Merge remote-tracking branch 'origin/2.4/dev' into 2.4/defend-filters

pillar/top.sls

@@ -310,3 +310,5 @@ base:
   '*_desktop':
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
+    - stig.soc_stig
+    - soc.license

salt/allowed_states.map.jinja

@@ -202,7 +202,8 @@
       'so-desktop': [
           'ssl',
           'docker_clean',
-          'telegraf'
+          'telegraf',
+          'stig'
           ],
   }, grain='role') %}
 

salt/common/tools/sbin/so-image-common

@@ -114,7 +114,7 @@ update_docker_containers() {
 
   # all the images using ELASTICSEARCHDEFAULTS.elasticsearch.version
   # does not include so-elastic-fleet since that container uses so-elastic-agent image
-  local IMAGES_USING_ES_VERSION=("so-elastic-fleet-package-registry" "so-elastic-agent" "so-kibana" "so-logstash" "so-elasticsearch")
+  local IMAGES_USING_ES_VERSION=("so-elasticsearch")
 
   rm -rf $SIGNPATH >> "$LOG_FILE" 2>&1 
   mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1 
@@ -159,9 +159,11 @@ update_docker_containers() {
       fi
       local highest_es_version=$(compare_es_versions "$v1" "$v2")
       local image=$i:$highest_es_version$IMAGE_TAG_SUFFIX
+      local sig_url=https://sigs.securityonion.net/es-$highest_es_version/$image.sig
     else
       # this is not an es container so use the so version for the version
       local image=$i:$VERSION$IMAGE_TAG_SUFFIX
+      local sig_url=https://sigs.securityonion.net/$VERSION/$image.sig
     fi
     # Pull down the trusted docker image
     run_check_net_err \
@@ -170,7 +172,7 @@ update_docker_containers() {
     
     # Get signature
     run_check_net_err \
-    "curl --retry 5 --retry-delay 60 -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$image.sig --output $SIGNPATH/$image.sig" \
+    "curl --retry 5 --retry-delay 60 -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' $sig_url --output $SIGNPATH/$image.sig" \
     "Could not pull signature file for $image, please ensure connectivity to https://sigs.securityonion.net " \
     noretry >> "$LOG_FILE" 2>&1
     # Dump our hash values

salt/docker/init.sls

@@ -20,41 +20,41 @@ dockergroup:
 dockerheldpackages:
   pkg.installed:
     - pkgs:
-      - containerd.io: 1.6.33-1
+      - containerd.io: 1.7.21-1
-      - docker-ce: 5:26.1.4-1~debian.12~bookworm
+      - docker-ce: 5:27.2.0-1~debian.12~bookworm
-      - docker-ce-cli: 5:26.1.4-1~debian.12~bookworm
+      - docker-ce-cli: 5:27.2.0-1~debian.12~bookworm
-      - docker-ce-rootless-extras: 5:26.1.4-1~debian.12~bookworm
+      - docker-ce-rootless-extras: 5:27.2.0-1~debian.12~bookworm
     - hold: True
     - update_holds: True
 {%    elif grains.oscodename == 'jammy' %}
 dockerheldpackages:
   pkg.installed:
     - pkgs:
-      - containerd.io: 1.6.33-1
+      - containerd.io: 1.7.21-1
-      - docker-ce: 5:26.1.4-1~ubuntu.22.04~jammy
+      - docker-ce: 5:27.2.0-1~ubuntu.22.04~jammy
-      - docker-ce-cli: 5:26.1.4-1~ubuntu.22.04~jammy
+      - docker-ce-cli: 5:27.2.0-1~ubuntu.22.04~jammy
-      - docker-ce-rootless-extras: 5:26.1.4-1~ubuntu.22.04~jammy
+      - docker-ce-rootless-extras: 5:27.2.0-1~ubuntu.22.04~jammy
     - hold: True
     - update_holds: True
 {%    else %}
 dockerheldpackages:
   pkg.installed:
     - pkgs:
-      - containerd.io: 1.6.33-1
+      - containerd.io: 1.7.21-1
-      - docker-ce: 5:26.1.4-1~ubuntu.20.04~focal
+      - docker-ce: 5:27.2.0-1~ubuntu.20.04~focal
-      - docker-ce-cli: 5:26.1.4-1~ubuntu.20.04~focal
+      - docker-ce-cli: 5:27.2.0-1~ubuntu.20.04~focal
-      - docker-ce-rootless-extras: 5:26.1.4-1~ubuntu.20.04~focal
+      - docker-ce-rootless-extras: 5:27.2.0-1~ubuntu.20.04~focal
     - hold: True
     - update_holds: True
-{% endif %}
+{%   endif %}
 {% else %}
 dockerheldpackages:
   pkg.installed:
     - pkgs:
-      - containerd.io: 1.6.33-3.1.el9
+      - containerd.io: 1.7.21-3.1.el9
-      - docker-ce: 3:26.1.4-1.el9
+      - docker-ce: 3:27.2.0-1.el9
-      - docker-ce-cli: 1:26.1.4-1.el9
+      - docker-ce-cli: 1:27.2.0-1.el9
-      - docker-ce-rootless-extras: 26.1.4-1.el9
+      - docker-ce-rootless-extras: 27.2.0-1.el9
     - hold: True
     - update_holds: True
 {% endif %}

salt/elastalert/soc_elastalert.yaml

@@ -1,6 +1,6 @@
 elastalert:
   enabled:
-    description: You can enable or disable Elastalert.
+    description: Enables or disables the ElastAlert 2 process. This process is critical for ensuring alerts arrive in SOC, and for outbound notification delivery.
     helpLink: elastalert.html
   alerter_parameters:
     title: Custom Configuration Parameters

salt/elastic-fleet-package-registry/enabled.sls

@@ -7,7 +7,6 @@
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
-{%   import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %}
 
 include:
   - elastic-fleet-package-registry.config
@@ -15,7 +14,7 @@ include:
 
