Merge remote-tracking branch 'remotes/origin/dev' into issue/142

files/firewall/hostgroups.local.yaml

@@ -13,6 +13,7 @@ firewall:
         delete:
         insert:
     elasticsearch_rest:
+      ips:
         delete:
         insert:
     fleet:

salt/common/tools/sbin/so-allow

@@ -15,7 +15,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-source ./so-common
+. /usr/sbin/so-common
 
 local_salt_dir=/opt/so/saltstack/local
 

salt/common/tools/sbin/so-idstools-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart idstools $1

salt/common/tools/sbin/so-idstools-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start idstools $1

salt/common/tools/sbin/so-idstools-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop idstools $1

salt/common/tools/sbin/so-import-pcap

@@ -21,18 +21,9 @@
 
 function usage {
   cat << EOF
-Usage:
+Usage: $0 <pcap-file-1> [pcap-file-2] [pcap-file-N]
-Please supply at least one pcap file.
-
-For example, to import a single pcap named import.pcap:
-so-import-pcap import.pcap
-
-To import multiple pcaps:
-so-import-pcap import1.pcap import2.pcap
-
-** IMPORTANT **
-Security Onion installations contain processes that automatically discard old data. Therefore, imports of old network traffic might immediately be erased, unless those processes are first disabled. 
 
+Imports one or more PCAP files for analysis. If available, curator will be automatically stopped.
 EOF
 }
 
@@ -76,11 +67,13 @@ function zeek() {
 
   NSM_PATH=/nsm/import/${HASH}/zeek
   mkdir -p $NSM_PATH/logs
-  mkdir -p $NSM_PATH/spool
   mkdir -p $NSM_PATH/extracted
+  mkdir -p $NSM_PATH/spool
   chown -R zeek:socore $NSM_PATH
   docker run --rm \
-    -v $NSM_PATH:/nsm:rw \
+    -v $NSM_PATH/logs:/nsm/zeek/logs:rw \
+    -v $NSM_PATH/spool:/nsm/zeek/spool:rw \
+    -v $NSM_PATH/extracted:/nsm/zeek/extracted:rw \
     -v $PCAP:/input.pcap:ro \
     -v /opt/so/conf/zeek/local.zeek:/opt/zeek/share/zeek/site/local.zeek:ro \
     -v /opt/so/conf/zeek/node.cfg:/opt/zeek/etc/node.cfg:ro \
@@ -99,13 +92,13 @@ function zeek() {
 # if no parameters supplied, display usage
 if [ $# -eq 0 ]; then
   usage
-  exit
+  exit 1
 fi
 
-# ensure this is a manager node
+# ensure this is a sensor node
-if [ ! -d /opt/so/conf/soc ]; then
+if [ ! -d /opt/so/conf/suricata ]; then
-  echo "This procedure must be run on a manager node."
+  echo "This command must be run on a sensor node."
-  exit
+  exit 3
 fi
 
 # verify that all parameters are files
@@ -113,10 +106,18 @@ for i in "$@"; do
   if ! [ -f "$i" ]; then
     usage
     echo "\"$i\" is not a valid file!"
-    exit
+    exit 2
   fi
 done
 
+if ! [ -d /opt/so/conf/curator ]; then
+  echo "Curator is not installed on this node and cannot be stopped automatically."
+else
+  echo -n "Stopping curator..."
+  so-curator-stop > /dev/null 2>&1
+  echo "Done"
+fi
+
 # track if we have any valid or invalid pcaps
 INVALID_PCAPS="no"
 VALID_PCAPS="no"
@@ -218,4 +219,4 @@ From: $START_OLDEST    To: $END_NEWEST
 
 Please note that it may take 30 seconds or more for events to appear in Kibana.
 EOF
-fi
+fi

salt/common/tools/sbin/so-influxdb-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart influxdb $1

salt/common/tools/sbin/so-influxdb-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start influxdb $1

salt/common/tools/sbin/so-influxdb-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop influxdb $1

salt/common/tools/sbin/so-nginx-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart nginx $1

salt/common/tools/sbin/so-nginx-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start nginx $1

salt/common/tools/sbin/so-nginx-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop nginx $1

salt/common/tools/sbin/so-soc-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart soc $1

salt/common/tools/sbin/so-soc-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start soc $1

salt/common/tools/sbin/so-soc-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop soc $1

salt/common/tools/sbin/so-telegraf-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart telegraf $1

salt/common/tools/sbin/so-telegraf-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start telegraf $1

salt/common/tools/sbin/so-telegraf-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop telegraf $1

