From fc66a549027070ab75eecd9fda9d7fbb7aee074a Mon Sep 17 00:00:00 2001 From: Wes Date: Fri, 8 Mar 2024 16:26:14 +0000 Subject: [PATCH] Add Strelka download and update scripts back --- .../manager/tools/sbin_jinja/so-yara-download | 51 +++++++++++++++++++ salt/manager/tools/sbin_jinja/so-yara-update | 41 +++++++++++++++ 2 files changed, 92 insertions(+) create mode 100644 salt/manager/tools/sbin_jinja/so-yara-download create mode 100644 salt/manager/tools/sbin_jinja/so-yara-update diff --git a/salt/manager/tools/sbin_jinja/so-yara-download b/salt/manager/tools/sbin_jinja/so-yara-download new file mode 100644 index 000000000..aa9576253 --- /dev/null +++ b/salt/manager/tools/sbin_jinja/so-yara-download @@ -0,0 +1,51 @@ +#!/bin/bash +NOROOT=1 +. /usr/sbin/so-common + +{%- set proxy = salt['pillar.get']('manager:proxy') %} +{%- set noproxy = salt['pillar.get']('manager:no_proxy', '') %} + +# Download the rules from the internet +{%- if proxy %} +export http_proxy={{ proxy }} +export https_proxy={{ proxy }} +export no_proxy="{{ noproxy }}" +{%- endif %} + +repos="/opt/so/conf/strelka/repos.txt" +output_dir=/nsm/rules/yara +gh_status=$(curl -s -o /dev/null -w "%{http_code}" https://github.com) +clone_dir="/tmp" +if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then + + while IFS= read -r repo; do + if ! $(echo "$repo" | grep -qE '^#'); then + # Remove old repo if existing bc of previous error condition or unexpected disruption + repo_name=`echo $repo | awk -F '/' '{print $NF}'` + [ -d $output_dir/$repo_name ] && rm -rf $output_dir/$repo_name + + # Clone repo and make appropriate directories for rules + git clone $repo $clone_dir/$repo_name + echo "Analyzing rules from $clone_dir/$repo_name..." + mkdir -p $output_dir/$repo_name + # Ensure a copy of the license is available for the rules + [ -f $clone_dir/$repo_name/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name + + # Copy over rules + for i in $(find $clone_dir/$repo_name -name "*.yar*"); do + rule_name=$(echo $i | awk -F '/' '{print $NF}') + cp $i $output_dir/$repo_name + done + rm -rf $clone_dir/$repo_name + fi + done < $repos + + echo "Done!" + +/usr/sbin/so-yara-update + +else + echo "Server returned $gh_status status code." + echo "No connectivity to Github...exiting..." + exit 1 +fi diff --git a/salt/manager/tools/sbin_jinja/so-yara-update b/salt/manager/tools/sbin_jinja/so-yara-update new file mode 100644 index 000000000..07c940f47 --- /dev/null +++ b/salt/manager/tools/sbin_jinja/so-yara-update @@ -0,0 +1,41 @@ +#!/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +NOROOT=1 +. /usr/sbin/so-common + +echo "Starting to check for yara rule updates at $(date)..." + +newcounter=0 +excludedcounter=0 +excluded_rules=({{ EXCLUDEDRULES | join(' ') }}) + +# Pull down the SO Rules +SORULEDIR=/nsm/rules/yara +OUTPUTDIR=/opt/so/saltstack/local/salt/strelka/rules + +mkdir -p $OUTPUTDIR +# remove all rules prior to copy so we can clear out old rules +rm -f $OUTPUTDIR/* + +for i in $(find $SORULEDIR -name "*.yar" -o -name "*.yara"); do + rule_name=$(echo $i | awk -F '/' '{print $NF}') + if [[ ! "${excluded_rules[*]}" =~ ${rule_name} ]]; then + echo "Adding rule: $rule_name..." + cp $i $OUTPUTDIR/$rule_name + ((newcounter++)) + else + echo "Excluding rule: $rule_name..." + ((excludedcounter++)) + fi +done + +if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then + echo "$newcounter rules added." + echo "$excludedcounter rule(s) excluded." +fi + +echo "Finished rule updates at $(date)..."