 so-elastic-fleet-package-registry:
   docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-fleet-package-registry:{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }}
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-fleet-package-registry:{{ GLOBALS.so_version }}
     - name: so-elastic-fleet-package-registry
     - hostname: Fleet-package-reg-{{ GLOBALS.hostname }}
     - detach: True

salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml

@@ -1,4 +1,4 @@
 elastic_fleet_package_registry:
   enabled:
-    description: You can enable or disable Elastic Fleet Package Registry.
+    description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated.
     advanced: True

salt/elasticagent/enabled.sls

@@ -7,7 +7,6 @@
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
-{%   import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %}
 
 include:
   - elasticagent.config
@@ -15,7 +14,7 @@ include:
 
 so-elastic-agent:
   docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }}
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ GLOBALS.so_version }}
     - name: so-elastic-agent
     - hostname: {{ GLOBALS.hostname }}
     - detach: True

salt/elasticagent/soc_elasticagent.yaml

@@ -0,0 +1,4 @@
+elasticagent:
+  enabled:
+    description: Enables or disables the Elastic Agent process. This process must remain enabled to allow collection of node events.
+    advanced: True

salt/elasticfleet/defaults.yaml

@@ -38,6 +38,7 @@ elasticfleet:
     - aws
     - azure
     - barracuda
+    - barracuda_cloudgen_firewall
     - carbonblack_edr
     - cef
     - checkpoint
@@ -68,6 +69,7 @@ elasticfleet:
     - http_endpoint
     - httpjson
     - iis
+    - imperva_cloud_waf
     - journald
     - juniper
     - juniper_srx

salt/elasticfleet/enabled.sls

@@ -8,7 +8,6 @@
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
-{%   import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %}
 
 {#   This value is generated during node install and stored in minion pillar #}
 {%   set SERVICETOKEN = salt['pillar.get']('elasticfleet:config:server:es_token','') %}
@@ -72,7 +71,7 @@ elasticagent_syncartifacts:
 {%   if SERVICETOKEN != '' %}
 so-elastic-fleet:
   docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ ELASTICSEARCHDEFAULTS.elasticsearch.version }}
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ GLOBALS.so_version }}
     - name: so-elastic-fleet
     - hostname: FleetServer-{{ GLOBALS.hostname }}
     - detach: True
@@ -143,6 +142,10 @@ so-elastic-agent-grid-upgrade:
   cmd.run:
     - name: /usr/sbin/so-elastic-agent-grid-upgrade
     - retry: True
+
+so-elastic-fleet-integration-upgrade:
+  cmd.run:
+    - name: /usr/sbin/so-elastic-fleet-integration-upgrade
 {%  endif %}
 
 delete_so-elastic-fleet_so-status.disabled:

salt/elasticfleet/soc_elasticfleet.yaml

@@ -1,6 +1,6 @@
 elasticfleet:
   enabled:
-    description: You can enable or disable Elastic Fleet.
+    description: Enables or disables the Elastic Fleet process. This process is critical for managing Elastic Agents.
     advanced: True
     helpLink: elastic-fleet.html
   enable_manager_output:

salt/elasticfleet/tools/sbin/so-elastic-fleet-common

@@ -102,6 +102,62 @@ elastic_fleet_package_is_installed() {
     curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET -H 'kbn-xsrf: true' "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.status'
 }
 
+elastic_fleet_agent_policy_names() {
+    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies" | jq -r .items[].name
+    if [ $? -ne 0 ]; then
+        echo "Error: Failed to retrieve agent policies."
+        exit 1
+    fi
+}
+
+elastic_fleet_integration_policy_names() {
+    AGENT_POLICY=$1
+    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies/$AGENT_POLICY" | jq -r .item.package_policies[].name
+    if [ $? -ne 0 ]; then
+        echo "Error: Failed to retrieve integrations for '$AGENT_POLICY'."
+        exit 1
+    fi
+}
+
+elastic_fleet_integration_policy_package_name() {
+    AGENT_POLICY=$1
+    INTEGRATION=$2
+    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies/$AGENT_POLICY" | jq -r --arg INTEGRATION "$INTEGRATION" '.item.package_policies[] | select(.name==$INTEGRATION)| .package.name'
+    if [ $? -ne 0 ]; then
+        echo "Error: Failed to retrieve package name for '$INTEGRATION' in '$AGENT_POLICY'."
+        exit 1
+    fi
+}
+
+elastic_fleet_integration_policy_package_version() {
+    AGENT_POLICY=$1
+    INTEGRATION=$2
+    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies/$AGENT_POLICY" | jq -r --arg INTEGRATION "$INTEGRATION" '.item.package_policies[] | select(.name==$INTEGRATION)| .package.version'
+    if [ $? -ne 0 ]; then
+        echo "Error: Failed to retrieve package version for '$INTEGRATION' in '$AGENT_POLICY'."
+        exit 1
+    fi
+}
+
+elastic_fleet_integration_id() {
+    AGENT_POLICY=$1
+    INTEGRATION=$2
+    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies/$AGENT_POLICY" | jq -r --arg INTEGRATION "$INTEGRATION" '.item.package_policies[] | select(.name==$INTEGRATION)| .id'
+    if [ $? -ne 0 ]; then
+        echo "Error: Failed to retrieve integration ID for '$INTEGRATION' in '$AGENT_POLICY'."
+        exit 1
+    fi
+}
+
+elastic_fleet_integration_policy_dryrun_upgrade() {
+    INTEGRATION_ID=$1
+    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -H "Content-Type: application/json" -H 'kbn-xsrf: true' -L -X POST "localhost:5601/api/fleet/package_policies/upgrade/dryrun" -d "{\"packagePolicyIds\":[\"$INTEGRATION_ID\"]}"
+    if [ $? -ne 0 ]; then
+        echo "Error: Failed to complete dry run for '$INTEGRATION_ID'."
+        exit 1
+    fi
+}
+
 elastic_fleet_policy_create() {
 