salt/elastalert/files/rules/so/nids2hive.yaml

@@ -1,52 +0,0 @@
-{% set es = salt['pillar.get']('static:masterip', '') %}
-{% set hivehost = salt['pillar.get']('static:masterip', '') %}
-{% set hivekey = salt['pillar.get']('static:hivekey', '') %}
-{% set MASTER = salt['pillar.get']('master:url_base', '') %}
-
-# hive.yaml
-# Elastalert rule to forward IDS alerts from Security Onion to a specified TheHive instance.
-#
-es_host: {{es}}
-es_port: 9200
-name: NIDS-Alert
-type: frequency
-index: "so-ids-*"
-num_events: 1
-timeframe:
-    minutes: 10
-buffer_time:
-    minutes: 10
-allow_buffer_time_overlap: true
-query_key: ["rule.uuid"]
-realert:
-    days: 1
-filter:
-- query:
-   query_string:
-      query: "event.module: suricata"
-
-alert: hivealerter
-
-hive_connection:
-  hive_host: http://{{hivehost}}
-  hive_port: 9000/thehive
-  hive_apikey: {{hivekey}}
-  
-hive_proxies:
-  http: ''
-  https: ''
-
-hive_alert_config:
-  title: '{match[rule][name]}'
-  type: 'NIDS'
-  source: 'SecurityOnion'
-  description: "`Hunting Pivot:` \n\n <https://{{MASTER}}/#/hunt?q=event.module%3A%20suricata%20AND%20rule.uuid%3A{match[rule][uuid]}%20%7C%20groupby%20source.ip%20destination.ip%20rule.name>  \n\n `Kibana Dashboard - Signature Drilldown:` \n\n <https://{{MASTER}}/kibana/app/kibana#/dashboard/ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'sid:')),sort:!('@timestamp',desc))> \n\n `Kibana Dashboard - Community_ID:` \n\n <https://{{MASTER}}/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'*:so-*',key:network.community_id,negate:!f,params:(query:'{match[network][community_id]}'),type:phrase),query:(match_phrase:(network.community_id:'{match[network][community_id]}')))),refreshInterval:(pause:!t,value:0),time:(from:now-7d,to:now))>  \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}"
-  severity: 2
-  tags: ['{match[rule][uuid]}','{match[source][ip]}','{match[destination][ip]}']
-  tlp: 3
-  status: 'New'
-  follow: True
-
-hive_observable_data_mapping:
-  - ip: '{match[source][ip]}'
-  - ip: '{match[destination][ip]}'

salt/elastalert/files/rules/so/suricata_thehive.yaml

@@ -0,0 +1,51 @@
+{% set es = salt['pillar.get']('static:masterip', '') %}
+{% set hivehost = salt['pillar.get']('static:masterip', '') %}
+{% set hivekey = salt['pillar.get']('static:hivekey', '') %}
+{% set MASTER = salt['pillar.get']('master:url_base', '') %}
+
+# Elastalert rule to forward Suricata alerts from Security Onion to a specified TheHive instance.
+#
+es_host: {{es}}
+es_port: 9200
+name: Suricata-Alert
+type: frequency
+index: "so-ids-*"
+num_events: 1
+timeframe:
+    minutes: 10
+buffer_time:
+    minutes: 10
+allow_buffer_time_overlap: true
+query_key: ["rule.uuid","source.ip","destination.ip"]
+realert:
+    days: 1
+filter:
+- query:
+   query_string:
+      query: "event.module: suricata AND rule.severity:(1 OR 2)"
+
+alert: hivealerter
+
+hive_connection:
+  hive_host: http://{{hivehost}}
+  hive_port: 9000/thehive
+  hive_apikey: {{hivekey}}
+  
+hive_proxies:
+  http: ''
+  https: ''
+
+hive_alert_config:
+  title: '{match[rule][name]}'
+  type: 'NIDS'
+  source: 'SecurityOnion'
+  description: "`SOC Hunt Pivot:` \n\n <https://{{MASTER}}/#/hunt?q=network.community_id%3A%20%20%22{match[network][community_id]}%22%20%7C%20groupby%20source.ip%20destination.ip,event.module,%20event.dataset>  \n\n `Kibana Dashboard Pivot:` \n\n <https://{{MASTER}}/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'*:so-*',key:network.community_id,negate:!f,params:(query:'{match[network][community_id]}'),type:phrase),query:(match_phrase:(network.community_id:'{match[network][community_id]}')))),refreshInterval:(pause:!t,value:0),time:(from:now-7d,to:now))>  \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}"
+  severity: 2
+  tags: ['{match[rule][uuid]}','{match[source][ip]}','{match[destination][ip]}']
+  tlp: 3
+  status: 'New'
+  follow: True
+
+hive_observable_data_mapping:
+  - ip: '{match[source][ip]}'
+  - ip: '{match[destination][ip]}'

