From 820b01405f428307aa23286ed7c9e9ef0c5f8a24 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 31 Mar 2021 14:57:36 -0400
Subject: [PATCH 1/7] For hunt quick actions, pipe value to 'escape' operator
 to escape backslashes and double quotes

---
 salt/soc/files/soc/alerts.actions.json | 2 +-
 salt/soc/files/soc/hunt.actions.json   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/soc/files/soc/alerts.actions.json b/salt/soc/files/soc/alerts.actions.json
index 364c59d27..c0543d8fc 100644
--- a/salt/soc/files/soc/alerts.actions.json
+++ b/salt/soc/files/soc/alerts.actions.json
@@ -1,7 +1,7 @@
 [
   { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "target": "", 
             "links": [
-              "/#/hunt?q=\"{value}\" | groupby event.module event.dataset"
+              "/#/hunt?q=\"{value|escape}\" | groupby event.module event.dataset"
             ]},
   { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "",
             "links": [
diff --git a/salt/soc/files/soc/hunt.actions.json b/salt/soc/files/soc/hunt.actions.json
index 364c59d27..c0543d8fc 100644
--- a/salt/soc/files/soc/hunt.actions.json
+++ b/salt/soc/files/soc/hunt.actions.json
@@ -1,7 +1,7 @@
 [
   { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "target": "", 
             "links": [
-              "/#/hunt?q=\"{value}\" | groupby event.module event.dataset"
+              "/#/hunt?q=\"{value|escape}\" | groupby event.module event.dataset"
             ]},
   { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "",
             "links": [

From f7e99b496134345e81ef8f787bb627997773358d Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Wed, 31 Mar 2021 15:17:15 -0400
Subject: [PATCH 2/7] 
 https://github.com/Security-Onion-Solutions/securityonion/issues/3709

---
 salt/firewall/map.jinja | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja
index 2df668a07..496e6f568 100644
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
@@ -18,14 +18,18 @@
 
 {# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #}
 {% if salt['pillar.get']('firewall:assigned_hostgroups:chain') %}
+  {% set translated_pillar_assigned_hostgroups = {'chain': {}} %}
 
   {% for chain, hg in salt['pillar.get']('firewall:assigned_hostgroups:chain').items() %}
     {% for pillar_hostgroup, pillar_portgroups in salt['pillar.get']('firewall:assigned_hostgroups:chain')[chain].hostgroups.items() %}
-      {% do translated_pillar_assigned_hostgroups.update({"chain": {chain: {"hostgroups": {pillar_hostgroup: {"portgroups": []}}}}}) %}
+      {% if translated_pillar_assigned_hostgroups.chain[chain] is defined %}
+        {% do translated_pillar_assigned_hostgroups.chain[chain].hostgroups.update({pillar_hostgroup: {"portgroups": []}}) %}
+      {% else %}
+        {% do translated_pillar_assigned_hostgroups.chain.update({chain: {"hostgroups": {pillar_hostgroup: {"portgroups": []}}}}) %}
+      {% endif %}
       {% for pillar_portgroup in pillar_portgroups.portgroups %}
         {% set pillar_portgroup = pillar_portgroup.split('.') | last %}
         {% do translated_pillar_assigned_hostgroups.chain[chain].hostgroups[pillar_hostgroup].portgroups.append(defined_portgroups[pillar_portgroup]) %}
-
       {% endfor %}
     {% endfor %}
   {% endfor %}
@@ -39,7 +43,6 @@
   {% set assigned_hostgroups = default_assigned_hostgroups.role[role] %}
 {% endif %}
 
-
 {% if translated_pillar_assigned_hostgroups %}
   {% do salt['defaults.merge'](assigned_hostgroups, translated_pillar_assigned_hostgroups, merge_lists=True, in_place=True) %}
 {% endif %}
\ No newline at end of file

From bc04cae91896c986575a44bcc0a812cb3d575d24 Mon Sep 17 00:00:00 2001
From: Masaya-A <68965261+Masaya-A@users.noreply.github.com>
Date: Thu, 1 Apr 2021 16:59:47 +0900
Subject: [PATCH 3/7] Fix: Connection to ES is "https" from 2.3.40

---
 salt/curator/files/bin/so-curator-closed-delete-delete | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/salt/curator/files/bin/so-curator-closed-delete-delete b/salt/curator/files/bin/so-curator-closed-delete-delete
index 58433ee1a..9cc94833c 100755
--- a/salt/curator/files/bin/so-curator-closed-delete-delete
+++ b/salt/curator/files/bin/so-curator-closed-delete-delete
@@ -34,7 +34,7 @@ overlimit() {
 
 closedindices() {
 
-        INDICES=$(curl -s -k {% if grains['role'] in ['so-node','so-heavynode'] %}https://{% endif %}{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed 2> /dev/null)
+        INDICES=$(curl -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed 2> /dev/null)
         [ $? -eq 1 ] && return false 
         echo ${INDICES} | grep -q -E "(logstash-|so-)"
 }
@@ -49,12 +49,12 @@ while overlimit && closedindices; do
 	# First, get the list of closed indices using _cat/indices?h=index\&expand_wildcards=closed.
 	# Then, sort by date by telling sort to use hyphen as delimiter and then sort on the third field.
 	# Finally, select the first entry in that sorted list.
-	OLDEST_INDEX=$(curl -s -k {% if grains['role'] in ['so-node','so-heavynode'] %}https://{% endif %}{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -E "(logstash-|so-)" | sort -t- -k3 | head -1)
+	OLDEST_INDEX=$(curl -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -E "(logstash-|so-)" | sort -t- -k3 | head -1)
 	