     NAME=$1

salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-upgrade

@@ -0,0 +1,62 @@
+#!/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-elastic-fleet-common
+
+curl_output=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/)
+if [ $? -ne 0 ]; then
+    echo "Error: Failed to connect to Kibana."
+    exit 1
+fi
+
+IFS=$'\n'
+agent_policies=$(elastic_fleet_agent_policy_names)
+if [ $? -ne 0 ]; then
+    echo "Error: Failed to retrieve agent policies."
+    exit 1
+fi
+
+for AGENT_POLICY in $agent_policies; do
+    integrations=$(elastic_fleet_integration_policy_names "$AGENT_POLICY")
+    for INTEGRATION in $integrations; do
+        if ! [[ "$INTEGRATION" == "elastic-defend-endpoints" ]] && ! [[ "$INTEGRATION" == "fleet_server-"* ]]; then
+            # Get package name so we know what package to look for when checking the current and latest available version
+            PACKAGE_NAME=$(elastic_fleet_integration_policy_package_name "$AGENT_POLICY" "$INTEGRATION")
+
+            # Get currently installed version of package
+            PACKAGE_VERSION=$(elastic_fleet_integration_policy_package_version "$AGENT_POLICY" "$INTEGRATION")
+
+            # Get latest available version of package
+            AVAILABLE_VERSION=$(elastic_fleet_package_latest_version_check "$PACKAGE_NAME")
+
+            # Get integration ID
+            INTEGRATION_ID=$(elastic_fleet_integration_id "$AGENT_POLICY" "$INTEGRATION")
+
+            if [[ "$PACKAGE_VERSION" != "$AVAILABLE_VERSION" ]]; then
+                # Dry run of the upgrade
+                echo "Current $PACKAGE_NAME package version ($PACKAGE_VERSION) is not the same as the latest available package ($AVAILABLE_VERSION)..."
+                echo "Upgrading $INTEGRATION..."
+                echo "Starting dry run..."
+                DRYRUN_OUTPUT=$(elastic_fleet_integration_policy_dryrun_upgrade "$INTEGRATION_ID")
+                DRYRUN_ERRORS=$(echo "$DRYRUN_OUTPUT" | jq .[].hasErrors)
+                
+                # If no errors with dry run, proceed with actual upgrade
+                if [[ "$DRYRUN_ERRORS" == "false" ]]; then
+                    echo "No errors detected. Proceeding with upgrade..."
+                    elastic_fleet_integration_policy_upgrade "$INTEGRATION_ID"
+                    if [ $? -ne 0 ]; then
+                        echo "Error: Upgrade failed for integration ID '$INTEGRATION_ID'."
+                        exit 1
+                    fi
+                else
+                    echo "Errors detected during dry run. Stopping upgrade..."
+                    exit 1
+                fi
+            fi
+        fi
+    done
+done
+echo

salt/elasticsearch/defaults.yaml

@@ -2366,6 +2366,52 @@ elasticsearch:
               set_priority:
                 priority: 50
             min_age: 30d
+    so-logs-barracuda_cloudgen_firewall_x_log:
+      index_sorting: False
+      index_template:
+        ignore_missing_component_templates:
+          - logs-barracuda_cloudgen_firewall.log@custom
+        index_patterns:
+          - "logs-barracuda_cloudgen_firewall.log-*"
+        template:
+          settings:
+            index:
+              lifecycle:
+                name: so-logs-barracuda_cloudgen_firewall.log-logs
+              number_of_replicas: 0
+        composed_of:
+          - "logs-barracuda_cloudgen_firewall.log@package"
+          - "logs-barracuda_cloudgen_firewall.log@custom"
+          - "so-fleet_globals-1"
+          - "so-fleet_agent_id_verification-1"
+        priority: 501
+        data_stream:
+          hidden: false
+          allow_custom_routing: false
+      policy:
+        phases:
+          cold:
+            actions:
+              set_priority:
+                priority: 0
+            min_age: 30d
+          delete:
+            actions:
+              delete: {}
+            min_age: 365d
+          hot:
+            actions:
+              rollover:
+                max_age: 30d
+                max_primary_shard_size: 50gb
+              set_priority:
+                priority: 100
+            min_age: 0ms
+          warm:
+            actions:
+              set_priority:
+                priority: 50
+            min_age: 30d
     so-logs-carbonblack_edr_x_log:
       index_sorting: false
       index_template:
@@ -6556,6 +6602,52 @@ elasticsearch:
               set_priority:
                 priority: 50
             min_age: 30d
+    so-logs-imperva_cloud_waf_x_event:
+      index_sorting: False
+      index_template:
+        ignore_missing_component_templates:
+          - logs-imperva_cloud_waf.event@custom
+        index_patterns:
+          - "logs-imperva_cloud_waf.event-*"
+        template:
+          settings:
+            index:
+              lifecycle:
+                name: so-logs-imperva_cloud_waf.event-logs
+              number_of_replicas: 0
+        composed_of:
+          - "logs-imperva_cloud_waf.event@package"
+          - "logs-imperva_cloud_waf.event@custom"
+          - "so-fleet_globals-1"
+          - "so-fleet_agent_id_verification-1"
+        priority: 501
+        data_stream:
+          hidden: false
+          allow_custom_routing: false
+      policy:
+        phases:
+          cold:
+            actions:
+              set_priority:
+                priority: 0
+            min_age: 30d
+          delete:
+            actions:
+              delete: {}
+            min_age: 365d
+          hot:
+            actions:
+              rollover:
+                max_age: 30d
+                max_primary_shard_size: 50gb
+              set_priority:
+                priority: 100
+            min_age: 0ms
+          warm:
+            actions:
+              set_priority:
+                priority: 50
+            min_age: 30d
     so-logs-juniper_srx_x_log:
       index_sorting: false
       index_template:

salt/elasticsearch/files/ingest/logs-pfsense.log-1.16.0

@@ -1,5 +1,5 @@
 {
-  "description": "Pipeline for pfSense",
+  "description": "Pipeline for PFsense",
   "processors": [
     {
       "set": {

