Merge pull request #136 from isimluk/intel_ruls
New example: Download CrowdStrike Intelligence Rules
Showing
5 changed files
with
144 additions
and
0 deletions.
@@ -17,6 +17,7 @@ gofalcon | |
gosec | ||
hostnames | ||
initialisation | ||
intel | ||
iocs | ||
oauth | ||
pre | ||
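--- /dev/null
+++ b/[PATH-NOT-ON-PAGE]
@@ -0,0 +1,19 @@
+# Falcon Intelligence Rules Download
+
+Minimalist example to show download CrowdStrike Falcon Intelligence Rules through API. This example can be run interactively or in script when all information is passed in through command-line.
+
+## Installation
+
+```
+go get github.com/crowdstrike/gofalcon/examples/falcon_intel_rules_download
+```
+
+## Example Run
+
+Download rules file interactively
+```
+$ FALCON_CLIENT_ID="abc" FALCON_CLIENT_SECRET="XYZ" FALCON_CLOUD=us-1 falcon_intel_rules_download
+Missing--rule-type argument. Valid options are [snort-suricata-master snort-suricata-update snort-suricata-changelog yara-master yara-update yara-changelog common-event-format netwitness].
+Requested Rule type: snort-suricata-master
+Downloading file snort-suricata-master.tar.gz
+```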
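--- /dev/null
+++ b/[PATH-NOT-ON-PAGE]
@@ -0,0 +1,89 @@
+package main
+
+import (
+"context"
+"flag"
+"fmt"
+"os"
+"path/filepath"
+"strings"
+
+"github.com/crowdstrike/gofalcon/falcon"
+"github.com/crowdstrike/gofalcon/falcon/client"
+"github.com/crowdstrike/gofalcon/falcon/client/intel"
+"github.com/crowdstrike/gofalcon/pkg/falcon_util"
+)
+
+func main() {
+clientId := flag.String("client-id", os.Getenv("FALCON_CLIENT_ID"), "Client ID for accessing CrowdStrike Falcon Platform (default taken from FALCON_CLIENT_ID env)")
+clientSecret := flag.String("client-secret", os.Getenv("FALCON_CLIENT_SECRET"), "Client Secret for accessing CrowdStrike Falcon Platform (default taken from FALCON_CLIENT_SECRET)")
+memberCID := flag.String("member-cid", os.Getenv("FALCON_MEMBER_CID"), "Member CID for MSSP (for cases when OAuth2 authenticates multiple CIDs)")
+clientCloud := flag.String("cloud", os.Getenv("FALCON_CLOUD"), "Falcon cloud abbreviation (us-1, us-2, eu-1, us-gov-1)")
+intelRuleType := flag.String("rule-type", "", fmt.Sprintf("Falcon Intelligence Rule Type: available types: %s", intel.RuleTypeValidValues))
+flag.Parse()
+
+if *clientId == "" {
+*clientId = falcon_util.PromptUser(`Missing FALCON_CLIENT_ID environment variable. Please provide your OAuth2 API Client ID for authentication with CrowdStrike Falcon platform. Establishing and retrieving OAuth2 API credentials can be performed at https://falcon.crowdstrike.com/support/api-clients-and-keys.
+Falcon Client ID`)
+}
+if *clientSecret == "" {
+*clientSecret = falcon_util.PromptUser(`Missing FALCON_CLIENT_SECRET environment variable. Please provide your OAuth2 API Client Secret for authentication with CrowdStrike Falcon platform. Establishing and retrieving OAuth2 API credentials can be performed at https://falcon.crowdstrike.com/support/api-clients-and-keys.
+Falcon Client Secret`)
+}
+
+if !intel.RuleType(*intelRuleType).Valid() {
+*intelRuleType = falcon_util.PromptUser(fmt.Sprintf("Missing--rule-type argument. Valid options are %s. \nRequested Rule type", intel.RuleTypeValidValues))
+}
+
+client, err := falcon.NewClient(&falcon.ApiConfig{
+ClientId: *clientId,
+ClientSecret: *clientSecret,
+MemberCID: *memberCID,
+Cloud: falcon.Cloud(*clientCloud),
+Context: context.Background(),
+Debug: false,
+})
+if err != nil {
+panic(err)
+}
+
+intelType := *intelRuleType
+filepath := fmt.Sprintf("%s.tar.gz", intelType)
+fmt.Printf("Downloading file %s\n", filepath)
+err = DownloadLatestRuleFile(client, filepath, intelType)
+if err != nil {
+panic(err)
+
+}
+}
+
+func DownloadLatestRuleFile(client *client.CrowdStrikeAPISpecification, filename, intelType string) error {
+safeLocation := filepath.Clean(filename)
+if strings.Contains(safeLocation, "/") || strings.Contains(safeLocation, "\\") || strings.Contains(safeLocation, "..") {
+panic("Suspicious file location: " + safeLocation)
+}
+
+file, err := os.OpenFile(safeLocation, os.O_CREATE|os.O_WRONLY, 0600)
+if err != nil {
+return err
+}
+
+/* #nosec */
+defer func() {
+// (ignore possibly false positive https://github.com/securego/gosec/issues/714)
+if err := file.Close(); err != nil {
+fmt.Fprintf(os.Stderr, "Error closing file: %s\n", err)
+}
+}()
+
+gzip := "gzip"
+_, err = client.Intel.GetLatestIntelRuleFile(&intel.GetLatestIntelRuleFileParams{
+Context: context.Background(),
+Type: intelType,
+Format: &gzip,
+}, file)
+if err != nil {
+return err
+}
+return nil
+}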
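Review bot: `os.OpenFile(safeLocation, os.O_CREATE|os.O_WRONLY, 0600)` in DownloadLatestRuleFile opens without `os.O_TRUNC`, so when the target file already exists and is longer than the new download the stale tail is kept and the written .tar.gz is corrupt; use `os.O_CREATE|os.O_WRONLY|os.O_TRUNC` (or add `os.O_EXCL` if an existing file should never be overwritten). In main, `filepath := fmt.Sprintf("%s.tar.gz", intelType)` shadows the imported `path/filepath` package for the rest of the function; renaming the local to `outPath` avoids the trap. The same exported function panics on the `Suspicious file location` check but returns every other failure, so `return fmt.Errorf("suspicious file location: %q", safeLocation)` would keep its contract uniform for callers. The rule type typed at the prompt is not re-checked with `Valid()` before the API call, so a typo is sent straight through; prompting in a loop until it validates closes that gap.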
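--- /dev/null
+++ b/[PATH-NOT-ON-PAGE]
@@ -0,0 +1,34 @@
+package intel
+
+type RuleType string
+
+const (
+RuleTypeSnortSuricataMaster RuleType = "snort-suricata-master"
+RuleTypeSnortSuricataUpdate RuleType = "snort-suricata-update"
+RuleTypeSnortSuricataChangelog RuleType = "snort-suricata-changelog"
+RuleTypeYaraMaster RuleType = "yara-master"
+RuleTypeYaraUpdate RuleType = "yara-update"
+RuleTypeYaraChangelog RuleType = "yara-changelog"
+RuleTypeCommonEventFormat RuleType = "common-event-format"
+RuleTypeNetwitness RuleType = "netwitness"
+)
+
+var RuleTypeValidValues = []RuleType{
+RuleTypeSnortSuricataMaster,
+RuleTypeSnortSuricataUpdate,
+RuleTypeSnortSuricataChangelog,
+RuleTypeYaraMaster,
+RuleTypeYaraUpdate,
+RuleTypeYaraChangelog,
+RuleTypeCommonEventFormat,
+RuleTypeNetwitness,
+}
+
+func (rt RuleType) Valid() bool {
+for _, item := range RuleTypeValidValues {
+if rt == item {
+return true
+}
+}
+return false
+}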
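Review bot: None of the exported names in this file carry doc comments, which staticcheck flags and which SDK consumers will see as blank entries in godoc; at minimum add `// RuleType names a Falcon Intelligence rule file that can be requested through GetLatestIntelRuleFile.` above the type, `// RuleTypeValidValues lists every RuleType accepted by the API.` above the slice, and `// Valid reports whether rt is one of RuleTypeValidValues.` above the method. Because `RuleTypeValidValues` is an exported `var`, any importer can append to or reorder it and thereby change what `Valid` accepts; if the list is meant to be fixed, consider exposing it through a function that returns a copy, or state in its doc comment that it must be treated as read-only. Both points are style rather than defects in the new code.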