From ccd79c814d01d16783283ab823ab3c49f0f30862 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 27 Aug 2025 09:53:37 -0400
Subject: [PATCH 1/3] Add script for bond0 channels
---
 CLAUDE.md | 104 ++++++++++++++++++++++++++++++
 salt/sensor/files/so-combine-bond | 72 +++++++++++++++++++++
 2 files changed, 176 insertions(+)
 create mode 100644 CLAUDE.md
 create mode 100644 salt/sensor/files/so-combine-bond
diff --git a/CLAUDE.md b/CLAUDE.md
new file mode 100644
index 000000000..76c0577d6
--- /dev/null
+++ b/CLAUDE.md
@@ -0,0 +1,104 @@ +# CLAUDE.md + +This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. + +## Overview + +Security Onion is an open-source network security monitoring (NSM) platform that combines multiple security tools into a unified solution. It's designed for threat hunting, enterprise security monitoring, and log management. The platform integrates tools for intrusion detection, packet capture, log management, and security analytics in a comprehensive security monitoring solution. + +## Architecture + +Security Onion uses a microservice architecture with containerized components: + +- **Deployment Models**: + - Standalone: Single all-in-one instance + - Distributed: Manager/sensor architecture with multiple node types + - Manager: Central management server + - Search Nodes: Data storage and search + - Sensor Nodes: Network monitoring and data collection + - Heavy Nodes: Combined sensor/search capabilities + - IDH (Intrusion Deception Host): Honeypot services + +- **Core Components**: + - Data Collection: Zeek, Suricata, Steno (PCAP), Elastic Agents + - Data Processing: Logstash, Kafka, Strelka (file analysis) + - Data Storage: Elasticsearch, InfluxDB, Redis + - User Interface: Kibana, SOC (custom Security Onion web UI), Kratos/Hydra (auth) + - Management: Salt, Docker, Registry, Nginx + +## Development Environment + +### Prerequisites + +- Linux environment (Oracle Linux or compatible) +- Git +- Docker and Docker Compose +- SaltStack + +### Testing + +Run validation tests: +```bash +cd tests +./validation.sh +``` + +Run Python tests (requires Python 3): +```bash +./pyci.sh salt/sensoroni/files/analyzers/urlhaus +``` + +### Key Files and Directories + +- `/salt`: SaltStack states for all components +- `/setup`: Installation scripts and utilities +- `/pillar`: SaltStack pillar data (configuration) +- `/files`: Additional configuration files +- `/tests`: Test utilities and validation + +## Common Tasks + +### 
Testing Salt States + +To test a specific Salt state without applying it: +```bash +salt-call state.show_sls +``` + +To apply a Salt state in test mode: +```bash +salt-call state.apply test=True +``` + +### Working with Docker Containers + +View running containers: +```bash +so-status +``` + +Access container logs: +```bash +docker logs +``` + +### Development Workflow + +1. Make code changes +2. Run validation: `./tests/validation.sh` +3. Run Python tests if applicable: `./pyci.sh ` + +## Code Conventions + +- All Bash scripts should pass ShellCheck analysis +- YAML (Salt states and pillars) should be properly formatted +- Python code should pass flake8 checks (configured in pytest.ini) +- Code should match the pre-existing style of Security Onion +- All commits must be signed with a valid key + +## Important Notes + +- Security Onion uses Salt for configuration management +- Most components run as Docker containers +- The project follows a distributed architecture with different node types +- Testing should cover both code functionality and deployment scenarios \ No newline at end of file diff --git a/salt/sensor/files/so-combine-bond b/salt/sensor/files/so-combine-bond new file mode 100644 index 000000000..fdb7dfd4c --- /dev/null +++ b/salt/sensor/files/so-combine-bond 
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+# Script to find all interfaces of bond0 and set channel parameters
+# Compatible with Oracle Linux 9, Ubuntu, and Debian
+
+. /usr/sbin/so-common
+
+{% set NICCHANNELS = salt['pillar.get']('sensor:channels', '1') %}
+
+# Number of channels to set
+CHANNELS={{ NICCHANNELS }}
+
+# Exit on any error
+set -e
+
+# Check if running as root
+if [[ $EUID -ne 0 ]]; then
+ exit 1
+fi
+
+# Check if bond0 exists
+if ! ip link show bond0 &>/dev/null; then
+ exit 1
+fi
+
+# Function to get slave interfaces - works across distributions
+get_bond_slaves() {
+ local bond_name="$1"
+ local slaves=""
+
+ # Method 1: Try /sys/class/net first (most reliable)
+ if [ -f "/sys/class/net/$bond_name/bonding/slaves" ]; then
+ slaves=$(cat "/sys/class/net/$bond_name/bonding/slaves" 2>/dev/null)
+ fi
+
+ # Method 2: Try /proc/net/bonding (older systems)
+ if [ -z "$slaves" ] && [ -f "/proc/net/bonding/$bond_name" ]; then
+ slaves=$(grep "Slave Interface:" "/proc/net/bonding/$bond_name" 2>/dev/null | awk '{print $3}' | tr '\n' ' ')
+ fi
+
+ # Method 3: Parse ip link output (universal fallback)
+ if [ -z "$slaves" ]; then
+ slaves=$(ip -o link show | grep "master $bond_name" | awk -F': ' '{print $2}' | cut -d'@' -f1 | tr '\n' ' ')
+ fi
+
+ echo "$slaves"
+}
+
+# Get slave interfaces
+SLAVES=$(get_bond_slaves bond0)
+
+if [ -z "$SLAVES" ]; then
+ exit 1
+fi
+
+# Process each slave interface
+for interface in $SLAVES; do
+ # Skip if interface doesn't exist
+ if ! ip link show "$interface" &>/dev/null; then
+ continue
+ fi
+
+ # Try combined mode first
+ if ethtool -L "$interface" combined $CHANNELS &>/dev/null; then
+ continue
+ fi
+
+ # Fall back to separate rx/tx
+ ethtool -L "$interface" rx $CHANNELS tx $CHANNELS &>/dev/null || true
+done
+
+exit 0
From 0858160be224b323f2e3b35f1d67990fb15bdff1 Mon Sep 17 00:00:00 2001
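Review bot: `CHANNELS={{ NICCHANNELS }}` renders the `sensor:channels` pillar value straight into a root-run script and then expands it unquoted on both `ethtool -L` lines, so anything other than a positive integer becomes extra words of a command executed against every bond member; validate it right after the assignment, `[[ "$CHANNELS" =~ ^[1-9][0-9]*$ ]] || { echo "so-combine-bond: invalid channel count '$CHANNELS'" >&2; exit 1; }`. The same line survives the rename in the second patch as `CHANNELS={{ CHANNELS }}`, so the check applies to that revision as well. The three bare `exit 1` paths (not root, no bond0, no slaves) print nothing, which leaves the Salt `cmd.run` state that later invokes this script failing with no reason in its output; an `echo ... >&2` before each would make the failure actionable. Likewise `ethtool -L ... &>/dev/null || true` hides a NIC that rejected both channel layouts; at minimum write the interface name to stderr so the silent no-op is visible.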
From: Josh Patterson
Date: Wed, 27 Aug 2025 14:51:57 -0400
Subject: [PATCH 2/3] support for modifying nic channels
---
 salt/manager/tools/sbin/so-minion | 1 +
 salt/sensor/defaults.yaml | 4 ++++
 salt/sensor/init.sls | 17 +++++++++++++++++
 salt/sensor/map.jinja | 7 +++++++
 salt/sensor/soc_sensor.yaml | 6 ++++++
 .../{files => tools/sbin_jinja}/so-combine-bond | 4 +---
 6 files changed, 36 insertions(+), 3 deletions(-)
 create mode 100644 salt/sensor/defaults.yaml
 create mode 100644 salt/sensor/map.jinja
 rename salt/sensor/{files => tools/sbin_jinja}/so-combine-bond (94%)
diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion
index 34ebdaeec..860faf445 100755
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -454,6 +454,7 @@ function add_sensor_to_minion() {
 echo "sensor:"
 echo " interface: '$INTERFACE'"
 echo " mtu: 9000"
+ echo " channels: 1"
 echo "zeek:"
 echo " enabled: True"
 echo " config:"
diff --git a/salt/sensor/defaults.yaml b/salt/sensor/defaults.yaml
new file mode 100644
index 000000000..f071f04ba
--- /dev/null
+++ b/salt/sensor/defaults.yaml
@@ -0,0 +1,4 @@
+sensor:
+ interface: bond0
+ mtu: 9000
+ channels: 1
diff --git a/salt/sensor/init.sls b/salt/sensor/init.sls
index 9c7e52d62..1d7899b62 100644
--- a/salt/sensor/init.sls
+++ b/salt/sensor/init.sls
@@ -9,6 +9,8 @@
 # in the software, and you may not remove or obscure any functionality in the
 # software that is protected by the license key."
+{% from 'sensor/map.jinja' import SENSORMERGED %}
+
 {% if 'vrt' in salt['pillar.get']('features') and salt['grains.get']('salt-cloud', {}) %}
 include:
@@ -28,3 +30,18 @@ execute_checksum:
 - name: /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable
 - onchanges:
 - file: offload_script
+
+combine_bond_script:
+ file.managed:
+ - name: /usr/sbin/so-combine-bond
+ - source: salt://sensor/tools/sbin_jinja/so-combine-bond
+ - mode: 755
+ - template: jinja
+ - defaults:
+ CHANNELS: {{ SENSORMERGED.channels }}
+
+execute_combine_bond:
+ cmd.run:
+ - name: /usr/sbin/so-combine-bond
+ - onchanges:
+ - file: combine_bond_script
diff --git a/salt/sensor/map.jinja b/salt/sensor/map.jinja
new file mode 100644
index 000000000..beabaa66e
--- /dev/null
+++ b/salt/sensor/map.jinja
@@ -0,0 +1,7 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+ or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+ https://securityonion.net/license; you may not use this file except in compliance with the
+ Elastic License 2.0. #}
+
+{% import_yaml 'sensor/defaults.yaml' as SENSORDEFAULTS %}
+{% set SENSORMERGED = salt['pillar.get']('sensor', SENSORDEFAULTS.sensor, merge=True) %}
diff --git a/salt/sensor/soc_sensor.yaml b/salt/sensor/soc_sensor.yaml
index 9ab0c236e..f97c8d849 100644
--- a/salt/sensor/soc_sensor.yaml
+++ b/salt/sensor/soc_sensor.yaml
@@ -7,3 +7,9 @@ sensor:
 description: Maximum Transmission Unit (MTU) of the sensor monitoring interface.
 helpLink: network.html
 readonly: True
+ channels:
+ description: Set the size of the nic channels. This is rarely changed from 1
+ helpLink: network.html
+ forcedType: int
+ node: True
+ advanced: True
diff --git a/salt/sensor/files/so-combine-bond b/salt/sensor/tools/sbin_jinja/so-combine-bond
similarity index 94%
rename from salt/sensor/files/so-combine-bond
rename to salt/sensor/tools/sbin_jinja/so-combine-bond
index fdb7dfd4c..0a8a2e66a 100644
--- a/salt/sensor/files/so-combine-bond
+++ b/salt/sensor/tools/sbin_jinja/so-combine-bond
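Review bot: `execute_combine_bond` runs `/usr/sbin/so-combine-bond` only `onchanges` of the managed file, so the channel count is applied once when the script or `SENSORMERGED.channels` changes and never again; `ethtool -L` settings are generally not persisted across a reboot or driver reload, so the bond members would most likely revert to the driver default on next boot while the state keeps reporting nothing to do. The neighbouring `execute_checksum` state in this hunk's context installs its script under NetworkManager's `pre-up.d` dispatcher directory so it re-runs whenever an interface comes up; the bond script probably needs the same hook, or a comment on the state explaining why a one-shot run is sufficient. `file.managed` here also sets `mode: 755` without `user`/`group`; if `offload_script` earlier in this file sets them, matching it would keep the two states consistent.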
@@ -5,10 +5,8 @@
 . /usr/sbin/so-common
-{% set NICCHANNELS = salt['pillar.get']('sensor:channels', '1') %}
-
 # Number of channels to set
-CHANNELS={{ NICCHANNELS }}
+CHANNELS={{ CHANNELS }}
 # Exit on any error
 set -e
From 69a5e1e2f54b0556c3dff3f6ec1257e76ff22c5b Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Wed, 27 Aug 2025 15:14:15 -0400
Subject: [PATCH 3/3] remove md file
---
 CLAUDE.md | 104 ------------------------------------------------------
 1 file changed, 104 deletions(-)
 delete mode 100644 CLAUDE.md
diff --git a/CLAUDE.md b/CLAUDE.md
deleted file mode 100644
index 76c0577d6..000000000
--- a/CLAUDE.md
+++ /dev/null
@@ -1,104 +0,0 @@ -# CLAUDE.md - -This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. - -## Overview - -Security Onion is an open-source network security monitoring (NSM) platform that combines multiple security tools into a unified solution. It's designed for threat hunting, enterprise security monitoring, and log management. The platform integrates tools for intrusion detection, packet capture, log management, and security analytics in a comprehensive security monitoring solution. - -## Architecture - -Security Onion uses a microservice architecture with containerized components: - -- **Deployment Models**: - - Standalone: Single all-in-one instance - - Distributed: Manager/sensor architecture with multiple node types - - Manager: Central management server - - Search Nodes: Data storage and search - - Sensor Nodes: Network monitoring and data collection - - Heavy Nodes: Combined sensor/search capabilities - - IDH (Intrusion Deception Host): Honeypot services - -- **Core Components**: - - Data Collection: Zeek, Suricata, Steno (PCAP), Elastic Agents - - Data Processing: Logstash, Kafka, Strelka (file analysis) - - Data Storage: Elasticsearch, InfluxDB, Redis - - User Interface: Kibana, SOC (custom Security Onion web UI), Kratos/Hydra (auth) - - Management: Salt, Docker, Registry, Nginx - -## Development Environment - -### Prerequisites - -- Linux environment (Oracle Linux or compatible) -- Git -- Docker and Docker Compose -- SaltStack - -### Testing - -Run validation tests: -```bash -cd tests -./validation.sh -``` - -Run Python tests (requires Python 3): -```bash -./pyci.sh salt/sensoroni/files/analyzers/urlhaus -``` - -### Key Files and Directories - -- `/salt`: SaltStack states for all components -- `/setup`: Installation scripts and utilities -- `/pillar`: SaltStack pillar data (configuration) -- `/files`: Additional configuration files -- `/tests`: Test utilities and validation - -## Common Tasks - -### 
Testing Salt States - -To test a specific Salt state without applying it: -```bash -salt-call state.show_sls -``` - -To apply a Salt state in test mode: -```bash -salt-call state.apply test=True -``` - -### Working with Docker Containers - -View running containers: -```bash -so-status -``` - -Access container logs: -```bash -docker logs -``` - -### Development Workflow - -1. Make code changes -2. Run validation: `./tests/validation.sh` -3. Run Python tests if applicable: `./pyci.sh ` - -## Code Conventions - -- All Bash scripts should pass ShellCheck analysis -- YAML (Salt states and pillars) should be properly formatted -- Python code should pass flake8 checks (configured in pytest.ini) -- Code should match the pre-existing style of Security Onion -- All commits must be signed with a valid key - -## Important Notes - -- Security Onion uses Salt for configuration management -- Most components run as Docker containers -- The project follows a distributed architecture with different node types -- Testing should cover both code functionality and deployment scenarios \ No newline at end of file