salt/elasticsearch/files/ingest/logs-pfsense.log-1.16.0-suricata

@@ -1,9 +1,14 @@
 {
   "description": "Pipeline for parsing pfSense Suricata logs.",
   "processors": [
+    { "set": {
+        "field": "event.module",
+        "value": "suricata"
+      }
+    },
     {
      "pipeline": {
-        "name": "suricata.common"
+        "name": "suricata.common_pfsense"
       }
     }
   ],

salt/elasticsearch/files/ingest/logs-pfsense.log-1.19.1

@@ -0,0 +1,414 @@
+{
+  "description": "Pipeline for PFsense",
+  "processors": [
+    {
+      "set": {
+        "field": "ecs.version",
+        "value": "8.11.0"
+      }
+    },
+    {
+      "set": {
+        "field": "observer.vendor",
+        "value": "netgate"
+      }
+    },
+    {
+      "set": {
+        "field": "observer.type",
+        "value": "firewall"
+      }
+    },
+    {
+      "rename": {
+        "field": "message",
+        "target_field": "event.original",
+        "ignore_missing": true,
+        "if": "ctx.event?.original == null"
+      }
+    },
+    {
+      "set": {
+        "field": "event.kind",
+        "value": "event"
+      }
+    },
+    {
+      "set": {
+        "field": "event.timezone",
+        "value": "{{_tmp.tz_offset}}",
+        "if": "ctx._tmp?.tz_offset != null && ctx._tmp?.tz_offset != 'local'"
+      }
+    },
+    {
+      "grok": {
+        "description": "Parse syslog header",
+        "field": "event.original",
+        "patterns": [
+          "^(%{ECS_SYSLOG_PRI})?%{TIMESTAMP} %{GREEDYDATA:message}"
+        ],
+        "pattern_definitions": {
+          "ECS_SYSLOG_PRI": "<%{NONNEGINT:log.syslog.priority:long}>(\\d )?",
+          "TIMESTAMP": "(?:%{BSD_TIMESTAMP_FORMAT}|%{SYSLOG_TIMESTAMP_FORMAT})",
+          "BSD_TIMESTAMP_FORMAT": "%{SYSLOGTIMESTAMP:_tmp.timestamp}(%{SPACE}%{BSD_PROCNAME}|%{SPACE}%{OBSERVER}%{SPACE}%{BSD_PROCNAME})(\\[%{POSINT:process.pid:long}\\])?:",
+          "BSD_PROCNAME": "(?:\\b%{NAME:process.name}|\\(%{NAME:process.name}\\))",
+          "NAME": "[[[:alnum:]]_-]+",
+          "SYSLOG_TIMESTAMP_FORMAT": "%{TIMESTAMP_ISO8601:_tmp.timestamp8601}%{SPACE}%{OBSERVER}%{SPACE}%{PROCESS}%{SPACE}(%{POSINT:process.pid:long}|-) - (-|%{META})",
+          "TIMESTAMP_ISO8601": "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE:event.timezone}?",
+          "OBSERVER": "(?:%{IP:observer.ip}|%{HOSTNAME:observer.name})",
+          "UNIXPATH": "(/([\\w_%!$@:.,+~-]+|\\\\.)*)*",
+          "PROCESS": "(\\(%{DATA:process.name}\\)|(?:%{UNIXPATH})%{BASEPATH:process.name})",
+          "BASEPATH": "[[[:alnum:]]_%!$@:.,+~-]+",
+          "META": "\\[[^\\]]*\\]"
+        }
+      }
+    },
+    {
+      "date": {
+        "if": "ctx._tmp.timestamp8601 != null",
+        "field": "_tmp.timestamp8601",
+        "target_field": "@timestamp",
+        "formats": [
+          "ISO8601"
+        ]
+      }
+    },
+    {
+      "date": {
+        "if": "ctx.event?.timezone != null && ctx._tmp?.timestamp != null",
+        "field": "_tmp.timestamp",
+        "target_field": "@timestamp",
+        "formats": [
+          "MMM  d HH:mm:ss",
+          "MMM d HH:mm:ss",
+          "MMM dd HH:mm:ss"
+        ],
+        "timezone": "{{ event.timezone }}"
+      }
+    },
+    {
+      "grok": {
+        "description": "Set Event Provider",
+        "field": "process.name",
+        "patterns": [
+          "^%{HYPHENATED_WORDS:event.provider}"
+        ],
+        "pattern_definitions": {
+          "HYPHENATED_WORDS": "\\b[A-Za-z0-9_]+(-[A-Za-z_]+)*\\b"
+        }
+      }
+    },
+    {
+      "pipeline": {
+        "name": "logs-pfsense.log-1.19.1-firewall",
+        "if": "ctx.event.provider == 'filterlog'"
+      }
+    },
+    {
+      "pipeline": {
+        "name": "logs-pfsense.log-1.19.1-openvpn",
+        "if": "ctx.event.provider == 'openvpn'"
+      }
+    },
+    {
+      "pipeline": {
+        "name": "logs-pfsense.log-1.19.1-ipsec",
+        "if": "ctx.event.provider == 'charon'"
+      }
+    },
+    {
+      "pipeline": {
+        "name": "logs-pfsense.log-1.19.1-dhcp",
+        "if": "[\"dhcpd\", \"dhclient\", \"dhcp6c\"].contains(ctx.event.provider)"
+      }
+    },
+    {
+      "pipeline": {
+        "name": "logs-pfsense.log-1.19.1-unbound",
+        "if": "ctx.event.provider == 'unbound'"
+      }
+    },
+    {
+      "pipeline": {
+        "name": "logs-pfsense.log-1.19.1-haproxy",
+        "if": "ctx.event.provider == 'haproxy'"
+      }
+    },
+    {
+      "pipeline": {
+        "name": "logs-pfsense.log-1.19.1-php-fpm",
+        "if": "ctx.event.provider == 'php-fpm'"
+      }
+    },
+    {
+      "pipeline": {
+        "name": "logs-pfsense.log-1.19.1-squid",
+        "if": "ctx.event.provider == 'squid'"
+      }
+    },
+    {
+     "pipeline": {
+        "name": "logs-pfsense.log-1.16.0-suricata",
+        "if": "ctx.event.provider == 'suricata'"
+      }
+    },
+    {
+      "drop": {
+        "if": "![\"filterlog\", \"openvpn\", \"charon\", \"dhcpd\", \"dhclient\", \"dhcp6c\", \"unbound\", \"haproxy\", \"php-fpm\", \"squid\", \"suricata\"].contains(ctx.event?.provider)"
+      }
+    },
+    {
+      "append": {
+        "field": "event.category",
+        "value": "network",
+        "if": "ctx.network != null"
+      }
+    },
+    {
+      "convert": {
+        "field": "source.address",
+        "target_field": "source.ip",
+        "type": "ip",
+        "ignore_failure": true,
+        "ignore_missing": true
+      }
+    },
+    {
+      "convert": {
+        "field": "destination.address",
+        "target_field": "destination.ip",
+        "type": "ip",
+        "ignore_failure": true,
+        "ignore_missing": true
+      }
+    },
+    {
+      "set": {
+        "field": "network.type",
+        "value": "ipv6",
+        "if": "ctx.source?.ip != null && ctx.source.ip.contains(\":\")"