salt/elastalert/files/rules/so/wazuh_thehive.yaml

@@ -0,0 +1,49 @@
+{% set es = salt['pillar.get']('static:masterip', '') %}
+{% set hivehost = salt['pillar.get']('static:masterip', '') %}
+{% set hivekey = salt['pillar.get']('static:hivekey', '') %}
+{% set MASTER = salt['pillar.get']('master:url_base', '') %}
+
+# Elastalert rule to forward high level Wazuh alerts from Security Onion to a specified TheHive instance.
+#
+es_host: {{es}}
+es_port: 9200
+name: Wazuh-Alert
+type: frequency
+index: "so-ossec-*"
+num_events: 1
+timeframe:
+    minutes: 10
+buffer_time:
+    minutes: 10
+allow_buffer_time_overlap: true
+realert:
+    days: 1
+filter:
+- query:
+   query_string:
+      query: "event.module: ossec AND rule.level>=8"
+
+alert: hivealerter
+
+hive_connection:
+  hive_host: http://{{hivehost}}
+  hive_port: 9000/thehive
+  hive_apikey: {{hivekey}}
+  
+hive_proxies:
+  http: ''
+  https: ''
+
+hive_alert_config:
+  title: '{match[rule][name]}'
+  type: 'wazuh'
+  source: 'SecurityOnion'
+  description: "`SOC Hunt Pivot:` \n\n <https://{{MASTER}}/#/hunt?q=event.module%3A%20ossec%20AND%20rule.id%3A{match[rule][id]}%20%7C%20groupby%20host.name%20rule.name>  \n\n `Kibana Dashboard Pivot:` \n\n <https://{{MASTER}}/kibana/app/kibana#/dashboard/ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'sid:')),sort:!('@timestamp',desc))>"
+  severity: 2
+  tags: ['{match[rule][id]}','{match[host][name]}']
+  tlp: 3
+  status: 'New'
+  follow: True
+
+hive_observable_data_mapping:
+  - other: '{match[host][name]}'

salt/elasticsearch/files/ingest/zeek.ftp

@@ -1,5 +1,5 @@
 {
-  "description" : "zeek.http",
+  "description" : "zeek.ftp",
   "processors" : [
     { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
     { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },

salt/elasticsearch/files/ingest/zeek.smb_mapping

@@ -1,5 +1,5 @@
 {
-  "description" : "zeek.smb_files",
+  "description" : "zeek.smb_mapping",
   "processors" : [
     { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
     { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },

salt/elasticsearch/files/ingest/zeek.ssh

@@ -1,5 +1,5 @@
 {
-  "description" : "zeek.conn",
+  "description" : "zeek.ssh",
   "processors" : [
     { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
     { "json":		{ "field": "message",				"target_field": "message2",			"ignore_failure": true	} },

salt/filebeat/etc/filebeat.yml

@@ -127,11 +127,11 @@ filebeat.inputs:
         category: network
         imported: true
     processors:
-      - dissect:
+    - dissect:
-          tokenizer: "/nsm/import/%{import_id}/zeek/logs/%{import_source}"
+        tokenizer: "/nsm/import/%{import.id}/zeek/logs/%{import.file}"
-          field: "source"
+        field: "log.file.path"
-          target_prefix: ""
+        target_prefix: ""
-      - drop_fields:
+    - drop_fields:
         fields: ["source", "prospector", "input", "offset", "beat"]
  
     fields_under_root: true
@@ -166,8 +166,8 @@ filebeat.inputs:
       imported: true 
     processors:
     - dissect:
-        tokenizer: "/nsm/import/%{import_id}/suricata/%{import_source}"
+        tokenizer: "/nsm/import/%{import.id}/suricata/%{import.file}"
-        field: "source"
+        field: "log.file.path"
         target_prefix: ""
     - drop_fields:
         fields: ["source", "prospector", "input", "offset", "beat"]

salt/filebeat/init.sls

@@ -53,12 +53,11 @@ so-filebeat:
     - user: root
     - extra_hosts: {{ MASTER }}:{{ MASTERIP }}
     - binds:
+      - /nsm:/nsm:ro
       - /opt/so/log/filebeat:/usr/share/filebeat/logs:rw
       - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
-      - /nsm:/nsm:ro
       - /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro
       - /opt/so/wazuh/logs/archives:/wazuh/archives:ro
-      - /nsm/osquery/fleet/:/nsm/osquery/fleet:ro
       - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
       - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
       - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro

salt/soctopus/files/SOCtopus.conf

@@ -60,7 +60,7 @@ slack_url = YOURSLACKWORKSPACE
 slack_webhook = YOURSLACKWEBHOOK
 
 [playbook]
-playbook_url = https://{{MASTER}}/playbook
+playbook_url = http://{{MASTER}}:3200/playbook
 playbook_key = de6639318502476f2fa5aa06f43f51fb389a3d7f
 playbook_verifycert = no
 playbook_unit_test_index = playbook-testing

salt/soctopus/init.sls

@@ -10,7 +10,7 @@ soctopusdir:
     - group: 939
     - makedirs: True
 
-soctopussync:
+soctopus-sync:
   file.recurse:
     - name: /opt/so/conf/soctopus/templates
     - source: salt://soctopus/files/templates
@@ -24,7 +24,6 @@ soctopusconf:
     - source: salt://soctopus/files/SOCtopus.conf
     - user: 939
     - group: 939
-    - replace: False
     - mode: 600
     - template: jinja
 

setup/install_scripts/99-so-checksum-offload-disable

@@ -4,5 +4,5 @@ if [[ "$DEVICE_IFACE" != "$MNIC" && "$DEVICE_IFACE" != *"docker"* ]]; then
 	for i in rx tx sg tso ufo gso gro lro; do
 		ethtool -K "$DEVICE_IFACE" "$i" off;
   	done
-	ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off
+	ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on
 fi

setup/so-functions

@@ -388,8 +388,6 @@ configure_minion() {
 		printf '%s\n'  '----';
 		cat "$minion_config";
 	} >> "$setup_log" 2>&1
-	
-	
 }
 
 checkin_at_boot() {
@@ -399,27 +397,33 @@ checkin_at_boot() {
 	echo "startup_states: highstate" >> "$minion_config"
 }
 
