Merge remote-tracking branch 'origin/2.4/dev' into vlb2

.github/DISCUSSION_TEMPLATE/2-4.yml

@@ -26,6 +26,7 @@ body:
         - 2.4.120
         - 2.4.130
         - 2.4.140
+        - 2.4.141
         - 2.4.150
         - Other (please provide detail below)
     validations:

DOWNLOAD_AND_VERIFY_ISO.md

@@ -1,17 +1,17 @@
-### 2.4.140-20250324 ISO image released on 2025/03/24
+### 2.4.141-20250331 ISO image released on 2025/03/31
 
 
 ### Download and Verify
 
-2.4.140-20250324 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.140-20250324.iso
+2.4.141-20250331 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.4.141-20250331.iso
  
-MD5: 36393200A5CEEC5B58277691DDAFF247  
-SHA1: 48655378C732CF47A6B3290F6F07F4F3162BE054  
-SHA256: 470E00245EBAD83C045743CFB27885CEC3E1F057D91081906B240A38B6D3759A  
+MD5: CAE347BC0437A93DC8F4089973ED0EA7  
+SHA1: 3A6F0C2F3B6E3625E06F67EB251372D7E592CB0E  
+SHA256: D0426D8E55E01A0FBA15AFE0BB7887CCB724C07FE82DA706CD1592E6001CD12B  
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.140-20250324.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.141-20250331.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.140-20250324.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.141-20250331.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.140-20250324.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.141-20250331.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.140-20250324.iso.sig securityonion-2.4.140-20250324.iso
+gpg --verify securityonion-2.4.141-20250331.iso.sig securityonion-2.4.141-20250331.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Sun 23 Mar 2025 08:37:47 PM EDT using RSA key ID FE507013
+gpg: Signature made Fri 28 Mar 2025 06:28:11 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

salt/manager/tools/sbin/soup

@@ -408,7 +408,8 @@ preupgrade_changes() {
     [[ "$INSTALLEDVERSION" == 2.4.111 ]] && up_to_2.4.120
     [[ "$INSTALLEDVERSION" == 2.4.120 ]] && up_to_2.4.130
     [[ "$INSTALLEDVERSION" == 2.4.130 ]] && up_to_2.4.140
-    [[ "$INSTALLEDVERSION" == 2.4.140 ]] && up_to_2.4.150
+    [[ "$INSTALLEDVERSION" == 2.4.140 ]] && up_to_2.4.141
+    [[ "$INSTALLEDVERSION" == 2.4.141 ]] && up_to_2.4.150
     true
 }
 
@@ -434,7 +435,8 @@ postupgrade_changes() {
     [[ "$POSTVERSION"  == 2.4.111 ]] && post_to_2.4.120
     [[ "$POSTVERSION"  == 2.4.120 ]] && post_to_2.4.130
     [[ "$POSTVERSION"  == 2.4.130 ]] && post_to_2.4.140
-    [[ "$POSTVERSION"  == 2.4.140 ]] && post_to_2.4.150
+    [[ "$POSTVERSION"  == 2.4.140 ]] && post_to_2.4.141
+    [[ "$POSTVERSION"  == 2.4.141 ]] && post_to_2.4.150
     true
 }
 
@@ -562,6 +564,11 @@ post_to_2.4.140() {
   POSTVERSION=2.4.140
 }
 
+post_to_2.4.141() {
+  echo "Nothing to apply"
+  POSTVERSION=2.4.141
+}
+
 post_to_2.4.150() {
   echo "Nothing to apply"
   POSTVERSION=2.4.150
@@ -793,6 +800,12 @@ up_to_2.4.140() {
   INSTALLEDVERSION=2.4.140
 }
 
