FireEye has been a huge help to cyber security analysts over the years. However, nothing is perfect...and the lack of an API is a huge shortcoming (which I hear they are working on). To compensate for this shortcoming, I've written a bash script that will distribute a file of properly formatted Yara rules (you can also do the same thing for Snort rules) to FireEye devices (even with their latest enforcement of the rails authenticity token). Enjoy!
# Author: Matthew Myrick
# Date Created: 20131014
# Date Modified: 20131004
# Purpose: This script will auto submit an updated "Custom Rule" yara file to FireEye
# Usage: fe_yara_update.sh <path to custom_signature_file>
#
# Dependencies: Custom yara file must adhere to fireeye restrictions. OS 6.3+ (Auth Token Enforced)
##############################################################################
#DEFINE FIREEYE SERVERS:
ONE="10.0.0.37"
TWO="10.0.0.35"
THREE="10.0.0.36"
#PUT ALL FIREEYE BOXES IN AN ARRAY SO WE CAN ITERATE!
#BOXES=( $ONE $TWO $THREE )
#VERIFY ARGUMENT IS VALID:
if [ ! $# == 1 ]; then
echo "Usage: $0 fireeye_formatted_yara_file"
exit
fi
#LOOP THROUGH FIREEYE BOXES:
for i in "${BOXES[@]}"
do
#echo "################# CONNECTING TO $i #################"
#LOGIN
/usr/bin/curl -L -c cookies.txt -d "user%5Baccount%5D=admin&user%5Bpassword%5D=<EnterPassHere>" -k https://$i/login/login > /dev/null 2>&1
#echo "################# PULLING DOWN FORM FROM $i #################"
#GET THE FORM - THIS IS A HUGE HACK! THE AUTHENTICITY TOKEN IS A PITA!!!
AUTHTOKEN=`/usr/bin/curl -L -b cookies.txt -k https://$i/yara/yara | grep -m 1 "<input name=\"authenticity_token\" type=\"hidden\"" | cut -d ' ' -f 17 | cut -d '"' -f 2` >/dev/null 2>&1
#echo "$AUTHTOKEN"
#echo "################# SUBMIT YARA SIG TO $i #################"
/usr/bin/curl -b cookies.txt -F yara_file=@$1 -F f_type="common" -F authenticity_token="$AUTHTOKEN" -k https://$i/yara/update_yara > /dev/null 2>&1
#echo "################# LOG OUT OF $i #################"
#LOGOUT
/usr/bin/curl -b cookies.txt -k https://$i/login/logout > /dev/null 2>&1
done
#ZERO OUT COOKIE JAR:
rm -f cookies.txt
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.