-
 check_requirements() {
 	local eval_or_dist=$1
 	local node_type=$2 # optional
 	local req_mem
 	local req_cores
+	local req_storage
 	local nic_list
 	readarray -t nic_list <<< "$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "bond0"  | sed 's/ //g')"
 	local num_nics=${#nic_list[@]}
-
+	
 	if [[ "$eval_or_dist" == 'eval' ]]; then
 		req_mem=12
 		req_cores=4
 		req_nics=2
+		req_storage=100
 	elif [[ "$eval_or_dist" == 'dist' ]]; then
 		req_mem=8
 		req_cores=4
+		req_storage=40
 		if [[ "$node_type" == 'sensor' ]]; then req_nics=2; else req_nics=1; fi
 		if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi
 	fi
 
+	if (( $(echo "$free_space_root < $req_storage" | bc -l) )); then
+		whiptail_requirements_error "disk space" "${free_space_root} GB" "${req_storage} GB"
+	fi
+
 	if [[ $num_nics -lt $req_nics ]]; then
 		whiptail_requirements_error "NICs" "$num_nics" "$req_nics"
 	fi
@@ -429,7 +433,7 @@ check_requirements() {
 	fi
 	
 	if [[ $total_mem_hr -lt $req_mem ]]; then
-		whiptail_requirements_error "memory" "${total_mem_hr}GB" "${req_mem}GB"
+		whiptail_requirements_error "memory" "${total_mem_hr} GB" "${req_mem} GB"
 	fi
 }
 
@@ -481,42 +485,59 @@ copy_ssh_key() {
 }
 
 create_local_directories() {
-        echo "Creating local pillar and salt directories"
+	echo "Creating local pillar and salt directories"
-        PILLARSALTDIR=${SCRIPTDIR::-5}
+	PILLARSALTDIR=${SCRIPTDIR::-5}
-        for i in "pillar" "salt"; do
+	for i in "pillar" "salt"; do
-                for d in `find $PILLARSALTDIR/$i -type d`; do
+		for d in $(find $PILLARSALTDIR/$i -type d); do
-						suffixdir=${d//$PILLARSALTDIR/}
+			suffixdir=${d//$PILLARSALTDIR/}
-                        if [ ! -d "$local_salt_dir/$suffixdir" ]; then
+			if [ ! -d "$local_salt_dir/$suffixdir" ]; then
-	                        mkdir -v "$local_salt_dir$suffixdir" >> "$setup_log" 2>&1
+				mkdir -v "$local_salt_dir$suffixdir" >> "$setup_log" 2>&1
-                        fi
+			fi
-                done
+		done
-                chown -R socore:socore "$local_salt_dir/$i"
+		chown -R socore:socore "$local_salt_dir/$i"
-        done
+	done
 
 }
 
-create_sensor_bond() {
+configure_network_sensor() {
-	echo "Setting up sensor bond" >> "$setup_log" 2>&1
+	echo "Setting up sensor interface" >> "$setup_log" 2>&1
-
 	local nic_error=0
 
-	check_network_manager_conf >> "$setup_log" 2>&1
-	
 	# Set the MTU
 	if [[ $NSMSETUP != 'ADVANCED' ]]; then
-		MTU=1500
+		if [[ $is_ec2 ]]; then MTU=1575; else MTU=1500; fi
+	fi
+
+	if [[ $is_ec2 ]]; then 
+		INTERFACE=${BNICS[0]}
+		local nmcli_con_arg="type ethernet"
+	else 
+		INTERFACE='bond0'
+		local nmcli_con_arg="type bond mode 0"
 	fi
 
 	# Create the bond interface only if it doesn't already exist
-	if ! [[ $(nmcli -f name,uuid -p con | sed -n 's/bond0 //p' | tr -d ' ') ]]; then
+	
-		nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \
+	nmcli -f name,uuid -p con | grep -q "$INTERFACE"
+	local found_int=$?
+
+	if [[ $found_int != 0 ]]; then
+		nmcli con add ifname "$INTERFACE" con-name "$INTERFACE" $nmcli_con_arg -- \
+			ipv4.method disabled \
+			ipv6.method ignore \
+			ethernet.mtu $MTU \
+			connection.autoconnect "yes" >> "$setup_log" 2>&1
+	else
+		local int_uuid
+		int_uuid=$(nmcli -f name,uuid -p con | sed -n "s/$INTERFACE //p" | tr -d ' ')
+
+		nmcli con mod "$int_uuid" \
 			ipv4.method disabled \
 			ipv6.method ignore \
 			ethernet.mtu $MTU \
 			connection.autoconnect "yes" >> "$setup_log" 2>&1
 	fi
 
