- 'rpm_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanRtf':
- positive:
flavors:
- 'text/rtf'
- 'rtf_file'
priority: 5
options:
limit: 1000
'ScanRuby':
- positive:
flavors:
- 'text/x-ruby'
priority: 5
'ScanSwf':
- positive:
flavors:
- 'application/x-shockwave-flash'
- 'fws_file'
- 'cws_file'
- 'zws_file'
priority: 5
'ScanTar':
- positive:
flavors:
- 'application/x-tar'
- 'tar_file'
priority: 5
options:
limit: 1000
'ScanTnef':
- positive:
flavors:
- 'application/vnd.ms-tnef'
- 'tnef_file'
priority: 5
'ScanUpx':
- positive:
flavors:
- 'upx_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanUrl':
- negative:
flavors:
- 'javascript_file'
positive:
flavors:
- 'text/plain'
priority: 5
'ScanVb':
- positive:
flavors:
- 'vb_file'
- 'vbscript'
priority: 5
'ScanVba':
- positive:
flavors:
- 'mhtml_file'
- 'application/msword'
- 'olecf_file'
- 'wordml_file'
priority: 5
options:
analyze_macros: True
'ScanX509':
- positive:
flavors:
- 'x509_der_file'
priority: 5
options:
type: 'der'
- positive:
flavors:
- 'x509_pem_file'
priority: 5
options:
type: 'pem'
'ScanXml':
- positive:
flavors:
- 'application/xml'
- 'text/xml'
- 'xml_file'
- 'mso_file'
- 'soap_file'
priority: 5
'ScanYara':
- positive:
flavors:
- '*'
priority: 5
options:
location: '/etc/yara/'
'ScanZip':
- positive:
flavors:
- 'application/java-archive'
- 'application/zip'
- 'zip_file'
- 'application/vnd.openxmlformats-officedocument'
- 'application/vnd.openxmlformats-officedocument.presentationml.presentation'
- 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
- 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'
- 'ooxml_file'
priority: 5
options:
limit: 1000
password_file: '/etc/strelka/passwords.dat'
'ScanZlib':
- positive:
flavors:
- 'application/zlib'
- 'zlib_file'
priority: 5
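Review bot: `ScanMmbot` at the `server: 'strelka_mmrpc_1:33907'` line points at a hostname that nothing in this PR creates (the init.sls section defines only coordinator, gatekeeper, frontend, backend, manager and filestream containers), so unless an mmrpc service exists elsewhere every `vb_file`/`vbscript` sample will fail that scanner with a connection error; either add the service or drop the `ScanMmbot` entry. Separately, `{%- set ip = salt['pillar.get']('static:masterip', '') %}` at the top of this file — and the identical line opening the filestream, frontend and manager configs — defaults to an empty string, so a missing pillar value renders `addr: ':6380'` silently instead of failing; a non-empty default or an explicit check that aborts the render when `ip` is empty would surface the misconfiguration at render time rather than as a connection error inside the container.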


@@ -0,0 +1,78 @@
version: 1
formatters:
simple:
format: '%(asctime)s - [%(levelname)s] %(name)s [%(module)s.%(funcName)s]: %(message)s'
datefmt: '%Y-%m-%d %H:%M:%S'
handlers:
console:
class: logging.StreamHandler
formatter: simple
stream: ext://sys.stdout
root:
level: DEBUG
handlers: [console]
loggers:
OpenSSL:
propagate: 0
bs4:
propagate: 0
bz2:
propagate: 0
chardet:
propagate: 0
docx:
propagate: 0
elftools:
propagate: 0
email:
propagate: 0
entropy:
propagate: 0
esprima:
propagate: 0
gzip:
propagate: 0
hashlib:
propagate: 0
json:
propagate: 0
libarchive:
propagate: 0
lxml:
propagate: 0
lzma:
propagate: 0
macholibre:
propagate: 0
olefile:
propagate: 0
oletools:
propagate: 0
pdfminer:
propagate: 0
pefile:
propagate: 0
pgpdump:
propagate: 0
pygments:
propagate: 0
pylzma:
propagate: 0
rarfile:
propagate: 0
requests:
propagate: 0
rpmfile:
propagate: 0
ssdeep:
propagate: 0
tarfile:
propagate: 0
tnefparse:
propagate: 0
yara:
propagate: 0
zipfile:
propagate: 0
zlib:
propagate: 0
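Review bot: `root: level: DEBUG` ships the backend with debug logging on by default, which is chatty per scanned file and, because the only handler streams to `ext://sys.stdout`, ends up in the container log of every backend; `INFO` is the usual shipped default, with DEBUG raised only while troubleshooting. The long run of `propagate: 0` entries sets no level on those third-party loggers, it only stops their records reaching the root handler — presumably the intent, but a one-line comment above `loggers:` such as `# third-party loggers keep their own level; records are not propagated to root` would save the next reader from guessing.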


@@ -0,0 +1,2 @@
infected
password


@@ -0,0 +1,748 @@
// Archive Files
rule _7zip_file
{
meta:
type = "archive"
strings:
$a = { 37 7A BC AF 27 1C }
condition:
$a at 0
}
rule arj_file
{
meta:
type = "archive"
condition:
uint16(0) == 0xEA60
}
rule cab_file
{
meta:
type = "archive"
strings:
$a = { 4D 53 43 46 00 00 00 00 }
condition:
$a at 0 or
( uint16(0) == 0x5A4D and $a )
}
rule cpio_file
{
meta:
type = "archive"
strings:
$a = { 30 37 30 37 30 31 }
condition:
$a at 0
}
rule iso_file
{
meta:
type = "archive"
strings:
$a = { 43 44 30 30 31 }
condition:
$a at 0x8001 and $a at 0x8801 and $a at 0x9001
}
rule mhtml_file
{
meta:
type = "archive"
strings:
$a = "MIME-Version: 1.0"
$b = "This document is a Single File Web Page, also known as a Web Archive file"
condition:
$a at 0 and $b
}
rule rar_file
{
meta:
type = "archive"
condition:
uint16(0) == 0x6152 and uint8(2) == 0x72 and uint16(3) == 0x1A21 and uint8(5) == 0x07
}
rule tar_file
{
meta:
type = "archive"
strings:
$a = { 75 73 74 61 72 }
condition:
uint16(0) == 0x9D1F or
uint16(0) == 0xA01F or
$a at 257
}
rule xar_file
{
meta:
type = "archive"
condition:
uint32(0) == 0x21726178
}
rule zip_file
{
meta:
type = "archive"
condition:
( uint32(0) == 0x04034B50 and not uint32(4) == 0x00060014 )
}
// Audio Files
rule mp3_file
{
meta:
type = "audio"
condition:
uint16(0) == 0x4449 and uint8(2) == 0x33
}
// Certificate Files
rule pkcs7_file
{
meta:
type = "certificate"
strings:
$a = "-----BEGIN PKCS7-----"
condition:
(uint16(0) == 0x8230 and uint16(4) == 0x0906) or
uint32(0) == 0x09068030 or
$a at 0
}
rule x509_der_file
{
meta:
type = "certificate"
condition:
uint16(0) == 0x8230 and ( uint16(4) == 0x8230 or uint16(4) == 0x8130 )
}
rule x509_pem_file
{
meta:
type = "certificate"
strings:
$a = "-----BEGIN CERTI"
condition:
$a at 0
}
// Compressed Files
rule bzip2_file
{
meta:
type = "compressed"
condition:
uint16(0) == 0x5A42 and uint8(2) == 0x68
}
rule gzip_file
{
meta:
type = "compressed"
condition:
uint16(0) == 0x8B1F and uint8(2) == 0x08
}
rule lzma_file
{
meta:
type = "compressed"
condition:
uint16(0) == 0x005D and uint8(2) == 0x00
}
rule xz_file
{
meta:
type = "compressed"
condition:
uint32(0) == 0x587A37FD and uint16(4) == 0x005A
}
// Document Files
rule doc_subheader_file
{
meta:
type = "document"
condition:
uint32(0) == 0x00C1A5EC
}
rule mso_file
{
meta:
type = "document"
strings:
$a = { 3C 3F 6D 73 6F 2D 61 70 70 6C 69 63 61 74 69 6F 6E 20 } // <?mso-application
$b = { 3C 3F 6D 73 6F 2D 63 6F 6E 74 65 6E 74 54 79 70 65 } // <?mso-contentType
condition:
$a at 0 or
$b at 0
}
rule olecf_file
{
meta:
description = "Object Linking and Embedding (OLE) Compound File (CF)"
type = "document"
condition:
uint32(0) == 0xE011CFD0 and uint32(4) == 0xE11AB1A1
}
rule ooxml_file
{
meta:
description = "Microsoft Office Open XML Format"
type = "document"
condition:
uint32(0) == 0x04034B50 and uint32(4) == 0x00060014
}
rule pdf_file
{
meta:
description = "Portable Document Format"
type = "document"
condition:
uint32(0) == 0x46445025
}
rule poi_hpbf_file
{
meta:
description = "https://poi.apache.org/components/hpbf/file-format.html"
type = "document"
strings:
$a = { 43 48 4E 4B 49 4E 4B } // CHNKINK
condition:
$a at 0
}
rule rtf_file
{
meta:
type = "document"
condition:
uint32(0) == 0x74725C7B
}
rule vbframe_file
{
meta:
type = "document"
strings:
$a = { 56 45 52 53 49 4F 4E 20 35 2E 30 30 0D 0A 42 65 67 69 6E } // VERSION 5.00\r\nBegin
condition:
$a at 0
}
rule wordml_file
{
meta:
description = "Microsoft Office Word 2003 XML format"
type = "document"
strings:
$a = { 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D } // <?xml version=
$b = "http://schemas.microsoft.com/office/word/2003/wordml"
condition:
$a at 0 and $b
}
rule xfdf_file
{
meta:
description = "XML Forms Data Format"
type = "document"
strings:
$a = { 3C 78 66 64 66 20 78 6D 6C 6E 73 3D } // <xfdf xmlns=
condition:
$a at 0
}
// Email Files
rule email_file
{
meta:
type = "email"
strings:
$a = "\x0aReceived:" nocase fullword
$b = "\x0AReturn-Path:" nocase fullword
$c = "\x0aMessage-ID:" nocase fullword
$d = "\x0aReply-To:" nocase fullword
$e = "\x0aX-Mailer:" nocase fullword
condition:
$a in (0..2048) or
$b in (0..2048) or
$c in (0..2048) or
$d in (0..2048) or
$e in (0..2048)
}
rule tnef_file
{
meta:
description = "Transport Neutral Encapsulation Format"
type = "email"
condition:
uint32(0) == 0x223E9F78
}
// Encryption Files
rule pgp_file
{
meta:
type = "encryption"
strings:
$a = { ?? ?? 2D 2D 2D 42 45 47 49 4E 20 50 47 50 20 50 55 42 4C 49 43 20 4B 45 59 20 42 4C 4F 43 4B 2D } // (.{2})(\x2D\x2D\x2DBEGIN PGP PUBLIC KEY BLOCK\x2D)
$b = { ?? ?? 2D 2D 2D 42 45 47 49 4E 20 50 47 50 20 53 49 47 4E 41 54 55 52 45 2D } // (\x2D\x2D\x2D\x2D\x2DBEGIN PGP SIGNATURE\x2D)
$c = { ?? ?? 2D 2D 2D 42 45 47 49 4E 20 50 47 50 20 4D 45 53 53 41 47 45 2D } // (\x2D\x2D\x2D\x2D\x2DBEGIN PGP MESSAGE\x2D)
condition:
$a at 0 or
$b at 0 or
$c at 0
}
// Executable Files
rule elf_file
{
meta:
description = "Executable and Linkable Format"
type = "executable"
condition:
uint32(0) == 0x464C457F
}
rule lnk_file
{
meta:
description = "Windows Shortcut file"
type = "executable"
condition:
uint32(0) == 0x0000004C
}
rule macho_file
{
meta:
description = "Mach object"
type = "executable"
condition:
uint32(0) == 0xCEFAEDFE or
uint32(0) == 0xCFFAEDFE or
uint32(0) == 0xFEEDFACE or
uint32(0) == 0xFEEDFACF
}
rule mz_file
{
meta:
description = "DOS MZ executable"
type = "executable"
condition:
uint16(0) == 0x5A4D
}
// Image Files
rule bmp_file
{
meta:
type = "image"
strings:
$a = { 42 4D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ( 0C | 28 | 40 | 6C | 7C | 80 ) 00 } // BM
condition:
$a at 0
}
rule cmap_file
{
meta:
type = "image"
strings:
$a = { 62 65 67 69 6E 63 6D 61 70 } // begincmap
condition:
$a at 0
}
rule gif_file
{
meta:
description = "Graphics Interchange Format"
type = "image"
condition:
uint32(0) == 0x38464947 and ( uint16(4) == 0x6137 or uint16(4) == 0x6139 )
}
rule jpeg_file
{
meta:
type = "image"
condition:
uint32(0) == 0xE0FFD8FF or
uint32(0) == 0xE1FFD8FF or
uint32(0) == 0xE2FFD8FF or
uint32(0) == 0xE8FFD8FF
}
rule postscript_file
{
meta:
type = "image"
strings:
$a = { 25 21 50 53 2D 41 64 6F 62 65 2D 33 2E 30 } // %!PS-Adobe-3.0
condition:
$a at 0
}
rule png_file
{
meta:
type = "image"
condition:
uint32(0) == 0x474E5089
}
rule psd_file
{
meta:
description = "Photoshop Document"
type = "image"
condition:
uint32(0) == 0x53504238
}
rule psd_image_file
{
meta:
description = "Photoshop Document image resource block"
type = "image"
condition:
uint32(0) == 0x4D494238
}
rule svg_file
{
meta:
type = "image"
strings:
$a = { 3C 73 76 67 20 } // <svg
condition:
$a at 0
}
rule xicc_file
{
meta:
type = "image"
strings:
$a = { 58 49 43 43 5F 50 52 4F 46 49 4C 45 } // XICC_PROFILE
condition:
$a at 0
}
rule xmp_file
{
meta:
type = "image"
strings:
$a = { 3C 3F 78 70 61 63 6B 65 74 20 62 65 67 69 6E 3D } // <?xpacket begin=
$b = { 3C 78 3A 78 6D 70 6D 65 74 61 20 78 6D 6C 6E 73 3A 78 3D } // <x:xmpmeta xmlns:x=
condition:
$a at 0 or $b at 0
}
// Metadata Files
rule jar_manifest_file
{
meta:
type = "metadata"
condition:
uint32(0) == 0x696E614D and uint32(4) == 0x74736566
}
rule bplist_file
{
meta:
description = "Binary Property List"
type = "metadata"
condition:
uint32(0) == 0x696C7062 and uint32(4) == 0x30307473
}
// Multimedia Files
rule fws_file
{
meta:
type = "multimedia"
condition:
uint16(0) == 0x5746 and uint8(2) == 0x53
}
rule cws_file
{
meta:
description = "zlib compressed Flash file"
type = "multimedia"
condition:
uint16(0) == 0x5743 and uint8(2) == 0x53
}
rule zws_file
{
meta:
description = "LZMA compressed Flash file"
type = "multimedia"
condition:
uint16(0) == 0x575A and uint8(2) == 0x53
}
// Package Files
rule debian_package_file
{
meta:
type = "package"
strings:
$a = { 21 3C 61 72 63 68 3E 0A 64 65 62 69 61 6E } // \x21\x3Carch\x3E\x0Adebian
condition:
$a at 0
}
rule rpm_file
{
meta:
type = "package"
condition:
uint32(0) == 0x6D707264 or uint32(0) == 0xDBEEABED
}
// Packer Files
rule upx_file
{
meta:
description = "Ultimate Packer for Executables"
type = "packer"
strings:
$a = {55505830000000}
$b = {55505831000000}
$c = "UPX!"
condition:
uint16(0) == 0x5A4D and
$a in (0..1024) and
$b in (0..1024) and
$c in (0..1024)
}
// Script Files
rule batch_file
{
meta:
type = "script"
strings:
$a = { ( 45 | 65 ) ( 43 | 63 ) ( 48 | 68 ) ( 4F | 6F ) 20 ( 4F | 6F) ( 46 | 66 ) ( 46 | 66 ) } // [Ee][Cc][Hh][Oo] [Oo][Ff][Ff]
condition:
$a at 0
}
rule javascript_file
{
meta:
type = "script"
strings:
$var = { 76 61 72 20 } // var
$function1 = { 66 75 6E 63 74 69 6F 6E } // function
$function2 = { 28 66 75 6E 63 74 69 6F 6E } // (function
$function3 = { 66 75 6E 63 74 69 6F 6E [0-1] 28 } // function[0-1](
$if = { 69 66 [0-1] 28 } // if[0-1](
$misc1 = { 24 28 } // $(
$misc2 = { 2F ( 2A | 2F ) } // \/(\/|\*)
$jquery = { 6A 51 75 65 72 79 } // jQuery
$try = { 74 72 79 [0-1] 7B } // try[0-1]{
$catch = { 63 61 74 63 68 28 } // catch(
$push = { 2E 70 75 73 68 28 } // .push(
$array = { 6E 65 77 20 41 72 72 61 79 28 } // new Array(
$document1 = { 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 } // document.create
$document2 = { 64 6F 63 75 6D 65 6E 74 2E 77 72 69 74 65 } // document.write
$window = { 77 69 6E 64 6F 77 ( 2E | 5B ) } // window[.\[]
$define = { 64 65 66 69 6E 65 28 } // define(
$eval = { 65 76 61 6C 28 } // eval(
$unescape = { 75 6E 65 73 63 61 70 65 28 } // unescape(
condition:
$var at 0 or
$function1 at 0 or
$function2 at 0 or
$if at 0 or
$jquery at 0 or
$function3 in (0..30) or
$push in (0..30) or
$array in (0..30) or
( $try at 0 and $catch in (5..5000) ) or
$document1 in (0..100) or
$document2 in (0..100) or
$window in (0..100) or
$define in (0..100) or
$eval in (0..100) or
$unescape in (0..100) or
( ( $misc1 at 0 or $misc2 at 0 ) and $var and $function1 and $if )
}
rule vb_file
{
meta:
type = "script"
strings:
$a = { 41 74 74 72 69 62 75 74 65 20 56 42 5F 4E 61 6D 65 20 3D } // Attribute VB_Name =
$b = { 4F 70 74 69 6F 6E 20 45 78 70 6C 69 63 69 74 } // Option Explicit
$c = { 44 69 6D 20 } // Dim
$d = { 50 75 62 6C 69 63 20 53 75 62 20 } // Public Sub
$e = { 50 72 69 76 61 74 65 20 53 75 62 20 } // Private Sub
condition:
$a at 0 or
$b at 0 or
$c at 0 or
$d at 0 or
$e at 0
}
// Text Files
rule hta_file
{
meta:
type = "text"
strings:
$a = { 3C 48 54 41 3A 41 50 50 4C 49 43 41 54 49 4F 4E 20 } // <HTA:APPLICATION
condition:
$a in (0..2000)
}
rule html_file
{
meta:
type = "text"
strings:
$a = { 3C 21 ( 64 | 44 ) ( 6F | 4F ) ( 63 |43 ) ( 74 | 54 ) ( 79 | 59 ) ( 70 | 50 ) ( 65 | 45 ) 20 ( 68 | 48 ) ( 74 | 54 ) ( 6D | 4D ) ( 6C | 4C ) } // <![Dd][Oo][Cc][Tt][Yy][Pp][Ee] [Hh][Tt][Mm][Ll]
$b = { 3C ( 68 | 48 ) ( 74 | 54 ) ( 6D | 4D ) ( 6C | 4C ) } // <[Hh][Tt][Mm][Ll]
$c = { 3C ( 62 | 42 ) ( 72 | 52 ) } // <br
$d = { 3C ( 44 | 64 ) ( 49 | 69 ) ( 56 | 76 ) } // <[Dd][Ii][Vv]
$e = { 3C ( 41 | 61 ) 20 ( 48 |68 ) ( 52 | 72 ) ( 45 | 65 ) ( 46 | 66 ) 3D } // <[Aa] [Hh][Rr][Ee][Ff]=
$f = { 3C ( 48 | 68 ) ( 45 | 65 ) ( 41 | 61 ) ( 44 | 64 ) } // <[Hh][Ee][Aa][Dd]
$g = { 3C ( 53 | 73 ) ( 43 | 63 ) ( 52 | 72 ) ( 49 | 69 ) ( 50 | 70 ) ( 54 | 74 ) } // <[Ss][Cc][Rr][Ii][Pp][Tt]
$h = { 3C ( 53 | 73 ) ( 54 | 74 ) ( 59 | 79 ) ( 4C | 6C ) ( 45 | 65 ) } // <[Ss][Tt][Yy][Ll][Ee]
$i = { 3C ( 54 | 74 ) ( 41 | 61 ) ( 42 | 62 ) ( 4C | 6C ) ( 45 | 65 ) } // <[Tt][Aa][Bb][Ll][Ee]
$j = { 3C ( 50 | 70 ) } // <[Pp]
$k = { 3C ( 49 | 69 ) ( 4D | 6D ) ( 47 | 67 ) } // <[Ii][Mm][Gg]
$l = { 3C ( 53 | 73 ) ( 50 |70 ) ( 41 | 61 ) ( 4E | 6E ) } // <[Ss][Pp][Aa][Nn]
$m = { 3C ( 48 | 68 ) ( 52 | 72 | 31 | 32 | 33 | 34 | 35 | 36 ) } // <[Hh][Rr] <[Hh][1-6]
$n = { 3C ( 54 | 74) ( 49 | 69 ) ( 54 | 74 ) ( 4C | 6C ) ( 45 | 65 ) 3E } // <[Tt][Ii][Tt][Ll][Ee]>
condition:
$a at 0 or
$b at 0 or
$c at 0 or
$d at 0 or
$e at 0 or
$f at 0 or
$g at 0 or
$h at 0 or
$i at 0 or
$j at 0 or
$k at 0 or
$l at 0 or
$m at 0 or
$n at 0
}
rule json_file
{
meta:
type = "text"
strings:
$a = { 7B [0-5] 22 }
condition:
$a at 0
}
rule php_file
{
meta:
type = "text"
strings:
$a = { 3c 3f 70 68 70 }
condition:
$a at 0
}
rule soap_file
{
meta:
description = "Simple Object Access Protocol"
type = "text"
strings:
$a = { 3C 73 6F 61 70 65 6E 76 3A 45 6E 76 65 6C 6F 70 65 } // <soapenv:Envelope xmlns
$b = { 3C 73 3A 45 6E 76 65 6C 6F 70 65 } // <s:Envelope
condition:
$a at 0 or
$b at 0
}
rule xml_file
{
meta:
type = "text"
strings:
$a = { 3C 3F ( 58 | 78) ( 4D | 6D ) ( 4C | 6C ) 20 76 65 72 73 69 6F 6E 3D } // <?[Xx][Mm][Ll] version=
$b = { 3C 3F 78 6D 6C 3F 3E } // <?xml?>
$c = { 3C 73 74 79 6C 65 53 68 65 65 74 20 78 6D 6C 6E 73 3D } // <styleSheet xmlns=
$d = { 3C 77 6F 72 6B 62 6F 6F 6B 20 78 6D 6C 6E 73 } // <workbook xmlns
$e = { 3C 78 6D 6C 20 78 6D 6C 6E 73 } // <xml xmlns
$f = { 3C 69 6E 74 20 78 6D 6C 6E 73 } // <int xmlns
condition:
$a at 0 or
$b at 0 or
$c at 0 or
$d at 0 or
$e at 0 or
$f at 0
}
// Video Files
rule avi_file
{
meta:
type = "video"
strings:
$a = { 52 49 46 46 ?? ?? ?? ?? 41 56 49 20 4C 49 53 54 }
condition:
$a at 0
}
rule wmv_file
{
meta:
type = "video"
condition:
uint32(0) == 0x75B22630 and uint32(4) == 0x11CF668E and uint32(8) == 0xAA00D9A6 and uint32(12) == 0x6CCE6200
}
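Review bot: `rule lnk_file` accepts any file whose first four bytes are `4C 00 00 00`, which is only the header-size field, so unrelated binaries that happen to start with that dword are tasted as Windows shortcuts; the LNK header carries a fixed link CLSID immediately after it, and tightening the condition to `uint32(0) == 0x0000004C and uint32(4) == 0x00021401` removes most of those false positives. In `rule html_file`, `$j = { 3C ( 50 | 70 ) }` at offset 0 matches any text beginning with `<p` (`<plist`, `<project`, `<person`) and `$c` likewise matches anything beginning with `<br`, so XML documents without a leading declaration are routed to ScanHtml rather than ScanXml; requiring the tag to be terminated, e.g. `{ 3C ( 50 | 70 ) ( 20 | 3E ) }`, keeps the intent without the overreach. The remaining short-prefix tastes (`$m` for `<h1`..`<hr`, `$k` for `<img`) have the same property and would benefit from the same treatment.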


@@ -0,0 +1,20 @@
{%- set ip = salt['pillar.get']('static:masterip', '') %}
conn:
server: '{{ ip }}:57314'
cert: ''
timeout:
dial: 5s
file: 1m
throughput:
concurrency: 8
chunk: 32768
delay: 0s
files:
patterns:
- '/nsm/strelka/*'
delete: false
gatekeeper: true
response:
report: 5s
delta: 5s
staging: '/nsm/strelka/processed'
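Review bot: `cert: ''` under `conn:` leaves the gRPC connection to the frontend at `'{{ ip }}:57314'` without TLS, and the frontend's port is published on `0.0.0.0:57314` in the init.sls section with no client authentication visible anywhere in this PR, so every file picked up from `/nsm/strelka/*` is streamed to the master in the clear and any host that can reach that port can submit files for scanning. That is tolerable only if filestream and frontend always share a host, which nothing here enforces; consider provisioning a certificate and setting `cert:` to it, or restricting 57314 to the management interface. `delete: false` together with `staging: '/nsm/strelka/processed'` means processed files accumulate under /nsm with no pruning defined in this PR; a comment stating what is expected to clean that directory would help whoever sizes the volume.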


@@ -0,0 +1,11 @@
{%- set ip = salt['pillar.get']('static:masterip', '') %}
server: ":57314"
coordinator:
addr: '{{ ip }}:6380'
db: 0
gatekeeper:
addr: '{{ ip }}:6381'
db: 0
ttl: 1h
response:
log: "/var/log/strelka/strelka.log"


@@ -0,0 +1,4 @@
{%- set ip = salt['pillar.get']('static:masterip', '') %}
coordinator:
addr: '{{ ip }}:6380'
db: 0

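--- /dev/null
+++ b/salt/strelka/init.sls
@@ -0,0 +1,149 @@
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+{%- set MASTER = grains['master'] %}
+{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+# Strelka config
+strelkaconfdir:
+file.directory:
+- name: /opt/so/conf/strelka
+- user: 939
+- group: 939
+- makedirs: True
+# Strelka logs
+strelkalogdir:
+file.directory:
+- name: /opt/so/log/strelka
+- user: 939
+- group: 939
+- makedirs: True
+# Sync dynamic config to conf dir
+strelkasync:
+file.recurse:
+- name: /opt/so/conf/strelka/
+- source: salt://strelka/files
+- user: 939
+- group: 939
+- template: jinja
+strelkadatadir:
+file.directory:
+- name: /nsm/strelka
+- user: 939
+- group: 939
+- makedirs: True
+strelkastagedir:
+file.directory:
+- name: /nsm/strelka/processed
+- user: 939
+- group: 939
+- makedirs: True
+so-strelka-frontendimage:
+cmd.run:
+- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-frontend:HH1.1.5
+so-strelka-coordinatorimage:
+cmd.run:
+- name: docker pull --disable-content-trust=false docker.io/redis:5.0.5-alpine3.10
+so-strelka-gatekeeperimage:
+cmd.run:
+- name: docker pull --disable-content-trust=false docker.io/redis:5.0.5-alpine3.10
+so-strelka-backendimage:
+cmd.run:
+- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-backend:HH1.1.5
+so-strelka-managerimage:
+cmd.run:
+- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-manager:HH1.1.5
+so-strelka-backendimage:
+cmd.run:
+- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-backend:HH1.1.5
+strelka_coordinator:
+docker_container.running:
+- require:
+- so-strelka-coordinatorimage
+- image: docker.io/redis:5.0.5-alpine3.10
+- name: so-strelka-coordinator
+- command: redis-server --save "" --appendonly no
+- port_bindings:
+- 0.0.0.0:6380:6379
+strelka_gatekeeper:
+docker_container.running:
+- require:
+- so-strelka-gatekeeperimage
+- image: docker.io/redis:5.0.5-alpine3.10
+- name: so-strelka-gatekeeper
+- command: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
+- port_bindings:
+- 0.0.0.0:6381:6379
+strelka_frontend:
+docker_container.running:
+- require:
+- so-strelka-frontendimage
+- image: docker.io/soshybridhunter/so-strelka-frontend:HH1.1.5
+- binds:
+- /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
+- /opt/so/log/strelka/:/var/log/strelka/:rw
+- privileged: True
+- name: so-strelka-frontend
+- command: strelka-frontend
+- port_bindings:
+- 0.0.0.0:57314:57314
+strelka_backend:
+docker_container.running:
+- require:
+- so-strelka-backendimage
+- image: docker.io/soshybridhunter/so-strelka-backend:HH1.1.5
+- restart_policy: unless-stopped
+- binds:
+- /opt/so/conf/strelka/backend/:/etc/strelka/:ro
+- /opt/so/conf/strelka/backend/yara:/etc/yara/:ro
+- name: so-strelka-backend
+- command: strelka-backend
+strelka_manager:
+docker_container.running:
+- require:
+- so-strelka-managerimage
+- image: docker.io/soshybridhunter/so-strelka-manager:HH1.1.5
+- binds:
+- /opt/so/conf/strelka/manager/:/etc/strelka/:ro
+- name: so-strelka-manager
+- command: strelka-manager
+strelka_filestream:
+docker_container.running:
+- require:
+- so-strelka-filestreamimage
+- image: docker.io/soshybridhunter/so-strelka-filestream:HH1.1.5
+- image: docker.io/wlambert/sfilestream:grpc
+- binds:
+- /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
+- /nsm/strelka:/nsm/strelka
+- name: so-strelka-filestream
+- command: strelka-filestream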
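Review bot: `so-strelka-backendimage:` is declared twice (the second occurrence, after `so-strelka-managerimage`, repeats the first verbatim), and Salt refuses to render an SLS with conflicting top-level IDs, so this state fails before anything is applied; delete the duplicate. `strelka_filestream` requires `so-strelka-filestreamimage`, which no state defines, and lists `- image:` twice (`so-strelka-filestream:HH1.1.5` then `wlambert/sfilestream:grpc`); add the missing pull state and keep a single image — the second is a personal Docker Hub namespace that is never pulled under the `--disable-content-trust=false` guard the project images get. `strelka_coordinator` and `strelka_gatekeeper` publish Redis on `0.0.0.0:6380` and `0.0.0.0:6381` with `redis-server --save "" --appendonly no` and no `--requirepass`, so unless host firewalling outside this PR limits reach, any host that can reach the master can read or inject scan tasks; bind the port to the management IP or pass a password from pillar and carry it into the coordinator/gatekeeper `addr` configs. `strelka_frontend` sets `- privileged: True` although it only uses its config and log bind mounts plus one published port; drop it unless there is a documented reason, since a compromise of the service that receives untrusted files from the network would otherwise land in a privileged container. The `cmd.run` image pulls have no `unless`, so every highstate re-pulls and reports a change — harmless but noisy; if the file ends here (the hunk header counts 149 lines and fewer are visible), a trailing `{%- endif %}` or similar is not expected.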