mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-23 09:23:13 +01:00
42 lines
1.2 KiB
Bash
Executable File
42 lines
1.2 KiB
Bash
Executable File
#!/bin/bash
|
|
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
|
|
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
|
|
# https://securityonion.net/license; you may not use this file except in compliance with the
|
|
# Elastic License 2.0.
|
|
|
|
NOROOT=1
|
|
. /usr/sbin/so-common
|
|
|
|
echo "Starting to check for yara rule updates at $(date)..."
|
|
|
|
newcounter=0
|
|
excludedcounter=0
|
|
excluded_rules=({{ EXCLUDEDRULES | join(' ') }})
|
|
|
|
# Pull down the SO Rules
|
|
SORULEDIR=/nsm/rules/yara
|
|
OUTPUTDIR=/opt/so/saltstack/local/salt/strelka/rules
|
|
|
|
mkdir -p $OUTPUTDIR
|
|
# remove all rules prior to copy so we can clear out old rules
|
|
rm -f $OUTPUTDIR/*
|
|
|
|
for i in $(find $SORULEDIR -name "*.yar" -o -name "*.yara"); do
|
|
rule_name=$(echo $i | awk -F '/' '{print $NF}')
|
|
if [[ ! "${excluded_rules[*]}" =~ ${rule_name} ]]; then
|
|
echo "Adding rule: $rule_name..."
|
|
cp $i $OUTPUTDIR/$rule_name
|
|
((newcounter++))
|
|
else
|
|
echo "Excluding rule: $rule_name..."
|
|
((excludedcounter++))
|
|
fi
|
|
done
|
|
|
|
if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then
|
|
echo "$newcounter rules added."
|
|
echo "$excludedcounter rule(s) excluded."
|
|
fi
|
|
|
|
echo "Finished rule updates at $(date)..."
|