target / strelka

Real-time, container-based file scanning at enterprise scale

[REQUEST] New Yara rules and auto-update #387

Closed derfel1989 closed 8 months ago

derfel1989 commented 1 year ago

Possibility to have the auto-update for Yara rules (Step - 3)

It would be good if we have the possibility to add new Yara repos like Neo23x0 and have them updated automatically.

If not possible, add to the actual documentation how to add new Yara sources in the Docker installation, for example. (Yes, it is possible, answered in the next comment below)

Possible solution (ChatGPT)

Explanation:

~~Step 1: Clones the Neo23x0/signature-base repository and places it in a directory named neo_signature_base. Step 2: Copies all the YARA rules (*.yar files) from the neo_signature_base/yara/ directory to the configs/python/backend/yara/rules/ directory. Step 3: Concatenates all the YARA rules in the configs/python/backend/yara/rules/ directory into a single index.yar file. Step 4: Creates the rules.yara file in the configs/python/backend/yara/ directory and includes the index.yar file, which now contains all the YARA rules from the Neo23x0/signature-base repository. After running these commands, you should have both index.yar and rules.yara files updated with the YARA rules from the https://github.com/Neo23x0/signature-base/tree/master/yara repository.~~

Many thanks.

derfel1989 commented 1 year ago

Additional information, that might help others.

I have updated the index.yar running the script index_gen.sh (/opt/strelka/configs/python/backend/yara/rules) with the new yara rules from Neo23x0.

Steps:

  1. Copied the new yara folder to: /opt/strelka/configs/python/backend/yara/rules
  2. Executed the command: sudo ./index_gen.sh
  3. Reviewed the file: index.yar

Question: Will restarting the strelka-backend-1 container update the Yara rules?

Thank you.

phutelmyer commented 1 year ago

@derfel1989 When a container restarts, the YARA rules will need to be reloaded back into the new container. It's recommended to generate a compiled YARA bundle externally and pull it in on container start - or load it with a local Docker volume.

Doing either of this will ensure that your container has the YARA bundle you intend to use.

Let me know if you'd like help getting that working.
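The two-step workflow described in the previous comments (regenerate index.yar from a rules directory, then hand the container one pre-built artifact) as an added example. This is not Strelka's own index_gen.sh and not code from either commenter; the function names, the handling of .yara as well as .yar files, and the optional yarac compile step are assumptions. The include paths are written relative to the rules directory so the index works wherever that directory is mounted.

```shell
#!/bin/sh
# Added example (not Strelka's index_gen.sh): build an index.yar that includes
# every .yar/.yara file under a rules directory, then optionally compile the
# index into one bundle with yarac so a container loads a single file instead
# of re-parsing every source rule on start.
set -eu

# Write RULES_DIR/index.yar with one include line per rule file.
# Paths are relative to RULES_DIR; the index itself is never included,
# so the function is safe to re-run after new rules are dropped in.
gen_index() {
  rules_dir="$1"
  index="$rules_dir/index.yar"
  (
    cd "$rules_dir" &&
    find . -type f \( -name '*.yar' -o -name '*.yara' \) ! -name 'index.yar' \
      | sort | sed 's|^\./||' \
      | while read -r rel; do
          printf 'include "%s"\n' "$rel"
        done
  ) > "$index"
  echo "$index"
}

# Number of include lines in an index file, for a quick sanity check
# before the index is shipped (the "Reviewed the file" step above).
count_includes() {
  grep -c '^include "' "$1"
}

# Compile the index into one bundle with yarac when it is installed.
# yarac resolves include paths relative to the current directory, so cd first.
compile_bundle() {
  rules_dir="$1"
  out="$2"
  if ! command -v yarac >/dev/null 2>&1; then
    echo "yarac not found; skipping compile of $rules_dir/index.yar" >&2
    return 0
  fi
  ( cd "$rules_dir" && yarac index.yar "$out" )
}

# Usage (paths from the thread; the bundle path is an assumption):
#   gen_index /opt/strelka/configs/python/backend/yara/rules
#   compile_bundle /opt/strelka/configs/python/backend/yara/rules /tmp/rules.compiled
```

To keep the bundle out of the container image, mount the host directory that holds index.yar (or the compiled bundle) as a volume when starting the backend, for example `docker run -v /opt/strelka/configs/python/backend/yara:<container rules path>:ro ...`; the in-container path is not given in this thread and must be taken from the project's docker-compose file. A compile failure in compile_bundle is a useful signal: a syntax error in any newly added rule surfaces on the host, before the container is restarted with a broken index.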

derfel1989 commented 1 year ago

@phutelmyer, I would appreciate it if you could provide guidance on how to do it in the best way.

BTW, there is an excellent idea from SecurityOnion - https://docs.securityonion.net/en/latest/local-rules.html#yara

It seems that they have a repo list; when it is updated, the Yara rules are auto-added to Strelka accordingly.

Thank you.

derfel1989 commented 11 months ago

Thank you for your help @phutelmyer ! I tried the option "load it with a local Docker volume," and could not start the container.

What is the best approach to map a volume to the specific folder, which hosts the Yara rules?

Thank you in advance.

derfel1989 commented 10 months ago

@phutelmyer, as time permits, could you please provide further clues on how to load a bundle of Yara rules with a local Docker volume?

I tried using Portainer to map a Docker volume, but the container failed to start.

Thank you.

phutelmyer commented 8 months ago

While not necessarily allowing for an auto-update, this post in a related issue should get you a YARA compiled rules bundle that can be loaded into the container.