 	# Now that we've determined OLDEST_INDEX, ask Elasticsearch to delete it.
-	curl -XDELETE -k {% if grains['role'] in ['so-node','so-heavynode'] %}https://{% endif %}{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX}
+	curl -XDELETE -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX}
 
 	# Finally, write a log entry that says we deleted it.
 	echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT ({{LOG_SIZE_LIMIT}} GB) - Index ${OLDEST_INDEX} deleted ..." >> ${LOG}
 
-done
\ No newline at end of file
+done

From 0d056123934fb754469191ac3ceb6e63abc04e40 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Thu, 1 Apr 2021 10:00:55 -0400
Subject: [PATCH 4/7] Reserve ports for Zeek

---
 salt/common/files/99-reserved-ports.conf | 2 +-
 salt/common/init.sls                     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/common/files/99-reserved-ports.conf b/salt/common/files/99-reserved-ports.conf
index a846341a5..208ef0acc 100644
--- a/salt/common/files/99-reserved-ports.conf
+++ b/salt/common/files/99-reserved-ports.conf
@@ -1 +1 @@
-net.ipv4.ip_local_reserved_ports=55000,57314
+net.ipv4.ip_local_reserved_ports=55000,57314,47760,47761,47762
diff --git a/salt/common/init.sls b/salt/common/init.sls
index 3e6774219..6d0e567c5 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -268,7 +268,7 @@ docker:
 # Reserve OS ports for Docker proxy in case boot settings are not already applied/present
 dockerapplyports:
     cmd.run:
-      - name: if [ ! -s /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314"; fi
+      - name: if [ ! -s /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314,47760,47761,47762"; fi
 
 # Reserve OS ports for Docker proxy
 dockerreserveports:

From 40313fc2f5fd9b087f89bb1adda7f4ce0269da52 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Thu, 1 Apr 2021 10:29:58 -0400
Subject: [PATCH 5/7] Reserve ports for Zeek

---
 salt/common/files/99-reserved-ports.conf | 2 +-
 salt/common/init.sls                     | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/salt/common/files/99-reserved-ports.conf b/salt/common/files/99-reserved-ports.conf
index 208ef0acc..ac4391693 100644
--- a/salt/common/files/99-reserved-ports.conf
+++ b/salt/common/files/99-reserved-ports.conf
@@ -1 +1 @@
-net.ipv4.ip_local_reserved_ports=55000,57314,47760,47761,47762
+net.ipv4.ip_local_reserved_ports=55000,57314,55000,57314,47760-47860
\ No newline at end of file
diff --git a/salt/common/init.sls b/salt/common/init.sls
index 6d0e567c5..7945a678a 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -266,9 +266,10 @@ docker:
       - file: docker_daemon
 
 # Reserve OS ports for Docker proxy in case boot settings are not already applied/present
+# 55000 = Wazuh, 57314 = Strelka, 47760-47860 = Zeek
 dockerapplyports:
     cmd.run:
-      - name: if [ ! -s /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314,47760,47761,47762"; fi
+      - name: if [ ! -s /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314,47760-47860"; fi
 
 # Reserve OS ports for Docker proxy
 dockerreserveports:

From 7c6b037ae55ef36727e49b4b3786cc3fd8eff57c Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Thu, 1 Apr 2021 10:30:52 -0400
Subject: [PATCH 6/7] Reserve ports for Zeek

---
 salt/common/files/99-reserved-ports.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/common/files/99-reserved-ports.conf b/salt/common/files/99-reserved-ports.conf
index ac4391693..82eb03f79 100644
--- a/salt/common/files/99-reserved-ports.conf
+++ b/salt/common/files/99-reserved-ports.conf
@@ -1 +1 @@
-net.ipv4.ip_local_reserved_ports=55000,57314,55000,57314,47760-47860
\ No newline at end of file
+net.ipv4.ip_local_reserved_ports=55000,57314,47760-47860
\ No newline at end of file

From 8ca0626387b6c8f61a4e79b92180c2e816cc8f2d Mon Sep 17 00:00:00 2001
From: Doug Burks <doug.burks@gmail.com>
Date: Mon, 5 Apr 2021 06:55:40 -0400
Subject: [PATCH 7/7] FIX: Hunt query for HTTP EXE downloads should work for
 both Zeek and Suricata #3753

---
 salt/soc/files/soc/hunt.queries.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/soc/files/soc/hunt.queries.json b/salt/soc/files/soc/hunt.queries.json
index 840b4b373..93295364d 100644
--- a/salt/soc/files/soc/hunt.queries.json
+++ b/salt/soc/files/soc/hunt.queries.json
@@ -34,7 +34,7 @@
           { "name": "HTTP", "description": "HTTP grouped by status code and message", "query": "event.dataset:http | groupby http.status_code http.status_message"},
           { "name": "HTTP", "description": "HTTP grouped by method and user agent", "query": "event.dataset:http | groupby http.method http.useragent"},
           { "name": "HTTP", "description": "HTTP grouped by virtual host", "query": "event.dataset:http | groupby http.virtual_host"},
-          { "name": "HTTP", "description": "HTTP with exe downloads", "query": "event.dataset:http AND file.resp_mime_types:dosexec | groupby http.virtual_host"},
+          { "name": "HTTP", "description": "HTTP with exe downloads", "query": "event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host"},
           { "name": "Intel", "description": "Intel framework hits grouped by indicator", "query": "event.dataset:intel | groupby intel.indicator.keyword"},
           { "name": "IRC", "description": "IRC grouped by command", "query": "event.dataset:irc | groupby irc.command.type"},
           { "name": "KERBEROS", "description": "KERBEROS grouped by service", "query": "event.dataset:kerberos | groupby kerberos.service"},