+      }
+    },
+    {
+      "set": {
+        "field": "network.type",
+        "value": "ipv4",
+        "if": "ctx.source?.ip != null && ctx.source.ip.contains(\".\")"
+      }
+    },
+    {
+      "geoip": {
+        "field": "source.ip",
+        "target_field": "source.geo",
+        "ignore_missing": true
+      }
+    },
+    {
+      "geoip": {
+        "field": "destination.ip",
+        "target_field": "destination.geo",
+        "ignore_missing": true
+      }
+    },
+    {
+      "geoip": {
+        "ignore_missing": true,
+        "database_file": "GeoLite2-ASN.mmdb",
+        "field": "source.ip",
+        "target_field": "source.as",
+        "properties": [
+          "asn",
+          "organization_name"
+        ]
+      }
+    },
+    {
+      "geoip": {
+        "database_file": "GeoLite2-ASN.mmdb",
+        "field": "destination.ip",
+        "target_field": "destination.as",
+        "properties": [
+          "asn",
+          "organization_name"
+        ],
+        "ignore_missing": true
+      }
+    },
+    {
+      "rename": {
+        "field": "source.as.asn",
+        "target_field": "source.as.number",
+        "ignore_missing": true
+      }
+    },
+    {
+      "rename": {
+        "field": "source.as.organization_name",
+        "target_field": "source.as.organization.name",
+        "ignore_missing": true
+      }
+    },
+    {
+      "rename": {
+        "field": "destination.as.asn",
+        "target_field": "destination.as.number",
+        "ignore_missing": true
+      }
+    },
+    {
+      "rename": {
+        "field": "destination.as.organization_name",
+        "target_field": "destination.as.organization.name",
+        "ignore_missing": true
+      }
+    },
+    {
+      "community_id": {
+        "target_field": "network.community_id",
+        "ignore_failure": true
+      }
+    },
+    {
+      "grok": {
+        "field": "observer.ingress.interface.name",
+        "patterns": [
+          "%{DATA}.%{NONNEGINT:observer.ingress.vlan.id}"
+        ],
+        "ignore_missing": true,
+        "ignore_failure": true
+      }
+    },
+    {
+      "set": {
+        "field": "network.vlan.id",
+        "copy_from": "observer.ingress.vlan.id",
+        "ignore_empty_value": true
+      }
+    },
+    {
+      "append": {
+        "field": "related.ip",
+        "value": "{{destination.ip}}",
+        "allow_duplicates": false,
+        "if": "ctx.destination?.ip != null"
+      }
+    },
+    {
+      "append": {
+        "field": "related.ip",
+        "value": "{{source.ip}}",
+        "allow_duplicates": false,
+        "if": "ctx.source?.ip != null"
+      }
+    },
+    {
+      "append": {
+        "field": "related.ip",
+        "value": "{{source.nat.ip}}",
+        "allow_duplicates": false,
+        "if": "ctx.source?.nat?.ip != null"
+      }
+    },
+    {
+      "append": {
+        "field": "related.hosts",
+        "value": "{{destination.domain}}",
+        "if": "ctx.destination?.domain != null"
+      }
+    },
+    {
+      "append": {
+        "field": "related.user",
+        "value": "{{user.name}}",
+        "if": "ctx.user?.name != null"
+      }
+    },
+    {
+      "set": {
+        "field": "network.direction",
+        "value": "{{network.direction}}bound",
+        "if": "ctx.network?.direction != null && ctx.network?.direction =~ /^(in|out)$/"
+      }
+    },
+    {
+      "remove": {
+        "field": [
+          "_tmp"
+        ],
+        "ignore_failure": true
+      }
+    },
+    {
+      "script": {
+        "lang": "painless",
+        "description": "This script processor iterates over the whole document to remove fields with null values.",
+        "source": "void handleMap(Map map) {\n  for (def x : map.values()) {\n    if (x instanceof Map) {\n        handleMap(x);\n    } else if (x instanceof List) {\n        handleList(x);\n    }\n  }\n  map.values().removeIf(v -> v == null || (v instanceof String && v == \"-\"));\n}\nvoid handleList(List list) {\n  for (def x : list) {\n      if (x instanceof Map) {\n          handleMap(x);\n      } else if (x instanceof List) {\n          handleList(x);\n      }\n  }\n}\nhandleMap(ctx);\n"
+      }
+    },
+    {
+      "remove": {
+        "field": "event.original",
+        "if": "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))",
+        "ignore_failure": true,
+        "ignore_missing": true
+      }
+    },
+    {
+      "pipeline": {
+        "name": "global@custom",
+        "ignore_missing_pipeline": true,
+        "description": "[Fleet] Global pipeline for all data streams"
+      }
+    },
+    {
+      "pipeline": {
+        "name": "logs@custom",
+        "ignore_missing_pipeline": true,
+        "description": "[Fleet] Pipeline for all data streams of type `logs`"
+      }
+    },
+    {
+      "pipeline": {
+        "name": "logs-pfsense.integration@custom",
+        "ignore_missing_pipeline": true,
+        "description": "[Fleet] Pipeline for all data streams of type `logs` defined by the `pfsense` integration"
+      }
+    },
+    {
+      "pipeline": {
+        "name": "logs-pfsense.log@custom",
+        "ignore_missing_pipeline": true,
+        "description": "[Fleet] Pipeline for the `pfsense.log` dataset"
+      }
+    }
+  ],
+  "on_failure": [
+    {
+      "remove": {
+        "field": [
+          "_tmp"
+        ],
+        "ignore_failure": true
+      }
+    },
+    {
+      "set": {
+        "field": "event.kind",
+        "value": "pipeline_error"
+      }
+    },
+    {
+      "append": {
+        "field": "error.message",
+        "value": "{{{ _ingest.on_failure_message }}}"
+      }
+    }
+  ],
+  "_meta": {
+    "managed_by": "fleet",
+    "managed": true,
+    "package": {
+      "name": "pfsense"
+    }
+  }
+}

