From 21e374c82e2616e22620a51338f3594b8b20fe6f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 30 Jan 2020 11:10:52 -0500 Subject: [PATCH 1/6] Fix SSL State --- salt/ssl/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 57579f6ca..83c7c92e4 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -2,7 +2,7 @@ {% set master_minion_id = master.split(".")[0] %} {%- set masterip = salt['pillar.get']('static:masterip', '') -%} -{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-heavynode' %} +{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %} {% set trusttheca_text = salt['mine.get'](grains.id, 'x509.get_pem_entries')[grains.id]['/etc/pki/ca.crt']|replace('\n', '') %} {% set ca_server = grains.id %} {% else %} @@ -41,7 +41,7 @@ m2cryptopkgs: bits: 4096 backup: True -{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' or grains['role'] == 'so-heavynode' %} +{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' %} # Request a cert and drop it where it needs to go to be distributed /etc/pki/filebeat.crt: From 5dec2b1c87454fd6c38895bda9b17b94f70b06e7 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 30 Jan 2020 12:39:09 -0500 Subject: [PATCH 2/6] Move auth init.sls to docker registry --- salt/auth/init.sls | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/salt/auth/init.sls b/salt/auth/init.sls index bed7d18d5..18850d534 100644 --- a/salt/auth/init.sls +++ b/salt/auth/init.sls @@ -1,3 +1,6 @@ +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} +{% set MASTER = salt['grains.get']('master') %} + so-auth-api-dir: file.directory: - name: /opt/so/conf/auth/api 
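Review bot: Dropping `so-heavynode` from the second condition (`@@ -41,7`) means the `/etc/pki/filebeat.crt` request below it no longer runs on heavy nodes, while patch 3 of this series still renders filebeat.yml for `so-heavynode`, so Filebeat on a heavy node must now get its client certificate from some other state or it will have nothing to present to the TLS output. If the `{% else %}` branch (outside this hunk) already issues that cert from the master CA, say so where the role list is edited, e.g. `# heavy nodes are not in this list: they request filebeat.crt from the master-signed branch below`. The first hunk makes the matching change for the CA selection, so heavy nodes now trust the master's `/etc/pki/ca.crt` from the mine instead of signing as their own CA, which is the right direction for a single trust root. Both `{% if %}` bodies extend beyond the hunks shown.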
@@ -5,19 +8,9 @@ so-auth-api-dir: - group: 939 - makedirs: True -so-auth-api-image: - cmd.run: - - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-api:HH1.1.4 - -so-auth-ui-image: - cmd.run: - - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-ui:HH1.1.4 - so-auth-api: docker_container.running: - - require: - - so-auth-api-image - - image: docker.io/soshybridhunter/so-auth-api:HH1.1.4 + - image: {{ MASTER }}:5000/soshybridhunter/so-auth-api:{{ VERSION }} - hostname: so-auth-api - name: so-auth-api - environment: @@ -29,9 +22,7 @@ so-auth-api: so-auth-ui: docker_container.running: - - require: - - so-auth-ui-image - - image: docker.io/soshybridhunter/so-auth-ui:HH1.1.4 + - image: {{ MASTER }}:5000/soshybridhunter/so-auth-ui:{{ VERSION }} - hostname: so-auth-ui - name: so-auth-ui - port_bindings: From 048c77695d63dc05d5df10e481c0335897fdc0f1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 30 Jan 2020 15:47:51 -0500 Subject: [PATCH 3/6] Fix Filebeat --- salt/filebeat/etc/filebeat.yml | 2 +- salt/filebeat/init.sls | 15 +++++++-------- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 45936c180..2eb2092f4 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -1,5 +1,5 @@ {%- if grains.role == 'so-heavynode' %} -{%- set MASTER = grains.host %} +{%- set MASTER = salt['pillar.get']('sensor:mainip' '') %} {%- else %} {%- set MASTER = grains['master'] %} {%- endif %} diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 8528ecc38..b058f1408 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls 
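Review bot: The removed `docker pull --disable-content-trust=false` states were the only place these images had their signatures checked, and the replacement `image: {{ MASTER }}:5000/...` lines in both `so-auth-api` and `so-auth-ui` let `docker_container.running` pull from the master's registry with no trust check, so an image substituted in that registry would start without any verification on the minion. Unless the master mirrors those images through a step that still enforces content trust and the port-5000 registry is reached over the CA-issued TLS certificate, the signature check should be re-established there rather than silently dropped; at minimum record the moved trust boundary above the `image:` line, e.g. `# pulled unsigned from the master registry; image integrity is checked when the master mirrors the upstream image`. The two `docker_container.running` bodies continue outside the hunk.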
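Review bot: The added line `{%- set MASTER = salt['pillar.get']('sensor:mainip' '') %}` in filebeat.yml is missing the comma between the key and the default; Jinja appears to join the two adjacent string literals, so the call becomes `pillar.get('sensor:mainip')` with no default, and a heavy node whose pillar lacks `sensor:mainip` may fail to render filebeat.yml instead of falling back to `''`. It should read `{%- set MASTER = salt['pillar.get']('sensor:mainip', '') %}`. Note that even with the comma an empty fallback makes Filebeat on a heavy node ship to an empty host, so a render-time check that the value is non-empty would fail earlier and more visibly than a silently broken output.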
@@ -1,4 +1,4 @@ - # Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC +# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or @@ -13,14 +13,13 @@ # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} -{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} -{% set FEATURES = salt['pillar.get']('elastic:features', False) %} -{% if FEATURES %} - {% set FEATURES = "-features" %} -{% else %} - {% set FEATURES = '' %} +{% set MASTERIP = salt['pillar.get']('static:masterip', '') %} +{% set FEATURES = salt['pillar.get']('elastic:features', False) %} +{% if FEATURES %} + {% set FEATURES = "-features" %} +{% else %} + {% set FEATURES = '' %} {% endif %} -# Filebeat Setup filebeatetcdir: file.directory: - name: /opt/so/conf/filebeat/etc From 59d6b7cb8a42e01fbf48adc299e8588e0c5d30e5 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 30 Jan 2020 16:00:57 -0500 Subject: [PATCH 4/6] Add log paths --- .../files/dynamic/0008_input_eval.conf | 187 ++++++++++++++++++ 1 file changed, 187 insertions(+) create mode 100644 salt/logstash/files/dynamic/0008_input_eval.conf diff --git a/salt/logstash/files/dynamic/0008_input_eval.conf b/salt/logstash/files/dynamic/0008_input_eval.conf new file mode 100644 index 000000000..b2850a984 --- /dev/null +++ b/salt/logstash/files/dynamic/0008_input_eval.conf 
@@ -0,0 +1,187 @@ +# Updated by: Mike Reeves +# Last Update: 11/1/2018 + +input { + file { + path => "/suricata/eve.json" + type => "ids" + add_field => { "engine" => "suricata" } + } + file { + path => "/nsm/bro/logs/current/conn*.log" + type => "bro_conn" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/dce_rpc*.log" + type => "bro_dce_rpc" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/dhcp*.log" + type => "bro_dhcp" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/dnp3*.log" + type => "bro_dnp3" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/dns*.log" + type => "bro_dns" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/dpd*.log" + type => "bro_dpd" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/files*.log" + type => "bro_files" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/ftp*.log" + type => "bro_ftp" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/http*.log" + type => "bro_http" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/intel*.log" + type => "bro_intel" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/irc*.log" + type => "bro_irc" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/kerberos*.log" + type => "bro_kerberos" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/modbus*.log" + type => "bro_modbus" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/mysql*.log" + type => "bro_mysql" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/notice*.log" + type => "bro_notice" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/ntlm*.log" + type => "bro_ntlm" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/pe*.log" + type => "bro_pe" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/radius*.log" + type => "bro_radius" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/rdp*.log" + type => 
"bro_rdp" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/rfb*.log" + type => "bro_rfb" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/signatures*.log" + type => "bro_signatures" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/sip*.log" + type => "bro_sip" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/smb_files*.log" + type => "bro_smb_files" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/smb_mapping*.log" + type => "bro_smb_mapping" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/smtp*.log" + type => "bro_smtp" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/snmp*.log" + type => "bro_snmp" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/socks*.log" + type => "bro_socks" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/software*.log" + type => "bro_software" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/ssh*.log" + type => "bro_ssh" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/ssl*.log" + type => "bro_ssl" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/syslog*.log" + type => "bro_syslog" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/tunnel*.log" + type => "bro_tunnels" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/weird*.log" + type => "bro_weird" + tags => ["bro"] + } + file { + path => "/nsm/bro/logs/current/x509*.log" + type => "bro_x509" + tags => ["bro"] + } +} +filter { + if "import" in [tags] { + mutate { + #add_tag => [ "conf_file_0007"] + } + } +} From c32b2726fa23586cac880650defd35094d134bed Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 30 Jan 2020 16:10:59 -0500 Subject: [PATCH 5/6] Fix Eval Event Pickup --- salt/logstash/files/dynamic/0008_input_eval.conf | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) 
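Review bot: The `filter` block at the end of the new file is an empty `mutate {}` whose only content is the commented-out `#add_tag => [ "conf_file_0007"]`, which is a leftover from the 0007 input file this one was copied from; either remove the filter entirely or tag with this file's own number, `add_tag => [ "conf_file_0008" ]`, so events can be traced back to the input that produced them. The header `# Last Update: 11/1/2018` predates the commit and should be refreshed or dropped, since a stale date misleads more than no date. The `type => "bro_tunnels"` for `tunnel*.log` breaks the otherwise consistent pattern of naming the type after the log file (`bro_tunnel`); if a downstream filter depends on the plural form, a comment on that line would prevent a later "fix".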
diff --git a/salt/logstash/files/dynamic/0008_input_eval.conf b/salt/logstash/files/dynamic/0008_input_eval.conf index b2850a984..b02f9d516 100644 --- a/salt/logstash/files/dynamic/0008_input_eval.conf +++ b/salt/logstash/files/dynamic/0008_input_eval.conf @@ -177,6 +177,22 @@ input { type => "bro_x509" tags => ["bro"] } + file { + path => "/wazuh/alerts/alerts.json" + type => "ossec" + } + file { + path => "/wazuh/archives/archive.json" + type => "ossec_archive" + } + file { + path => "/osquery/logs/result.log" + type => "osquery" + } + file { + path => "/strelka/strelka.log" + type => "strelka" + } } filter { if "import" in [tags] { From 1e0d0d74e1b40e64869818e32e659362fd6b7635 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 30 Jan 2020 16:16:21 -0500 Subject: [PATCH 6/6] Fix Eval Event Pickup x2 --- salt/logstash/init.sls | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index f92f047fa..c61bee921 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -130,7 +130,7 @@ lspipelinesyml: - name: /opt/so/conf/logstash/etc/pipelines.yml - source: salt://logstash/etc/pipelines.yml.jinja - template: jinja - - defaults: + - defaults: pipelines: {{ pipelines }} # Copy down all the configs including custom - TODO add watch restart @@ -166,7 +166,7 @@ lsconfsync: - source: salt://logstash/conf/conf.enabled.txt.so-master {% else %} - source: salt://logstash/conf/conf.enabled.txt.{{ nodetype }} -{% endif %} +{% endif %} - user: 931 - group: 939 - template: jinja @@ -241,6 +241,10 @@ so-logstash: {%- if grains['role'] == 'so-eval' %} - /nsm/bro:/nsm/bro:ro - /opt/so/log/suricata:/suricata:ro + - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro + - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro + - /opt/so/log/fleet/:/osquery/logs:ro + - /opt/so/log/strelka:/strelka:ro {%- endif %} - watch: - file: /opt/so/conf/logstash/etc
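Review bot: The path `/wazuh/archives/archive.json` is likely never matched, because Wazuh writes its archive log as `archives.json` (the counterpart of the `alerts.json` used two entries above), so the `ossec_archive` input would sit idle; confirm the filename actually present under the mounted `/opt/so/wazuh/logs/archives/` and adjust to `path => "/wazuh/archives/archives.json"` if it is the standard name. The four new inputs also carry no `tags` or `add_field`, unlike the suricata and bro entries, which is fine only if the downstream filters key solely on `type`; a comment such as `# routed by type only; no tags needed` would make that intentional.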
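Review bot: The four new bind mounts in `so-logstash` mix trailing-slash styles (`/opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro` and `/opt/so/log/fleet/:/osquery/logs:ro` versus `/opt/so/log/strelka:/strelka:ro`), which is harmless to Docker but makes the list harder to scan and to diff against the container paths used in `0008_input_eval.conf`; drop the trailing slashes on the host side for consistency with the existing `/nsm/bro:/nsm/bro:ro` entry. Keeping all of them `:ro` is correct, since Logstash only needs to read these logs. The other two hunks in this file are whitespace-only.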