-
 	for BNIC in "${BNICS[@]}"; do
 		# Check if specific offload features are able to be disabled
 		for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do
@@ -532,15 +553,29 @@ create_sensor_bond() {
 			ethtool -K "$BNIC" $i off >> "$setup_log" 2>&1
 		done
 		
-		# Check if the bond slave connection has already been created
+		if [[ $is_ec2 ]]; then
-		if ! [[ $(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ') ]]; then
+			nmcli con up "$BNIC" >> "$setup_log" 2>&1
-			# Create the slave interface and assign it to the bond
+		else
-			nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \
+			# Check if the bond slave connection has already been created
-				ethernet.mtu $MTU \
+			nmcli -f name,uuid -p con | grep -q "bond0-slave-$BNIC"
-				connection.autoconnect "yes" >> "$setup_log" 2>&1
+			local found_int=$?
-		fi
+			
+			if [[ $found_int != 0 ]]; then
+				# Create the slave interface and assign it to the bond
+				nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \
+					ethernet.mtu $MTU \
+					connection.autoconnect "yes" >> "$setup_log" 2>&1
+			else
+				local int_uuid
+				int_uuid=$(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ')
 
-		nmcli con up "bond0-slave-$BNIC" >> "$setup_log" 2>&1 # Bring the slave interface up
+				nmcli con mod "$int_uuid" \
+					ethernet.mtu $MTU \
+					connection.autoconnect "yes" >> "$setup_log" 2>&1
+			fi
+			
+			nmcli con up "bond0-slave-$BNIC" >> "$setup_log" 2>&1 # Bring the slave interface up
+		fi
 	done
 
 	if [ $nic_error != 0 ]; then
@@ -548,6 +583,11 @@ create_sensor_bond() {
 	fi
 }
 
+detect_ec2() {
+  echo "Testing if setup is running on an EC2 instance"
+  if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ); then export is_ec2="true"; fi
+}
+
 detect_os() {
 
 	# Detect Base OS
@@ -565,11 +605,19 @@ detect_os() {
 			exit 1
 		fi
 
+		echo "Installing required packages to run installer"
 		# Install bind-utils so the host command exists
 		if ! command -v host > /dev/null 2>&1; then
-			echo "Installing required packages to run installer"
+			yum -y install bind-utils >> "$setup_log" 2>&1
-			yum -y install bind-utils yum-plugin-versionlock >> "$setup_log" 2>&1
 		fi
+		if ! command -v nmcli > /dev/null 2>&1; then
+			{
+				yum -y install NetworkManager;
+				systemctl enable NetworkManager;
+				systemctl start NetworkManager;
+			} >> "$setup_log" 2<&1
+		fi
+		yum -y install yum-plugin-versionlock bc >> "$setup_log" 2>&1
 
 
 	elif [ -f /etc/os-release ]; then
@@ -582,15 +630,17 @@ detect_os() {
 			echo "We do not support your current version of Ubuntu."
 			exit 1
 		fi
+
+		echo "Installing required packages to run installer"
 		# Install network manager so we can do interface stuff
 		if ! command -v nmcli > /dev/null 2>&1; then
-			echo "Installing required packages to run installer"
 			{
 				apt-get install -y network-manager;
 				systemctl enable NetworkManager;
 				systemctl start NetworkManager;
 			} >> "$setup_log" 2<&1
 		fi
+		apt-get install -y bc >> "$setup_log" 2>&1
 
 	else
 		echo "We were unable to determine if you are using a supported OS."
@@ -1275,6 +1325,11 @@ set_base_heapsizes() {
 	ls_heapsize
 }
 
+set_network_dev_status_list() {
+	readarray -t nmcli_dev_status_list <<< "$(nmcli -t -f DEVICE,STATE -c no dev status)"
+	export nmcli_dev_status_list
+}
+
 set_main_ip() {
 	MAINIP=$(ip route get 1 | awk '{print $7;exit}')
 }
@@ -1324,7 +1379,7 @@ sensor_pillar() {
 	# Create the sensor pillar
 	printf '%s\n'\
 		"sensor:"\
-		"  interface: bond0"\
+		"  interface: $INTERFACE"\
 		"  mainip: $MAINIP"\
 		"  mainint: $MNIC" >> "$pillar_file"
 	
@@ -1435,13 +1490,13 @@ set_initial_firewall_policy() {
             $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP"
 			case "$install_type" in 
 				'EVAL')
-					$default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 True
+					$default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE True
 					;;
 				'MASTERSEARCH')
 					$default_salt_dir/pillar/data/addtotab.sh mastersearchtab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm"
 					;;
 				'STANDALONE')
-					$default_salt_dir/pillar/data/addtotab.sh standalonetab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0
+					$default_salt_dir/pillar/data/addtotab.sh standalonetab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE
 					;;
 			esac
 			;;
@@ -1455,7 +1510,7 @@ set_initial_firewall_policy() {
 			case "$install_type" in
 				'SENSOR')
 					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP"
-					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0
+					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE
 					;;
 				'SEARCHNODE')
 					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP"
@@ -1464,7 +1519,7 @@ set_initial_firewall_policy() {
 				'HEAVYNODE')
 					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP"
 					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP"
-					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0
+					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE
 					ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm"
 					;;
 				'FLEET')

