Merge pull request #7282 from Security-Onion-Solutions/delta

Initial Support - IDH Node

files/firewall/assigned_hostgroups.local.map.yaml

@@ -13,6 +13,7 @@ role:
   fleet:
   heavynode:
   helixsensor:
+  idh:
   import:
   manager:
   managersearch:

files/firewall/hostgroups.local.yaml

@@ -28,6 +28,10 @@ firewall:
       ips:
         delete:
         insert:
+    idh:
+      ips:
+        delete:
+        insert: 
     manager:
       ips:
         delete:

pillar/top.sls

@@ -98,6 +98,11 @@ base:
     - global
     - minions.{{ grains.id }}
 
+  '*_idh':
+    - data.*
+    - global
+    - minions.{{ grains.id }}
+
   '*_searchnode':
     - logstash
     - logstash.search

salt/allowed_states.map.jinja

@@ -91,6 +91,16 @@
           'schedule',
           'docker_clean'
           ],
+     'so-idh': [
+          'ssl',
+          'telegraf',
+          'firewall',
+          'fleet.install_package',
+          'filebeat',
+          'idh',
+          'schedule',
+          'docker_clean'
+          ],
       'so-import': [
           'salt.master',
           'ca',
@@ -238,7 +248,7 @@
     {% do allowed_states.append('strelka') %}
   {% endif %}
 
-  {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver']%}
+  {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver','so-idh']%}
     {% do allowed_states.append('wazuh') %}
   {% endif %}
 

salt/common/tools/sbin/so-idh-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart idh $1

salt/common/tools/sbin/so-idh-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start idh $1

salt/common/tools/sbin/so-idh-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop idh $1

salt/common/tools/sbin/so-image-common

@@ -55,6 +55,7 @@ container_list() {
       "so-fleet"
       "so-fleet-launcher"
       "so-grafana"
+      "so-idh"
       "so-idstools"
       "so-influxdb"
       "so-kibana"

salt/filebeat/etc/filebeat.yml

@@ -294,6 +294,48 @@ filebeat.inputs:
   close_removed: false
 {%- endif %}
 
+{%- if grains.role == 'so-idh' %}
+- type: log
+  paths:
+    - /nsm/idh/opencanary.log
+  fields:
+    module: opencanary
+    dataset: idh
+    category: host
+    tags: beat-ext
+  processors:
+    - decode_json_fields:
+        fields: ["message"]
+        target: ""
+        add_error_key: true
+    - drop_fields:
+        when:
+          equals:
+            logtype: 1001
+        fields: ["src_host", "src_port", "dst_host", "dst_port" ]
+        ignore_missing: true
+    - rename:
+        fields:
+          - from: "src_host"
+            to: "source.ip"
+          - from: "src_port"
+            to: "source.port"
+          - from: "dst_host"
+            to: "destination.host"
+          - from: "dst_port"
+            to: "destination.port"
+        ignore_missing: true
+    - convert:
+        fields:
+          - {from: "logtype", to: "event.code", type: "string"}
+        ignore_missing: true
+    - drop_fields:
+        fields: '["prospector", "input", "offset", "beat"]'
+  fields_under_root: true
+  clean_removed: false
+  close_removed: false
+{%- endif %}
+
 {%- if INPUTS %}
 # USER PILLAR DEFINED INPUTS
 {{ INPUTS | yaml(False) }}
@@ -352,7 +394,7 @@ output.logstash:
 
   # The Logstash hosts
   hosts:
-{%- if grains.role in ['so-sensor', 'so-fleet', 'so-node'] %}
+{%- if grains.role in ['so-sensor', 'so-fleet', 'so-node', 'so-idh'] %}
 {%-   set LOGSTASH = namespace() %}
 {%-   set LOGSTASH.count = 0 %}
 {%-   set LOGSTASH.loadbalance = false %}

