From f4dc73a206af8aa5becbcb0b64a4d90f2c055738 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 10 Jul 2023 09:42:37 -0400
Subject: [PATCH] yara download and update
---
salt/manager/init.sls | 36 ++++++++++++++++++++++++----
.../tools/sbin_jinja/so-yara-download | 3 +-
salt/manager/tools/sbin_jinja/so-yara-update | 4 ++-
salt/strelka/soc_strelka.yaml | 2 +-
setup/so-setup | 2 +-
5 files changed, 35 insertions(+), 12 deletions(-)
rename salt/{strelka => manager}/tools/sbin_jinja/so-yara-download (98%)
diff --git a/salt/manager/init.sls b/salt/manager/init.sls
index 816ed22ff..6b1944521 100644
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -93,25 +93,45 @@ strelkarepos:
- makedirs: True
{% endif %}
-yara_update_script:
- file.managed:
- - name: /usr/sbin/so-yara-update
- - source: salt://manager/tools/sbin_jinja/so-yara-update
- - user: root
- - group: root
+yara_update_scripts:
+ file.recurse:
+ - name: /usr/sbin/
+ - source: salt://manager/tools/sbin_jinja/
+ - user: socore
+ - group: socore
- mode: 755
- template: jinja
- defaults:
- ISAIRGAP: {{ GLOBALS.airgap }}
EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }}
+{% if GLOBALS.airgap %}
+remove_strelka-yara-download:
+ cron.absent:
+ - user: socore
+ - identifier: strelka-yara-download
+
strelka-yara-update:
cron.present:
- - user: root
+ - user: socore
- name: '/usr/sbin/so-yara-update >> /nsm/strelka/log/yara-update.log 2>&1'
- identifier: strelka-yara-update
- hour: '7'
- minute: '1'
+{% else %}
+remove_strelka-yara-update:
+ cron.absent:
+ - user: socore
+ - identifier: strelka-yara-update
+
+strelka-yara-download:
+ cron.present:
+ - user: socore
+ - name: '/usr/sbin/so-yara-download >> /nsm/strelka/log/yara-download.log 2>&1'
+ - identifier: strelka-yara-download
+ - hour: '7'
+ - minute: '1'
+{% endif %}
+
{% else %}
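Review bot: The new `file.recurse` state installs the scripts into `/usr/sbin/` owned by `socore:socore`, where the `file.managed` state it replaces used `root:root`; `mode: 755` already lets `socore` execute them, and the cron entries in this hunk run as `socore`, so the ownership change buys nothing while leaving executables on the system path writable by a non-root service account (anything later run as root, e.g. an operator invoking `so-yara-update` by hand, would then execute socore-modifiable code). As far as I can tell `file.recurse` also manages ownership of the target directory itself, which would make `/usr/sbin` socore-owned — worth confirming on a rendered minion. Keep `- user: root` and `- group: root`, and consider pointing `source` at a subdirectory holding only these two scripts so that every future file dropped into `sbin_jinja/` is not automatically published into `/usr/sbin/`.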
diff --git a/salt/strelka/tools/sbin_jinja/so-yara-download b/salt/manager/tools/sbin_jinja/so-yara-download
similarity index 98%
rename from salt/strelka/tools/sbin_jinja/so-yara-download
rename to salt/manager/tools/sbin_jinja/so-yara-download
index 69c5ffc1d..2fc9c129d 100644
--- a/salt/strelka/tools/sbin_jinja/so-yara-download
+++ b/salt/manager/tools/sbin_jinja/so-yara-download
@@ -39,7 +39,8 @@ if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then
done < $repos
echo "Done!"
-
+
+/usr/sbin/so-yara-update
else
echo "Server returned $gh_status status code."
diff --git a/salt/manager/tools/sbin_jinja/so-yara-update b/salt/manager/tools/sbin_jinja/so-yara-update
index fff5bb806..b57bb0d4b 100755
--- a/salt/manager/tools/sbin_jinja/so-yara-update
+++ b/salt/manager/tools/sbin_jinja/so-yara-update
@@ -4,6 +4,8 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
+NOROOT=1
+. /usr/sbin/so-common
echo "Starting to check for yara rule updates at $(date)..."
@@ -19,7 +21,7 @@ OUTPUTDIR=/opt/so/saltstack/local/salt/strelka/rules
mkdir -p $OUTPUTDIR
-for i in $(find $SORUKLEDIR -name "*.yar*"); do
+for i in $(find $SORULEDIR -name "*.yar*"); do
rule_name=$(echo $i | awk -F '/' '{print $NF}')
if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then
echo "Adding rule: $rule_name..."
diff --git a/salt/strelka/soc_strelka.yaml b/salt/strelka/soc_strelka.yaml
index 5cdf442d5..e5240b9c9 100644
--- a/salt/strelka/soc_strelka.yaml
+++ b/salt/strelka/soc_strelka.yaml
@@ -579,7 +579,7 @@ strelka:
helpLink: strelka.html
advanced: False
repos:
- description: List of repos for so-yara-update to use to download rules.
+ description: List of repos for so-yara-download to use to download rules.
readonly: False
global: False
helpLink: strelka.html
diff --git a/setup/so-setup b/setup/so-setup
index 0471a39fa..2a847bfbd 100755
--- a/setup/so-setup
+++ b/setup/so-setup
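Review bot: The exit status of the new `/usr/sbin/so-yara-update` call is discarded: whatever it returns, control falls through to the end of the `if` and the download script presumably exits 0, so a failed rule compile is only visible by reading `yara-download.log` rather than through cron or the `logCmd` wrapper in so-setup. `/usr/sbin/so-yara-update || exit 1` (or `exec /usr/sbin/so-yara-update` if nothing else follows in this branch) lets the caller see the failure. The enclosing `if [ "$gh_status" ... ]` block starts and ends outside the hunk.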
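Review bot: `. /usr/sbin/so-common` is sourced without checking that it succeeded; unless the script runs under `set -e` (not visible in this hunk), a missing or unreadable so-common only prints an error and the script carries on with whatever it expected from that file undefined. `. /usr/sbin/so-common || exit 1` makes the dependency explicit. A one-line comment above `NOROOT=1` stating why it is set (presumably to disable a run-as-root requirement in so-common, since the new cron entries run this script as `socore`) would save the next reader a trip into so-common.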
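Review bot: The corrected `for i in $(find $SORULEDIR -name "*.yar*"); do` still word-splits the `find` output, so a rule path containing whitespace becomes several bogus iterations, and `$SORULEDIR` is unquoted as well; a null-delimited read avoids both: `while IFS= read -r -d '' i; do` with the loop closed by `done < <(find "$SORULEDIR" -name "*.yar*" -print0)` (the `done` line is outside the hunk). `SORULEDIR` is not set anywhere in this hunk, so confirm it is defined earlier in the script or by the newly sourced so-common. Separately, the unquoted right-hand side of `[[ ! "${excluded_rules}" =~ ${rule_name} ]]` treats the rule file name as an unanchored regex, so `.` matches any character and a name that is a substring of an excluded entry is excluded too; an exact match against the list entries would be safer (the format of `excluded_rules` is set outside the hunk).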
@@ -666,7 +666,7 @@ if ! [[ -f $install_opt_file ]]; then
title "Restarting Suricata to pick up the new rules"
logCmd "so-suricata-restart"
title "Downloading YARA rules"
- logCmd "runuser -l socore 'so-yara-update'"
+ logCmd "runuser -l socore 'so-yara-download'"
title "Restarting Strelka to use new rules"
logCmd "so-strelka-restart"
fi
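Review bot: so-setup now runs `so-yara-download` unconditionally, while the init.sls change in this same patch schedules `so-yara-download` only for non-airgap managers and `so-yara-update` for airgap ones; the download script as patched here calls `so-yara-update` only after a 200/301 response from GitHub, so on an airgapped install the locally shipped rules would never be compiled at setup time unless `so-yara-download` itself branches on `ISAIRGAP` (not visible in this diff). Mirror the init.sls split at this call site — `so-yara-update` on airgap installs, `so-yara-download` otherwise — using whatever airgap flag so-setup already carries at this point. The enclosing `if ! [[ -f $install_opt_file ]]` block closes at the `fi` in the hunk but opens outside it.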