Merge branch 'dev' of https://github.com/Security-Onion-Solutions/securityonion-saltstack into dev

salt/common/maps/sensor.map.jinja

@@ -1,6 +1,5 @@
 {% set docker = {
   'containers': [
-    'so-nginx',
     'so-telegraf',
     'so-steno',
     'so-suricata',

salt/common/maps/so-status.map.jinja

@@ -28,6 +28,10 @@
   {{ append_containers('master', 'domainstats', 0) }}
 {% endif %}
 
+{% if role in ['eval', 'heavynode', 'sensor', 'standalone'] %}
+  {{ append_containers('static', 'strelka', 0) }}
+{% endif %}
+
 {% if role in ['heavynode', 'standalone'] %}
   {{ append_containers('static', 'broversion', 'SURICATA') }}
 {% endif %}

salt/common/maps/strelka.map.jinja

@@ -0,0 +1,9 @@
+{% set docker = {
+  'containers': [
+    'so-strelka-coordinator',
+    'so-strelka-gatekeeper',
+    'so-strelka-manager',
+    'so-strelka-frontend',
+    'so-strelka-filestream'
+  ]
+} %}

salt/firewall/init.sls

@@ -683,7 +683,14 @@ enable_cluster_ES_9300_{{ip}}:
 
 # Rules if you are a Sensor
 {% if grains['role'] == 'so-sensor' %}
-
+iptables_allow_sensor_docker:
+  iptables.insert:
+    - table: filter
+    - chain: INPUT
+    - jump: ACCEPT
+    - source: 172.17.0.0/24
+    - position: 1
+    - save: True
 {% endif %}
 
 # Rules if you are a Hot Node

salt/soc/files/soc/changes.json

@@ -25,6 +25,7 @@
     { "summary": "Mastersearch previously used the same Grafana dashboard as a Search node. It now has its own dashboard that incorporates panels from the Master node and Search node dashboards." },
     { "summary": "KNOWN ISSUE: The Hunt feature is currently considered \"Preview\" and although very useful in its current state, not everything works. We wanted to get this out as soon as possible to get the feedback from you! Let us know what you want to see! Let us know what you think we should call it!" },
     { "summary": "KNOWN ISSUE: You cannot pivot to PCAP from Suricata alerts in Kibana or Hunt." },
+    { "summary": "KNOWN ISSUE: Navigator is currently not working when using hostname to access SOC. IP mode works correctly." },
     { "summary": "KNOWN ISSUE: Updating users via the SOC ui is known to fail. To change a user, delete the user and re-add them." },
     { "summary": "KNOWN ISSUE: Due to the move to ECS, the current Playbook plays may not alert correctly at this time." },
     { "summary": "KNOWN ISSUE: The osquery MacOS package does not install correctly." }

salt/soc/files/soc/soc.json

@@ -100,7 +100,7 @@
           { "name": "Connections", "description": "Connections grouped by source country", "query": "event.module:zeek AND event.dataset:conn | groupby source.geo.country_name"},
           { "name": "DCE_RPC", "description": "DCE_RPC grouped by operation", "query": "event.module:zeek AND event.dataset:dce_rpc | groupby operation"},
           { "name": "DHCP", "description": "DHCP leases", "query": "event.module:zeek AND event.dataset:dhcp | groupby host.hostname host.domain dhcp.requested_address"},
-          { "name": "DHCP", "description": "DHCP grouped by message type", "query": "event.module:zeek AND event.dataset:dhcp | groupby message_types"},
+          { "name": "DHCP", "description": "DHCP grouped by message type", "query": "event.module:zeek AND event.dataset:dhcp | groupby dhcp.message_types"},
           { "name": "DNP3", "description": "DNP3 grouped by reply", "query": "event.module:zeek AND event.dataset:dnp3 | groupby dnp3.fc_reply"},
           { "name": "DNS", "description": "DNS queries grouped by port ", "query": "event.module:zeek AND event.dataset:dns | groupby dns.query.name destination.port"},
           { "name": "DNS", "description": "DNS queries grouped by type", "query": "event.module:zeek AND event.dataset:dns | groupby dns.query.type_name destination.port"},