setup/so-setup

@@ -51,10 +51,20 @@ echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1
 
 automated=no
 function progress() {
-	if [ $automated == no ]; then
+	if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then
-		whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0
+		if [[ -s /var/spool/mail/root ]]; then 
+			echo '[ ERROR ]  /var/spool/mail/root grew unexpectedly' >> $setup_log 2>&1
+		fi
+
+		if [[ $automated == no ]]; then whiptail_setup_failed; else exit 1; fi
+
+		if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit 1; fi
 	else
-		cat >> $setup_log 2>&1
+		if [ $automated == no ]; then
+			whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0
+		else
+			cat >> $setup_log 2>&1
+		fi
 	fi
 }
 
@@ -98,7 +108,8 @@ export PATH=$PATH:../salt/common/tools/sbin
 
 got_root
 
-detect_os
+detect_os && detect_ec2
+set_network_dev_status_list
 
 if [ "$OS" == ubuntu ]; then
 	update-alternatives --set newt-palette /etc/newt/palette.original >> $setup_log 2>&1
@@ -225,7 +236,7 @@ fi
 
 # Start user prompts
 if [[ $is_helix || $is_sensor ]]; then
-	whiptail_bond_nics
+	whiptail_sensor_nics
 	calculate_useable_cores
 fi
 
@@ -334,14 +345,19 @@ if [[ "$setup_type" == 'iso' ]]; then
 	disable_onion_user
 fi
 
-set_hostname >> $setup_log 2>&1
+{
-set_version >> $setup_log 2>&1
+	set_hostname;
-clear_master >> $setup_log 2>&1
+	set_version;
+	clear_master;
+} >> $setup_log 2>&1
+
 
 if [[ $is_master ]]; then
-	generate_passwords >> $setup_log 2>&1
+	{
-	secrets_pillar >> $setup_log 2>&1
+		generate_passwords;
-	add_socore_user_master >> $setup_log 2>&1
+		secrets_pillar;
+		add_socore_user_master;
+	} >> $setup_log 2>&1	
 fi
 
 if [[ $is_master && ! $is_eval ]]; then
@@ -364,18 +380,17 @@ fi
 	# Set initial percentage to 0
 	export percentage=0
 
-        if [[ $is_minion ]]; then
+	if [[ $is_minion ]]; then
-                set_progress_str 1 'Configuring firewall'
+		set_progress_str 1 'Configuring firewall'
-                set_initial_firewall_policy >> $setup_log 2>&1
+		set_initial_firewall_policy >> $setup_log 2>&1
-        fi
+	fi
 
 	set_progress_str 2 'Updating packages'
 	update_packages >> $setup_log 2>&1
 
 	if [[ $is_sensor || $is_helix ]]; then
-		set_progress_str 3 'Creating bond interface'
+		set_progress_str 3 'Configuring sensor interface'
-		create_sensor_bond >> $setup_log 2>&1
+		configure_network_sensor >> $setup_log 2>&1
-		
 		set_progress_str 4 'Generating sensor pillar'
 		sensor_pillar >> $setup_log 2>&1
 	fi
@@ -392,14 +407,15 @@ fi
 	set_progress_str 9 'Initializing Salt minion'
 	configure_minion "$minion_type" >> $setup_log 2>&1
 
-
 	if [[ $is_master || $is_helix ]]; then
 		set_progress_str 10 'Configuring Salt master'
-		create_local_directories >> $setup_log 2>&1
+		{
-		addtotab_generate_templates >> $setup_log 2>&1
+			create_local_directories;
-		copy_master_config >> $setup_log 2>&1
+			addtotab_generate_templates;
-		setup_salt_master_dirs >> $setup_log 2>&1
+			copy_master_config;
-		firewall_generate_templates >> $setup_log 2>&1
+			setup_salt_master_dirs;
+			firewall_generate_templates;
+		} >> $setup_log 2>&1
 		
 		set_progress_str 11 'Updating sudoers file for soremote user'
 		update_sudoers >> $setup_log 2>&1
@@ -516,51 +532,57 @@ fi
 		set_progress_str 72 "$(print_salt_state_apply 'soctopus')"
 		salt-call state.apply -l info soctopus >> $setup_log 2>&1
 	fi
-	
+
-	if [[ "$OSQUERY" = 1 ]]; then
+	if [[ "$PLAYBOOK" = 1 ]]; then
 		set_progress_str 73 "$(print_salt_state_apply 'mysql')"
 		salt-call state.apply -l info mysql >> $setup_log 2>&1
+		
+		set_progress_str 73 "$(print_salt_state_apply 'playbook')"
+		salt-call state.apply -l info playbook >> $setup_log 2>&1
+		so-playbook-ruleupdate >> /root/setup_playbook_rule_update.log 2>&1 &
+	fi
+	
+	if [[ "$OSQUERY" = 1 ]]; then
+		if [[ "$PLAYBOOK" != 1 ]]; then
+		set_progress_str 74 "$(print_salt_state_apply 'mysql')"
+		salt-call state.apply -l info mysql >> $setup_log 2>&1
+		fi
 