salt/elasticsearch/files/ingest/suricata.alert_pfsense

@@ -0,0 +1,16 @@
+{
+  "description" : "suricata.alert",
+  "processors" : [
+    { "set":   { "field": "data_stream.dataset", "value": "suricata" } },
+    { "set":   { "field": "data_stream.namespace", "value": "so" } },
+    { "set":   { "field": "_index", "value": "logs-suricata.alerts-so" } },
+    { "set":   { "field": "tags","value": "alert" }},
+    { "rename":{ "field": "message2.alert",	"target_field": "rule",	"ignore_failure": true 	} },
+    { "rename":{ "field": "rule.signature",     "target_field": "rule.name", "ignore_failure": true  } },
+    { "rename":{ "field": "rule.ref",     "target_field": "rule.version", "ignore_failure": true  } },
+    { "rename":{ "field": "rule.signature_id",     "target_field": "rule.uuid", "ignore_failure": true  } },
+    { "rename":{ "field": "rule.signature_id",     "target_field": "rule.signature", "ignore_failure": true  } },
+    { "rename":{ "field": "message2.payload_printable",     "target_field": "network.data.decoded", "ignore_failure": true  } },
+    { "pipeline": { "name": "common.nids" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.common_pfsense

@@ -0,0 +1,23 @@
+{
+  "description" : "suricata.common",
+  "processors" : [
+    { "json":   { "field": "message",                   "target_field": "message2",             "ignore_failure": true  } },
+    { "rename": { "field": "message2.pkt_src",          "target_field": "network.packet_source","ignore_failure": true  } },
+    { "rename": { "field": "message2.proto",            "target_field": "network.transport",    "ignore_failure": true  } },
+    { "rename": { "field": "message2.in_iface",         "target_field": "observer.ingress.interface.name",    "ignore_failure": true  } },
+    { "rename": { "field": "message2.flow_id",          "target_field": "log.id.uid",           "ignore_failure": true  } },
+    { "rename": { "field": "message2.src_ip",           "target_field": "source.ip",            "ignore_failure": true  } },
+    { "rename": { "field": "message2.src_port",         "target_field": "source.port",          "ignore_failure": true  } },
+    { "rename": { "field": "message2.dest_ip",          "target_field": "destination.ip",       "ignore_failure": true  } },
+    { "rename": { "field": "message2.dest_port",        "target_field": "destination.port",     "ignore_failure": true  } },
+    { "rename": { "field": "message2.vlan",             "target_field": "network.vlan.id",      "ignore_failure": true  } },
+    { "rename": { "field": "message2.community_id",     "target_field": "network.community_id", "ignore_missing": true  } },
+    { "rename": { "field": "message2.xff",              "target_field": "xff.ip",               "ignore_missing": true  } },
+    { "set":    { "field": "event.dataset",             "value": "{{ message2.event_type }}"                            } },
+    { "set":    { "field": "observer.name",             "value": "{{agent.name}}"                                       } },
+    { "set":    { "field": "event.ingested",            "value": "{{@timestamp}}"                                       } },
+    { "date": { "field": "message2.timestamp", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "timezone": "UTC", "ignore_failure": true } },
+    { "remove":{ "field": "agent",                                                              "ignore_failure": true  } },
+    { "pipeline": { "if": "ctx?.event?.dataset != null", "name": "suricata.{{event.dataset}}_pfsense" } }
+  ]
+}

salt/elasticsearch/soc_elasticsearch.yaml

@@ -1,6 +1,7 @@
 elasticsearch:
   enabled:
-    description: You can enable or disable Elasticsearch.
+    description: Enables or disables the Elasticsearch process. This process provides the log event storage system. WARNING - Disabling this process is unsupported.
+    advanced: True
     helpLink: elasticsearch.html
   version:
     description: "This specifies the version of the following containers: so-elastic-fleet-package-registry, so-elastic-agent, so-elastic-fleet, so-kibana, so-logstash and so-elasticsearch. Modifying this value in the Elasticsearch defaults.yaml will result in catastrophic grid failure."
@@ -381,6 +382,7 @@ elasticsearch:
     so-logs-azure_x_signinlogs: *indexSettings
     so-logs-azure_x_springcloudlogs: *indexSettings
     so-logs-barracuda_x_waf: *indexSettings
+    so-logs-barracuda_cloudgen_firewall_x_log: *indexSettings
     so-logs-cef_x_log: *indexSettings
     so-logs-cisco_asa_x_log: *indexSettings
     so-logs-cisco_ftd_x_log: *indexSettings
@@ -435,6 +437,7 @@ elasticsearch:
     so-logs-httpjson_x_generic: *indexSettings
     so-logs-iis_x_access: *indexSettings
     so-logs-iis_x_error: *indexSettings
+    so-logs-imperva_cloud_waf_x_event: *indexSettings
     so-logs-juniper_x_junos: *indexSettings
     so-logs-juniper_x_netscreen: *indexSettings
     so-logs-juniper_x_srx: *indexSettings

