Wednesday, October 30, 2013

FireEye Script To Manage YARA Across An Enterprise



FireEye appliances have been a huge help to security analysts over the years. Nothing is perfect, though, and the lack of an API for managing custom signatures is a real shortcoming (one I hear they are working on). To work around it, I wrote the bash script below: it logs in to each appliance's web UI, scrapes the Rails authenticity token from the YARA form, and submits a file of properly formatted YARA rules (the same approach works for custom Snort rules). It still works on the latest appliance software, which now enforces the Rails authenticity token on form posts. Enjoy!



#!/usr/bin/env bash
# Author: Matthew Myrick
# Date Created: 20131014
# Date Modified: 20131004
# Purpose: This script will auto submit an updated "Custom Rule" yara file to FireEye
# Usage: fe_yara_update.sh <path to custom_signature_file>
#
# Dependencies: curl. Custom yara file must adhere to FireEye restrictions. OS 6.3+ (Auth Token Enforced)
##############################################################################
#DEFINE FIREEYE SERVERS:
ONE="10.0.0.37"
TWO="10.0.0.35"
THREE="10.0.0.36"

#PUT ALL FIREEYE BOXES IN AN ARRAY SO WE CAN ITERATE! (THE LOOP BELOW DOES NOTHING IF THIS LINE IS COMMENTED OUT)
BOXES=( "$ONE" "$TWO" "$THREE" )

#ACCOUNT USED ON EVERY APPLIANCE:
FE_USER="admin"

#VERIFY ARGUMENT IS VALID:
if [ "$#" -ne 1 ] || [ ! -r "$1" ]; then
  echo "Usage: $0 fireeye_formatted_yara_file" >&2
  exit 1
fi
YARA_FILE="$1"

#READ THE PASSWORD FROM THE TERMINAL INSTEAD OF HARDCODING IT IN THE SCRIPT.
#IT STILL APPEARS IN curl'S ARGUMENTS (VISIBLE IN ps) FOR THE DURATION OF EACH LOGIN REQUEST.
read -r -s -p "FireEye password for $FE_USER: " FE_PASS; echo

#PER-RUN COOKIE JAR, REMOVED ON EXIT (INCLUDING CTRL-C) SO ADMIN SESSION COOKIES ARE NOT LEFT ON DISK:
COOKIES="$(mktemp)"
trap 'rm -f "$COOKIES"' EXIT

#-k SKIPS TLS CERTIFICATE VERIFICATION (APPLIANCES USUALLY SHIP SELF-SIGNED CERTS).
#IF YOU HAVE THE APPLIANCE CA, REPLACE -k WITH --cacert <ca.pem> SO THE ADMIN SESSION CANNOT BE INTERCEPTED.
CURL=( /usr/bin/curl -s -k )

#LOOP THROUGH FIREEYE BOXES:
for i in "${BOXES[@]}"
do
  echo "################# CONNECTING TO $i #################"
  #START WITH AN EMPTY JAR SO ONE APPLIANCE'S SESSION COOKIE IS NEVER SENT TO ANOTHER:
  : > "$COOKIES"
  #LOGIN (user[account] / user[password], NAMES PRE-ENCODED AS %5B/%5D; --data-urlencode PROTECTS SPECIAL CHARACTERS IN THE VALUES)
  "${CURL[@]}" -L -c "$COOKIES" -b "$COOKIES" \
    --data-urlencode "user%5Baccount%5D=$FE_USER" \
    --data-urlencode "user%5Bpassword%5D=$FE_PASS" \
    "https://$i/login/login" > /dev/null

  #GET THE FORM AND PULL OUT THE RAILS AUTHENTICITY TOKEN - OS 6.3+ REJECTS THE POST WITHOUT IT.
  #MATCH ON THE ATTRIBUTE NAME RATHER THAN A WORD POSITION SO WHITESPACE OR ATTRIBUTE-ORDER CHANGES IN THE PAGE DO NOT BREAK IT.
  AUTHTOKEN=$("${CURL[@]}" -L -b "$COOKIES" "https://$i/yara/yara" \
    | grep -o '<input[^>]*name="authenticity_token"[^>]*>' | head -n 1 \
    | sed -n 's/.*value="\([^"]*\)".*/\1/p')
  if [ -z "$AUTHTOKEN" ]; then
    echo "ERROR: no authenticity_token found on $i (login failed or page layout changed); skipping" >&2
    continue
  fi

  #SUBMIT YARA SIG. KEEP THE HTTP STATUS SO A REJECTED UPLOAD IS NOT SILENT.
  STATUS=$("${CURL[@]}" -b "$COOKIES" -o /dev/null -w '%{http_code}' \
    -F "yara_file=@$YARA_FILE" -F f_type="common" -F authenticity_token="$AUTHTOKEN" \
    "https://$i/yara/update_yara")
  echo "$i: update_yara returned HTTP $STATUS"

  #LOGOUT
  "${CURL[@]}" -b "$COOKIES" "https://$i/login/logout" > /dev/null
done
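The token scrape is the fragile part of this approach: the form only has to gain an attribute, reorder one, or wrap the input tag across two lines for a fixed word-position cut to hand back the wrong field, and with every response sent to /dev/null the appliance would then quietly reject each post. The following is an added example, not code from the original post or from FireEye, that pulls the authenticity_token out of a saved form page regardless of attribute order or line breaks, falls back to the csrf-token meta tag Rails also emits in the page head, and returns non-zero when nothing is found so a caller can skip the submit instead of posting an empty token. The HTML it runs against is constructed here for illustration (the token value is made up), and only double-quoted attributes, Rails' default, are handled.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Extract a Rails authenticity
# token from an HTML page without depending on attribute order or word position.

# extract_auth_token <html-file>
# Prints the token and returns 0; returns 1 if the page carries no token.
extract_auth_token() {
  local page token
  page=$(tr '\n' ' ' < "$1")   # one line, so a tag split across lines still matches as a unit

  # 1) the hidden field Rails puts in every form:
  #    <input ... name="authenticity_token" ... value="..." ...>
  #    [^>]* cannot cross a '>', so only the tag that carries this name= is selected.
  token=$(printf '%s' "$page" \
    | grep -o '<input[^>]*name="authenticity_token"[^>]*>' | head -n 1 \
    | sed -n 's/.*value="\([^"]*\)".*/\1/p')

  # 2) fallback: the <meta name="csrf-token" content="..."> tag in the page head
  if [ -z "$token" ]; then
    token=$(printf '%s' "$page" \
      | grep -o '<meta[^>]*name="csrf-token"[^>]*>' | head -n 1 \
      | sed -n 's/.*content="\([^"]*\)".*/\1/p')
  fi

  [ -n "$token" ] || return 1
  printf '%s\n' "$token"
}

# write_sample_page <path>
# Writes a constructed, FireEye-style YARA form page (made up for this example;
# the token is not real). The token input has its attributes in a different
# order from the other hidden field and is wrapped over two lines, which is
# exactly what defeats a single-line grep plus a fixed "cut -d ' ' -f N".
write_sample_page() {
  cat > "$1" <<'EOF'
<html><body>
<form action="/yara/update_yara" method="post" enctype="multipart/form-data">
  <input name="utf8" type="hidden" value="&#x2713;" />
  <input value="uA7p3hV9Q2rLw+XK8mBz0e4fS6tYc1dN/gHjR5oI2aE=" type="hidden"
         name="authenticity_token" />
  <input name="yara_file" type="file" />
  <input name="f_type" type="hidden" value="common" />
</form></body></html>
EOF
}

# Usage: the same check a push loop would make before calling update_yara.
main() {
  local page token
  page=$(mktemp)
  write_sample_page "$page"
  if token=$(extract_auth_token "$page"); then
    echo "authenticity_token: $token"
  else
    echo "no authenticity_token found; skipping submit" >&2
  fi
  rm -f "$page"
}
main "$@"
```

In the push script this replaces the grep/cut pipeline: save the form page with curl, call extract_auth_token on it, and `continue` to the next appliance when it returns non-zero.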


2 comments:

  1. Thank you for your article.
    If you come to think of it, local networks have multiple vulnerabilities, and this fact makes them unreliable. On the other hand, there are virtual data room companies that offer cloud services to provide secure access to the data when it's necessary.

  2. Thanks for this post. I agree with John: in times of hacking you need to understand how you can protect your data.
    security online
