Merge pull request #10725 from Security-Onion-Solutions/yararules

Yararules

salt/manager/files/so-yara-update.jinja

@@ -1,99 +0,0 @@
-#!/bin/bash
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-echo "Starting to check for yara rule updates at $(date)..."
-
-output_dir="/opt/so/saltstack/local/salt/strelka/rules"
-mkdir -p $output_dir
-repos="/opt/so/conf/strelka/repos.txt"
-newcounter=0
-excludedcounter=0
-excluded_rules=({{ EXCLUDEDRULES | join(' ') }})
-
-
-{% if ISAIRGAP is sameas true %}
-
-echo "Airgap mode enabled."
-
-clone_dir="/nsm/repo/rules/strelka"
-repo_name="signature-base"
-[ -d $output_dir/$repo_name ] && rm -rf $output_dir/$repo_name
-mkdir -p mkdir -p $output_dir/$repo_name
-# Ensure a copy of the license is available for the rules
-[ -f $clone_dir/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name
-
-# Copy over rules
-for i in $(find $clone_dir/yara -name "*.yar*"); do
-  rule_name=$(echo $i | awk -F '/' '{print $NF}')
-  if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then
-    echo "Adding rule: $rule_name..."
-    cp $i $output_dir/$repo_name
-    ((newcounter++))
-  else
-    echo "Excluding rule: $rule_name..."
-    ((excludedcounter++))
-  fi
-done
-
-echo "Done!"
-
-if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then
-  echo "$newcounter rules added."
-  echo "$excludedcounter rule(s) excluded."
-fi
-
-{% else %}
-
-gh_status=$(curl -s -o /dev/null -w "%{http_code}" https://github.com)
-clone_dir="/tmp"
-if [ "$gh_status" == "200" ]  || [ "$gh_status" == "301" ]; then
-
-  while IFS= read -r repo; do
-    if ! $(echo "$repo" | grep -qE '^#'); then
-      # Remove old repo if existing bc of previous error condition or unexpected disruption
-      repo_name=`echo $repo | awk -F '/' '{print $NF}'`
-      [ -d $output_dir/$repo_name ] && rm -rf $output_dir/$repo_name
-
-      # Clone repo and make appropriate directories for rules
-      git clone $repo $clone_dir/$repo_name
-      echo "Analyzing rules from $clone_dir/$repo_name..."
-      mkdir -p $output_dir/$repo_name
-      # Ensure a copy of the license is available for the rules
-      [ -f $clone_dir/$repo_name/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name
-
-      # Copy over rules
-      for i in $(find $clone_dir/$repo_name -name "*.yar*"); do
-        rule_name=$(echo $i | awk -F '/' '{print $NF}')
-
-        if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then
-          echo "Adding rule: $rule_name..."
-          cp $i $output_dir/$repo_name
-          ((newcounter++))
-        else
-          echo "Excluding rule: $rule_name..."
-          ((excludedcounter++))
-        fi
-     done
-     rm -rf $clone_dir/$repo_name
-    fi
-    done < $repos
-
-  echo "Done!"
-  
-  if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then
-    echo "$newcounter rule(s) added."
-    echo "$excludedcounter rule(s) excluded."
-  fi
-  
-else
-  echo "Server returned $gh_status status code."
-  echo "No connectivity to Github...exiting..."
-  exit 1
-fi
-{% endif %}
-
-echo "Finished rule updates at $(date)..."

salt/manager/init.sls

@@ -93,25 +93,52 @@ strelkarepos:
     - makedirs: True
 {%   endif %}
 
-yara_update_script:
+yara_update_scripts:
-  file.managed:
+  file.recurse:
-    - name: /usr/sbin/so-yara-update
+    - name: /usr/sbin/
-    - source: salt://manager/files/so-yara-update.jinja
+    - source: salt://manager/tools/sbin_jinja/
-    - user: root
+    - user: socore
-    - group: root
+    - group: socore
-    - mode: 755
+    - file_mode: 755
     - template: jinja
     - defaults:
-        ISAIRGAP: {{ GLOBALS.airgap }}
         EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }}
 
+rules_dir:
+  file.directory:
+    - name: /nsm/rules/yara
+    - user: socore
+    - group: socore
+    - makedirs: True
+
+{%   if GLOBALS.airgap %}
+remove_strelka-yara-download:
+  cron.absent:
+    - user: socore
+    - identifier: strelka-yara-download
+
 strelka-yara-update:
   cron.present:
-    - user: root
+    - user: socore
     - name: '/usr/sbin/so-yara-update >> /nsm/strelka/log/yara-update.log 2>&1'
     - identifier: strelka-yara-update
     - hour: '7'
     - minute: '1'
+{%   else %}
+remove_strelka-yara-update:
+  cron.absent:
+    - user: socore
+    - identifier: strelka-yara-update
+
+strelka-yara-download:
+  cron.present:
+    - user: socore
+    - name: '/usr/sbin/so-yara-download >> /nsm/strelka/log/yara-download.log 2>&1'
+    - identifier: strelka-yara-download
+    - hour: '7'
+    - minute: '1'
+{%   endif %}
+
 