salt/elasticsearch/templates/component/so/so-system-mappings.json

@@ -16,6 +16,13 @@
             }
           }
         },
+	"destination": {
+          "properties":{
+            "ip": {
+              "type": "ip"
+            }
+          }
+        },
 	"source": {
           "properties":{
             "ip": {

salt/firewall/defaults.yaml

@@ -10,6 +10,7 @@ firewall:
     elasticsearch_rest: []
     endgame: []
     eval: []
+    external_suricata: []
     fleet: []
     heavynode: []
     idh: []
@@ -86,6 +87,10 @@ firewall:
       tcp:
         - 3765
       udp: []
+    external_suricata:
+      tcp: 
+        - 7789
+      udp: []
     influxdb:
       tcp:
         - 8086
@@ -216,6 +221,9 @@ firewall:
             analyst:
               portgroups:
                 - nginx
+            external_suricata:
+              portgroups:
+                - external_suricata
             customhostgroup0:
               portgroups: []
             customhostgroup1:
@@ -462,6 +470,9 @@ firewall:
             endgame:
               portgroups:
                 - endgame
+            external_suricata:
+              portgroups:
+                - external_suricata
             desktop:
               portgroups:
                 - docker_registry
@@ -654,6 +665,9 @@ firewall:
             endgame:
               portgroups:
                 - endgame
+            external_suricata:
+              portgroups:
+                - external_suricata
             desktop:
               portgroups:
                 - docker_registry
@@ -850,6 +864,9 @@ firewall:
             endgame:
               portgroups:
                 - endgame
+            external_suricata:
+              portgroups:
+                - external_suricata
             strelka_frontend:
               portgroups:
                 - strelka_frontend
@@ -1216,6 +1233,9 @@ firewall:
                 - elastic_agent_control
                 - elastic_agent_data
                 - elastic_agent_update
+            external_suricata:
+              portgroups:
+                - external_suricata
             analyst:
               portgroups:
                 - nginx

salt/firewall/soc_firewall.yaml

@@ -32,6 +32,7 @@ firewall:
     elasticsearch_rest: *hostgroupsettingsadv
     endgame: *hostgroupsettingsadv
     eval: *hostgroupsettings
+    external_suricata: *hostgroupsettings
     fleet: *hostgroupsettings
     heavynode: *hostgroupsettings
     idh: *hostgroupsettings
@@ -117,6 +118,9 @@ firewall:
     endgame:
       tcp: *tcpsettings
       udp: *udpsettings
+    external_suricata:
+      tcp: *tcpsettings
+      udp: *udpsettings
     influxdb:
       tcp: *tcpsettings
       udp: *udpsettings
@@ -215,6 +219,8 @@ firewall:
               portgroups: *portgroupsdocker
             elastic_agent_endpoint:
               portgroups: *portgroupsdocker
+            external_suricata: 
+              portgroups: *portgroupsdocker
             strelka_frontend:
               portgroups: *portgroupsdocker
             syslog:
@@ -370,6 +376,8 @@ firewall:
               portgroups: *portgroupsdocker
             endgame:
               portgroups: *portgroupsdocker
+            external_suricata: 
+              portgroups: *portgroupsdocker
             analyst:
               portgroups: *portgroupsdocker
             desktop:
@@ -463,6 +471,8 @@ firewall:
               portgroups: *portgroupsdocker
             analyst:
               portgroups: *portgroupsdocker
+            external_suricata: 
+              portgroups: *portgroupsdocker
             desktop:
               portgroups: *portgroupsdocker
             customhostgroup0:
@@ -554,6 +564,8 @@ firewall:
               portgroups: *portgroupsdocker
             endgame:
               portgroups: *portgroupsdocker
+            external_suricata: 
+              portgroups: *portgroupsdocker
             strelka_frontend:
               portgroups: *portgroupsdocker
             syslog:
@@ -828,6 +840,8 @@ firewall:
               portgroups: *portgroupsdocker
             analyst:
               portgroups: *portgroupsdocker
+            external_suricata: 
+              portgroups: *portgroupsdocker
             desktop:
               portgroups: *portgroupsdocker
             customhostgroup0:

salt/idh/config.sls

@@ -43,6 +43,29 @@ idhconfdir:
     - group: 939
     - makedirs: True
 
+idhhttpskinsdir:
+  file.directory:
+    - name: /opt/so/conf/idh/http-skins
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+# Copy over default http skins
+idhhttpskins:
+  file.recurse:
+    - name: /opt/so/conf/idh/http-skins
+    - user: 939
+    - group: 939
+    - source: salt://idh/skins/http/opencanary
+
+# Copy over custom http skins
+idhcustomhttpskins:
+  file.recurse:
+    - name: /opt/so/conf/idh/http-skins
+    - user: 939
+    - group: 939
+    - source: salt://idh/skins/http/custom
+
 # Create a log directory
 idhlogdir:
   file.directory:

salt/idh/enabled.sls

@@ -20,6 +20,7 @@ so-idh:
     - network_mode: host
     - binds:
       - /nsm/idh:/var/tmp:rw
+      - /opt/so/conf/idh/http-skins:/usr/local/lib/python3.12/site-packages/opencanary/modules/data/http/skin:ro
       - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
       {% if DOCKER.containers['so-idh'].custom_bind_mounts %}
         {% for BIND in DOCKER.containers['so-idh'].custom_bind_mounts %}