salt/firewall/assigned_hostgroups.map.yaml

@@ -653,3 +653,20 @@ role:
           localhost:
             portgroups:
               - {{ portgroups.all }}
+  idh:
+    chain:
+      INPUT:
+        hostgroups:
+          anywhere:
+            portgroups:
+              - {{ portgroups.ssh }}
+            {% set idh_services = salt['pillar.get']('idh:services', []) %}
+            {% for service in idh_services %}
+              - {{ portgroups['idh_'~service] }}
+            {% endfor %}
+          dockernet:
+            portgroups:
+              - {{ portgroups.all }}
+          localhost:
+            portgroups:
+              - {{ portgroups.all }}

salt/firewall/portgroups.yaml

@@ -1,3 +1,8 @@
+{% if grains.role == 'so-idh' %}
+  {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
+  {% set idh_services = salt['pillar.get']('idh:services', []) %}
+{% endif %}
+
 firewall:
   aliases:
     ports:
@@ -106,3 +111,16 @@ firewall:
       yum:
         tcp:
           - 443
+
+{% if idh_services is defined %}
+  {% for service in idh_services %}
+  {% if service in ["smnp","ntp", "tftp"] %}
+    {% set proto = 'udp' %}
+  {% else %}
+    {% set proto = 'tcp' %}
+  {% endif %}
+      idh_{{service}}:
+        {{proto}}:
+          - {{ OPENCANARYCONFIG[service~'.port'] }}
+  {% endfor %}
+{% endif %}

salt/idh/Plays/IDH_SSH.yaml

@@ -0,0 +1,18 @@
+title: SO IDH - SSH Accessed
+status: experimental
+description: Detects when the SSH service on a SO IDH node has been probed.
+author: Security Onion Solutions
+logsource:
+  product: idh
+detection:
+  selection:
+    event.code:
+    - 4000
+    - 4001
+    - 4002
+  condition: selection
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical

salt/idh/defaults/defaults.yaml

@@ -0,0 +1,35 @@
+idh:
+  opencanary:
+    config:
+      device.node_id: {{ grains.host }}
+      logger:
+        class: PyLogger
+        kwargs:
+            formatters:
+              plain:
+                  format: '%(message)s'
+            handlers:
+              console:
+                  class: logging.StreamHandler
+                  stream: ext://sys.stdout
+              file:
+                  class: logging.FileHandler
+                  filename: /var/tmp/opencanary.log
+      portscan.enabled: false
+      portscan.logfile: /var/log/kern.log
+      portscan.synrate: 5
+      portscan.nmaposrate: 5
+      portscan.lorate: 3
+      tcpbanner.maxnum: 10
+      tcpbanner.enabled: false
+      tcpbanner_1.enabled: false
+      tcpbanner_1.port: 8001
+      tcpbanner_1.datareceivedbanner: ''
+      tcpbanner_1.initbanner: ''
+      tcpbanner_1.alertstring.enabled: false
+      tcpbanner_1.alertstring: ''
+      tcpbanner_1.keep_alive.enabled: false
+      tcpbanner_1.keep_alive_secret: ''
+      tcpbanner_1.keep_alive_probes: 11
+      tcpbanner_1.keep_alive_interval: 300
+      tcpbanner_1.keep_alive_idle: 300

salt/idh/defaults/ftp.defaults.yaml

@@ -0,0 +1,6 @@
+idh:
+  opencanary:
+    config:
+      ftp.enabled: true
+      ftp.port: 21
+      ftp.banner: FTP server ready

salt/idh/defaults/git.defaults.yaml

@@ -0,0 +1,5 @@
+idh:
+  opencanary:
+    config:
+      git.enabled: true
+      git.port: 9418      

salt/idh/defaults/http.defaults.yaml

@@ -0,0 +1,12 @@
+idh:
+  opencanary:
+    config:
+      http.banner: Apache/2.2.22 (Ubuntu)
+      http.enabled: true
+      http.port: 80
+      http.skin: nasLogin
+      http.skin.list:
+      - desc: Plain HTML Login
+        name: basicLogin
+      - desc: Synology NAS Login
+        name: nasLogin

