Importing additional YARA rules to Strelka

[f4ncyz4nz4]

Hello,
I'm using Security Onion 2.4.90 in the Distributed configuration, currently I have only one sensor, but I would like to try using more.
I want to import additional YARA rules which I made, along with the existing ones, but I'm quite unsure on how to do it.

1. I read that local rules on sensors are stored in /opt/so/conf/strelka/rules/localrules, and since this folder it's not present I think I should create that folder and move rules inside (?)
2. But I'd like more to update the master node and propagate the rules on all the sensors, so I modify soc->config->server->modules->strelkaengine->rulesRepo->default with the following:

   {"community":true,"license":"DRL","repo":"https://github.com/Security-Onion-Solutions/securityonion-yara"}
   {"community":true,"license":"DRL","repo":"file:///nsm/rules/detect-yara/repos/custom-yara"}
   

   But it seems not working, also I cannot find the new rules on the sensor.
   How I should change the field in order to use my custom rules?
3. Is there a specific folder on the master where I should put the YARA rules in order to be propagated on all the sensors?
4. Why soc->config->server->modules->strelkaengine->yaraRulesFolder has /opt/sensoroni/yara/rules as default value, but neither in the master nor in the sensor this folder exists, what am I missing?
   Thanks for your time.

[jpancrazio]

following , interested in same

[defensivedepth]

You can add custom git repos, as described by our docs: https://docs.securityonion.net/en/2.4/yara.html#custom-yara-repositories

Once you have added them, Synchronize the Grid, give it about 15 min, then run manually run a Strelka Full Update in the Detections interface.

[f4ncyz4nz4]

Thanks very much.
Just to be sure, is the format of the configuration good?

{"community":true,"license":"DRL","repo":"https://github.com/Security-Onion-Solutions/securityonion-yara"}
{"community":true,"license":"DRL","repo":"file:///nsm/rules/detect-yara/repos/custom-yara"}

[defensivedepth]

Yes, if your git repo is at /nsm/rules/detect-yara/repos/custom-yara

[f4ncyz4nz4]

Last question, where should I find those imported rules on the sensor?

[defensivedepth]

They will show up in Detections, you can enable them from there.

[f4ncyz4nz4]

I followed every step mentioned above, I also looked and followed the istructions of discussion #13405.
So I created my custom repo but I did not get anything in Detection interface.

The only way I found to do that is to copy the created repo also at /opt/so/conf/strelka/repos/, in this way the custom rules appear but they are duplicated, and also it gives me "Rule Mismatch".

But if I eliminate one of the 2 repos, again the Detection interface shows only the "securityonion-yara" rules.

Please, can someone help me?

[defensivedepth]

Please post the output of the following command - this should be run on your Manager:

sudo salt-call pillar.get soc:config:server:modules:strelkaengine

[f4ncyz4nz4]

local:
----------
allowRegex:
autoEnabledYaraRules:
- securityonion-yara
- custom-yara
rulesRepos:
----------
default:
|_
----------
community:
True
license:
DRL
repo:
https://github.com/Security-Onion-Solutions/securityonion-yara
|_
----------
community:
True
license:
DRL
repo:
file:///nsm/rules/custom-yara

[defensivedepth]

Is this still an issue?