add yara downloader

TelkomIndonesia · Oct 12, 2023 · 18a9dfb · 18a9dfb
1 parent a35bb65
commit 18a9dfb
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 3 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -20,12 +20,22 @@ RUN wget -c https://github.com/nicolas-van/multirun/releases/download/1.1.3/mult
 
 FROM golang:1.20.4-bullseye AS fsnotify
 WORKDIR /src
-RUN git clone https://github.com/fsnotify/fsnotify
-RUN cd fsnotify/cmd/fsnotify \
+RUN git clone https://github.com/fsnotify/fsnotify .
+RUN --mount=type=cache,target=/go/pkg/mod \
+  --mount=type=cache,target=/root/.cache/go-build \
+  cd cmd/fsnotify \
   && GOOS=linux go build -tags release -a -ldflags "-extldflags -static" -o fsnotify
 
 
 
+FROM golang:1.20.4-bullseye AS job
+WORKDIR /src
+RUN git clone --depth 1 --branch v0.2.0 https://github.com/liujianping/job .
+RUN --mount=type=cache,target=/go/pkg/mod \
+  --mount=type=cache,target=/root/.cache/go-build \
+  GOOS=linux go build -o job-
+
+
 FROM debian:bullseye AS yara
 RUN apt-get update -y && apt-get install -y \
   ca-certificates wget automake libtool make gcc pkg-config libjansson-dev libmagic-dev libssl-dev git
@@ -69,19 +79,23 @@ RUN apt-get update -y && apt-get install -y \
   libjansson4 \
   libmagic1 \
   libssl1.1 \
+  curl \
+  unzip \
   && rm -rf /var/cache/apt/lists
 
 COPY --from=gomplate /gomplate /usr/bin/gomplate
 COPY --from=multirun /src/multirun /usr/bin/multirun
+COPY --from=job /src/job- /usr/bin/job
 COPY --from=yara /usr/local/yara /usr/local/yara
 
 COPY --from=wazuh-agent /var/ossec /var/ossec
 COPY --from=wazuh-manager /var/ossec/ruleset/sca.disabled /var/ossec/ruleset/sca.disabled
-COPY --from=fsnotify /src/fsnotify/cmd/fsnotify/fsnotify /var/ossec/bin/fsnotify
+COPY --from=fsnotify /src/cmd/fsnotify/fsnotify /var/ossec/bin/fsnotify
 COPY --from=wazuh-container-exec /src/wazuh-container-exec /var/ossec/active-response/bin/wazuh-container-exec
 COPY active-response/* /var/ossec/active-response/bin
 
 COPY entrypoint.sh /entrypoint.sh 
+COPY yara-rule-downloader.sh /yara-rule-downloader.sh
 COPY wazuh-start.sh /var/ossec/bin/wazuh-start.sh
 COPY wazuh-tail-logs.sh /var/ossec/bin/wazuh-tail-logs.sh
 COPY ossec.tpl.conf /var/ossec/etc/ossec.tpl.conf

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -32,7 +32,10 @@ if [ "$desiredname" != "$currentname" ]; then
     echo -n "" >"$WAZUH_AGENT_HOST_DIR/var/ossec/etc/client.keys"
 fi
 
+/yara-rule-downloader.sh
+
 exec multirun \
     "env PATH='/var/ossec/active-response/bin:$PATH' wazuh-container-exec server" \
+    "job -s '0 1 * * *' -- /yara-rule-downloader.sh" \
     "chroot $WAZUH_AGENT_HOST_DIR /var/ossec/bin/wazuh-start.sh" \
     "chroot $WAZUH_AGENT_HOST_DIR /var/ossec/bin/wazuh-tail-logs.sh"
diff --git a/yara-rule-downloader.sh b/yara-rule-downloader.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -euo pipefail
+
+WAZUH_YARA_HOME="${WAZUH_YARA_HOME:-"/usr/local/yara"}"
+WAZUH_YARA_RULES_URLS="${WAZUH_YARA_RULES_URLS:-}"
+
+if [ -z "$WAZUH_YARA_RULES_URLS" ]; then
+    echo "INFO: No yara rules to download."
+    exit 0
+fi
+
+mkdir -p /tmp/rules
+cd /tmp/rules
+for url in $WAZUH_YARA_RULES_URLS; do
+    echo "Downloading yara rules from '$url'."
+    curl -sfL "$url" -o temp.zip
+    unzip -qq temp.zip
+    rm temp.zip
+done
+rm -rf "$WAZUH_YARA_HOME/rules"
+mv /tmp/rules "$WAZUH_YARA_HOME/rules"