From 3bcb0bc132e32eb16d0261b2948a53c788fe5449 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 23 Jan 2024 17:18:54 +0000 Subject: [PATCH 1/3] Update defaults --- salt/strelka/defaults.yaml | 197 ++++++++++++++++++++++++++++++++++++- 1 file changed, 194 insertions(+), 3 deletions(-) diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml index 76110aafef..38c72138a9 100644 --- a/salt/strelka/defaults.yaml +++ b/salt/strelka/defaults.yaml @@ -17,9 +17,10 @@ strelka: mime_db: '/usr/lib/file/magic.mgc' yara_rules: '/etc/strelka/taste/' scanners: - 'ScanBase64': + 'ScanBase64PE': - positive: - filename: '^base64_' + flavors: + - 'base64_pe' priority: 5 'ScanBatch': - positive: @@ -27,12 +28,27 @@ strelka: - 'text/x-msdos-batch' - 'batch_file' priority: 5 + 'ScanBmpEof': + - positive: + flavors: + - 'image/x-ms-bmp' + - 'bmp_file' + negative: + source: + - 'ScanTranscode' + priority: 5 'ScanBzip2': - positive: flavors: - 'application/x-bzip2' - 'bzip2_file' priority: 5 + 'ScanDmg': + - positive: + flavors: + - 'dmg_disk_image' + - 'hfsplus_disk_image' + priority: 5 'ScanDocx': - positive: flavors: @@ -40,6 +56,11 @@ strelka: priority: 5 options: extract_text: False + 'ScanDonut': + - positive: + flavors: + - 'hacktool_win_shellcode_donut' + priority: 5 'ScanElf': - positive: flavors: @@ -56,6 +77,26 @@ strelka: - 'message/rfc822' - 'email_file' priority: 5 + 'ScanEncryptedDoc': + - positive: + flavors: + - 'encrypted_word_document' + priority: 5 + options: + max_length: 5 + scanner_timeout: 150 + log_pws: True + password_file: "/etc/strelka/passwords.dat" + 'ScanEncryptedZip': + - positive: + flavors: + - 'encrypted_zip' + priority: 5 + options: + max_length: 5 + scanner_timeout: 150 + log_pws: True + password_file: '/etc/strelka/passwords.dat' 'ScanEntropy': - positive: flavors: 
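Review bot: `log_pws: True` on both new ScanEncryptedDoc and ScanEncryptedZip entries writes any password the dictionary attack recovers into the scan event, and this file's response block sends events to `/var/log/strelka/strelka.log` and whatever ships them onward, so recovered document and archive passwords become searchable log data by default. Unless downstream consumers need them, ship `log_pws: False` and let operators opt in, and quote the path the same way in both entries (`password_file: '/etc/strelka/passwords.dat'`) rather than mixing `"..."` and `'...'` for the identical value. Nothing in this series provisions `/etc/strelka/passwords.dat`; if a state elsewhere lays it down, a comment such as `# wordlist for the ScanEncrypted* dictionary attack; must exist in the strelka container` would save the next reader the search, and if nothing does, the attack presumably has nothing to try.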
@@ -111,6 +152,16 @@ strelka: priority: 5 options: tmp_directory: '/dev/shm/' + 'ScanFooter': + - positive: + flavors: + - '*' + priority: 5 + options: + length: 50 + encodings: + - classic + - backslash 'ScanGif': - positive: flavors: @@ -144,13 +195,25 @@ strelka: - 'html_file' priority: 5 options: - parser: "html5lib" + max_hyperlinks: 50 + 'ScanIqy': + - positive: + flavors: + - 'iqy_file' + priority: 5 'ScanIni': - positive: filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$' flavors: - 'ini_file' priority: 5 + 'ScanIso': + - positive: + flavors: + - 'application/x-iso9660-image' + priority: 5 + options: + limit: 50 'ScanJarManifest': - positive: flavors: @@ -198,6 +261,25 @@ strelka: priority: 5 options: limit: 1000 + 'ScanLNK': + - positive: + flavors: + - 'lnk_file' + priority: 5 + 'ScanLsb': + - positive: + flavors: + - 'image/png' + - 'png_file' + - 'image/jpeg' + - 'jpeg_file' + - 'image/x-ms-bmp' + - 'bmp_file' + - 'image/webp' + negative: + source: + - 'ScanTranscode' + priority: 5 'ScanLzma': - positive: flavors: @@ -214,6 +296,36 @@ strelka: priority: 5 options: tmp_directory: '/dev/shm/' + 'ScanManifest': + - positive: + flavors: + - 'browser_manifest' + priority: 5 + 'ScanMsi': + - positive: + flavors: + - "image/vnd.fpx" + - "application/vnd.ms-msi" + - "application/x-msi" + priority: 5 + options: + tmp_directory: '/dev/shm/' + keys: + - 'Author' + - 'Characters' + - 'Company' + - 'CreateDate' + - 'LastModifiedBy' + - 'Lines' + - 'ModifyDate' + - 'Pages' + - 'Paragraphs' + - 'RevisionNumber' + - 'Software' + - 'Template' + - 'Title' + - 'TotalEditTime' + - 'Words' 'ScanOcr': - positive: flavors: @@ -236,6 +348,13 @@ strelka: - 'application/msword' - 'olecf_file' priority: 5 + 'ScanOnenote': + - positive: + flavors: + - 'application/onenote' + - 'application/msonenote' + - 'onenote_file' + priority: 5 'ScanPdf': - positive: flavors: 
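Review bot: Removing `parser: "html5lib"` from ScanHtml is a behaviour change rather than a cleanup: if the scanner still honours a `parser` option it now falls back to its built-in default, and html5lib is the parser whose error recovery tracks browsers most closely, which matters when the input is attacker-crafted HTML built to look different to a strict parser than to the browser that will render it. The commit message ("Update defaults") does not say why it was dropped; either keep `parser: 'html5lib'` next to the new `max_hyperlinks: 50`, or add a one-line comment recording why the scanner default is now preferred. `max_hyperlinks: 50` also deserves a comment, since it presumably truncates the links copied into the event, e.g. `# cap on hyperlinks extracted per document; raise if link IOCs are being cut off`.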
@@ -285,6 +404,30 @@ strelka: - 'ProgramArguments' - 'RunAtLoad' - 'StartInterval' + 'ScanPngEof': + - positive: + flavors: + - 'image/png' + - 'png_file' + negative: + source: + - 'ScanTranscode' + priority: 5 + 'ScanQr': + - positive: + flavors: + - 'image/jpeg' + - 'jpeg_file' + - 'image/png' + - 'png_file' + - 'image/tiff' + - 'type_is_tiff' + - 'image/x-ms-bmp' + - 'bmp_file' + - 'image/webp' + priority: 5 + options: + support_inverted: True 'ScanRar': - positive: flavors: @@ -309,6 +452,19 @@ strelka: priority: 5 options: limit: 1000 + 'ScanSevenZip': + - positive: + flavors: + - 'application/x-7z-compressed' + - '_7zip_file' + - "image/vnd.fpx" + - "application/vnd.ms-msi" + - "application/x-msi" + priority: 5 + options: + scanner_timeout: 150 + crack_pws: True + log_pws: True 'ScanSwf': - positive: flavors: @@ -351,6 +507,7 @@ strelka: flavors: - 'vb_file' - 'vbscript' + - 'hta_file' priority: 5 'ScanVba': - positive: @@ -362,6 +519,20 @@ strelka: priority: 5 options: analyze_macros: True + 'ScanVhd': + - positive: + flavors: + - 'application/x-vhd' + - 'vhd_file' + - 'vhdx_file' + priority: 5 + options: + limit: 100 + 'ScanVsto': + - positive: + flavors: + - 'vsto_file' + priority: 5 'ScanX509': - positive: flavors: @@ -391,6 +562,12 @@ strelka: priority: 5 options: location: '/etc/yara/' + compiled: + enabled: False + filename: "rules.compiled" + store_offset: True + offset_meta_key: "StrelkaHexDump" + offset_padding: 32 'ScanZip': - positive: flavors: 
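Review bot: `crack_pws: True` together with `scanner_timeout: 150` makes password brute-forcing the default for every 7z archive, and because ScanSevenZip also claims the MSI flavors (`image/vnd.fpx`, `application/vnd.ms-msi`, `application/x-msi`) every MSI reaches this scanner on top of the ScanMsi entry added earlier in the series, so a submitter can pin a worker for up to 150 s per encrypted file, which is a cheap way to starve the pipeline. Unlike ScanEncryptedZip there is no `password_file` here, so the diff does not show which wordlist the attack consumes. Recommend shipping `crack_pws: False` and `log_pws: False` (the latter because recovered passwords otherwise land in the event stream and the strelka log), with a comment `# crack_pws brute-forces archive passwords for up to scanner_timeout seconds per file; enable deliberately` so operators turn it on knowingly.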
@@ -530,6 +707,20 @@ strelka: ttl: 1h response: log: "/var/log/strelka/strelka.log" + broker: + bootstrap: "full broker here" + protocol: "protocol here" + certlocation: "path to cert location" + keylocation: "path to key location" + calocation: "path to target ca bundle" + topic: "topic name here" + s3redundancy: "Boolean to pipe logs to S3 if kafka connection interrupted" + s3: + accesskey: "S3 Access Key" + secretkey: "S3 Secret Key" + bucketName: "S3 bucket name" + region: "Region that the S3 Bucket resides in" + endpoint: "Endpoint that the S3 bucket refers to" manager: enabled: False config: From 72319e33db33aea5a936260994d05bab04a906ea Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 23 Jan 2024 12:38:09 -0500 Subject: [PATCH 2/3] Avoid leak test triggering --- salt/strelka/defaults.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml index 38c72138a9..f338ce3ffa 100644 --- a/salt/strelka/defaults.yaml +++ b/salt/strelka/defaults.yaml @@ -710,15 +710,15 @@ strelka: broker: bootstrap: "full broker here" protocol: "protocol here" - certlocation: "path to cert location" - keylocation: "path to key location" - calocation: "path to target ca bundle" + certlocation: "path" + keylocation: "path" + calocation: "path" topic: "topic name here" s3redundancy: "Boolean to pipe logs to S3 if kafka connection interrupted" s3: - accesskey: "S3 Access Key" - secretkey: "S3 Secret Key" - bucketName: "S3 bucket name" + accesskey: "abcd" + secretkey: "abcd" + bucketName: "bucket name" region: "Region that the S3 Bucket resides in" endpoint: "Endpoint that the S3 bucket refers to" manager: From 1698d95efe660ac057d2616ce67a7dc163d9b3ba Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 23 Jan 2024 13:45:26 -0500 Subject: [PATCH 3/3] Use PLACEHOLDER for key values --- salt/strelka/defaults.yaml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) 
diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml index f338ce3ffa..2183c01526 100644 --- a/salt/strelka/defaults.yaml +++ b/salt/strelka/defaults.yaml @@ -708,19 +708,19 @@ strelka: response: log: "/var/log/strelka/strelka.log" broker: - bootstrap: "full broker here" - protocol: "protocol here" - certlocation: "path" - keylocation: "path" - calocation: "path" - topic: "topic name here" - s3redundancy: "Boolean to pipe logs to S3 if kafka connection interrupted" + bootstrap: "PLACEHOLDER" + protocol: "PLACEHOLDER" + certlocation: "PLACEHOLDER" + keylocation: "PLACEHOLDER" + calocation: "PLACEHOLDER" + topic: "PLACEHOLDER" + s3redundancy: "PLACEHOLDER - This should be a boolean value" s3: - accesskey: "abcd" - secretkey: "abcd" - bucketName: "bucket name" - region: "Region that the S3 Bucket resides in" - endpoint: "Endpoint that the S3 bucket refers to" + accesskey: "PLACEHOLDER" + secretkey: "PLACEHOLDER" + bucketName: "PLACEHOLDER' + region: "PLACEHOLDER" + endpoint: "PLACEHOLDER" manager: enabled: False config:
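Review bot: `bucketName: "PLACEHOLDER'` opens with a double quote and closes with a single one, so the scalar is never terminated on that line and the document no longer parses as YAML; anything that loads these defaults will fail until it reads `bucketName: "PLACEHOLDER"`. Beyond the typo, `accesskey` and `secretkey` remain credential-shaped keys carrying literal values in a defaults file committed to the repository, which is what the leak check in the previous commit objected to; the durable fix is to keep them out of defaults and source them from pillar or a secret store, and where a key must exist for merging, `null` neither trips a secret scanner nor can be mistaken for a working credential. `s3redundancy: "PLACEHOLDER - This should be a boolean value"` is a non-empty string, which most consumers treat as truthy, so a deployment that enables the broker without overriding it may silently switch on the S3 fallback with placeholder credentials; make it a real boolean, `s3redundancy: false`, and put the explanatory text in a comment above it.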