

Merge pull request #12240 from Security-Onion-Solutions/upgrade/strel…
…ka_0.24.01.18

UPGRADE: Strelka 0.24.01.18
weslambert authored Jan 23, 2024
2 parents b1052dd + 1698d95 commit 8348506
Showing 1 changed file with 194 additions and 3 deletions.
197 changes: 194 additions & 3 deletions salt/strelka/defaults.yaml
Expand Up @@ -17,29 +17,50 @@ strelka:
mime_db: '/usr/lib/file/magic.mgc'
yara_rules: '/etc/strelka/taste/'
scanners:
'ScanBase64':
'ScanBase64PE':
- positive:
filename: '^base64_'
flavors:
- 'base64_pe'
priority: 5
'ScanBatch':
- positive:
flavors:
- 'text/x-msdos-batch'
- 'batch_file'
priority: 5
'ScanBmpEof':
- positive:
flavors:
- 'image/x-ms-bmp'
- 'bmp_file'
negative:
source:
- 'ScanTranscode'
priority: 5
'ScanBzip2':
- positive:
flavors:
- 'application/x-bzip2'
- 'bzip2_file'
priority: 5
'ScanDmg':
- positive:
flavors:
- 'dmg_disk_image'
- 'hfsplus_disk_image'
priority: 5
'ScanDocx':
- positive:
flavors:
- 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
priority: 5
options:
extract_text: False
'ScanDonut':
- positive:
flavors:
- 'hacktool_win_shellcode_donut'
priority: 5
'ScanElf':
- positive:
flavors:
Expand All @@ -56,6 +77,26 @@ strelka:
- 'message/rfc822'
- 'email_file'
priority: 5
'ScanEncryptedDoc':
- positive:
flavors:
- 'encrypted_word_document'
priority: 5
options:
max_length: 5
scanner_timeout: 150
log_pws: True
password_file: "/etc/strelka/passwords.dat"
'ScanEncryptedZip':
- positive:
flavors:
- 'encrypted_zip'
priority: 5
options:
max_length: 5
scanner_timeout: 150
log_pws: True
password_file: '/etc/strelka/passwords.dat'
'ScanEntropy':
- positive:
flavors:
Expand Down Expand Up @@ -111,6 +152,16 @@ strelka:
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanFooter':
- positive:
flavors:
- '*'
priority: 5
options:
length: 50
encodings:
- classic
- backslash
'ScanGif':
- positive:
flavors:
Expand Down Expand Up @@ -144,13 +195,25 @@ strelka:
- 'html_file'
priority: 5
options:
parser: "html5lib"
max_hyperlinks: 50
'ScanIqy':
- positive:
flavors:
- 'iqy_file'
priority: 5
'ScanIni':
- positive:
filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$'
flavors:
- 'ini_file'
priority: 5
'ScanIso':
- positive:
flavors:
- 'application/x-iso9660-image'
priority: 5
options:
limit: 50
'ScanJarManifest':
- positive:
flavors:
Expand Down Expand Up @@ -198,6 +261,25 @@ strelka:
priority: 5
options:
limit: 1000
'ScanLNK':
- positive:
flavors:
- 'lnk_file'
priority: 5
'ScanLsb':
- positive:
flavors:
- 'image/png'
- 'png_file'
- 'image/jpeg'
- 'jpeg_file'
- 'image/x-ms-bmp'
- 'bmp_file'
- 'image/webp'
negative:
source:
- 'ScanTranscode'
priority: 5
'ScanLzma':
- positive:
flavors:
Expand All @@ -214,6 +296,36 @@ strelka:
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanManifest':
- positive:
flavors:
- 'browser_manifest'
priority: 5
'ScanMsi':
- positive:
flavors:
- "image/vnd.fpx"
- "application/vnd.ms-msi"
- "application/x-msi"
priority: 5
options:
tmp_directory: '/dev/shm/'
keys:
- 'Author'
- 'Characters'
- 'Company'
- 'CreateDate'
- 'LastModifiedBy'
- 'Lines'
- 'ModifyDate'
- 'Pages'
- 'Paragraphs'
- 'RevisionNumber'
- 'Software'
- 'Template'
- 'Title'
- 'TotalEditTime'
- 'Words'
'ScanOcr':
- positive:
flavors:
Expand All @@ -236,6 +348,13 @@ strelka:
- 'application/msword'
- 'olecf_file'
priority: 5
'ScanOnenote':
- positive:
flavors:
- 'application/onenote'
- 'application/msonenote'
- 'onenote_file'
priority: 5
'ScanPdf':
- positive:
flavors:
Expand Down Expand Up @@ -285,6 +404,30 @@ strelka:
- 'ProgramArguments'
- 'RunAtLoad'
- 'StartInterval'
'ScanPngEof':
- positive:
flavors:
- 'image/png'
- 'png_file'
negative:
source:
- 'ScanTranscode'
priority: 5
'ScanQr':
- positive:
flavors:
- 'image/jpeg'
- 'jpeg_file'
- 'image/png'
- 'png_file'
- 'image/tiff'
- 'type_is_tiff'
- 'image/x-ms-bmp'
- 'bmp_file'
- 'image/webp'
priority: 5
options:
support_inverted: True
'ScanRar':
- positive:
flavors:
Expand All @@ -309,6 +452,19 @@ strelka:
priority: 5
options:
limit: 1000
'ScanSevenZip':
- positive:
flavors:
- 'application/x-7z-compressed'
- '_7zip_file'
- "image/vnd.fpx"
- "application/vnd.ms-msi"
- "application/x-msi"
priority: 5
options:
scanner_timeout: 150
crack_pws: True
log_pws: True
'ScanSwf':
- positive:
flavors:
Expand Down Expand Up @@ -351,6 +507,7 @@ strelka:
flavors:
- 'vb_file'
- 'vbscript'
- 'hta_file'
priority: 5
'ScanVba':
- positive:
Expand All @@ -362,6 +519,20 @@ strelka:
priority: 5
options:
analyze_macros: True
'ScanVhd':
- positive:
flavors:
- 'application/x-vhd'
- 'vhd_file'
- 'vhdx_file'
priority: 5
options:
limit: 100
'ScanVsto':
- positive:
flavors:
- 'vsto_file'
priority: 5
'ScanX509':
- positive:
flavors:
Expand Down Expand Up @@ -391,6 +562,12 @@ strelka:
priority: 5
options:
location: '/etc/yara/'
compiled:
enabled: False
filename: "rules.compiled"
store_offset: True
offset_meta_key: "StrelkaHexDump"
offset_padding: 32
'ScanZip':
- positive:
flavors:
Expand Down Expand Up @@ -530,6 +707,20 @@ strelka:
ttl: 1h
response:
log: "/var/log/strelka/strelka.log"
broker:
bootstrap: "PLACEHOLDER"
protocol: "PLACEHOLDER"
certlocation: "PLACEHOLDER"
keylocation: "PLACEHOLDER"
calocation: "PLACEHOLDER"
topic: "PLACEHOLDER"
s3redundancy: "PLACEHOLDER - This should be a boolean value"
s3:
accesskey: "PLACEHOLDER"
secretkey: "PLACEHOLDER"
bucketName: "PLACEHOLDER'
region: "PLACEHOLDER"
endpoint: "PLACEHOLDER"
manager:
enabled: False
config:
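Review bot: `bucketName: "PLACEHOLDER'` in the new `s3` block opens a double-quoted scalar and closes it with a single quote, so the value has no terminator and the scalar runs on into the `region:` line; Salt's YAML renderer should reject the file at that point, or at best fold the `region` key into the bucket name, and either way the Strelka state will not render until it is `bucketName: "PLACEHOLDER"`. Two smaller points in the same block: `s3redundancy: "PLACEHOLDER - This should be a boolean value"` puts the guidance into the value itself, where a boolean is expected, so it reads better as a comment (`# s3redundancy must be true or false`) above a plain placeholder; and `bucketName` is the only camelCase key among flattened-lowercase siblings (`accesskey`, `secretkey`, `certlocation`), so confirm which spelling the consumer actually reads. Separately, the new ScanEncryptedDoc, ScanEncryptedZip and ScanSevenZip entries set `log_pws: True`, which presumably records the password that opened the sample in the scan event; since `response.log` points at `/var/log/strelka/strelka.log`, a one-line comment at the first of these noting that recovered passwords land in the log would help operators decide whether the default belongs in a shared pipeline. The `strelka:` mapping these hunks belong to starts and ends outside the visible diff.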
