diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
new file mode 100644
index 000000000..28722fe01
--- /dev/null
+++ b/salt/elastalert/init.sls
@@ -0,0 +1,101 @@ +# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +{% if grains['role'] == 'so-master' %} + +{% set esalert = salt['pillar.get']('master:elastalert', '1') %} +{% set esip = salt['pillar.get']('master:mainip', '') %} +{% set esport = salt['pillar.get']('master:es_port', '') %} + + +{% elif grains['role'] == 'so-eval' %} + +{% set esalert = salt['pillar.get']('master:elastalert', '1') %} +{% set esip = salt['pillar.get']('master:mainip', '') %} +{% set esport = salt['pillar.get']('master:es_port', '') %} + + +{% elif grains['role'] == 'so-node' %} + +{% set esalert = salt['pillar.get']('node:elastalert', '0') %} + +{% endif %} + +# Elastalert +{% if esalert == 1 %} + +# Create the group +elastagroup: + group.present: + - name: elastalert + - gid: 933 + +# Add user +elastalert: + user.present: + - uid: 933 + - gid: 933 + - home: /opt/so/conf/elastalert + - createhome: False + +elastalogdir: + file.directory: + - name: /opt/so/log/elastalert + - user: 933 + - group: 939 + - makedirs: True + +elastarules: + file.directory: + - name: /opt/so/rules/elastalert + - user: 933 + - group: 939 + - makedirs: True + +#elastaconfdir: +# file.directory: +# - name: /opt/so/conf/elastalert +# - user: 933 +# - group: 939 +# - makedirs: True + +#elastaconf: +# file.managed: +# - name: /opt/so/conf/elastalert/config.yaml +# - source: 
salt://elastalert/files/config.yaml +# - user: 933 +# - group: 939 +# - template: jinja + +so-elastalert: + docker_container.running: + - image: soshybridhunter/so-elastalert:HH1.0.3 + - hostname: elastalert + - name: so-elastalert + - user: elastalert + - detach: True + - binds: +# - /opt/so/conf/elastalert/config.yaml:/etc/elastalert/conf/elastalert_config.yaml:ro + - /opt/so/rules/elastalert:/etc/elastalert/rules/:ro + - /opt/so/log/elastalert:/var/log/elastalert:rw + - environment: + - ELASTICSEARCH_HOST: {{ esip }} + - ELASTICSEARCH_PORT: {{ esport }} + - ELASTALERT_CONFIG: /etc/elastalert/conf/elastalert_config.yaml + - ELASTALERT_SUPERVISOR_CONF: /etc/elastalert/conf/elastalert_supervisord.conf + - RULES_DIRECTORY: /etc/elastalert/rules/ + - LOG_DIR: /var/log/elastalert + +{% endif %} diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 122e2f7eb..27bc883f4 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -18,7 +18,6 @@ {% set esheap = salt['pillar.get']('master:esheap', '') %} {% set freq = salt['pillar.get']('master:freq', '0') %} {% set dstats = salt['pillar.get']('master:dstats', '0') %} -{% set esalert = salt['pillar.get']('master:elastalert', '1') %} {% elif grains['role'] == 'so-eval' %} @@ -26,7 +25,6 @@ {% set esheap = salt['pillar.get']('master:esheap', '') %} {% set freq = salt['pillar.get']('master:freq', '0') %} {% set dstats = salt['pillar.get']('master:dstats', '0') %} -{% set esalert = salt['pillar.get']('master:elastalert', '1') %} {% elif grains['role'] == 'so-node' %} @@ -34,7 +32,6 @@ {% set esheap = salt['pillar.get']('node:esheap', '') %} {% set freq = salt['pillar.get']('node:freq', '0') %} {% set dstats = salt['pillar.get']('node:dstats', '0') %} -{% set esalert = salt['pillar.get']('node:elastalert', '1') %} {% endif %} 
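Review bot: `{% if esalert == 1 %}` near the end of the new salt/elastalert/init.sls compares against the integer 1, but the `pillar.get` calls above default to the strings `'1'` and `'0'`, so unless the pillar supplies an integer the comparison is false and the elastalert group, user, directories and container are never created; `{% if esalert|int == 1 %}` would accept both forms. On so-node only esalert is set, so a node pillar that enables elastalert renders `ELASTICSEARCH_HOST`/`ELASTICSEARCH_PORT` from undefined variables — presumably the node pillar should carry them as well, or the block should be limited to the master roles. The log and rules directories are owned by group 939 while the elastalert group created just above has gid 933; that looks carried over from the removed pulledpork state (uid/gid 939) and is worth confirming, since the container runs as `elastalert` and relies on the uid-933 ownership alone for write access to the log directory. `ELASTALERT_CONFIG` points at a path whose bind mount is commented out, so the config must come from the image — a one-line comment saying so would save the next reader a search.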
@@ -193,54 +190,3 @@ so-domainstats: {% endif %} - -# Elastalert -{% if esalert == 1 %} - -# Create the group -elastagroup: - group.present: - - name: elastalert - - gid: 933 - -# Add user -elastalert: - user.present: - - uid: 933 - - gid: 933 - - home: /opt/so/conf/elastalert - - createhome: False - -elastalogdir: - file.directory: - - name: /opt/so/log/elastalert - - user: 933 - - group: 939 - - makedirs: True - -elastarules: - file.directory: - - name: /opt/so/rules/elastalert - - user: 933 - - group: 939 - - makedirs: True - -elastaconf: - file.directory: - - name: /opt/so/conf/elastalert - - user: 933 - - group: 939 - - makedirs: True - -so-elastalert: - docker_container.running: - - image: soshybridhunter/so-elastalert:HH1.0.3 - - hostname: elastalert - - name: so-elastalert - - user: elastalert - - detach: True - - binds: - - /etc/elastalert/rules/:/etc/elastalert/rules/:ro - - /opt/so/log/elastalert:/var/log/elastalert:rw - -{% endif %} diff --git a/salt/logstash/conf/conf.enabled.txt.so-eval b/salt/logstash/conf/conf.enabled.txt.so-eval index e5ce9c803..71e50525f 100644 --- a/salt/logstash/conf/conf.enabled.txt.so-eval +++ b/salt/logstash/conf/conf.enabled.txt.so-eval @@ -12,8 +12,8 @@ /usr/share/logstash/pipeline.so/0002_input_windows_json.conf /usr/share/logstash/pipeline.so/0003_input_syslog.conf /usr/share/logstash/pipeline.so/0005_input_suricata.conf +/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf /usr/share/logstash/pipeline.so/0007_input_import.conf -/usr/share/logstash/pipeline.so/0008_input_eval.conf /usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf /usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf /usr/share/logstash/pipeline.so/1002_preprocess_json.conf diff --git a/salt/logstash/conf/conf.enabled.txt.so-eval.old b/salt/logstash/conf/conf.enabled.txt.so-eval.old new file mode 100644 index 000000000..e5ce9c803 --- /dev/null +++ b/salt/logstash/conf/conf.enabled.txt.so-eval.old 
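Review bot: The added `/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf` is the only input in this list taken from `pipeline.dynamic` rather than `pipeline.so`; if `pipeline.dynamic` is populated by templating at deploy time, confirm that file is actually rendered on so-eval, since an enabled path that does not exist will stop logstash from loading its pipeline. Dropping `0008_input_eval.conf` in the same hunk looks deliberate, but the matching entry lives on in the `.old` copy this commit adds.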
@@ -0,0 +1,109 @@
+# This is where can specify which LogStash configs get loaded.
+#
+# The custom folder on the master gets automatically synced to each logstash
+# node.
+#
+# To enable a custom configuration see the following example and uncomment:
+# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
+##
+# All of the defaults are loaded.
+/usr/share/logstash/pipeline.so/0000_input_syslogng.conf
+/usr/share/logstash/pipeline.so/0001_input_json.conf
+/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
+/usr/share/logstash/pipeline.so/0003_input_syslog.conf
+/usr/share/logstash/pipeline.so/0005_input_suricata.conf
+/usr/share/logstash/pipeline.so/0007_input_import.conf
+/usr/share/logstash/pipeline.so/0008_input_eval.conf
+/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf
+/usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf
+/usr/share/logstash/pipeline.so/1002_preprocess_json.conf
+/usr/share/logstash/pipeline.so/1003_preprocess_bro.conf
+/usr/share/logstash/pipeline.so/1004_preprocess_syslog_types.conf
+/usr/share/logstash/pipeline.so/1026_preprocess_dhcp.conf
+/usr/share/logstash/pipeline.so/1029_preprocess_esxi.conf
+/usr/share/logstash/pipeline.so/1030_preprocess_greensql.conf
+/usr/share/logstash/pipeline.so/1031_preprocess_iis.conf
+/usr/share/logstash/pipeline.so/1032_preprocess_mcafee.conf
+/usr/share/logstash/pipeline.so/1033_preprocess_snort.conf
+/usr/share/logstash/pipeline.so/1034_preprocess_syslog.conf
+/usr/share/logstash/pipeline.so/1100_preprocess_bro_conn.conf
+/usr/share/logstash/pipeline.so/1101_preprocess_bro_dhcp.conf
+/usr/share/logstash/pipeline.so/1102_preprocess_bro_dns.conf
+/usr/share/logstash/pipeline.so/1103_preprocess_bro_dpd.conf
+/usr/share/logstash/pipeline.so/1104_preprocess_bro_files.conf
+/usr/share/logstash/pipeline.so/1105_preprocess_bro_ftp.conf
+/usr/share/logstash/pipeline.so/1106_preprocess_bro_http.conf
+/usr/share/logstash/pipeline.so/1107_preprocess_bro_irc.conf
+/usr/share/logstash/pipeline.so/1108_preprocess_bro_kerberos.conf
+/usr/share/logstash/pipeline.so/1109_preprocess_bro_notice.conf
+/usr/share/logstash/pipeline.so/1110_preprocess_bro_rdp.conf
+/usr/share/logstash/pipeline.so/1111_preprocess_bro_signatures.conf
+/usr/share/logstash/pipeline.so/1112_preprocess_bro_smtp.conf
+/usr/share/logstash/pipeline.so/1113_preprocess_bro_snmp.conf
+/usr/share/logstash/pipeline.so/1114_preprocess_bro_software.conf
+/usr/share/logstash/pipeline.so/1115_preprocess_bro_ssh.conf
+/usr/share/logstash/pipeline.so/1116_preprocess_bro_ssl.conf
+/usr/share/logstash/pipeline.so/1117_preprocess_bro_syslog.conf
+/usr/share/logstash/pipeline.so/1118_preprocess_bro_tunnel.conf
+/usr/share/logstash/pipeline.so/1119_preprocess_bro_weird.conf
+/usr/share/logstash/pipeline.so/1121_preprocess_bro_mysql.conf
+/usr/share/logstash/pipeline.so/1122_preprocess_bro_socks.conf
+/usr/share/logstash/pipeline.so/1123_preprocess_bro_x509.conf
+/usr/share/logstash/pipeline.so/1124_preprocess_bro_intel.conf
+/usr/share/logstash/pipeline.so/1125_preprocess_bro_modbus.conf
+/usr/share/logstash/pipeline.so/1126_preprocess_bro_sip.conf
+/usr/share/logstash/pipeline.so/1127_preprocess_bro_radius.conf
+/usr/share/logstash/pipeline.so/1128_preprocess_bro_pe.conf
+/usr/share/logstash/pipeline.so/1129_preprocess_bro_rfb.conf
+/usr/share/logstash/pipeline.so/1130_preprocess_bro_dnp3.conf
+/usr/share/logstash/pipeline.so/1131_preprocess_bro_smb_files.conf
+/usr/share/logstash/pipeline.so/1132_preprocess_bro_smb_mapping.conf
+/usr/share/logstash/pipeline.so/1133_preprocess_bro_ntlm.conf
+/usr/share/logstash/pipeline.so/1134_preprocess_bro_dce_rpc.conf
+/usr/share/logstash/pipeline.so/1998_test_data.conf
+/usr/share/logstash/pipeline.so/2000_network_flow.conf
+/usr/share/logstash/pipeline.so/6000_bro.conf
+/usr/share/logstash/pipeline.so/6001_bro_import.conf
+/usr/share/logstash/pipeline.so/6002_syslog.conf
+/usr/share/logstash/pipeline.so/6101_switch_brocade.conf
+/usr/share/logstash/pipeline.so/6200_firewall_fortinet.conf
+/usr/share/logstash/pipeline.so/6201_firewall_pfsense.conf
+/usr/share/logstash/pipeline.so/6300_windows.conf
+/usr/share/logstash/pipeline.so/6301_dns_windows.conf
+/usr/share/logstash/pipeline.so/6400_suricata.conf
+/usr/share/logstash/pipeline.so/6500_ossec.conf
+/usr/share/logstash/pipeline.so/6501_ossec_sysmon.conf
+/usr/share/logstash/pipeline.so/6502_ossec_autoruns.conf
+/usr/share/logstash/pipeline.so/6600_winlogbeat_sysmon.conf
+/usr/share/logstash/pipeline.so/6700_winlogbeat.conf
+/usr/share/logstash/pipeline.so/8000_postprocess_bro_cleanup.conf
+/usr/share/logstash/pipeline.so/8001_postprocess_common_ip_augmentation.conf
+#/usr/share/logstash/pipeline.so/8006_postprocess_dns.conf
+#/usr/share/logstash/pipeline.so/8007_postprocess_dns_top1m_tagging.conf
+/usr/share/logstash/pipeline.so/8007_postprocess_http.conf
+#/usr/share/logstash/pipeline.so/8008_postprocess_dns_whois_age.conf
+/usr/share/logstash/pipeline.so/8200_postprocess_tagging.conf
+#/usr/share/logstash/pipeline.so/8502_postprocess_freq_analysis_bro_dns.conf
+#/usr/share/logstash/pipeline.so/8503_postprocess_freq_analysis_bro_http.conf
+#/usr/share/logstash/pipeline.so/8504_postprocess_freq_analysis_bro_ssl.conf
+#/usr/share/logstash/pipeline.so/8505_postprocess_freq_analysis_bro_x509.conf
+/usr/share/logstash/pipeline.so/8998_postprocess_log_elapsed.conf
+/usr/share/logstash/pipeline.so/8999_postprocess_rename_type.conf
+/usr/share/logstash/pipeline.dynamic/9000_output_bro.conf
+/usr/share/logstash/pipeline.dynamic/9001_output_switch.conf
+/usr/share/logstash/pipeline.dynamic/9002_output_import.conf
+/usr/share/logstash/pipeline.dynamic/9004_output_flow.conf
+/usr/share/logstash/pipeline.dynamic/9026_output_dhcp.conf
+/usr/share/logstash/pipeline.dynamic/9029_output_esxi.conf
+/usr/share/logstash/pipeline.dynamic/9030_output_greensql.conf
+/usr/share/logstash/pipeline.dynamic/9031_output_iis.conf
+/usr/share/logstash/pipeline.dynamic/9032_output_mcafee.conf
+/usr/share/logstash/pipeline.dynamic/9033_output_snort.conf
+/usr/share/logstash/pipeline.dynamic/9034_output_syslog.conf
+/usr/share/logstash/pipeline.dynamic/9200_output_firewall.conf
+/usr/share/logstash/pipeline.dynamic/9300_output_windows.conf
+/usr/share/logstash/pipeline.dynamic/9301_output_dns_windows.conf
+/usr/share/logstash/pipeline.dynamic/9400_output_suricata.conf
+/usr/share/logstash/pipeline.dynamic/9500_output_beats.conf
+/usr/share/logstash/pipeline.dynamic/9600_output_ossec.conf
+/usr/share/logstash/pipeline.dynamic/9998_output_test_data.conf
diff --git a/salt/pulledpork/etc/disablesid.conf b/salt/pulledpork/etc/disablesid.conf
deleted file mode 100644
index 7e2381aa3..000000000
--- a/salt/pulledpork/etc/disablesid.conf
+++ /dev/null
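Review bot: `conf.enabled.txt.so-eval.old` is a byte-for-byte copy of the previous so-eval list committed alongside the live file; that history is already in git, and if this directory is distributed with `file.recurse` (as the removed pulledpork state did for its etc directory) the stale copy is shipped to every node as well. Drop the file from the commit, or if a reference copy is wanted, give it a name that cannot be mistaken for an active pipeline list.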
@@ -1,38 +0,0 @@ -# example disablesid.conf V3.1 - -# Example of modifying state for individual rules -# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010 - -# Example of modifying state for rule ranges -# 1:220-1:3264,3:13010-3:13013 - -# Comments are allowed in this file, and can also be on the same line -# As the modify state syntax, as long as it is a trailing comment -# 1:1011 # I Disabled this rule because I could! - -# Example of modifying state for MS and cve rules, note the use of the : -# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301, -# and all MS00 and all cve 2000 related sids! These support regular expression -# matching only after you have specified what you are looking for, i.e. -# MS00- or cve:, the first section CANNOT contain a regular -# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below) -# for this. -# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+ - -# Example of using the pcre: keyword to modify rulestate. the pcre keyword -# allows for full use of regular expression syntax, you do not need to designate -# with / and all pcre searches are treated as case insensitive. For more information -# about regular expression syntax: http://www.regular-expressions.info/ -# The following example modifies state for all MS07 through MS10 -# pcre:MS(0[7-9]|10)-\d+ - -# Example of modifying state for specific categories entirely (see README.CATEGORIES) -# VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp - -# Any of the above values can be on a single line or multiple lines, when -# on a single line they simply need to be separated by a , -# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233 - -# The modifications in this file are for sample/example purposes only and -# should not actively be used, you need to modify this file to fit your -# environment. 
diff --git a/salt/pulledpork/etc/dropsid.conf b/salt/pulledpork/etc/dropsid.conf
deleted file mode 100644
index 27a41e57e..000000000
--- a/salt/pulledpork/etc/dropsid.conf
+++ /dev/null
@@ -1,42 +0,0 @@ -# example dropsid.conf V3.1 -# -# Note: This file is used to specify what rules you wish to be set to have -# an action of drop rather than alert. This means that you are running -# snort inline (more info about inline deployments at snort.org). - -# Example of modifying state for individual rules -# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010 - -# Example of modifying state for rule ranges -# 1:220-1:3264,3:13010-3:13013 - -# Comments are allowed in this file, and can also be on the same line -# As the modify state syntax, as long as it is a trailing comment -# 1:1011 # I Disabled this rule because I could! - -# Example of modifying state for MS and cve rules, note the use of the : -# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301, -# and all MS00 and all cve 2000 related sids! These support regular expression -# matching only after you have specified what you are looking for, i.e. -# MS00- or cve:, the first section CANNOT contain a regular -# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below) -# for this. -# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+ - -# Example of using the pcre: keyword to modify rulestate. the pcre keyword -# allows for full use of regular expression syntax, you do not need to designate -# with / and all pcre searches are treated as case insensitive. 
For more information -# about regular expression syntax: http://www.regular-expressions.info/ -# The following example modifies state for all MS07 through MS10 -# pcre:MS(0[7-9]|10)-\d+ - -# Example of modifying state for specific categories entirely (see README.CATEGORIES) -# VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp - -# Any of the above values can be on a single line or multiple lines, when -# on a single line they simply need to be separated by a , -# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233 - -# The modifications in this file are for sample/example purposes only and -# should not actively be used, you need to modify this file to fit your -# environment. diff --git a/salt/pulledpork/etc/enablesid.conf b/salt/pulledpork/etc/enablesid.conf deleted file mode 100644 index 261f605e4..000000000 --- a/salt/pulledpork/etc/enablesid.conf +++ /dev/null 
@@ -1,48 +0,0 @@ -# example enablesid.conf v3.1 - -# SPECIAL NOTE, if you use the -R flag, the rule(s) specified in this file -# will be set back to their ORIGINAL state as it was read when they were -# originally extracted from the source tarball! - -# Example of modifying state for individual rules -# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010 - -# Example of modifying state for rule ranges -# 1:220-1:3264,3:13010-3:13013 - -# Comments are allowed in this file, and can also be on the same line -# As the modify state syntax, as long as it is a trailing comment -# 1:1011 # I Disabled this rule because I could! - -# Example of modifying state for MS and cve rules, note the use of the : -# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301, -# and all MS00 and all cve 2000 related sids! These support regular expression -# matching only after you have specified what you are looking for, i.e. -# MS00- or cve:, the first section CANNOT contain a regular -# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below) -# for this. -# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+ - -# Example of using the pcre: keyword to modify rulestate. the pcre keyword -# allows for full use of regular expression syntax, you do not need to designate -# with / and all pcre searches are treated as case insensitive. For more information -# about regular expression syntax: http://www.regular-expressions.info/ -# The following example modifies state for all MS07 through MS10 -# pcre:MS(0[7-9]|10)-\d+ - -# FOR TESTING ONLY: -# The following will enable ALL signatures for which Pulledpork has been configured -# to download -# pcre:. 
- -# Example of modifying state for specific categories entirely (see README.CATEGORIES) -# VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp - -# Any of the above values can be on a single line or multiple lines, when -# on a single line they simply need to be separated by a , -# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233 - -# The modifications in this file are for sample/example purposes only and -# should not actively be used, you need to modify this file to fit your -# environment. - diff --git a/salt/pulledpork/etc/modifysid.conf b/salt/pulledpork/etc/modifysid.conf deleted file mode 100644 index 50ee97601..000000000 --- a/salt/pulledpork/etc/modifysid.conf +++ /dev/null 
@@ -1,40 +0,0 @@ -# example modifysid.conf v1.1 2/18/2011 Alan Ptak -# -# Change history: -# ----------------------------------------------- -# v1.1 2/18/2011 Alan Ptak -# - Inserted comments around example elements that would otherwise modify rules -# -# v1.0 7/25/2010 JJC -# - original release -# ----------------------------------------------- -# -# formatting is simple -# "what I'm replacing" "what I'm replacing it with" -# -# Note that this will only work with GID:1 rules, simply because modifying -# GID:3 stub rules would not actually affect the rule, thusly it will remain -# non modifyable! -# -# If you are attempting to change rulestate (enable,drop,disable) from here -# then you are doing it wrong, it is much more efficient to do so from within -# the respective rulestate modification configuration files, please see doc/ -# and the README file! - -# the following applies to sid 10010 only and represents what would normally -# be s/to_client/from_server/ -# 10010 "to_client" "from_server" - -# the following would replace HTTP_PORTS with HTTPS_PORTS for ALL GID:1 -# rules -# "HTTP_PORTS" "HTTPS_PORTS" - -# multiple sids can be specified as noted below: -# 302,429,1821 "\$EXTERNAL_NET" "$HOME_NET" - -# example of modification of a rule to make snortsam BLOCK the rule: -# note that one rule changes from alert to BLOCK and that the other -# modifies the msg:" field value so that when the alert occurs it is noted -# that it is a SNORTSAM block rule! -# 17803 "\(msg:"" "\(msg:"SNORTSAM "; -# 17803 "^\s*alert" "BLOCK"; diff --git a/salt/pulledpork/etc/pulledpork.conf b/salt/pulledpork/etc/pulledpork.conf deleted file mode 100644 index daa5fcb17..000000000 --- a/salt/pulledpork/etc/pulledpork.conf +++ /dev/null 
@@ -1,214 +0,0 @@ -# Config file for pulledpork -# Be sure to read through the entire configuration file -# If you specify any of these items on the command line, it WILL take -# precedence over any value that you specify in this file! - -####### -####### The below section defines what your oinkcode is (required for -####### VRT rules), defines a temp path (must be writable) and also -####### defines what version of rules that you are getting (for your -####### snort version and subscription etc...) -####### - -# You can specify one or as many rule_urls as you like, they -# must appear as http://what.site.com/|rulesfile.tar.gz|1234567. You can specify -# each on an individual line, or you can specify them in a , separated list -# i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456 -# note that the url, rule file, and oinkcode itself are separated by a pipe | -# i.e. url|tarball|123456789, -#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz| -# NEW Community ruleset: -#rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community -# NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST| -# This format MUST be followed to let pulledpork know that this is a blacklist -#rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open -# URL for rule documentation! (slow to process) -#rule_url=https://snort.org/downloads/community/|opensource.tar.gz|Opensource -# THE FOLLOWING URL is for emergingthreats downloads, note the tarball name change! -# and open-nogpl, to avoid conflicts. -rule_url=https://rules.emergingthreats.net/open/suricata-4.0/|emerging.rules.tar.gz|open -# THE FOLLOWING URL is for etpro downloads, note the tarball name change! -# and the et oinkcode requirement! 
-#rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz| -# NOTE above that the VRT snortrules-snapshot does not contain the version -# portion of the tarball name, this is because PP now automatically populates -# this value for you, if, however you put the version information in, PP will -# NOT populate this value but will use your value! - -# Specify rule categories to ignore from the tarball in a comma separated list -# with no spaces. There are four ways to do this: -# 1) Specify the category name with no suffix at all to ignore the category -# regardless of what rule-type it is, ie: netbios -# 2) Specify the category name with a '.rules' suffix to ignore only gid 1 -# rulefiles located in the /rules directory of the tarball, ie: policy.rules -# 3) Specify the category name with a '.preproc' suffix to ignore only -# preprocessor rules located in the /preproc_rules directory of the tarball, -# ie: sensitive-data.preproc -# 4) Specify the category name with a '.so' suffix to ignore only shared-object -# rules located in the /so_rules directory of the tarball, ie: netbios.so -# The example below ignores dos rules wherever they may appear, sensitive- -# data preprocessor rules, p2p so-rules (while including gid 1 p2p rules), -# and netbios gid-1 rules (while including netbios so-rules): -# ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules -# These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x. -ignore=deleted.rules,experimental.rules,local.rules -# IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the -# previous ignore line and uncomment the following! -# ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data - -# What is our temp path, be sure this path has a bit of space for rule -# extraction and manipulation, no trailing slash -temp_path=/tmp - -####### -####### The below section is for rule processing. 
This section is -####### required if you are not specifying the configuration using -####### runtime switches. Note that runtime switches do SUPERSEED -####### any values that you have specified here! -####### - -# What path you want the .rules file containing all of the processed -# rules? (this value has changed as of 0.4.0, previously we copied -# all of the rules, now we are creating a single large rules file -# but still keeping a separate file for your so_rules! -rule_path=/opt/so/rules/nids/downloaded.rules - -# What path you want the .rules files to be written to, this is UNIQUE -# from the rule_path and cannot be used in conjunction, this is to be used with the -# -k runtime flag, this can be set at runtime using the -K flag or specified -# here. If specified here, the -k option must also be passed at runtime, however -# specifying -K at runtime forces the -k option to also be set -# out_path=/usr/local/etc/snort/rules/ - -# If you are running any rules in your local.rules file, we need to -# know about them to properly build a sid-msg.map that will contain your -# local.rules metadata (msg) information. You can specify other rules -# files that are local to your system here by adding a comma and more paths... -# remember that the FULL path must be specified for EACH value. -# local_rules=/path/to/these.rules,/path/to/those.rules -local_rules=/opt/so/rules/nids/local.rules,/opt/so/rules/nids/decoder-events.rules,/opt/so/rules/nids/stream-events.rules,/opt/so/rules/nids/http-events.rules,/opt/so/rules/nids/smtp-events.rules - -# Where should I put the sid-msg.map file? -sid_msg=/opt/so/rules/nids/sid-msg.map - -# New for by2 and more advanced msg mapping. Valid options are 1 or 2 -# specify version 2 if you are running barnyard2.2+. Otherwise use 1 -sid_msg_version=1 - -# Where do you want me to put the sid changelog? 
This is a changelog -# that pulledpork maintains of all new sids that are imported -sid_changelog=/var/log/nsm/sid_changes.log -# this value is optional - -####### -####### The below section is for so_rule processing only. If you don't -####### need to use them.. then comment this section out! -####### Alternately, if you are not using pulledpork to process -####### so_rules, you can specify -T at runtime to bypass this altogether -####### - -# What path you want the .so files to actually go to *i.e. where is it -# defined in your snort.conf, needs a trailing slash -sorule_path=/usr/local/lib/snort_dynamicrules/ - -# Path to the snort binary, we need this to generate the stub files -snort_path=/usr/bin/snort - -# We need to know where your snort.conf file lives so that we can -# generate the stub files -config_path=/etc/nsm/templates/snort/snort.conf - -##### Deprecated - The stubs are now categorically written to the single rule file! -# sostub_path=/usr/local/etc/snort/rules/so_rules.rules - -# Define your distro, this is for the precompiled shared object libs! -# Valid Distro Types: -# Debian-6-0, Ubuntu-10-4 -# Ubuntu-12-04, Centos-5-4 -# FC-12, FC-14, RHEL-5-5, RHEL-6-0 -# FreeBSD-8-1, FreeBSD-9-0, FreeBSD-10-0 -# OpenBSD-5-2, OpenBSD-5-3 -# OpenSUSE-11-4, OpenSUSE-12-1 -# Slackware-13-1 -distro=Centos-5-4 - -####### This next section is optional, but probably pretty useful to you. -####### Please read thoroughly! - -# If you are using IP Reputation and getting some public lists, you will probably -# want to tell pulledpork where your blacklist file lives, PP automagically will -# de-dupe any duplicate IPs from different sources. -black_list=/usr/local/etc/snort/rules/iplists/default.blacklist - -# IP Reputation does NOT require a full snort HUP, it introduces a concept whereby -# the IP list can be reloaded while snort is running through the use of a control -# socket. 
Please be sure that you built snort with the following optins: -# -enable-shared-rep and --enable-control-socket. Be sure to read about how to -# configure these! The following option tells pulledpork where to place the version -# file for use with control socket ip list reloads! -# This should be the same path where your black_list lives! -IPRVersion=/usr/local/etc/snort/rules/iplists - -# The following option tells snort where the snort_control tool is located. -snort_control=/usr/local/bin/snort_control - -# What do you want to backup and archive? This is a comma separated list -# of file or directory values. If a directory is specified, PP will recurse -# through said directory and all subdirectories to archive all files. -# The following example backs up all snort config files, rules, pulledpork -# config files, and snort shared object binary rules. -# backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/ - -# what path and filename should we use for the backup tarball? -# note that an epoch time value and the .tgz extension is automatically added -# to the backup_file name on completeion i.e. the written file is: -# pp_backup.1295886020.tgz -# backup_file=/tmp/pp_backup - -# Where do you want the signature docs to be copied, if this is commented -# out then they will not be copied / extracted. Note that extracting them -# will add considerable runtime to pulledpork. -# docs=/path/to/base/www - -# The following option, state_order, allows you to more finely control the order -# that pulledpork performs the modify operations, specifically the enablesid -# disablesid and dropsid functions. An example use case here would be to -# disable an entire category and later enable only a rule or two out of it. -# the valid values are disable, drop, and enable. -# state_order=disable,drop,enable - - -# Define the path to the pid files of any running process that you want to -# HUP after PP has completed its run. 
-# pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid -# and so on... -# pid_path=/var/run/snort_eth0.pid - -# This defines the version of snort that you are using, for use ONLY if the -# proper snort binary is not on the system that you are fetching the rules with -# This value MUST contain all 4 minor version -# numbers. ET rules are now also dependant on this, verify supported ET versions -# prior to simply throwing rubbish in this variable kthx! -# -# Suricata users - set this to 'suricata-3.x.x' to process rule files -# for suricata, this mimics the -S flag on the command line. -# snort_version=2.9.0.0 - -# Here you can specify what rule modification files to run automatically. -# simply uncomment and specify the apt path. -enablesid=/opt/so/pulledpork/etc/enablesid.conf -dropsid=/opt/so/pulledpork/dropsid.conf -disablesid=/opt/so/pulledpork/disablesid.conf -modifysid=/opt/so/pulledpork/modifysid.conf - -# What is the base ruleset that you want to use, please uncomment to use -# and see the README.RULESETS for a description of the options. -# Note that setting this value will disable all ET rulesets if you are -# Running such rulesets -# ips_policy=security - -####### Remember, a number of these values are optional.. if you don't -####### need to process so_rules, simply comment out the so_rule section -####### you can also specify -T at runtime to process only GID 1 rules. - -version=0.7.3 diff --git a/salt/pulledpork/init.sls b/salt/pulledpork/init.sls deleted file mode 100644 index e1ae2728f..000000000 --- a/salt/pulledpork/init.sls +++ /dev/null 
@@ -1,55 +0,0 @@ -# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -# PulledProk Setup -ppdir: - file.directory: - - name: /opt/so/pulledpork/etc - - user: 939 - - group: 939 - - makedirs: True - -ppetcsync: - file.recurse: - - name: /opt/so/pulledpork/etc - - source: salt://pulledpork/etc - - user: 939 - - group: 939 - - template: jinja - -rulesdir: - file.directory: - - name: /opt/so/rules/nids - - user: 939 - - group: 939 - - makedirs: True - -ruleslink: - file.symlink: - - name: /opt/so/saltstack/salt/pulledpork/rules - - target: /opt/so/rules/nids - -toosmooth/so-pulledpork:test2: - docker_image.present - -so-pulledpork: - docker_container.running: - - image: toosmooth/so-pulledpork:test2 - - hostname: so-pulledpork - - user: socore - - binds: - - /opt/so/pulledpork/etc:/opt/pulledpork/etc:ro - - /opt/so/rules/nids:/opt/so/rules/nids:rw - - network_mode: so-elastic-net diff --git a/salt/somaster/init.sls b/salt/somaster/init.sls deleted file mode 100644 index 3545ef846..000000000 --- a/salt/somaster/init.sls +++ /dev/null 
@@ -1,24 +0,0 @@
-# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
-
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-# Add Redis docker if REDIS is enabled
-# Add REDIS user
-
-# Sync updated logstash config for REDIS
-
-# Add ES user
-
-
-# Add ES Docker
diff --git a/salt/top.sls b/salt/top.sls
index 7db5d45b8..fcd9ba98d 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -20,8 +20,11 @@ base:
 - firewall
 - master
 - idstools
+<<<<<<< HEAD
 - redis
 - mysql
+=======
+>>>>>>> 7816c6e18e21870b0249cc05a161ef1644a94066
 - elasticsearch
 - logstash
 - kibana
@@ -29,6 +32,8 @@ base:
 - suricata
 - bro
 - curator
+ - elastalert
+ - filebeat
 - utility
 - schedule
 - fleet
@@ -46,6 +51,7 @@ base:
 - elasticsearch
 - logstash
 - kibana
+ - elastalert
 - utility
 - schedule
 - fleet
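Review bot: The first top.sls hunk commits unresolved merge-conflict markers — `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> 7816c6e18e21870b0249cc05a161ef1644a94066` — which leaves the top file unparsable, so every minion will fail to match any state until they are removed. Resolve the conflict by keeping or dropping `- redis` and `- mysql` as the merge intended and deleting the three marker lines. The `- filebeat` entry in the second hunk has no corresponding state directory anywhere in this diff, and the third hunk's host section gains `- elastalert` even though the new state's node default is `'0'`; both may well be intended, but are worth confirming before this lands.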