salt/idh/defaults/httpproxy.defaults.yaml

@@ -0,0 +1,11 @@
+idh:
+  opencanary:
+    config:
+      httpproxy.enabled: true
+      httpproxy.port: 8080
+      httpproxy.skin: squid
+      httproxy.skin.list:
+      - desc: Squid
+        name: squid
+      - desc: Microsoft ISA Server Web Proxy
+        name: ms-isa

salt/idh/defaults/mssql.defaults.yaml

@@ -0,0 +1,6 @@
+idh:
+  opencanary:
+    config:
+      mssql.enabled: true
+      mssql.version: '2012'
+      mssql.port: 1433

salt/idh/defaults/mysql.defaults.yaml

@@ -0,0 +1,6 @@
+idh:
+  opencanary:
+    config:
+      mysql.enabled: true
+      mysql.port: 3306
+      mysql.banner: 5.5.43-0ubuntu0.14.04.1

salt/idh/defaults/ntp.defaults.yaml

@@ -0,0 +1,5 @@
+idh:
+  opencanary:
+    config:
+      ntp.enabled: true
+      ntp.port: '123'

salt/idh/defaults/redis.defaults.yaml

@@ -0,0 +1,5 @@
+idh:
+  opencanary:
+    config:
+      redis.enabled: true
+      redis.port: 6379

salt/idh/defaults/sip.defaults.yaml

@@ -0,0 +1,5 @@
+idh:
+  opencanary:
+    config:
+      sip.enabled: true
+      sip.port: 5060

salt/idh/defaults/smb.defaults.yaml

@@ -0,0 +1,5 @@
+idh:
+  opencanary:
+    config:
+      smb.auditfile: /var/log/samba-audit.log
+      smb.enabled: true

salt/idh/defaults/snmp.defaults.yaml

@@ -0,0 +1,5 @@
+idh:
+  opencanary:
+    config:
+      snmp.enabled: true
+      snmp.port: 161

salt/idh/defaults/ssh.defaults.yaml

@@ -0,0 +1,6 @@
+idh:
+  opencanary:
+    config:
+      ssh.enabled: true
+      ssh.port: 22
+      ssh.version: SSH-2.0-OpenSSH_5.1p1 Debian-4

salt/idh/defaults/telnet.defaults.yaml

@@ -0,0 +1,11 @@
+idh:
+  opencanary:
+    config:
+      telnet.enabled: true
+      telnet.port: '23'
+      telnet.banner: ''
+      telnet.honeycreds:
+      - username: admin
+        password: $pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA
+      - username: admin
+        password: admin1

salt/idh/defaults/tftp.defaults.yaml

@@ -0,0 +1,5 @@
+idh:
+  opencanary:
+    config:
+      tftp.enabled: true
+      tftp.port: 69

salt/idh/defaults/vnc.defaults.yaml

@@ -0,0 +1,5 @@
+idh:
+  opencanary:
+    config:
+      vnc.enabled: true
+      vnc.port: 5900

salt/idh/idh.conf.jinja

@@ -0,0 +1 @@
+{{ OPENCANARYCONFIG | tojson(True) }}

salt/idh/init.sls

@@ -0,0 +1,75 @@
+
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls in allowed_states %}
+
+{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
+{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
+{% set MANAGER = salt['grains.get']('master') %}
+
+# IDH State
+
+# Create a config directory
+temp:
+  file.directory:
+    - name: /opt/so/conf/idh
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+# Create a log directory
+configdir:
+  file.directory:
+    - name: /nsm/idh
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+{% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG with context %}
+opencanary_config:
+  file.managed:
+    - name: /opt/so/conf/idh/opencanary.conf
+    - source: salt://idh/idh.conf.jinja
+    - template: jinja
+    - defaults:
+        OPENCANARYCONFIG: {{ OPENCANARYCONFIG }}
+
+so-idh:
+  docker_container.running:
+    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-idh:{{ VERSION }}
+    - name: so-idh
+    - detach: True
+    - network_mode: host
+    - binds:
+      - /nsm/idh:/var/tmp:rw
+      - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
+    - watch:
+      - file: opencanary_config
+    - require:
+      - file: opencanary_config
+
+append_so-idh_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-idh
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/idh/opencanary_config.map.jinja

