From ed60d48c81b09ba2dfcc59214683010e6354907d Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Mon, 29 Jun 2020 18:49:16 +0000
Subject: [PATCH 1/2] Add ES REST API option for so-allow
---
 files/firewall/hostgroups.local.yaml | 3 +++
 salt/common/tools/sbin/so-allow | 9 ++++++++-
 salt/firewall/assigned_hostgroups.map.yaml | 3 +++
 3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/files/firewall/hostgroups.local.yaml b/files/firewall/hostgroups.local.yaml
index 27ad40f6e..edb08e195 100644
--- a/files/firewall/hostgroups.local.yaml
+++ b/files/firewall/hostgroups.local.yaml
@@ -12,6 +12,9 @@ firewall:
 ips:
 delete:
 insert:
+ elasticsearch_rest:
+ delete:
+ insert:
 fleet:
 ips:
 delete:
diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow
index d273cfce5..e7c7f1e1a 100755
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -38,7 +38,11 @@ do
 FULLROLE="beats_endpoint"
 SKIP=1
 ;;
- f)
+ e)
+ FULLROLE="elasticsearch_rest"
+ SKIP=1
+ ;;
+ f)
 FULLROLE="strelka_frontend"
 SKIP=1
 ;;
@@ -77,6 +81,7 @@ if [ "$SKIP" -eq 0 ]; then
 echo ""
 echo "[a] - Analyst - ports 80/tcp and 443/tcp"
 echo "[b] - Logstash Beat - port 5044/tcp"
+ echo "[e] - Elasticsearch REST API - port 9200/tcp"
 echo "[f] - Strelka frontend - port 57314/tcp"
 echo "[o] - Osquery endpoint - port 8090/tcp"
 echo "[s] - Syslog device - 514/tcp/udp"
@@ -92,6 +97,8 @@ if [ "$SKIP" -eq 0 ]; then
 FULLROLE=analyst
 elif [ "$ROLE" == "b" ]; then
 FULLROLE=beats_endpoint
+ elif [ "$ROLE" == "e" ]; then
+ FULLROLE=elasticsearch_rest
 elif [ "$ROLE" == "f" ]; then
 FULLROLE=strelka_frontend
 elif [ "$ROLE" == "o" ]; then
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index aa41322a3..c16a63c00 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
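Review bot: The new `elasticsearch_rest` group in hostgroups.local.yaml places `delete:` and `insert:` directly under the group name, while the neighbouring `fleet:` group in the context lines nests them under an `ips:` key. Unless the firewall state accepts both shapes, the allow-list for this role would not be read, so the block should probably be `elasticsearch_rest:` / `ips:` / `delete:` / `insert:` at the same nesting as `fleet:`. Indentation is collapsed in this rendering, so confirm the nesting against the file itself.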
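Review bot: The new `e)` arm in so-allow is only reachable if the option string on the `while getopts` line, which sits outside this hunk, also lists `e`. The diffstat for this file shows a single deletion and that is the `- f)` line re-added here, so the getopts line is not changed by this commit; unless `e` was already in it, `so-allow -e` is reported as an illegal option instead of selecting `elasticsearch_rest`. Please add `e` to the getopts option string, or state in the commit that it was already present. The enclosing `while getopts ... do` loop starts before this hunk.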
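Review bot: The new menu line names only the port, but unlike the other entries this one opens the cluster's query and administration interface to the allowed host, and whether Elasticsearch authentication sits in front of 9200 is not visible here. The prompt should make that scope explicit so an operator does not treat it like a log-shipping port, e.g. `echo "[e] - Elasticsearch REST API - port 9200/tcp (full query/admin API; trusted hosts only)"`. The surrounding `if [ "$SKIP" -eq 0 ]; then` block continues outside the hunk.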
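Review bot: The added `elif [ "$ROLE" == "e" ]` pair repeats the letter-to-role mapping that the `e)` arm of the first hunk already encodes, so every new role must now be added in two places and the two tables can drift apart. A style alternative is to route the interactive choice through the same `case "$ROLE" in` dispatch the getopts loop uses, or to keep one associative array of letter to role that both paths read. The `if`/`elif` chain this hunk belongs to starts and ends outside the hunk.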
@@ -48,6 +48,9 @@ role:
 beats_endpoint_ssl:
 portgroups:
 - {{ portgroups.beats_5644 }}
+ elasticsearch_rest:
+ portgroups:
+ - {{ portgroups.elasticsearch_rest }}
 osquery_endpoint:
 portgroups:
 - {{ portgroups.fleet_api }}
From abe063602b42f65d4b7521774aa13c38389fcff8 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 29 Jun 2020 14:57:42 -0400
Subject: [PATCH 2/2] Update whiptail snort
Update the user to let them know Snort 3.x won't work.
---
 setup/so-whiptail | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 43774cc00..2aa7bf10c 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -536,9 +536,10 @@ whiptail_nids() {
 [ -n "$TESTING" ] && return
 NIDS=$(whiptail --title "Security Onion Setup" --radiolist \
- "Choose which IDS to run:" 20 75 4 \
+ "Choose which IDS to run. \n
+ Snort 3.0 support will be added once it is out of beta:" 25 75 4 \
 "Suricata" "Suricata 4.X" ON \
- "Snort" "Snort 3.0 Beta" OFF 3>&1 1>&2 2>&3 )
+ "Snort" "Placeholder for Snort 3.0 " OFF 3>&1 1>&2 2>&3 )
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
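Review bot: The new role references `{{ portgroups.elasticsearch_rest }}`, but none of the three files in this patch defines a portgroup by that name, so the template renders only if it already exists in the portgroups map. If it does not, the state fails at render time (or silently expands to nothing, depending on the Jinja undefined setting), and the allow rule for 9200/tcp is never installed. Please confirm the portgroups definition contains `elasticsearch_rest` mapped to 9200/tcp so it matches the port the so-allow menu advertises.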