From 8ef6c2f91df61bdfb7fc85fc9bcf68b441700302 Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Wed, 10 Dec 2025 15:19:44 -0500
Subject: [PATCH] small fixes

---
 salt/manager/tools/sbin/soup | 3 ++-
 salt/soc/soc_soc.yaml | 12 ++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index e7784fe4f..9fd9542c0 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -1113,7 +1113,7 @@ suricata_idstools_removal_pre() {
 install -d -o 939 -g 939 -m 755 /opt/so/conf/soc/fingerprints
 install -o 939 -g 939 -m 644 /dev/null /opt/so/conf/soc/fingerprints/suricataengine.syncBlock
 cat > /opt/so/conf/soc/fingerprints/suricataengine.syncBlock << EOF
-Suricata ruleset sync is blocked until this file is removed. Make sure that you have manually added any custom Suricata rulesets via SOC config - review the documentation for more details: securityonion.net/docs
+Suricata ruleset sync is blocked until this file is removed. **CRITICAL** Make sure that you have manually added any custom Suricata rulesets via SOC config before removing this file - review the documentation for more details: https://docs.securityonion.net/en/2.4/nids.html#sync-block
 EOF
 # Remove possible symlink & create salt local rules dir
@@ -1131,6 +1131,7 @@ if [[ -f /opt/so/conf/soc/so-detections-backup.py ]]; then
 # Verify backup by comparing counts
 echo "Verifying detection overrides backup..."
 es_override_count=$(/sbin/so-elasticsearch-query 'so-detection/_count' \
+ --retry 5 --retry-delay 10 --retry-all-errors \
 -d '{"query": {"bool": {"must": [{"exists": {"field": "so_detection.overrides"}}]}}}' | jq -r '.count') || {
 echo " Error: Failed to query Elasticsearch for override count"
 exit 1
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index ff13922fb..e4d2dc225 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
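Review bot: The `|| { ... exit 1; }` handler after the new `--retry` line only sees the exit status of `jq`, the last command in the pipeline, so if `so-elasticsearch-query` still fails after the five retries and prints nothing (or an error document), `jq -r '.count'` exits 0 and `es_override_count` ends up empty or `null` instead of the script aborting, unless `set -o pipefail` is in effect somewhere outside the hunk. The retry makes the query more resilient but does not close that gap; a guard on the value would, e.g. `[[ "$es_override_count" =~ ^[0-9]+$ ]] || { echo " Error: Failed to query Elasticsearch for override count"; exit 1; }`. Assuming the wrapper passes these options straight through to curl, `--retry-all-errors` also requires curl 7.71.0 or newer, which is worth noting next to the option, e.g. `# --retry-all-errors needs curl >= 7.71.0`. The enclosing `if` block starts and ends outside the hunk.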
@@ -608,6 +608,18 @@ soc:
 label: Delete Unreferenced (Deletes rules that are no longer referenced by ruleset source)
 forcedType: bool
 required: False
+ - field: proxyURL
+ label: HTTP/HTTPS proxy URL for downloading the ruleset.
+ required: False
+ - field: proxyUsername
+ label: Proxy authentication username.
+ required: False
+ - field: proxyPassword
+ label: Proxy authentication password.
+ required: False
+ - field: proxyCACert
+ label: Path to CA certificate file for MITM proxy verification.
+ required: False
 airgap: *serulesetSources
 navigator:
 intervalMinutes:
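Review bot: `proxyPassword` is declared exactly like the other free-text fields, with nothing marking it as a secret, so depending on how SOC renders and persists config values it may be displayed in clear text and show up in config diffs or logs; if the annotation schema has a marker for sensitive values (as used for other credential fields in this file, if any), it belongs on this entry. The new `label` values are full sentences where the sibling entries use a short title (`Delete Unreferenced (...)`), so a short label such as `Proxy URL` with the explanation moved to the field's description, if the schema provides one, would match the surrounding style. Since `proxyURL` can also carry `user:pass@host` inline, that description should state which takes precedence when both the URL credentials and `proxyUsername`/`proxyPassword` are set.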