salt/idh/skins/http/custom/basicCustomLogin/403.html

@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>403 Forbidden</title>
+</head><body>
+<h1>Forbidden</h1>
+<p>You don't have permission to access [[URL]]
+on this server.</p>
+<hr>
+<address>[[BANNER]] Server</address>
+</body></html>

salt/idh/skins/http/custom/basicCustomLogin/404.html

@@ -0,0 +1,9 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>404 Not Found</title>
+</head><body>
+<h1>Not Found</h1>
+<p>The requested URL [[URL]] was not found on this server.</p>
+<hr>
+<address>[[BANNER]] Server</address>
+</body></html>

salt/idh/skins/http/custom/basicCustomLogin/index.html

@@ -0,0 +1,41 @@
+<html>
+    <head>
+        <title>Login</title>
+        <style>
+            body {
+              width: 100%;
+            }
+            .outer {
+               margin-left: auto;
+               margin-right: auto;
+               width: 25em;
+               height: 100%;
+            }
+            .inner{
+               display: table-cell;
+               vertical-align: middle;
+               height: 30em;
+            }
+        </style>
+    </head>
+    <body>
+        <div class='outer'>
+            <div class='inner'>
+                <h1>Network Storage v5.13</h1>
+		<!--STARTERR-->
+		<h2>Login failed</h2>
+		<!--ENDERR-->
+                <form method="POST">
+                    <dl>
+                        <dt>CustomUsername:</dt>
+                        <dd><input type="text" name="username" /></dd>
+                        <dt>Password:</dt>
+                        <dd><input type="password" name="password" /></dd>
+                        <dt></dt>
+                        <dd><input type="submit" value="Login" name="btnLogin" /></dd>
+                    </dl>
+                </form>
+            </div>
+        </div>
+    </body>
+</html>

salt/idh/skins/http/opencanary/basicLogin/403.html

@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>403 Forbidden</title>
+</head><body>
+<h1>Forbidden</h1>
+<p>You don't have permission to access [[URL]]
+on this server.</p>
+<hr>
+<address>[[BANNER]] Server</address>
+</body></html>

salt/idh/skins/http/opencanary/basicLogin/404.html

@@ -0,0 +1,9 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>404 Not Found</title>
+</head><body>
+<h1>Not Found</h1>
+<p>The requested URL [[URL]] was not found on this server.</p>
+<hr>
+<address>[[BANNER]] Server</address>
+</body></html>

salt/idh/skins/http/opencanary/basicLogin/index.html

@@ -0,0 +1,41 @@
+<html>
+    <head>
+        <title>Login</title>
+        <style>
+            body {
+              width: 100%;
+            }
+            .outer {
+               margin-left: auto;
+               margin-right: auto;
+               width: 25em;
+               height: 100%;
+            }
+            .inner{
+               display: table-cell;
+               vertical-align: middle;
+               height: 30em;
+            }
+        </style>
+    </head>
+    <body>
+        <div class='outer'>
+            <div class='inner'>
+                <h1>Network Storage v5.13</h1>
+		<!--STARTERR-->
+		<h2>Login failed</h2>
+		<!--ENDERR-->
+                <form method="POST">
+                    <dl>
+                        <dt>Username:</dt>
+                        <dd><input type="text" name="username" /></dd>
+                        <dt>Password:</dt>
+                        <dd><input type="password" name="password" /></dd>
+                        <dt></dt>
+                        <dd><input type="submit" value="Login" name="btnLogin" /></dd>
+                    </dl>
+                </form>
+            </div>
+        </div>
+    </body>
+</html>

salt/idh/skins/http/opencanary/nasLogin/403.html

@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>403 Forbidden</title>
+</head><body>
+<h1>Forbidden</h1>
+<p>You don't have permission to access [[URL]]
+on this server.</p>
+<hr>
+<address>[[BANNER]] Server</address>
+</body></html>

salt/idh/skins/http/opencanary/nasLogin/404.html

@@ -0,0 +1,9 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>404 Not Found</title>
+</head><body>
+<h1>Not Found</h1>
+<p>The requested URL [[URL]] was not found on this server.</p>
+<hr>
+<address>[[BANNER]] Server</address>
+</body></html>

salt/idh/skins/http/opencanary/nasLogin/static/css/style.css

@@ -0,0 +1 @@
+.syno-backup-repo-cloud-azure_blob{background-image:url("/webman/3rdparty/addon-azure_blob/images/icon.png") !important}@media (-webkit-min-device-pixel-ratio: 1.5), (-o-min-device-pixel-ratio: 3 / 2), (min-resolution: 144dpi){.synohdpack .syno-backup-repo-cloud-azure_blob{background-image:url("/webman/3rdparty/addon-azure_blob/images/icon@2x.png") !important;background-size:32px 32px !important}}@media (-webkit-min-device-pixel-ratio: 1.5), (-o-min-device-pixel-ratio: 3 / 2), (min-resolution: 144dpi){.synohdpackdebug .syno-backup-repo-cloud-azure_blob{background-image:url("/webman/3rdparty/addon-azure_blob/images/icon@2x.png") !important;background-size:32px 32px !important;outline:1px red dashed}}.syno-backup-task-cloud-azure_blob{background-image:url("/webman/3rdparty/addon-azure_blob/images/icon.png") !important}@media (-webkit-min-device-pixel-ratio: 1.5), (-o-min-device-pixel-ratio: 3 / 2), (min-resolution: 144dpi){.synohdpack .syno-backup-task-cloud-azure_blob{background-image:url("/webman/3rdparty/addon-azure_blob/images/icon@2x.png") !important;background-size:32px 32px !important}}@media (-webkit-min-device-pixel-ratio: 1.5), (-o-min-device-pixel-ratio: 3 / 2), (min-resolution: 144dpi){.synohdpackdebug .syno-backup-task-cloud-azure_blob{background-image:url("/webman/3rdparty/addon-azure_blob/images/icon@2x.png") !important;background-size:32px 32px !important;outline:1px red dashed}}