Wednesday, October 30, 2013

FireEye Script To Manage YARA Across An Enterprise



FireEye has been a huge help to cyber security analysts over the years. However, nothing is perfect, and the lack of an API is a huge shortcoming (which I hear they are working on). To compensate for this shortcoming, I've written a bash script that distributes a file of properly formatted YARA rules (you can do the same thing for Snort rules) to FireEye devices, even with their latest enforcement of the Rails authenticity token. Enjoy!



#!/bin/bash
# Author: Matthew Myrick
# Date Created: 20131014
# Date Modified: 20131004
# Purpose: This script will auto submit an updated "Custom Rule" yara file to FireEye
# Usage: fe_yara_update.sh <path to custom_signature_file>
#
# Dependencies: Custom yara file must adhere to fireeye restrictions. OS 6.3+ (Auth Token Enforced)
##############################################################################
#DEFINE FIREEYE SERVERS:
ONE="10.0.0.37"
TWO="10.0.0.35"
THREE="10.0.0.36"

#PUT ALL FIREEYE BOXES IN AN ARRAY SO WE CAN ITERATE!
BOXES=( "$ONE" "$TWO" "$THREE" )

#ADMIN CREDENTIALS (PLACEHOLDER - FILL IN BEFORE USE, AND KEEP THE REAL PASSWORD OUT OF VERSION CONTROL)
FE_USER="admin"
FE_PASS="<EnterPassHere>"

#COOKIE JAR FOR THE LOGIN SESSION - REMOVED ON EXIT, EVEN IF THE SCRIPT FAILS PART WAY
COOKIES="$(mktemp)"
trap 'rm -f "$COOKIES"' EXIT

#VERIFY ARGUMENT IS VALID (EXACTLY ONE ARGUMENT, AND IT MUST BE A READABLE FILE):
if [ "$#" -ne 1 ] || [ ! -r "$1" ]; then
  echo "Usage: $0 fireeye_formatted_yara_file"
  exit 1
fi

#LOOP THROUGH FIREEYE BOXES:
#NOTE: -k SKIPS TLS CERTIFICATE VERIFICATION (AS IN THE ORIGINAL). PREFER TRUSTING THE DEVICE CERT WITH --cacert WHERE POSSIBLE.
for i in "${BOXES[@]}"
do
  #echo "################# CONNECTING TO $i #################"
  #LOGIN - --data-urlencode ENCODES THE CREDENTIAL VALUES SO SPECIAL CHARACTERS IN THE PASSWORD DO NOT BREAK THE FORM POST
  /usr/bin/curl -s -L -c "$COOKIES" \
    --data-urlencode "user%5Baccount%5D=$FE_USER" \
    --data-urlencode "user%5Bpassword%5D=$FE_PASS" \
    -k "https://$i/login/login" > /dev/null 2>&1

  #echo "################# PULLING DOWN FORM FROM $i #################"
  #GET THE FORM - THIS IS A HUGE HACK! THE AUTHENTICITY TOKEN IS A PITA!!!
  #(FIELD 17 ASSUMES THE DEVICE'S EXACT HTML LAYOUT; THE REDIRECTION BELONGS INSIDE THE SUBSTITUTION, NOT AFTER THE ASSIGNMENT)
  AUTHTOKEN=$(/usr/bin/curl -s -L -b "$COOKIES" -k "https://$i/yara/yara" 2>/dev/null | grep -m 1 "<input name=\"authenticity_token\" type=\"hidden\"" | cut -d ' ' -f 17 | cut -d '"' -f 2)
  #echo "$AUTHTOKEN"

  if [ -z "$AUTHTOKEN" ]; then
    #AN EMPTY TOKEN MEANS THE LOGIN FAILED OR THE FORM LAYOUT CHANGED - THE POST WOULD BE REJECTED, SO DON'T SEND IT
    echo "No authenticity token from $i - skipping submit" >&2
  else
    #echo "################# SUBMIT YARA SIG TO $i #################"
    /usr/bin/curl -s -b "$COOKIES" -F "yara_file=@$1" -F f_type="common" -F authenticity_token="$AUTHTOKEN" -k "https://$i/yara/update_yara" > /dev/null 2>&1
  fi

  #echo "################# LOG OUT OF $i #################"
  #LOGOUT
  /usr/bin/curl -s -b "$COOKIES" -k "https://$i/login/logout" > /dev/null 2>&1
done
#ZERO OUT COOKIE JAR (ALSO HANDLED BY THE EXIT TRAP ABOVE):
rm -f "$COOKIES"
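The token-grab in the script depends on the hidden input sitting at a fixed whitespace-separated field position. As an added example (not part of the original post), here is a less layout-dependent way to pull the authenticity_token out of the form page, assuming only that it is carried in a hidden input with a value attribute; the sample HTML is constructed and not captured from a device:

```bash
#!/bin/bash
# Added example, not from the original post: extract a Rails authenticity_token
# from form HTML without relying on the exact attribute order or spacing.

# Constructed sample of what a Rails form page might contain (not real device output).
SAMPLE_HTML='<html><body>
<form action="/yara/update_yara" method="post" enctype="multipart/form-data">
<input name="authenticity_token" type="hidden" value="c0nstructedT0ken+abc/123=" />
<input name="f_type" type="hidden" value="common" />
</form></body></html>'

# Print the value of the first <input ... name="authenticity_token" ...> tag.
# $1: HTML text. Returns non-zero (and prints nothing) when no token is present,
# so a caller can refuse to submit instead of posting with an empty token.
extract_auth_token() {
  local token
  token=$(printf '%s\n' "$1" \
    | grep -o '<input[^>]*name="authenticity_token"[^>]*>' \
    | head -n 1 \
    | sed -n 's/.*value="\([^"]*\)".*/\1/p')
  [ -n "$token" ] || return 1
  printf '%s\n' "$token"
}

# Usage: abort the run when the page carries no token.
if token=$(extract_auth_token "$SAMPLE_HTML"); then
  echo "token: $token"
else
  echo "no authenticity_token found; not submitting" >&2
fi
```

The same function works when the value attribute precedes the name attribute, since the match is on the whole tag rather than a field index.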

