From 5b3ca98b807810c6db061d81382120338091f568 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 6 Apr 2026 10:12:37 -0400
Subject: [PATCH 1/4] Fix JA4+ license link in soc_zeek.yaml

Updated the license link in the JA4+ fingerprinting description.
---
 salt/zeek/soc_zeek.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml
index a14594635..3bf1d2768 100644
--- a/salt/zeek/soc_zeek.yaml
+++ b/salt/zeek/soc_zeek.yaml
@@ -5,7 +5,7 @@ zeek:
 helpLink: zeek
 ja4plus:
 enabled:
- description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license [https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4](https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)."
+ description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license [https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE](https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE)."
 forcedType: bool
 helpLink: zeek
 advanced: False

From 2166bb749af57ee41702dd477d5b66acdf85247d Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Wed, 8 Apr 2026 14:59:05 -0400
Subject: [PATCH 2/4] ensure max-files is 1 at minimum

---
 salt/suricata/map.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja
index 944e0e34d..f7059b293 100644
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -33,7 +33,7 @@
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'conditional': SURICATAMERGED.pcap.conditional}) %}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'dir': SURICATAMERGED.pcap.dir}) %}
 {# multiply maxsize by 1000 since it is saved in GB, i.e. 52 = 52000MB. filesize is also saved in MB and we strip the MB and convert to int #}
-{% set maxfiles = (SURICATAMERGED.pcap.maxsize * 1000 / (SURICATAMERGED.pcap.filesize[:-2] | int) / SURICATAMERGED.config['af-packet'].threads | int) | round | int %}
+{% set maxfiles = ([1, (SURICATAMERGED.pcap.maxsize * 1000 / (SURICATAMERGED.pcap.filesize[:-2] | int) / SURICATAMERGED.config['af-packet'].threads | int) | round(0, 'ceil') | int] | max) %}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'max-files': maxfiles}) %}
 {% endif %}

From 28d31f48409f0a358456cfdbc14d67325d54672d Mon Sep 17 00:00:00 2001
From: Matthew Wright
Date: Wed, 8 Apr 2026 15:25:51 -0400
Subject: [PATCH 3/4] add charsPerTokenEstimate

---
 salt/soc/defaults.yaml | 1 +
 salt/soc/soc_soc.yaml | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 0bde8f20e..cc80758fc 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -2687,4 +2687,5 @@ soc:
 lowBalanceColorAlert: 500000
 enabled: true
 adapter: SOAI
+ charsPerTokenEstimate: 4
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index c5f96894d..d4e908637 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -761,7 +761,7 @@ soc:
 required: True
 - field: origin
 label: Country of Origin for the Model Training
- required: false
+ required: False
 - field: contextLimitSmall
 label: Context Limit (Small)
 forcedType: int
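Review bot: The new `| max` floor on the `{% set maxfiles %}` line protects the result but not the divisors: `SURICATAMERGED.pcap.filesize[:-2] | int` and `SURICATAMERGED.config['af-packet'].threads | int` both fall back to 0 when the value does not parse as an integer (Jinja's `int` filter default), so a filesize without a numeric prefix, or a non-numeric threads value if this config ever carries one such as `auto`, turns a misconfiguration into a division-by-zero render failure rather than a clamped count. Consider clamping the inputs first, e.g. `{% set pcap_threads = [1, SURICATAMERGED.config['af-packet'].threads | int] | max %}` and `{% set pcap_filesize_mb = [1, SURICATAMERGED.pcap.filesize[:-2] | int] | max %}`, and dividing by those. The comment above the line still describes only the unit conversion; it could also say that the count is rounded up and floored at 1 so `max-files` is never 0. The enclosing `{% if %}` block starts outside the hunk.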
@@ -779,6 +779,10 @@ soc:
 - field: enabled
 label: Enabled
 forcedType: bool
+ - field: charsPerTokenEstimate
+ label: Characters per Token Estimate
+ forcedType: float
+ required: False
 apiTimeoutMs:
 description: Duration (in milliseconds) to wait for a response from the SOC server API before giving up and showing an error on the SOC UI.
 global: True

From 9ec4a26f97dd68fb02ddd6d422270fdf9700ec25 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Thu, 9 Apr 2026 10:18:36 -0400
Subject: [PATCH 4/4] define options in annotation files

---
 salt/global/soc_global.yaml | 6 ------
 salt/influxdb/soc_influxdb.yaml | 13 ++++++++++---
 salt/kafka/soc_kafka.yaml | 18 ++++++++++++++----
 salt/kratos/soc_kratos.yaml | 13 +++++++++----
 salt/suricata/soc_suricata.yaml | 10 +++++++---
 5 files changed, 40 insertions(+), 20 deletions(-)

diff --git a/salt/global/soc_global.yaml b/salt/global/soc_global.yaml
index 33abbf690..c15f3eb98 100644
--- a/salt/global/soc_global.yaml
+++ b/salt/global/soc_global.yaml
@@ -11,18 +11,14 @@ global:
 regexFailureMessage: You must enter a valid IP address or CIDR.
 mdengine:
 description: Which engine to use for meta data generation. Options are ZEEK and SURICATA.
- regex: ^(ZEEK|SURICATA)$
 options:
 - ZEEK
 - SURICATA
- regexFailureMessage: You must enter either ZEEK or SURICATA.
 global: True
 pcapengine:
 description: Which engine to use for generating pcap. Currently only SURICATA is supported.
- regex: ^(SURICATA)$
 options:
 - SURICATA
- regexFailureMessage: You must enter either SURICATA.
 global: True
 ids:
 description: Which IDS engine to use. Currently only Suricata is supported.
@@ -42,11 +38,9 @@ global:
 advanced: True
 pipeline:
 description: Sets which pipeline technology for events to use. The use of Kafka requires a Security Onion Pro license.
- regex: ^(REDIS|KAFKA)$
 options:
 - REDIS
 - KAFKA
- regexFailureMessage: You must enter either REDIS or KAFKA.
 global: True
 advanced: True
 repo_host:
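Review bot: The new `charsPerTokenEstimate` field is declared `forcedType: float` with `required: False`, while the default added in salt/soc/defaults.yaml is the integer `4`, and nothing in the annotation states a valid range; presumably the consumer divides a character count by this value, in which case `0` or a negative entry is a bad input the form would not reject. If the `field` schema accepts it, add a `regex` lower bound, or at minimum make the label carry the constraint, e.g. `label: Characters per Token Estimate (greater than 0, typically 4)`. The `field` list that holds this entry starts and ends outside the hunk.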
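Review bot: Dropping `regex`/`regexFailureMessage` in favour of `options` under `mdengine` and `pcapengine` only preserves validation if the SOC settings form rejects values outside the `options` list rather than merely offering them as suggestions; if `options` is advisory, a lowercase or misspelled engine name would now pass into the pillar unchecked, whereas the anchored `^(ZEEK|SURICATA)$` rejected it. That enforcement lives in the UI/server code, not in this diff, so it is worth confirming before merging, or keeping `regex` alongside `options` for keys that feed directly into templates. The same question applies to every other hunk in this patch: `pipeline` in the second soc_global.yaml hunk, the three soc_influxdb.yaml hunks, the three soc_kafka.yaml hunks, the two soc_kratos.yaml hunks and both soc_suricata.yaml hunks.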
diff --git a/salt/influxdb/soc_influxdb.yaml b/salt/influxdb/soc_influxdb.yaml
index 3dbf0875b..2b6bffe49 100644
--- a/salt/influxdb/soc_influxdb.yaml
+++ b/salt/influxdb/soc_influxdb.yaml
@@ -85,7 +85,10 @@ influxdb:
 description: The log level to use for outputting log statements. Allowed values are debug, info, or error.
 global: True
 advanced: false
- regex: ^(info|debug|error)$
+ options:
+ - info
+ - debug
+ - error
 helpLink: influxdb
 metrics-disabled:
 description: If true, the HTTP endpoint that exposes internal InfluxDB metrics will be inaccessible.
@@ -140,7 +143,9 @@ influxdb:
 description: Determines the type of storage used for secrets. Allowed values are bolt or vault.
 global: True
 advanced: True
- regex: ^(bolt|vault)$
+ options:
+ - bolt
+ - vault
 helpLink: influxdb
 session-length:
 description: Number of minutes that a user login session can remain authenticated.
@@ -260,7 +265,9 @@ influxdb:
 description: The type of data store to use for HTTP resources. Allowed values are disk or memory. Memory should not be used for production Security Onion installations.
 global: True
 advanced: True
- regex: ^(disk|memory)$
+ options:
+ - disk
+ - memory
 helpLink: influxdb
 tls-cert:
 description: The container path to the certificate to use for TLS encryption of the HTTP requests and responses.
diff --git a/salt/kafka/soc_kafka.yaml b/salt/kafka/soc_kafka.yaml
index b8d0c7c32..85469b8a4 100644
--- a/salt/kafka/soc_kafka.yaml
+++ b/salt/kafka/soc_kafka.yaml
@@ -128,10 +128,13 @@ kafka:
 title: ssl.keystore.password
 sensitive: True
 helpLink: kafka
- ssl_x_keystore_x_type:
+ ssl_x_keystore_x_type:
 description: The key store file format.
 title: ssl.keystore.type
- regex: ^(JKS|PKCS12|PEM)$
+ options:
+ - JKS
+ - PKCS12
+ - PEM
 helpLink: kafka
 ssl_x_truststore_x_location:
 description: The trust store file location within the Docker container.
@@ -160,7 +163,11 @@ kafka:
 security_x_protocol:
 description: 'Broker communication protocol. Options are: SASL_SSL, PLAINTEXT, SSL, SASL_PLAINTEXT'
 title: security.protocol
- regex: ^(SASL_SSL|PLAINTEXT|SSL|SASL_PLAINTEXT)
+ options:
+ - SASL_SSL
+ - PLAINTEXT
+ - SSL
+ - SASL_PLAINTEXT
 helpLink: kafka
 ssl_x_keystore_x_location:
 description: The key store file location within the Docker container.
@@ -174,7 +181,10 @@ kafka:
 ssl_x_keystore_x_type:
 description: The key store file format.
 title: ssl.keystore.type
- regex: ^(JKS|PKCS12|PEM)$
+ options:
+ - JKS
+ - PKCS12
+ - PEM
 helpLink: kafka
 ssl_x_truststore_x_location:
 description: The trust store file location within the Docker container.
diff --git a/salt/kratos/soc_kratos.yaml b/salt/kratos/soc_kratos.yaml
index 1cd2728c8..07359bcab 100644
--- a/salt/kratos/soc_kratos.yaml
+++ b/salt/kratos/soc_kratos.yaml
@@ -21,8 +21,12 @@ kratos:
 description: "Specify the provider type. Required. Valid values are: auth0, generic, github, google, microsoft"
 global: True
 forcedType: string
- regex: "auth0|generic|github|google|microsoft"
- regexFailureMessage: "Valid values are: auth0, generic, github, google, microsoft"
+ options:
+ - auth0
+ - generic
+ - github
+ - google
+ - microsoft
 helpLink: oidc
 client_id:
 description: Specify the client ID, also referenced as the application ID. Required.
@@ -43,8 +47,9 @@ kratos:
 description: The source of the subject identifier. Typically 'userinfo'. Only used when provider is 'microsoft'.
 global: True
 forcedType: string
- regex: me|userinfo
- regexFailureMessage: "Valid values are: me, userinfo"
+ options:
+ - me
+ - userinfo
 helpLink: oidc
 auth_url:
 description: Provider's auth URL. Required when provider is 'generic'.
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index c85b876a9..ce6b7d008 100644
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
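Review bot: The `security_x_protocol` options list now presents `PLAINTEXT` and `SASL_PLAINTEXT` next to the TLS variants, but the description above it only enumerates the names, so an operator choosing from a dropdown gets no hint that those two carry broker traffic — and, for `SASL_PLAINTEXT`, the SASL credentials themselves — without encryption. Suggest extending the context line to `description: 'Broker communication protocol. Options are: SASL_SSL, PLAINTEXT, SSL, SASL_PLAINTEXT. PLAINTEXT and SASL_PLAINTEXT send traffic (and, for SASL_PLAINTEXT, credentials) unencrypted; prefer SASL_SSL or SSL outside isolated test networks.'` The mapping that contains `security_x_protocol` starts outside the hunk.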
@@ -64,8 +64,10 @@ suricata:
 helpLink: suricata
 conditional:
 description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules.
- regex: ^(all|alerts|tag)$
- regexFailureMessage: You must enter either all, alert or tag.
+ options:
+ - all
+ - alerts
+ - tag
 helpLink: suricata
 dir:
 description: Parent directory to store PCAP.
@@ -83,7 +85,9 @@ suricata:
 advanced: True
 cluster-type:
 advanced: True
- regex: ^(cluster_flow|cluster_qm)$
+ options:
+ - cluster_flow
+ - cluster_qm
 defrag:
 description: Enable defragmentation of IP packets before processing.
 forcedType: bool
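Review bot: `cluster-type` still has no `description`, unlike `conditional`, `dir` and `defrag` in this file, so the new `options` list offers `cluster_flow` and `cluster_qm` with nothing explaining the choice or its hardware dependency. Suggest adding under `cluster-type:` the line `description: AF_PACKET load-balancing mode. cluster_flow hashes packets to worker threads by flow; cluster_qm binds each worker to a NIC RSS queue and only balances correctly when the NIC's queues are configured to match.` The mapping that contains `cluster-type` starts outside the hunk.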