 {% else %}
 

salt/manager/tools/sbin_jinja/so-yara-download

@@ -0,0 +1,50 @@
+#!/bin/bash
+NOROOT=1
+. /usr/sbin/so-common
+
+{%- set proxy = salt['pillar.get']('manager:proxy') %}
+
+# Download the rules from the internet
+{%- if proxy %}
+export http_proxy={{ proxy }} 
+export https_proxy={{ proxy }} 
+export no_proxy= salt['pillar.get']('manager:no_proxy') 
+{%- endif %}
+
+repos="/opt/so/conf/strelka/repos.txt"
+output_dir=/nsm/rules/yara
+gh_status=$(curl -s -o /dev/null -w "%{http_code}" https://github.com)
+clone_dir="/tmp"
+if [ "$gh_status" == "200" ]  || [ "$gh_status" == "301" ]; then
+
+  while IFS= read -r repo; do
+    if ! $(echo "$repo" | grep -qE '^#'); then
+      # Remove old repo if existing bc of previous error condition or unexpected disruption
+      repo_name=`echo $repo | awk -F '/' '{print $NF}'`
+      [ -d $output_dir/$repo_name ] && rm -rf $output_dir/$repo_name
+
+      # Clone repo and make appropriate directories for rules
+      git clone $repo $clone_dir/$repo_name
+      echo "Analyzing rules from $clone_dir/$repo_name..."
+      mkdir -p $output_dir/$repo_name
+      # Ensure a copy of the license is available for the rules
+      [ -f $clone_dir/$repo_name/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name
+
+      # Copy over rules
+      for i in $(find $clone_dir/$repo_name -name "*.yar*"); do
+        rule_name=$(echo $i | awk -F '/' '{print $NF}')
+        cp $i $output_dir/$repo_name
+     done
+     rm -rf $clone_dir/$repo_name
+    fi
+    done < $repos
+
+  echo "Done!"
+
+/usr/sbin/so-yara-update 
+  
+else
+  echo "Server returned $gh_status status code."
+  echo "No connectivity to Github...exiting..."
+  exit 1
+fi

salt/manager/tools/sbin_jinja/so-yara-update

@@ -0,0 +1,39 @@
+#!/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+NOROOT=1
+. /usr/sbin/so-common
+
+echo "Starting to check for yara rule updates at $(date)..."
+
+newcounter=0
+excludedcounter=0
+excluded_rules=({{ EXCLUDEDRULES | join(' ') }})
+
+# Pull down the SO Rules
+SORULEDIR=/nsm/rules/yara
+OUTPUTDIR=/opt/so/saltstack/local/salt/strelka/rules
+
+mkdir -p $OUTPUTDIR
+
+for i in $(find $SORULEDIR -name "*.yar"); do
+  rule_name=$(echo $i | awk -F '/' '{print $NF}')
+  if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then
+    echo "Adding rule: $rule_name..."
+    cp $i $OUTPUTDIR/$rule_name
+    ((newcounter++))
+  else
+    echo "Excluding rule: $rule_name..."
+    ((excludedcounter++))
+  fi
+done
+
+if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then
+  echo "$newcounter rules added."
+  echo "$excludedcounter rule(s) excluded."
+fi
+
+echo "Finished rule updates at $(date)..."

salt/strelka/config.sls

@@ -43,15 +43,6 @@ strelka_sbin:
     - group: 939
     - file_mode: 755
 
-strelka_sbin_jinja:
-  file.recurse:
-    - name: /usr/sbin
-    - source: salt://strelka/tools/sbin_jinja
-    - user: 939
-    - group: 939 
-    - file_mode: 755
-    - template: jinja
-
 {% else %}
 
 {{sls}}_state_not_allowed:

salt/strelka/defaults.yaml

@@ -542,7 +542,8 @@ strelka:
     enabled: False
   rules:
     enabled: True
-    repos: []
+    repos:
+      - https://github.com/Security-Onion-Solutions/securityonion-yara.git
     excluded:
       - apt_flame2_orchestrator.yar
       - apt_tetris.yar

salt/strelka/soc_strelka.yaml

@@ -579,7 +579,7 @@ strelka:
       helpLink: strelka.html
       advanced: False
     repos:
-      description: List of repos for so-yara-update to use to download rules.
+      description: List of repos for so-yara-download to use to download rules.
       readonly: False
       global: False
       helpLink: strelka.html

salt/strelka/tools/sbin_jinja/so-yara-update

@@ -1,21 +0,0 @@
-#!/bin/bash
-NOROOT=1
-. /usr/sbin/so-common
-
-{%- set proxy = salt['pillar.get']('manager:proxy') %}
-
-# Download the rules from the internet
-{%- if proxy %}
-export http_proxy={{ proxy }} 
-export https_proxy={{ proxy }} 
-export no_proxy= salt['pillar.get']('manager:no_proxy') 
-{%- endif %}
-
-mkdir -p /tmp/yara
-cd /tmp/yara
-git clone https://github.com/Security-Onion-Solutions/securityonion-yara.git
-mkdir -p /nsm/rules/yara
-rsync -shav --progress /tmp/yara/securityonion-yara/yara /nsm/rules/
-cd /tmp
-rm -rf /tmp/yara
-

setup/so-functions

@@ -1506,18 +1506,6 @@ create_sensoroni_pillar() {
 
 }
 
-create_strelka_pillar() {
-	title "Create the Strelka pillar file"
-	touch $adv_strelka_pillar_file
-	printf '%s\n'\	
-		"strelka:"\
-		"  enabled: $STRELKA"\
-		"  rules: 1" > "$strelka_pillar_file"
-		printf '%s\n'\
-			"  repos:"\
-			"    - 'https://$HOSTNAME:7788/yara'" >> "$strelka_pillar_file"
-}
-
 backup_pillar() {
 	title "Create the backup pillar file"
 	touch $adv_backup_pillar_file

setup/so-setup

@@ -666,7 +666,7 @@ if ! [[ -f $install_opt_file ]]; then
 			title "Restarting Suricata to pick up the new rules"
 			logCmd "so-suricata-restart"
 			title "Downloading YARA rules"
-			logCmd "runuser -l socore 'so-yara-update'"
+			logCmd "su socore -c '/usr/sbin/so-yara-download'"
 			title "Restarting Strelka to use new rules"
 			logCmd "so-strelka-restart"
 		fi