+up_to_2.4.141() {
+  echo "Nothing to do for 2.4.141"
+
+  INSTALLEDVERSION=2.4.141
+}
+
 up_to_2.4.150() {
   echo "Nothing to do for 2.4.150"
 

salt/strelka/backend/enabled.sls

@@ -44,6 +44,10 @@ strelka_backend:
     - restart_policy: on-failure
     - watch:
       - file: strelkasensorcompiledrules
+      - file: backend_backend_config
+      - file: backend_logging_config
+      - file: backend_passwords
+      - file: backend_taste
 
 delete_so-strelka-backend_so-status.disabled:
   file.uncomment:

salt/strelka/filestream/enabled.sls

@@ -41,6 +41,8 @@ strelka_filestream:
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
+    - watch:
+      - file: filestream_config
 
 delete_so-strelka-filestream_so-status.disabled:
   file.uncomment:

salt/strelka/frontend/enabled.sls

@@ -46,6 +46,8 @@ strelka_frontend:
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
+    - watch:
+      - file: frontend_config
 
 delete_so-strelka-frontend_so-status.disabled:
   file.uncomment:

salt/strelka/manager/enabled.sls

@@ -40,6 +40,8 @@ strelka_manager:
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
+    - watch:
+      - file: manager_config
 
 delete_so-strelka-manager_so-status.disabled:
   file.uncomment:

salt/strelka/soc_strelka.yaml

@@ -64,46 +64,62 @@ strelka:
             helpLink: strelka.html
             advanced: True
         scanners:
-          'ScanBase64': &scannerOptions
+          'ScanBase64PE': &scannerOptions
             description: Configuration options for this scanner.
             readonly: False
             global: False
             helpLink: strelka.html
             advanced: True
-            type: json
-            multiline: True
+            forcedType: "[]{}"
+            syntax: json
           'ScanBatch': *scannerOptions
+          'ScanBmpEof': *scannerOptions
           'ScanBzip2': *scannerOptions
+          'ScanDmg': *scannerOptions
           'ScanDocx': *scannerOptions
+          'ScanDonut': *scannerOptions
           'ScanElf': *scannerOptions
           'ScanEmail': *scannerOptions
+          'ScanEncryptedDoc': *scannerOptions
+          'ScanEncryptedZip': *scannerOptions
           'ScanEntropy': *scannerOptions
           'ScanExiftool': *scannerOptions
+          'ScanFooter': *scannerOptions
           'ScanGif': *scannerOptions
           'ScanGzip': *scannerOptions
           'ScanHash': *scannerOptions
           'ScanHeader': *scannerOptions
           'ScanHtml': *scannerOptions
           'ScanIni': *scannerOptions
+          'ScanIqy': *scannerOptions
+          'ScanIso': *scannerOptions
           'ScanJarManifest': *scannerOptions
           'ScanJavascript': *scannerOptions
           'ScanJpeg': *scannerOptions
           'ScanJson': *scannerOptions
           'ScanLibarchive': *scannerOptions
+          'ScanLNK': *scannerOptions
+          'ScanLsb': *scannerOptions
           'ScanLzma': *scannerOptions
           'ScanMacho': *scannerOptions
+          'ScanManifest': *scannerOptions
+          'ScanMsi': *scannerOptions
           'ScanOcr': *scannerOptions
           'ScanOle': *scannerOptions
+          'ScanOnenote': *scannerOptions
           'ScanPdf': *scannerOptions
           'ScanPe': *scannerOptions
           'ScanPgp': *scannerOptions
           'ScanPhp': *scannerOptions
           'ScanPkcs7': *scannerOptions
           'ScanPlist': *scannerOptions
+          'ScanPngEof': *scannerOptions
+          'ScanQr': *scannerOptions
           'ScanRar': *scannerOptions
           'ScanRpm': *scannerOptions
           'ScanRtf': *scannerOptions
           'ScanRuby': *scannerOptions
+          'ScanSevenZip': *scannerOptions
           'ScanSwf': *scannerOptions
           'ScanTar': *scannerOptions
           'ScanTnef': *scannerOptions
@@ -111,6 +127,8 @@ strelka:
           'ScanUrl': *scannerOptions
           'ScanVb': *scannerOptions
           'ScanVba': *scannerOptions
+          'ScanVhd': *scannerOptions
+          'ScanVsto': *scannerOptions
           'ScanX509': *scannerOptions
           'ScanXml': *scannerOptions
           'ScanYara': *scannerOptions