-		set_progress_str 73 "$(print_salt_state_apply 'fleet')"
+		set_progress_str 75 "$(print_salt_state_apply 'fleet')"
 		salt-call state.apply -l info fleet >> $setup_log 2>&1
 
-		set_progress_str 73 "$(print_salt_state_apply 'redis')"
+		set_progress_str 76 "$(print_salt_state_apply 'redis')"
 		salt-call state.apply -l info redis >> $setup_log 2>&1
 
 		if [[ $is_fleet_standalone && $FLEETCUSTOMHOSTNAME != '' ]]; then
-			set_progress_str 73 "$(print_salt_state_apply 'fleet.event_update-custom-hostname')"
+			set_progress_str 77 "$(print_salt_state_apply 'fleet.event_update-custom-hostname')"
 			pillar_override="{\"static\":{\"fleet_custom_hostname\": \"$FLEETCUSTOMHOSTNAME\"}}"
 			salt-call state.apply -l info fleet.event_update-custom-hostname pillar="$pillar_override" >> $setup_log 2>&1
 		fi
 	
 		set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')"	
-		so-fleet-setup $FLEETNODEUSER $FLEETNODEPASSWD1 >> $setup_log 2>&1
+		so-fleet-setup "$FLEETNODEUSER" "$FLEETNODEPASSWD1" >> $setup_log 2>&1
 
 	fi
 
 	if [[ "$WAZUH" = 1 ]]; then
-		set_progress_str 75 "$(print_salt_state_apply 'wazuh')"
+		set_progress_str 78 "$(print_salt_state_apply 'wazuh')"
 		salt-call state.apply -l info wazuh >> $setup_log 2>&1
 	fi
 
 	if [[ "$THEHIVE" = 1 ]]; then
-		set_progress_str 76 "$(print_salt_state_apply 'thehive')"
+		set_progress_str 79 "$(print_salt_state_apply 'thehive')"
 		salt-call state.apply -l info thehive >> $setup_log 2>&1
 	fi
 
 	if [[ "$STRELKA" = 1 ]]; then
-		set_progress_str 77 "$(print_salt_state_apply 'strelka')"
+		set_progress_str 80 "$(print_salt_state_apply 'strelka')"
 		salt-call state.apply -l info strelka >> $setup_log 2>&1
 		if [[ $STRELKARULES == 1 ]]; then
 			/usr/sbin/so-yara-update >> $setup_log 2>&1	
 		fi
 	fi
 
-	if [[ "$PLAYBOOK" = 1 ]]; then
-		set_progress_str 78 "$(print_salt_state_apply 'playbook')"
-		salt-call state.apply -l info playbook >> $setup_log 2>&1
-	fi
-
 	if [[ $is_master || $is_helix ]]; then		
 		set_progress_str 81 "$(print_salt_state_apply 'utility')"
 		salt-call state.apply -l info utility >> $setup_log 2>&1
@@ -594,10 +616,12 @@ fi
 success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}')
 if [[ "$success" = 0 ]]; then
 	whiptail_setup_complete
+
 	if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then 
 		export IP=$ALLOW_CIDR
 		so-allow -$ALLOW_ROLE >> $setup_log 2>&1
 	fi
+
 	if [[ $THEHIVE == 1 ]]; then
 		check_hive_init
 	fi

setup/so-variables

@@ -28,6 +28,9 @@ mkdir -p /nsm
 filesystem_nsm=$(df /nsm | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }')
 export filesystem_nsm
 
+free_space_root=$(df -Pk / | sed 1d | grep -v used | awk '{ print $4 / 1048576 }' | awk '{ printf("%.0f", $1) }')
+export free_space_root
+
 mkdir -p /root/installtmp/pillar/minions
 export temp_install_dir=/root/installtmp
 
@@ -36,6 +39,8 @@ export percentage_str='Getting started'
 export DEBIAN_FRONTEND=noninteractive
 
 export default_salt_dir=/opt/so/saltstack/default
+
 export local_salt_dir=/opt/so/saltstack/local
 
-export SCRIPTDIR=$(cd `dirname $0` && pwd)
+SCRIPTDIR=$(cd "$(dirname "$0")" && pwd)
+export SCRIPTDIR

setup/so-whiptail

@@ -72,19 +72,27 @@ whiptail_bro_version() {
 
 }
 
-whiptail_bond_nics() {
+whiptail_sensor_nics() {
 
 	[ -n "$TESTING" ] && return
 
 	filter_unused_nics
 
-	BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3)
+	if [[ $is_ec2 ]]; then
+		local menu_text="Please select NIC for the Monitor Interface"
+		local list_type="radiolist"
+	else
+		local menu_text="Please add NICs to the Monitor Interface"
+		local list_type="checklist"
+	fi
+
+	BNICS=$(whiptail --title "NIC Setup" --$list_type "$menu_text" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
 
 	while [ -z "$BNICS" ]
 	do
-		BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 )
+		BNICS=$(whiptail --title "NIC Setup" --$list_type "$menu_text" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 )
 		local exitstatus=$?
 		whiptail_check_exitstatus $exitstatus
 	done
@@ -92,6 +100,16 @@ whiptail_bond_nics() {
 	BNICS=$(echo "$BNICS" | tr -d '"')
 