@@ -0,0 +1,9 @@
+{% set idh_services = salt['pillar.get']('idh:services', []) %}
+
+{% import_yaml "idh/defaults/defaults.yaml" as OPENCANARYCONFIG with context %}
+{% for service in idh_services %}
+      {% import_yaml "idh/defaults/" ~ service ~ ".defaults.yaml" as SERVICECONFIG with context %}
+      {% do salt['defaults.merge'](OPENCANARYCONFIG, SERVICECONFIG, in_place=True) %}
+{% endfor %}
+
+{% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=OPENCANARYCONFIG.idh.opencanary.config, merge=True) %}

salt/ssl/init.sls

@@ -447,7 +447,7 @@ fleetkeyperms:
 
 {% endif %}
 
-{% if grains['role'] in ['so-sensor', 'so-manager', 'so-node', 'so-eval', 'so-helix', 'so-managersearch', 'so-heavynode', 'so-fleet', 'so-standalone', 'so-import', 'so-receiver'] %}
+{% if grains['role'] in ['so-sensor', 'so-manager', 'so-node', 'so-eval', 'so-helix', 'so-managersearch', 'so-heavynode', 'so-fleet', 'so-standalone', 'so-idh', 'so-import', 'so-receiver'] %}
    
 fbcertdir:
   file.directory:

salt/top.sls

@@ -503,3 +503,20 @@ base:
     {%- endif %}
     - schedule
     - docker_clean
+
+  '*_idh and G@saltversion:{{saltversion}}':
+    - match: compound
+    - ssl
+    - sensoroni
+    - telegraf
+    - firewall
+    {%- if WAZUH != 0 %}
+    - wazuh
+    {%- endif %}
+    {%- if FLEETMANAGER or FLEETNODE %}
+    - fleet.install_package
+    {%- endif %}
+    - schedule
+    - docker_clean
+    - filebeat
+    - idh

setup/so-functions

@@ -447,6 +447,25 @@ collect_hostname_validate() {
 	done
 }
 
+collect_idh_services() {
+	whiptail_idh_services
+
+	case "$idh_services" in
+		'Linux Webserver')
+			idh_services=("HTTP" "FTP" "SSH")
+		;;
+		'MySQL Server')
+			idh_services=("MYSQL" "SSH")
+		;;
+		'MSSQL Server')
+			idh_services=("MSSQL" "VNC")
+		;;
+		'Custom')
+			whiptail_idh_services_custom
+		;;
+	esac
+}
+
 collect_int_ip_mask() {
 	whiptail_management_interface_ip_mask
 
@@ -864,6 +883,7 @@ check_requirements() {
 		req_cores=4
 		if [[ "$node_type" == 'sensor' ]]; then req_nics=2; else req_nics=1; fi
 		if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi
+		if [[ "$node_type" == 'idh' ]]; then req_mem=1 req_cores=2; fi
 	elif [[ "$standalone_or_dist" == 'import' ]]; then
 		req_mem=4
 		req_cores=2
@@ -1521,7 +1541,7 @@ get_redirect() {
 get_minion_type() {
 	local minion_type
 	case "$install_type" in
-		'EVAL' | 'MANAGERSEARCH' | 'MANAGER' | 'SENSOR' | 'HEAVYNODE' | 'FLEET' | 'STANDALONE' | 'IMPORT' | 'RECEIVER')
+		'EVAL' | 'MANAGERSEARCH' | 'MANAGER' | 'SENSOR' | 'HEAVYNODE' | 'FLEET' | 'IDH' | 'STANDALONE' | 'IMPORT' | 'RECEIVER')
 			minion_type=$(echo "$install_type" | tr '[:upper:]' '[:lower:]')
 			;;
 		'HELIXSENSOR')
@@ -2659,7 +2679,7 @@ set_initial_firewall_policy() {
 			$default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
             $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP"
 			;;
-		'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET' | 'RECEIVER')
+		'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET' | 'IDH' | 'RECEIVER')
 			$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
 			case "$install_type" in
 				'SENSOR')
@@ -2679,6 +2699,9 @@ set_initial_firewall_policy() {
 				'FLEET')
 				    $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost beats_endpoint_ssl "$MAINIP"
 					;;
+				'IDH')
+				    $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost beats_endpoint_ssl "$MAINIP"
+					;;
 				'RECEIVER')
 					$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost receiver "$MAINIP"
 					$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh receiverstab "$MINION_ID" "$MAINIP"
@@ -2866,6 +2889,17 @@ wait_for_salt_minion() {
 	retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$setup_log" 2>&1 || exit 1
 }
 
