From e857a8487afda758f552575c299dfe9986cb8968 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Fri, 20 Mar 2026 15:35:44 -0400 Subject: [PATCH 1/2] convert suricata pillar data yes/no to true/false --- salt/manager/tools/sbin/soup | 52 +++++++++++++++++++++++++++++++++--- 1 file changed, 48 insertions(+), 4 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 3a4edc170..093624d0f 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -383,11 +383,45 @@ check_minimum_version() { ### 3.0.0 Scripts ### -up_to_3.0.0() { - determine_elastic_agent_upgrade - migrate_pcap_to_suricata +convert_suricata_yes_no() { + local SURICATA_FILE=/opt/so/saltstack/local/pillar/suricata/soc_suricata.sls + local MINIONDIR=/opt/so/saltstack/local/pillar/minions + local pillar_files=() - INSTALLEDVERSION=3.0.0 + [[ -f "$SURICATA_FILE" ]] && pillar_files+=("$SURICATA_FILE") + for suffix in _eval _heavynode _sensor _standalone; do + for f in "$MINIONDIR"/*${suffix}.sls; do + [[ -f "$f" ]] && pillar_files+=("$f") + done + done + + for pillar_file in "${pillar_files[@]}"; do + local yaml_output + yaml_output=$(so-yaml.py get -r "$pillar_file" suricata 2>/dev/null) || continue + + local keys_to_fix + keys_to_fix=$(python3 -c " +import yaml, sys +def find(d, prefix=''): + if isinstance(d, dict): + for k, v in d.items(): + path = f'{prefix}.{k}' if prefix else k + if isinstance(v, dict): + find(v, path) + elif isinstance(v, str) and v.lower() in ('yes', 'no'): + print(f'{path} {v.lower()}') +find(yaml.safe_load(sys.stdin) or {}) +" <<< "$yaml_output") || continue + + while IFS=' ' read -r key value; do + [[ -z "$key" ]] && continue + if [[ "$value" == "yes" ]]; then + so-yaml.py replace "$pillar_file" "suricata.${key}" true + else + so-yaml.py replace "$pillar_file" "suricata.${key}" false + fi + done <<< "$keys_to_fix" + done } migrate_pcap_to_suricata() { 
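Review bot: Neither `so-yaml.py replace` call in the `while` loop of `convert_suricata_yes_no` has its exit status checked, and the earlier `so-yaml.py get -r ... 2>/dev/null) || continue` discards the reason a pillar was skipped, so a file that cannot be parsed or rewritten is passed over silently while `post_to_3.0.0` (third hunk of this patch) still sets `POSTVERSION=3.0.0`. A silently unconverted sensor pillar value is worth surfacing: unless soup aborts on errors elsewhere (not visible here), append `|| echo "WARNING: failed to update suricata.${key} in $pillar_file" >&2` to each replace and log the skip before `continue`. The last hunk of PATCH 2/2 prints "Replacing ..." ahead of the same unchecked calls, so the log would report a change that may not have happened. Also, `suffix` and `f` in the two `for` loops are not declared, so they leak into the script's global scope; `local suffix f` beside `pillar_files` fixes that. The embedded `find` helper recurses only into dicts, so a yes/no string inside a YAML list would stay unconverted; confirm no suricata pillar value is a list.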
@@ -402,6 +436,13 @@ migrate_pcap_to_suricata() { done } +up_to_3.0.0() { + determine_elastic_agent_upgrade + migrate_pcap_to_suricata + + INSTALLEDVERSION=3.0.0 +} + post_to_3.0.0() { for idx in "logs-idh-so" "logs-redis.log-default"; do rollover_index "$idx" @@ -412,6 +453,9 @@ post_to_3.0.0() { so-elasticsearch-query $idx/_ilm/remove -XPOST done + # convert yes/no in suricata pillars to true/false + convert_suricata_yes_no + POSTVERSION=3.0.0 } From f0f9de4b440316293a1663242c7570bd1157e836 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Fri, 20 Mar 2026 16:12:10 -0400 Subject: [PATCH 2/2] add status updates for pillar conversions --- salt/manager/tools/sbin/soup | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 093624d0f..064f84286 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -384,6 +384,7 @@ check_minimum_version() { ### 3.0.0 Scripts ### convert_suricata_yes_no() { + echo "Starting suricata yes/no values to true/false conversion." local SURICATA_FILE=/opt/so/saltstack/local/pillar/suricata/soc_suricata.sls local MINIONDIR=/opt/so/saltstack/local/pillar/minions local pillar_files=() @@ -396,6 +397,7 @@ convert_suricata_yes_no() { done for pillar_file in "${pillar_files[@]}"; do + echo "Checking $pillar_file for suricata yes/no values." local yaml_output yaml_output=$(so-yaml.py get -r "$pillar_file" suricata 2>/dev/null) || continue 
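Review bot: In the third hunk of PATCH 1/2, the comment added above the `convert_suricata_yes_no` call in `post_to_3.0.0` restates the function name but not why the conversion runs post-upgrade while the related `migrate_pcap_to_suricata` runs earlier in `up_to_3.0.0`. Between those two steps the pillars still hold the string yes/no values, so a why-comment such as `# runs post-upgrade because <reason>; suricata pillars keep string yes/no until here` would tell a maintainer whether the ordering is load-bearing. `post_to_3.0.0` begins above this hunk.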
@@ -416,24 +418,30 @@ find(yaml.safe_load(sys.stdin) or {}) while IFS=' ' read -r key value; do [[ -z "$key" ]] && continue if [[ "$value" == "yes" ]]; then + echo "Replacing suricata.${key} yes -> true in $pillar_file" so-yaml.py replace "$pillar_file" "suricata.${key}" true else + echo "Replacing suricata.${key} no -> false in $pillar_file" so-yaml.py replace "$pillar_file" "suricata.${key}" false fi done <<< "$keys_to_fix" done + echo "Completed suricata yes/no conversion." } migrate_pcap_to_suricata() { + echo "Starting pillar pcap.enabled to suricata.pcap.enabled migration." local MINIONDIR=/opt/so/saltstack/local/pillar/minions local PCAPFILE=/opt/so/saltstack/local/pillar/pcap/soc_pcap.sls for pillar_file in "$PCAPFILE" "$MINIONDIR"/*.sls; do [[ -f "$pillar_file" ]] || continue pcap_enabled=$(so-yaml.py get -r "$pillar_file" pcap.enabled 2>/dev/null) || continue + echo "Migrating pcap.enabled -> suricata.pcap.enabled in $pillar_file" so-yaml.py add "$pillar_file" suricata.pcap.enabled "$pcap_enabled" so-yaml.py remove "$pillar_file" pcap done + echo "Completed pcap.enabled to suricata.pcap.enabled pillar migration." } up_to_3.0.0() {
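Review bot: In `migrate_pcap_to_suricata`, `so-yaml.py remove "$pillar_file" pcap` runs even when the preceding `so-yaml.py add` failed, so the new "Migrating" line can be logged for a file that ends up with neither `pcap.enabled` nor `suricata.pcap.enabled`. Unless soup runs with errexit (not visible in this hunk), chain the two calls: `so-yaml.py add "$pillar_file" suricata.pcap.enabled "$pcap_enabled" && so-yaml.py remove "$pillar_file" pcap`. `pcap_enabled` and the loop variable `pillar_file` are also not declared `local` in this function.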