Merge pull request #10725 from Security-Onion-Solutions/yararules

Yararules

salt/strelka/config.sls

@@ -43,15 +43,6 @@ strelka_sbin:
     - group: 939
     - file_mode: 755
 
-strelka_sbin_jinja:
-  file.recurse:
-    - name: /usr/sbin
-    - source: salt://strelka/tools/sbin_jinja
-    - user: 939
-    - group: 939 
-    - file_mode: 755
-    - template: jinja
-
 {% else %}
 
 {{sls}}_state_not_allowed:

salt/strelka/defaults.yaml

@@ -542,7 +542,8 @@ strelka:
     enabled: False
   rules:
     enabled: True
-    repos: []
+    repos:
+      - https://github.com/Security-Onion-Solutions/securityonion-yara.git
     excluded:
       - apt_flame2_orchestrator.yar
       - apt_tetris.yar

salt/strelka/soc_strelka.yaml

@@ -579,7 +579,7 @@ strelka:
       helpLink: strelka.html
       advanced: False
     repos:
-      description: List of repos for so-yara-update to use to download rules.
+      description: List of repos for so-yara-download to use to download rules.
       readonly: False
       global: False
       helpLink: strelka.html

salt/strelka/tools/sbin_jinja/so-yara-update

@@ -1,21 +0,0 @@
-#!/bin/bash
-NOROOT=1
-. /usr/sbin/so-common
-
-{%- set proxy = salt['pillar.get']('manager:proxy') %}
-
-# Download the rules from the internet
-{%- if proxy %}
-export http_proxy={{ proxy }} 
-export https_proxy={{ proxy }} 
-export no_proxy= salt['pillar.get']('manager:no_proxy') 
-{%- endif %}
-
-mkdir -p /tmp/yara
-cd /tmp/yara
-git clone https://github.com/Security-Onion-Solutions/securityonion-yara.git
-mkdir -p /nsm/rules/yara
-rsync -shav --progress /tmp/yara/securityonion-yara/yara /nsm/rules/
-cd /tmp
-rm -rf /tmp/yara
-