+write_out_idh_services() {
+	local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls
+
+	printf '%s\n'\
+	"idh:"\
+	"  services:" >> "$pillar_file"
+	for service in ${idh_services[@]}; do
+	  echo "    - $service" | tr '[:upper:]' '[:lower:]' >> "$pillar_file"
+    done
+}
+
 # Enable Zeek Logs
 zeek_logs_enabled() {
 	echo "Enabling Zeek Logs" >> "$setup_log" 2>&1

setup/so-setup

@@ -251,6 +251,10 @@ elif [ "$install_type" = 'FLEET' ]; then
 	is_minion=true
 	is_fleet_standalone=true
 	OSQUERY=1
+elif [ "$install_type" = 'IDH' ]; then
+	is_minion=true
+	is_idh=true
+	IDH=1
 elif [ "$install_type" = 'HELIXSENSOR' ]; then
 	is_helix=true
 elif [ "$install_type" = 'IMPORT' ]; then
@@ -267,11 +271,17 @@ if [[ $is_manager || $is_import ]]; then
 	check_elastic_license
 fi
 
+if [[ $is_idh ]]; then
+	collect_idh_services
+fi
+
 if ! [[ -f $install_opt_file ]]; then
 	if [[ $is_manager && $is_sensor ]]; then
 		check_requirements "standalone"
 	elif [[ $is_fleet_standalone ]]; then
 		check_requirements "dist" "fleet"
+	elif [[ $is_idh ]]; then
+		check_requirements "dist" "idh"
 	elif [[ $is_sensor && ! $is_eval ]]; then
 		check_requirements "dist" "sensor"
 	elif [[ $is_distmanager || $is_minion ]] && [[ ! $is_import ]]; then
@@ -742,6 +752,12 @@ echo "1" > /root/accept_changes
 		logstash_pillar >> $setup_log 2>&1
 	fi
 
+	if [[ $is_idh ]]; then
+		# Write out services to minion pillar file
+		set_progress_str 19 'Generating IDH services pillar'
+		write_out_idh_services
+	fi
+
 
 	if [[ $is_minion ]]; then
 		set_progress_str 20 'Accepting Salt key on manager'
@@ -805,7 +821,7 @@ echo "1" > /root/accept_changes
 	set_progress_str 62 "$(print_salt_state_apply 'common')"
 	salt-call state.apply -l info common >> $setup_log 2>&1
 
-	if [[ ! $is_helix && ! $is_receiver ]]; then
+	if [[ ! $is_helix && ! $is_receiver && ! $is_idh ]]; then
 		set_progress_str 62 "$(print_salt_state_apply 'nginx')"
 		salt-call state.apply -l info nginx >> $setup_log 2>&1
 	fi
@@ -910,6 +926,12 @@ echo "1" > /root/accept_changes
 
 	fi
 
+	if [[ $is_idh ]]; then
+		set_progress_str 79 "$(print_salt_state_apply 'idh')"
+		salt-call state.apply -l info idh >> $setup_log 2>&1
+
+	fi
+
 	if [[ "$WAZUH" = 1 ]]; then
 		set_progress_str 79 "$(print_salt_state_apply 'wazuh')"
 		salt-call state.apply -l info wazuh >> $setup_log 2>&1

setup/so-whiptail

@@ -432,6 +432,14 @@ whiptail_end_settings() {
 	Hostname: $HOSTNAME
 	EOM
 
+	if [[ $is_idh ]]; then
+		__append_end_msg "IDH Services Enabled:"
+	   for service in ${idh_services[@]}; do
+		__append_end_msg "- $service"
+      done
+
+	fi
+
 	[[ -n $NODE_DESCRIPTION ]] && __append_end_msg "Description: $NODE_DESCRIPTION"
 
