From a3b5db5945fd2a8a315f17aed3aa8fe8e62b9e7a Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 6 Jun 2025 16:17:14 -0400 Subject: [PATCH 1/5] Add support for Airgap for Playbooks --- salt/manager/tools/sbin/soup | 8 ++++++++ salt/soc/defaults.yaml | 4 +++- salt/soc/merged.map.jinja | 7 +++++++ setup/so-functions | 6 ++++++ setup/so-setup | 4 ++++ 5 files changed, 28 insertions(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 987c599f1..257699c4e 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -1069,6 +1069,11 @@ update_airgap_rules() { rsync -a $UPDATE_DIR/agrules/securityonion-resources/* /nsm/securityonion-resources/ } +update_airgap_playbooks() { + # Copy the playbooks over to update them for airgap. + rsync -a --delete --chown=socore:socore $UPDATE_DIR/airgap-resources/playbooks/* /nsm/airgap-resources/playbooks/ +} + update_airgap_repo() { # Update the files in the repo echo "Syncing new updates to /nsm/repo" @@ -1253,6 +1258,7 @@ apply_hotfix() { elif [[ "$INSTALLEDVERSION" == "2.4.30" ]] ; then if [[ $is_airgap -eq 0 ]]; then update_airgap_rules + update_airgap_playbooks fi if [[ -f /etc/pki/managerssl.key.old ]]; then echo "Skipping Certificate Generation" @@ -1418,6 +1424,8 @@ main() { if [[ $is_airgap -eq 0 ]]; then echo "Updating Rule Files to the Latest." update_airgap_rules + echo "Updating Playbooks to the Latest." + update_airgap_playbooks fi # since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 24b9aaba2..66355fa24 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml 
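Review bot: In update_airgap_playbooks the rsync runs with `--delete` against /nsm/airgap-resources/playbooks/ without first confirming that `$UPDATE_DIR/airgap-resources/playbooks/` holds the expected repository, so an update bundle that lacks that tree or was only partially extracted would empty the directory SOC is pointed at as its git origin. A guard before the rsync, `[[ -d "$UPDATE_DIR/airgap-resources/playbooks/securityonion-resources-playbooks" ]] || { echo "Airgap playbooks not found in update bundle, skipping."; return 1; }`, keeps the existing copy intact in that case, and quoting `"$UPDATE_DIR"` on the rsync line closes the same hole for an unset variable. The same applies to the reworked body of this function in the soup hunks of PATCH 2/5 and PATCH 5/5 below.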
@@ -1464,7 +1464,9 @@ soc: autoUpdateEnabled: true playbookImportFrequencySeconds: 86400 playbookImportErrorSeconds: 600 - playbookRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources-playbooks + playbookRepoUrl: + default: https://github.com/Security-Onion-Solutions/securityonion-resources-playbooks + airgap: file:///nsm/airgap-resources/playbooks/securityonion-resources-playbooks playbookRepoBranch: main playbookRepoPath: /opt/sensoroni/playbooks/ playbookPathInRepo: securityonion-normalized diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index 25b62683c..c950d8a60 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja @@ -61,6 +61,13 @@ {% do SOCMERGED.config.server.update({'airgapEnabled': false}) %} {% endif %} +{# set playbookRepoUrl based on airgap or not #} +{% if GLOBALS.airgap %} +{% do SOCMERGED.config.server.modules.playbook.update({'playbookRepoUrl': SOCMERGED.config.server.modules.playbook.playbookRepoUrl.airgap}) %} +{% else %} +{% do SOCMERGED.config.server.modules.playbook.update({'playbookRepoUrl': SOCMERGED.config.server.modules.playbook.playbookRepoUrl.default}) %} +{% endif %} + {# remove these modules if detections is disabled #} {% if not SOCMERGED.config.server.client.detectionsEnabled %} {% do SOCMERGED.config.server.modules.pop('elastalertengine') %} diff --git a/setup/so-functions b/setup/so-functions index 82dd9d375..54fb49f9f 100755 --- a/setup/so-functions +++ b/setup/so-functions 
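Review bot: Changing playbookRepoUrl from a scalar to a `default`/`airgap` map alters the shape of a setting that existing deployments may already override in their pillar as a plain string; after the merge, the `.airgap` and `.default` lookups in the merged.map.jinja hunk on this line would then resolve to an undefined value and the module's playbookRepoUrl would be written out empty rather than failing loudly. Guarding the selection with `{% if SOCMERGED.config.server.modules.playbook.playbookRepoUrl is mapping %}` and passing a string value through unchanged keeps those overrides working. If this key is exposed in the SOC configuration UI, its annotation presumably needs the same restructuring; that file is not in this series.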
@@ -56,6 +56,12 @@ airgap_detection_summaries() { logCmd "git config --global --add safe.directory /opt/so/conf/soc/ai_summary_repos/securityonion-resources" logCmd "git -C /opt/so/conf/soc/ai_summary_repos/securityonion-resources checkout generated-summaries-published" } +airgap_playbooks() { + # Copy playbooks if using airgap + mkdir -p /nsm/airgap-resources/playbooks + logCmd "rsync -av --chown=socore:socore /root/SecurityOnion/airgap-resources/playbooks/ /nsm/airgap-resources/playbooks/" + logCmd "git config --global --add safe.directory /nsm/airgap-resources/playbooks" +} add_admin_user() { title "Adding $ADMINUSER to the system with sudo rights" diff --git a/setup/so-setup b/setup/so-setup index b7723da37..7f2e87c16 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -769,6 +769,10 @@ if ! [[ -f $install_opt_file ]]; then title "Syncing AI-Generated Detection Summaries" airgap_detection_summaries fi + if [[ $is_airgap ]]; then + title "Syncing Playbooks" + airgap_playbooks + fi title "Setting up Kibana Default Space" logCmd "so-kibana-space-defaults" add_web_user From b428573a0ad7a6916f20718f15b26aad2b44eea4 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 6 Jun 2025 17:48:49 -0400 Subject: [PATCH 2/5] Airgap tweaks --- salt/manager/init.sls | 9 +++++++++ salt/manager/tools/sbin/soup | 3 +-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 07a1b8816..737d753f4 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -156,6 +156,13 @@ rules_dir: - group: socore - makedirs: True +nsm_playbooks_dir: + file.directory: + - name: /nsm/airgap-resources/playbooks + - user: socore + - group: socore + - makedirs: True + git_config_set_safe_dirs: git.config_set: - name: safe.directory 
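Review bot: airgap_playbooks registers `/nsm/airgap-resources/playbooks` as a git safe.directory, but the airgap playbookRepoUrl in defaults.yaml points at `file:///nsm/airgap-resources/playbooks/securityonion-resources-playbooks`, which suggests the work-tree root is that subdirectory; git matches safe.directory against the work-tree top exactly, so the entry as written would not cover the clone, whereas the sibling airgap_detection_summaries above registers the repository directory itself. If the layout is as the URL suggests, the line should be `logCmd "git config --global --add safe.directory /nsm/airgap-resources/playbooks/securityonion-resources-playbooks"`. The same path is added to git_config_set_safe_dirs in the salt/manager/init.sls hunk of PATCH 2/5 below and would need the same correction.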
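Review bot: The new `if [[ $is_airgap ]]; then` in so-setup tests only that the variable is non-empty, whereas the soup hunks in this series test `[[ $is_airgap -eq 0 ]]`; if so-setup assigns is_airgap with the same 0/1 convention (its assignment is outside this hunk), the playbook sync would run on every install and the rsync from /root/SecurityOnion/airgap-resources/playbooks/ would fail on non-airgap media. Matching the existing predicate, `if [[ $is_airgap -eq 0 ]]; then`, or whichever one the preceding airgap_detection_summaries block uses, makes the intent explicit.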
@@ -166,6 +173,8 @@ git_config_set_safe_dirs: - /nsm/rules/custom-local-repos/local-yara - /nsm/securityonion-resources - /opt/so/conf/soc/ai_summary_repos/securityonion-resources + - /nsm/airgap-resources/playbooks + - /opt/so/conf/soc/playbooks {% else %} {{sls}}_state_not_allowed: diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 257699c4e..d1c84ec2f 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -1071,7 +1071,7 @@ update_airgap_rules() { update_airgap_playbooks() { # Copy the playbooks over to update them for airgap. - rsync -a --delete --chown=socore:socore $UPDATE_DIR/airgap-resources/playbooks/* /nsm/airgap-resources/playbooks/ + rsync -a --delete --chown=socore:socore $UPDATE_DIR/airgap-resources/playbooks/ /nsm/airgap-resources/playbooks/ } update_airgap_repo() { @@ -1258,7 +1258,6 @@ apply_hotfix() { elif [[ "$INSTALLEDVERSION" == "2.4.30" ]] ; then if [[ $is_airgap -eq 0 ]]; then update_airgap_rules - update_airgap_playbooks fi if [[ -f /etc/pki/managerssl.key.old ]]; then echo "Skipping Certificate Generation" From f360c6ecbc5f07302cccf279b3e0415d5e77c74a Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Sat, 7 Jun 2025 09:29:59 -0400 Subject: [PATCH 3/5] Supress alerts --- salt/idstools/rules/extraction.rules | 40 ++++++++++++++-------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/salt/idstools/rules/extraction.rules b/salt/idstools/rules/extraction.rules index bccfc69d6..3ebbd41b1 100644 --- a/salt/idstools/rules/extraction.rules +++ b/salt/idstools/rules/extraction.rules 
@@ -1,26 +1,26 @@ # Extract all PDF mime type -alert http any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100000; rev:1;) -alert smtp any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100001; rev:1;) -alert nfs any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100002; rev:1;) -alert smb any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100003; rev:1;) +alert http any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; noalert; sid:1100000; rev:1;) +alert smtp any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; noalert; sid:1100001; rev:1;) +alert nfs any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; noalert; sid:1100002; rev:1;) +alert smb any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; noalert; sid:1100003; rev:1;) # Extract EXE/DLL file types -alert http any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100004; rev:1;) -alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100005; rev:1;) -alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100006; rev:1;) -alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100007; rev:1;) -alert http any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100008; rev:1;) -alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100009; rev:1;) -alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100010; rev:1;) -alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100011; rev:1;) +alert http any any -> 
any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; noalert; sid:1100004; rev:1;) +alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; noalert; sid:1100005; rev:1;) +alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; noalert; sid:1100006; rev:1;) +alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; noalert; sid:1100007; rev:1;) +alert http any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; noalert; sid:1100008; rev:1;) +alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; noalert; sid:1100009; rev:1;) +alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; noalert; sid:1100010; rev:1;) +alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; noalert; sid:1100011; rev:1;) # Extract all Zip files -alert http any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100012; rev:1;) -alert smtp any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100013; rev:1;) -alert nfs any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100014; rev:1;) -alert smb any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100015; rev:1;) +alert http any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; noalert; sid:1100012; rev:1;) +alert smtp any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; noalert; sid:1100013; rev:1;) +alert nfs any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; noalert; sid:1100014; rev:1;) +alert smb any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; noalert; sid:1100015; rev:1;) # Extract Word Docs -alert http any any -> any any (msg:"FILE WORDDOC detected"; 
filemagic:"Composite Document File V2 Document"; filestore; sid:1100016; rev:1;) -alert smtp any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100017; rev:1;) -alert nfs any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100018; rev:1;) -alert smb any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100019; rev:1;) \ No newline at end of file +alert http any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; noalert; sid:1100016; rev:1;) +alert smtp any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; noalert; sid:1100017; rev:1;) +alert nfs any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; noalert; sid:1100018; rev:1;) +alert smb any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; noalert; sid:1100019; rev:1;) \ No newline at end of file From dbdbffa4b01a4ba87a2b9c8a145c0a21fa3e386a Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Sun, 8 Jun 2025 08:23:09 -0400 Subject: [PATCH 4/5] Add nsm bind --- salt/soc/enabled.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls index 4b39d036e..09e2c16a8 100644 --- a/salt/soc/enabled.sls +++ b/salt/soc/enabled.sls @@ -31,6 +31,7 @@ so-soc: - /opt/so/conf/soc/fingerprints:/opt/sensoroni/fingerprints:rw - /nsm/soc/jobs:/opt/sensoroni/jobs:rw - /nsm/soc/uploads:/nsm/soc/uploads:rw + - /nsm/airgap-resources:/nsm/airgap-resources:rw - /opt/so/log/soc/:/opt/sensoroni/logs/:rw - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro - /opt/so/conf/soc/ai_summary_repos:/opt/sensoroni/ai_summary_repos:rw From a600c64229c83fd454c56aac255dcb39e6b022a7 Mon Sep 17 00:00:00 2001 
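Review bot: Every rule in this file gains the `noalert` keyword but each keeps `rev:1`, so sid 1100000 through 1100019 now have two different bodies under the same sid/rev pair, which is what rule-management tooling and anyone diffing rulesets use to detect changes. Bump each to `rev:2` alongside the edit. Note that `noalert` only suppresses alert output; the rules still match and `filestore` still extracts the files, so this is a logging-volume change, not a reduction in what is captured.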
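Review bot: The new bind `/nsm/airgap-resources:/nsm/airgap-resources:rw` gives the SOC container write access to the tree that soup maintains on the host and that SOC is configured to clone from via a file:// URL. A git clone or fetch only reads the source repository, so if SOC never writes there the mount can be `/nsm/airgap-resources:/nsm/airgap-resources:ro`, matching the `soc.json:/opt/sensoroni/sensoroni.json:ro` line two below it and keeping the host-side origin out of reach of the container.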
From: Josh Brower Date: Mon, 9 Jun 2025 07:33:02 -0400 Subject: [PATCH 5/5] Create dir if needed --- salt/manager/tools/sbin/soup | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index d1c84ec2f..aa030bcdb 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -1071,6 +1071,8 @@ update_airgap_rules() { update_airgap_playbooks() { # Copy the playbooks over to update them for airgap. + mkdir -p /nsm/airgap-resources/playbooks + chown -R socore:socore /nsm/airgap-resources/playbooks rsync -a --delete --chown=socore:socore $UPDATE_DIR/airgap-resources/playbooks/ /nsm/airgap-resources/playbooks/ }
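Review bot: The added `chown -R socore:socore /nsm/airgap-resources/playbooks` runs as root on every soup invocation over a tree that PATCH 4/5 bind-mounts read-write into the SOC container, and it is redundant: the `mkdir -p` is followed by `rsync --chown=socore:socore`, which already sets ownership of everything it transfers, and the nsm_playbooks_dir state in salt/manager/init.sls sets ownership of the directory itself. A non-recursive `chown socore:socore /nsm/airgap-resources/playbooks` after the mkdir covers the freshly created directory without walking container-writable content from the host side.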