Local YARA rules

[Hammer-Bear]

Hi,

Been looking to add some custom YARA rules and have been following the docs https://docs.securityonion.net/en/2.3/local-rules.html?#id1 however I'm a little confused. we run SO in a distributed deployment and the manager doesn't run strelka but does run on the sensor, the paths however (/opt/so/saltstack/local/salt/strelka/rules) exist on the manger but not the sensor, I did find the default repo under opt/so/saltstack/default/salt/strelka/rules/ on the manager and I can run so-yara-update but not so-strelka-restart because its not running on the manager so I'm a little confused on where I should be putting the custom YARA rules because things don't line up with the documentation or I'm just getting super confused. Any pointers would be appreciated.

[weslambert]

Hi @Trash-P4nda ,

I've just updated the documentation to be clearer.

After adding your rules, update the configuration by running so-strelka-restart on all nodes running Strelka.

Alternatively, run salt -G 'role:so-sensor' cmd.run "so-strelka-restart" to restart Strelka on all sensors at once.