 	[[ $is_airgap ]] && __append_end_msg "Airgap: True"
@@ -717,6 +725,47 @@ whiptail_homenet_sensor() {
 	export HNSENSOR
 }
 
+
+whiptail_idh_services() {
+
+	[ -n "$TESTING" ] && return
+
+	idh_services=$(whiptail --title "$whiptail_title" --radiolist \
+		"\nThe IDH node can mimic many different services.\n\nChoose one of the common options along with their default ports (TCP) or select the Custom option to build a customized set of services." 20 75 5 \
+		"Linux Webserver" "Apache (80), FTP (21), SSH (22)" ON \
+		"MySQL Server" "MySQL (3306), SSH (22)" OFF \
+		"MSSQL Server" "Microsoft SQL (1433), VNC (5900)" OFF \
+		"Custom" "Select a custom set of services on next screen" OFF 3>&1 1>&2 2>&3 )
+
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
+}
+
+
+whiptail_idh_services_custom() {
+
+	[ -n "$TESTING" ] && return
+
+	idh_services=$(whiptail --title "$whiptail_title" --checklist \
+		"\nThe IDH node can mimic many different services.\n\nChoose one or more of the following services along with their default ports (TCP). Some services have additional configuration options, please consult the documentation for further information." 25 75 8 \
+		"FTP" "  TCP/21,   Additional Configuration Available   " OFF \
+		"Git" "  TCP/9418                                       " OFF \
+		"HTTP" "  TCP/80,   Additional Configuration Available   " OFF \
+		"HTTPPROXY" "  TCP/8080, Additional Configuration Available   " OFF \
+		"MSSQL" "  TCP/1433                                         " OFF \
+		"MySQL" "  TCP/3306, Additional Configuration Available   " OFF \
+		"NTP" "  UDP/123                                        " OFF \
+		"REDIS" "  TCP/6379                                       " OFF \
+		"SNMP" "  UDP/161                                        " OFF \
+		"SSH" "  TCP/22,   Additional Configuration Available   " OFF \
+		"TELNET" "  TCP/23,   Additional Configuration Available   " OFF \
+		"TFTP" "  UDP/69                                         " OFF \
+		"VNC" "  TCP/5900                                         " OFF 3>&1 1>&2 2>&3 )
+
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
+}
+
 whiptail_install_type() {
 
 	[ -n "$TESTING" ] && return
@@ -791,18 +840,17 @@ whiptail_install_type_dist_existing() {
 
 	local node_msg
 	read -r -d '' node_msg <<- EOM
-	Choose a distributed node type to join to an existing grid.
+	Choose a distributed node type to join to an existing grid. See https://docs.securityonion.net/architecture for details.
-	
-	See https://docs.securityonion.net/architecture for details.
 
 	Note: Heavy nodes (HEAVYNODE) are NOT recommended for most users.
 	EOM
 	
-	install_type=$(whiptail --title "$whiptail_title" --radiolist "$node_msg" 19 58 5 \
+	install_type=$(whiptail --title "$whiptail_title" --radiolist "$node_msg" 19 58 6 \
 		"SENSOR" "Create a forward only sensor " ON \
 		"SEARCHNODE" "Add a search node with parsing " OFF \
 		"FLEET" "Dedicated Fleet Osquery Node " OFF \
 		"HEAVYNODE" "Sensor + Search Node " OFF \
+		"IDH" "Intrusion Detection Honeypot Node " OFF \
 		"RECEIVER" "Receiver Node " OFF \
 		3>&1 1>&2 2>&3
 		# "HOTNODE" "Add Hot Node (Uses Elastic Clustering)" OFF \ # TODO