From 78c58e61ea3f5ee56db78bb8fcf972494a2309bb Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 12 Jul 2021 09:38:01 -0400
Subject: [PATCH 1/9] Resolves #4765
---
 salt/common/tools/sbin/so-firewall | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall
index 86387fc24..9772305fe 100755
--- a/salt/common/tools/sbin/so-firewall
+++ b/salt/common/tools/sbin/so-firewall
@@ -35,6 +35,7 @@ def showUsage(options, args):
 print('')
 print(' General commands:')
 print(' help - Prints this usage information.')
+ print(' apply - Apply the firewall state.')
 print('')
 print(' Host commands:')
 print(' listhostgroups - Lists the known host groups.')
@@ -66,7 +67,7 @@ def checkDefaultPortsOption(options):
 def checkApplyOption(options):
 if "--apply" in options:
- return apply()
+ return apply(None, None)
 def loadYaml(filename):
 file = open(filename, "r")
@@ -328,7 +329,7 @@ def removehost(options, args):
 code = checkApplyOption(options)
 return code
-def apply():
+def apply(options, args):
 proc = subprocess.run(['salt-call', 'state.apply', 'firewall', 'queue=True'])
 return proc.returncode
@@ -356,7 +357,8 @@ def main():
 "addport": addport,
 "removeport": removeport,
 "addhostgroup": addhostgroup,
- "addportgroup": addportgroup
+ "addportgroup": addportgroup,
+ "apply": apply
 }
 code=1
From 7cdb9678103212056081867c367d8359c93342fb Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 13 Jul 2021 11:36:18 -0400
Subject: [PATCH 2/9] Only route to FB module pipeline if filebeat in metadata
---
 .../pipelines/config/so/9050_output_filebeatmodules.conf.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja
index 56c8a311b..f8a9b25af 100644
--- a/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja
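Review bot: The new `def apply(options, args):` signature accepts two parameters it never reads, so `so-firewall apply <anything>` silently discards whatever follows the command, and the `return apply(None, None)` in the checkApplyOption hunk has to pass placeholders to satisfy a signature that exists only for the dispatch table in main(). That contract deserves a docstring, `"""Run the firewall salt state. options/args are accepted only so main() can dispatch uniformly and are ignored."""`, and if the other command handlers reject stray arguments (their bodies are outside these hunks) it would be consistent to do the same here so a typo is reported rather than dropped. The `subprocess.run` call reports a failed `salt-call` only through `proc.returncode`, which is adequate for a CLI exit status but worth stating in that docstring. The bodies of checkApplyOption, loadYaml and main() continue outside the hunks.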
+++ b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja
@@ -6,7 +6,7 @@
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 output {
- if [metadata][pipeline] {
+ if "filebeat" in [metadata][pipeline] {
 elasticsearch {
 id => "filebeat_modules_metadata_pipeline"
 pipeline => "%{[metadata][pipeline]}"
From e2c5967191b76830960af88458131a8cb6d0e6e5 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 13 Jul 2021 11:38:20 -0400
Subject: [PATCH 3/9] Update HOTFIX
---
 HOTFIX | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/HOTFIX b/HOTFIX
index 6e1406eb7..af7d2d9ae 100644
--- a/HOTFIX
+++ b/HOTFIX
@@ -1 +1 @@
-ECSFIX HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES
+ECSFIX HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES FBPIPELINE
From 741e825ab9c6b67287563272393cfeb5a5666441 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 13 Jul 2021 15:44:26 -0400
Subject: [PATCH 4/9] Remove old airgap scripts
---
 salt/common/tools/sbin/so-airgap-hotfixapply | 64 -------------------
 .../tools/sbin/so-airgap-hotfixdownload | 33 ----------
 2 files changed, 97 deletions(-)
 delete mode 100755 salt/common/tools/sbin/so-airgap-hotfixapply
 delete mode 100755 salt/common/tools/sbin/so-airgap-hotfixdownload
diff --git a/salt/common/tools/sbin/so-airgap-hotfixapply b/salt/common/tools/sbin/so-airgap-hotfixapply
deleted file mode 100755
index 0149cdf61..000000000
--- a/salt/common/tools/sbin/so-airgap-hotfixapply
+++ /dev/null
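Review bot: The new `if "filebeat" in [metadata][pipeline] {` narrows this output to pipeline names containing "filebeat", so an event carrying any other `[metadata][pipeline]` value, which the old `if [metadata][pipeline]` matched, no longer reaches this elasticsearch output; unless a later output in this file (outside the hunk) picks those events up, they now leave the pipeline without being indexed, and nothing here logs that. That fall-through is worth confirming and recording in the template, e.g. `{# Only Filebeat-module events are routed through their own ingest pipeline; events with any other [metadata][pipeline] value fall through to the outputs below #}`. Note also that Logstash's `in` on a string field is a substring test, so any pipeline name that merely contains "filebeat" matches, which is presumably the intent here.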
@@ -1,64 +0,0 @@ -#!/bin/bash - -# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -. /usr/sbin/so-common - -UPDATE_DIR=/tmp/sohotfixapply - -if [ -z "$1" ]; then - echo "No tarball given. Please provide the filename so I can run the hotfix" - echo "so-airgap-hotfixapply /path/to/sohotfix.tar" - exit 1 -else - if [ ! -f "$1" ]; then - echo "Unable to find $1. Make sure your path is correct and retry." - exit 1 - else - echo "Determining if we need to apply this hotfix" - rm -rf $UPDATE_DIR - mkdir -p $UPDATE_DIR - tar xvf $1 -C $UPDATE_DIR - - # Compare some versions - NEWVERSION=$(cat $UPDATE_DIR/VERSION) - HOTFIXVERSION=$(cat $UPDATE_DIR/HOTFIX) - CURRENTHOTFIX=$(cat /etc/sohotfix) - INSTALLEDVERSION=$(cat /etc/soversion) - - if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then - echo "Checking to see if there are hotfixes needed" - if [ "$HOTFIXVERSION" == "$CURRENTHOTFIX" ]; then - echo "You are already running the latest version of Security Onion." - rm -rf $UPDATE_DIR - exit 1 - else - echo "We need to apply a hotfix" - copy_new_files - echo $HOTFIXVERSION > /etc/sohotfix - salt-call state.highstate -l info queue=True - echo "The Hotfix $HOTFIXVERSION has been applied" - # Clean up - rm -rf $UPDATE_DIR - exit 0 - fi - else - echo "This hotfix is not compatible with your current version. 
Download the latest ISO and run soup" - rm -rf $UPDATE_DIR - fi - - fi -fi \ No newline at end of file diff --git a/salt/common/tools/sbin/so-airgap-hotfixdownload b/salt/common/tools/sbin/so-airgap-hotfixdownload deleted file mode 100755 index 422fa5f1f..000000000 --- a/salt/common/tools/sbin/so-airgap-hotfixdownload +++ /dev/null @@ -1,33 +0,0 @@ -#!/bin/bash - -# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -# Get the latest code -rm -rf /tmp/sohotfix -mkdir -p /tmp/sohotfix -cd /tmp/sohotfix -git clone https://github.com/Security-Onion-Solutions/securityonion -if [ ! -d "/tmp/sohotfix/securityonion" ]; then - echo "I was unable to get the latest code. Check your internet and try again." - exit 1 -else - echo "Looks like we have the code lets create the tarball." - cd /tmp/sohotfix/securityonion - tar cvf /tmp/sohotfix/sohotfix.tar HOTFIX VERSION salt pillar - echo "" - echo "Copy /tmp/sohotfix/sohotfix.tar to portable media and then copy it to your airgap manager." - exit 0 -fi \ No newline at end of file From 441cd3fc5916640f651eb3f4489ea9a9db7b55a0 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 14 Jul 2021 13:42:51 +0000 Subject: [PATCH 5/9] Move Wazuh-specific data to wazuh.data --- salt/elasticsearch/files/ingest/ossec | 1 + 1 file changed, 1 insertion(+) 
diff --git a/salt/elasticsearch/files/ingest/ossec b/salt/elasticsearch/files/ingest/ossec
index 868de2798..69bca3003 100644
--- a/salt/elasticsearch/files/ingest/ossec
+++ b/salt/elasticsearch/files/ingest/ossec
@@ -33,6 +33,7 @@
 { "rename": { "field": "data.win.eventdata.user", "target_field": "user.name", "ignore_missing": true } },
 { "rename": { "field": "data.win.system", "target_field": "winlog", "ignore_missing": true } },
 { "rename": { "field": "data.win.eventdata", "target_field": "winlog.event_data", "ignore_missing": true } },
+ { "rename": { "field": "data", "target_field": "wazuh.data", "ignore_missing": true } },
 { "rename": { "field": "winlog.eventID", "target_field": "winlog.event_id", "ignore_missing": true } },
 { "rename": { "field": "predecoder.program_name", "target_field": "process.name", "ignore_missing": true } },
 { "rename": { "field": "decoder.name", "target_field": "event.dataset", "ignore_missing": true } },
From 323b5d6694d698412227557e1cf18c282bcd92f6 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 14 Jul 2021 13:43:34 +0000
Subject: [PATCH 6/9] Add dynamic mapping for wazuh
---
 salt/elasticsearch/templates/so/so-common-template.json | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/salt/elasticsearch/templates/so/so-common-template.json b/salt/elasticsearch/templates/so/so-common-template.json
index 26a5f2ec7..8ac94793b 100644
--- a/salt/elasticsearch/templates/so/so-common-template.json
+++ b/salt/elasticsearch/templates/so/so-common-template.json
@@ -680,6 +680,10 @@
 "redis":{
 "type":"object",
 "dynamic": true
+ },
+ "wazuh":{
+ "type":"object",
+ "dynamic": true
 }
 }
 }
From 723172bc1fe31c1f262f8bf599d98735cf19ff15 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 14 Jul 2021 13:45:09 +0000
Subject: [PATCH 7/9] Add path_unmatch for data.port so it is not mapped as integer
---
 salt/elasticsearch/templates/so/so-common-template.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
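Review bot: The added `{ "rename": { "field": "data", "target_field": "wazuh.data", "ignore_missing": true } }` moves the entire `data` object, so any processor later in this pipeline that still addresses a `data.*` path (the rest of the pipeline is outside the hunk) now finds the field missing and, with `ignore_missing`, silently does nothing rather than failing loudly. It is worth checking the remainder of the ossec pipeline, and any dashboards or saved queries keyed on `data.`, and repointing them to `wazuh.data.`. The placement itself is right: the three `data.win.*` renames above it run first, and the visible lines after it only touch `winlog.*`, `predecoder.*` and `decoder.*`.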
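Review bot: The new `"wazuh":{ "type":"object", "dynamic": true }` entry lets every field that ever appears under `wazuh.*` add a mapping on first sight, and the Wazuh `data` object is agent- and rule-dependent, so one chatty or misbehaving agent can grow the index mapping until the field limit is reached and subsequent documents are rejected. Since JSON cannot carry a comment, this trade-off belongs in the commit message or docs, together with a check that the template's `index.mapping.total_fields.limit` and the dynamic templates earlier in this file (both outside the hunk) give those fields sane types. If only a known subset of `wazuh.data` fields is consumed downstream, mapping those explicitly and setting the object to `"dynamic": false` would bound the growth without losing the data.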
diff --git a/salt/elasticsearch/templates/so/so-common-template.json b/salt/elasticsearch/templates/so/so-common-template.json
index 8ac94793b..8afac271c 100644
--- a/salt/elasticsearch/templates/so/so-common-template.json
+++ b/salt/elasticsearch/templates/so/so-common-template.json
@@ -65,7 +65,8 @@
 {
 "port": {
 "path_match": "*.port",
- "mapping": {
+ "path_unmatch": "*.data.port",
+ "mapping": {
 "type": "integer",
 "fields" : {
 "keyword" : {
From 92a80f9a58646e3994c77eb5c2f1d5b948c7c4b7 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 14 Jul 2021 10:30:10 -0400
Subject: [PATCH 8/9] Update ISO info
---
 VERIFY_ISO.md | 22 +++++++++----------
 sigs/securityonion-2.3.60-FBPIPELINE.iso.sig | Bin 0 -> 543 bytes
 2 files changed, 11 insertions(+), 11 deletions(-)
 create mode 100644 sigs/securityonion-2.3.60-FBPIPELINE.iso.sig
diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md
index d64b20075..b79f81c72 100644
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
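Review bot: `"path_unmatch": "*.data.port"` excludes a `data.port` field under any parent, not only the `wazuh.data.port` the commit message is about, so any other source that nests a `data` object with a numeric `port` also loses the integer mapping from this template. If the Wazuh field is the target, `"path_unmatch": "wazuh.data.port"` is the more precise exception; either way, what `data.port` ends up mapped as then depends on the dynamic templates that follow (outside the hunk), which is worth confirming because JSON gives no place to explain the exception inline. The `"mapping": {` line is removed and re-added with no visible change, which looks like a whitespace-only edit worth normalizing before merge.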
@@ -1,18 +1,18 @@
-### 2.3.60-ECSFIX ISO image built on 2021/07/02
+### 2.3.60-FBPIPELINE ISO image built on 2021/07/13
 ### Download and Verify
-2.3.60-ECSFIX ISO image:
-https://download.securityonion.net/file/securityonion/securityonion-2.3.60-ECSFIX.iso
+2.3.60-FBPIPELINE ISO image:
+https://download.securityonion.net/file/securityonion/securityonion-2.3.60-FBPIPELINE.iso
-MD5: BCD2C449BD3B65D96A0D1E479C0414F9
-SHA1: 18FB8F33C19980992B291E5A7EC23D5E13853933
-SHA256: AD3B750E7FC4CA0D58946D8FEB703AE9B01508E314967566B06CFE5D8A8086E9
+MD5: 2EA2B337289D0CFF0C7488E8E88FE7BE
+SHA1: 7C22F16AD395E079F4C5345093AF26C105E36D4C
+SHA256: 3B685BBD19711229C5FCD5D254BA5024AF0C36A3E379790B5E83037CE2668724
 Signature for ISO image:
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-ECSFIX.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-FBPIPELINE.iso.sig
 Signing key:
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 Download the signature file for the ISO:
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-ECSFIX.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-FBPIPELINE.iso.sig
 ```
 Download the ISO image:
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.60-ECSFIX.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.60-FBPIPELINE.iso
 ```
 Verify the downloaded ISO image using the signature file:
 ```
-gpg --verify securityonion-2.3.60-ECSFIX.iso.sig securityonion-2.3.60-ECSFIX.iso
+gpg --verify securityonion-2.3.60-FBPIPELINE.iso.sig securityonion-2.3.60-FBPIPELINE.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Fri 02 Jul 2021 10:15:04 AM EDT using RSA key ID FE507013
+gpg: Signature made Tue 13 Jul 2021 04:12:08 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC "
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg: There is no indication that the signature belongs to the owner.
diff --git a/sigs/securityonion-2.3.60-FBPIPELINE.iso.sig b/sigs/securityonion-2.3.60-FBPIPELINE.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..56418a152a0e92f0f49ecb19a5e5829208c02d07 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;90^Oyh%2@re`V7LBIa1(!}5B@xPR#8-;uiHcl0@3*S}#^;B0m+2ie*Z{>Lm)x zy!gLhT|?6%eOJbhKu%=&sA~Rb*1{>`o=S?7#9<9<1yXqNG%G%AQ0Vrlxa*;0aF{6m za0X?1iM6Z0Htd{UMpDl5UlAJWHk(^aW1R?%7{lC@Z#_uuJ(JcDn%|z8WYshk4b2v? zGJ`#Y-^m^?=iO|E!+C|0Wph?}OT^kib5jdg>*h>Ub{x2}DE@48$Q=!-EXJ#z))7C} ziKxQc@30q*wl^QoCBi!@N`N?iFRZUeb7rJv!9og4bsI`#sPJrshrK(B);G>A8sP^Q zea^e*Xs@#})uGVzrIJ3W9gO&Ph8Tb3LE4D-`{PEcyWm;@)w4DX14af#`LxwuuJCpe zUs@qnC+qYzF+2N^@Y3F?U9ZR7fUq`2%#_D)S>D&668~Oou^5CVoaWNsV)*8v1i=u1 z;c7DF!Q76NwQ(_aSFZFBwRyjiYslKr-xS4UT8KyrYQMcN2VF9-2RT#%5} h+6FRS4wBhD?XtfNC`;ny$o=-pb-6W>U0dsiZm&%O4_p8M literal 0 HcmV?d00001 From 05aad07bfc1e0277a90e9e391d9a0f82a93385c7 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 14 Jul 2021 15:04:46 +0000 Subject: [PATCH 9/9] Replace staging path with processed path for analyzed files --- salt/elasticsearch/files/ingest/strelka.file | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticsearch/files/ingest/strelka.file b/salt/elasticsearch/files/ingest/strelka.file index e5e8560f8..fbcf1252a 100644 --- a/salt/elasticsearch/files/ingest/strelka.file +++ b/salt/elasticsearch/files/ingest/strelka.file 
@@ -8,6 +8,7 @@
 { "rename": { "field": "scan.hash", "target_field": "hash", "ignore_missing": true } },
 { "rename": { "field": "scan.exiftool", "target_field": "exiftool", "ignore_missing": true } },
 { "grok": { "if": "ctx.request?.attributes?.filename != null", "field": "request.attributes.filename", "patterns": ["-%{WORD:log.id.fuid}-"], "ignore_failure": true } },
+ { "gsub": { "if": "ctx.request?.attributes?.filename != null", "field": "request.attributes.filename", "pattern": "\/nsm\/strelka\/staging", "replacement": "\/nsm\/strelka\/processed" } },
 { "foreach": { "if": "ctx.exiftool?.keys !=null",