 	IFS=' ' read -ra BNICS <<< "$BNICS"
+
+	for bond_nic in "${BNICS[@]}"; do
+		if [[ "${nmcli_dev_status_list}" =~ $bond_nic\:unmanaged ]]; then
+			whiptail \
+				--title "Security Onion Setup" \
+				--msgbox "$bond_nic is unmanaged by Network Manager. Please remove it from other network management tools then re-run setup." \
+				8 75
+			exit
+		fi
+	done
 }
 
 whiptail_bond_nics_mtu() {
@@ -281,8 +299,6 @@ whiptail_fleet_custom_hostname() {
 	whiptail_check_exitstatus $exitstatus
 }
 
-
-
 whiptail_requirements_error() {
 
 	local requirement_needed=$1
@@ -292,7 +308,7 @@ whiptail_requirements_error() {
 	[ -n "$TESTING" ] && return
 
 	whiptail --title "Security Onion Setup" \
-	--yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Press YES to continue anyway, or press NO to cancel."  8 75
+	--yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Press YES to continue anyway, or press NO to cancel."  10 75
 
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -430,27 +446,37 @@ whiptail_install_type() {
 
 	# What kind of install are we doing?
 	install_type=$(whiptail --title "Security Onion Setup" --radiolist \
-	"Choose Install Type:" 20 75 13 \
+	"Choose install type:" 10 65 3 \
-	"SENSOR" "Create a forward only sensor" ON \
+		"EVAL" "Evaluation mode (not for production) " ON \
-	"SEARCHNODE" "Add a Search Node with parsing" OFF \
+		"STANDALONE" "Standalone production install " OFF \
-	"MASTER" "Start a new grid" OFF \
+		"DISTRIBUTED" "Distributed install submenu " OFF \
-	"EVAL" "Evaluate all the things" OFF \
+		3>&1 1>&2 2>&3
-	"STANDALONE" "Standalone full install of everything" OFF \
+	)
-	"MASTERSEARCH" "Master + Search Node" OFF \
+
-	"HEAVYNODE" "Sensor + Search Node" OFF \
+	local exitstatus=$?
-	"HELIXSENSOR" "Connect this sensor to FireEye Helix" OFF \
+	whiptail_check_exitstatus $exitstatus
-	"FLEET" "Dedicated Fleet Osquery Node" OFF \
+
-	"HOTNODE" "TODO Add Hot Node (Uses Elastic Clustering)" OFF \
+	if [[ $install_type == "DISTRIBUTED" ]]; then
-	"WARMNODE" "TODO Add Warm Node to existing Hot or Search node" OFF \
+		install_type=$(whiptail --title "Security Onion Setup" --radiolist \
-	"WAZUH" "TODO Stand Alone Wazuh Server" OFF \
+		"Choose distributed node type:" 13 60 6 \
-	"STRELKA" "TODO Stand Alone Strelka Node" OFF 3>&1 1>&2 2>&3 )
+			"MASTER" "Start a new grid " ON \
+			"SENSOR" "Create a forward only sensor " OFF \
+			"SEARCHNODE" "Add a search node with parsing " OFF \
+			"MASTERSEARCH" "Master + search node " OFF \
+			"FLEET" "Dedicated Fleet Osquery Node " OFF \
+			"HEAVYNODE" "Sensor + Search Node " OFF \
+			3>&1 1>&2 2>&3
+			# "HOTNODE" "Add Hot Node (Uses Elastic Clustering)" OFF \ # TODO
+			# "WARMNODE" "Add Warm Node to existing Hot or Search node" OFF \ # TODO
+			# "WAZUH" "Stand Alone Wazuh Server" OFF \ # TODO
+			# "STRELKA" "Stand Alone Strelka Node" OFF \ # TODO
+		)
+	fi
 
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
 
 	export install_type
-
-
 }
 
 whiptail_log_size_limit() {
@@ -1128,7 +1154,20 @@ whiptail_you_sure() {
 
 	[ -n "$TESTING" ] && return
 
-	whiptail --title "Security Onion Setup" --yesno "Are you sure you want to continue a network install of Security Onion?" 8 75
+	read -r -d '' you_sure_text <<- EOM
+		Welcome to Security Onion Setup!
+
+		You can use Setup for lots of different use cases from a small standalone installation to a large distributed deployment for your enterprise.
+		
+		Setup uses keyboard navigation and you can use arrow keys to move around.  Certain screens may provide a list and ask you to select one or more items from that list.  You can use [SPACE] to select items and [ENTER] to proceed to the next screen.
+		
+		Would you like to continue?
+	EOM
+
+	whiptail \
+		--title "Security Onion Setup" \
+		--yesno "$you_sure_text" \
+		20 75
 
 	local exitstatus=$?
 	return $exitstatus