From 99aa383e01d8602bf7b84b1e49bd359e98e15936 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 26 Mar 2025 12:11:53 -0400 Subject: [PATCH 1/8] soup and version updates --- VERSION | 2 +- salt/manager/tools/sbin/soup | 13 +++++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/VERSION b/VERSION index bbcd1a024..7b4caac73 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.140 +2.4.141 diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index a0dd5916f..c0b7f6e1c 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -408,6 +408,7 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" == 2.4.111 ]] && up_to_2.4.120 [[ "$INSTALLEDVERSION" == 2.4.120 ]] && up_to_2.4.130 [[ "$INSTALLEDVERSION" == 2.4.130 ]] && up_to_2.4.140 + [[ "$INSTALLEDVERSION" == 2.4.140 ]] && up_to_2.4.141 true } @@ -433,6 +434,7 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.4.111 ]] && post_to_2.4.120 [[ "$POSTVERSION" == 2.4.120 ]] && post_to_2.4.130 [[ "$POSTVERSION" == 2.4.130 ]] && post_to_2.4.140 + [[ "$POSTVERSION" == 2.4.140 ]] && post_to_2.4.141 true } @@ -560,6 +562,11 @@ post_to_2.4.140() { POSTVERSION=2.4.140 } +post_to_2.4.141() { + echo "Nothing to apply" + POSTVERSION=2.4.141 +} + repo_sync() { echo "Sync the local repo." su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync." @@ -786,6 +793,12 @@ up_to_2.4.140() { INSTALLEDVERSION=2.4.140 } +up_to_2.4.141() { + echo "Nothing to do for 2.4.141" + + INSTALLEDVERSION=2.4.141 +} + add_hydra_pillars() { mkdir -p /opt/so/saltstack/local/pillar/hydra touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls From 3850558be332b6b6e8ffa92c7d2da2f408af18c8 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Mon, 31 Mar 2025 10:37:04 -0400 Subject: [PATCH 2/8] 2.4.141 --- DOWNLOAD_AND_VERIFY_ISO.md | 22 ++++++++++---------- sigs/securityonion-2.4.141-20250331.iso.sig | Bin 0 -> 566 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.4.141-20250331.iso.sig diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index 812d4c2a7..6b50d3190 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md @@ -1,17 +1,17 @@ -### 2.4.140-20250324 ISO image released on 2025/03/24 +### 2.4.141-20250331 ISO image released on 2025/03/31 ### Download and Verify -2.4.140-20250324 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.140-20250324.iso +2.4.141-20250331 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.141-20250331.iso -MD5: 36393200A5CEEC5B58277691DDAFF247 -SHA1: 48655378C732CF47A6B3290F6F07F4F3162BE054 -SHA256: 470E00245EBAD83C045743CFB27885CEC3E1F057D91081906B240A38B6D3759A +MD5: CAE347BC0437A93DC8F4089973ED0EA7 +SHA1: 3A6F0C2F3B6E3625E06F67EB251372D7E592CB0E +SHA256: D0426D8E55E01A0FBA15AFE0BB7887CCB724C07FE82DA706CD1592E6001CD12B Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.140-20250324.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.141-20250331.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS 
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.140-20250324.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.141-20250331.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.140-20250324.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.141-20250331.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.140-20250324.iso.sig securityonion-2.4.140-20250324.iso +gpg --verify securityonion-2.4.141-20250331.iso.sig securityonion-2.4.141-20250331.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Sun 23 Mar 2025 08:37:47 PM EDT using RSA key ID FE507013 +gpg: Signature made Fri 28 Mar 2025 06:28:11 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
diff --git a/sigs/securityonion-2.4.141-20250331.iso.sig b/sigs/securityonion-2.4.141-20250331.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..7ced499157a1e88ba23941e14785e78794bb9f81 GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j-41gSkXz6^6dp_W8^5Ma0dP;e6k0%zwUdjJXv5PT3| zxBgIY6G40r{0qWX4>X1)tU%2el5&MfEH54b<%0K72A^)X2H*X6SaSM!_4H%Fo)R{r zk)$t?UEWm8pnT7Wkl#Em*p@o zsxBui)rhJ5ZA71utOQChY)t`Xr608{*{lfZTmw@b`)W@lqHG#-=%%grsiBrc`nZXq zZ2YP_HFBl<#;{gtJ3l+po_6yaY2H_g9ww~X$$$5~^l4`kl6 Date: Mon, 31 Mar 2025 11:36:55 -0400 Subject: [PATCH 3/8] Resolve Conflicts --- salt/manager/tools/sbin/soup | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index e8f66168b..07ae96a99 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -564,15 +564,14 @@ post_to_2.4.140() { POSTVERSION=2.4.140 } -<<<<<<< HEAD -post_to_2.4.150() { - echo "Nothing to apply" - POSTVERSION=2.4.150 -======= post_to_2.4.141() { echo "Nothing to apply" POSTVERSION=2.4.141 ->>>>>>> 2.4/main +} + +post_to_2.4.150() { + echo "Nothing to apply" + POSTVERSION=2.4.150 } repo_sync() { @@ -801,17 +800,15 @@ up_to_2.4.140() { INSTALLEDVERSION=2.4.140 } -<<<<<<< HEAD -up_to_2.4.150() { - echo "Nothing to do for 2.4.150" - - INSTALLEDVERSION=2.4.150 -======= up_to_2.4.141() { echo "Nothing to do for 2.4.141" INSTALLEDVERSION=2.4.141 ->>>>>>> 2.4/main + +up_to_2.4.150() { + echo "Nothing to do for 2.4.150" + + INSTALLEDVERSION=2.4.150 } add_hydra_pillars() { From eef4b82afbc869c6ecec7ffd5cf341cfca757de1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 31 Mar 2025 11:46:03 -0400 Subject: [PATCH 4/8] Update 2-4.yml --- .github/DISCUSSION_TEMPLATE/2-4.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/DISCUSSION_TEMPLATE/2-4.yml b/.github/DISCUSSION_TEMPLATE/2-4.yml index e6aec285d..fbd4d2c22 100644 --- a/.github/DISCUSSION_TEMPLATE/2-4.yml 
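Review bot: The second hunk (`up_to_2.4.141`) drops the function's closing brace: on the new side `INSTALLEDVERSION=2.4.141` is followed by a blank line and then `up_to_2.4.150() {`, so `up_to_2.4.150` is declared inside the still-open body of `up_to_2.4.141`, the file's braces no longer balance, and bash rejects the script with an unexpected end-of-file syntax error. Add `}` after `INSTALLEDVERSION=2.4.141`, mirroring how the first hunk closes `post_to_2.4.141` with `+}`. Since soup is the upgrade path for every installed version, a `bash -n salt/manager/tools/sbin/soup` step in CI would catch this kind of conflict-resolution slip before it ships.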
+++ b/.github/DISCUSSION_TEMPLATE/2-4.yml @@ -26,6 +26,7 @@ body: - 2.4.120 - 2.4.130 - 2.4.140 + - 2.4.141 - 2.4.150 - Other (please provide detail below) validations: From 71f146d1d979c4f405bc301bd6cc31a41f738eba Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 1 Apr 2025 09:36:22 -0400 Subject: [PATCH 5/8] Update soup --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 07ae96a99..263b04734 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -804,7 +804,7 @@ up_to_2.4.141() { echo "Nothing to do for 2.4.141" INSTALLEDVERSION=2.4.141 - +} up_to_2.4.150() { echo "Nothing to do for 2.4.150" From ba10228fefbbfe80d9167ce35e876b22dc5c17a8 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 1 Apr 2025 09:42:10 -0400 Subject: [PATCH 6/8] Update soup --- salt/manager/tools/sbin/soup | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 263b04734..2325bc161 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -805,6 +805,7 @@ up_to_2.4.141() { INSTALLEDVERSION=2.4.141 } + up_to_2.4.150() { echo "Nothing to do for 2.4.150" From 0b8a7f5b67566b6230cf51fd9132630e6dbe06de Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 2 Apr 2025 10:10:34 -0400 Subject: [PATCH 7/8] fix strelka annotations. restart strelka containers on config change --- salt/strelka/backend/enabled.sls | 4 ++++ salt/strelka/filestream/enabled.sls | 2 ++ salt/strelka/frontend/enabled.sls | 2 ++ salt/strelka/manager/enabled.sls | 2 ++ salt/strelka/soc_strelka.yaml | 4 ++-- 5 files changed, 12 insertions(+), 2 deletions(-) diff --git a/salt/strelka/backend/enabled.sls b/salt/strelka/backend/enabled.sls index a26905e1f..3a830c9b0 100644 --- a/salt/strelka/backend/enabled.sls +++ b/salt/strelka/backend/enabled.sls 
@@ -44,6 +44,10 @@ strelka_backend: - restart_policy: on-failure - watch: - file: strelkasensorcompiledrules + - file: backend_backend_config + - file: backend_logging_config + - file: backend_passwords + - file: backend_taste delete_so-strelka-backend_so-status.disabled: file.uncomment: diff --git a/salt/strelka/filestream/enabled.sls b/salt/strelka/filestream/enabled.sls index f04631eca..c90b1e83f 100644 --- a/salt/strelka/filestream/enabled.sls +++ b/salt/strelka/filestream/enabled.sls @@ -41,6 +41,8 @@ strelka_filestream: - {{ XTRAENV }} {% endfor %} {% endif %} + - watch: + - file: filestream_config delete_so-strelka-filestream_so-status.disabled: file.uncomment: diff --git a/salt/strelka/frontend/enabled.sls b/salt/strelka/frontend/enabled.sls index e4ecc7ca5..f95a31a7e 100644 --- a/salt/strelka/frontend/enabled.sls +++ b/salt/strelka/frontend/enabled.sls @@ -46,6 +46,8 @@ strelka_frontend: - {{ XTRAENV }} {% endfor %} {% endif %} + - watch: + - file: frontend_config delete_so-strelka-frontend_so-status.disabled: file.uncomment: diff --git a/salt/strelka/manager/enabled.sls b/salt/strelka/manager/enabled.sls index aec44b4b0..6158a5c28 100644 --- a/salt/strelka/manager/enabled.sls +++ b/salt/strelka/manager/enabled.sls @@ -40,6 +40,8 @@ strelka_manager: - {{ XTRAENV }} {% endfor %} {% endif %} + - watch: + - file: manager_config delete_so-strelka-manager_so-status.disabled: file.uncomment: diff --git a/salt/strelka/soc_strelka.yaml b/salt/strelka/soc_strelka.yaml index 1dc4fa455..609223db6 100644 --- a/salt/strelka/soc_strelka.yaml +++ b/salt/strelka/soc_strelka.yaml @@ -70,8 +70,8 @@ strelka: global: False helpLink: strelka.html advanced: True - type: json - multiline: True + forcedType: "[]{}" + syntax: json 'ScanBatch': *scannerOptions 'ScanBzip2': *scannerOptions 'ScanDocx': *scannerOptions From cd6deae0a78a84fec44d42c6d15716817de11dfe Mon Sep 17 00:00:00 2001 
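Review bot: The new `watch` entries in `strelka_backend` name `backend_backend_config`, `backend_logging_config`, `backend_passwords` and `backend_taste`, and the filestream, frontend and manager hunks add `filestream_config`, `frontend_config` and `manager_config`; each must match the ID of a `file` state declared in the same sls, which lies outside these hunks, and a requisite that does not resolve makes the container state fail rather than quietly skip the restart. Worth confirming with `salt-call state.show_sls strelka.backend` (and the other three) that every watched ID renders. In the three smaller hunks the `- watch:` block is inserted after a Jinja `{% endif %}`, so its indentation has to line up with the state's other arguments such as `- restart_policy`; the collapsed whitespace here makes that impossible to verify from the diff alone.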
From: Josh Patterson Date: Wed, 2 Apr 2025 11:20:12 -0400 Subject: [PATCH 8/8] add missing strelka backend scanners to SOC UI annotation file --- salt/strelka/soc_strelka.yaml | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/salt/strelka/soc_strelka.yaml b/salt/strelka/soc_strelka.yaml index 609223db6..1a5db261b 100644 --- a/salt/strelka/soc_strelka.yaml +++ b/salt/strelka/soc_strelka.yaml @@ -64,7 +64,7 @@ strelka: helpLink: strelka.html advanced: True scanners: - 'ScanBase64': &scannerOptions + 'ScanBase64PE': &scannerOptions description: Configuration options for this scanner. readonly: False global: False 
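Review bot: The first hunk renames the anchor key `'ScanBase64'` to `'ScanBase64PE'`, which is a removal as much as an addition: if the backend still runs a scanner called `ScanBase64`, it now has no SOC annotation, while the commit message only speaks of adding missing scanners. If both scanners exist, keep `'ScanBase64': &scannerOptions` and add `'ScanBase64PE': *scannerOptions` alongside the others; if `ScanBase64` is gone, a word about the rename in the commit message would help. Moving the `&scannerOptions` anchor to the renamed key is otherwise fine, since the `*scannerOptions` aliases later in the file do not depend on the key name.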
@@ -73,37 +73,53 @@ strelka: forcedType: "[]{}" syntax: json 'ScanBatch': *scannerOptions + 'ScanBmpEof': *scannerOptions 'ScanBzip2': *scannerOptions + 'ScanDmg': *scannerOptions 'ScanDocx': *scannerOptions + 'ScanDonut': *scannerOptions 'ScanElf': *scannerOptions 'ScanEmail': *scannerOptions + 'ScanEncryptedDoc': *scannerOptions + 'ScanEncryptedZip': *scannerOptions 'ScanEntropy': *scannerOptions 'ScanExiftool': *scannerOptions + 'ScanFooter': *scannerOptions 'ScanGif': *scannerOptions 'ScanGzip': *scannerOptions 'ScanHash': *scannerOptions 'ScanHeader': *scannerOptions 'ScanHtml': *scannerOptions 'ScanIni': *scannerOptions + 'ScanIqy': *scannerOptions + 'ScanIso': *scannerOptions 'ScanJarManifest': *scannerOptions 'ScanJavascript': *scannerOptions 'ScanJpeg': *scannerOptions 'ScanJson': *scannerOptions 'ScanLibarchive': *scannerOptions + 'ScanLNK': *scannerOptions + 'ScanLsb': *scannerOptions 'ScanLzma': *scannerOptions 'ScanMacho': *scannerOptions + 'ScanManifest': *scannerOptions + 'ScanMsi': *scannerOptions 'ScanOcr': *scannerOptions 'ScanOle': *scannerOptions + 'ScanOnenote': *scannerOptions 'ScanPdf': *scannerOptions 'ScanPe': *scannerOptions 'ScanPgp': *scannerOptions 'ScanPhp': *scannerOptions 'ScanPkcs7': *scannerOptions 'ScanPlist': *scannerOptions + 'ScanPngEof': *scannerOptions + 'ScanQr': *scannerOptions 'ScanRar': *scannerOptions 'ScanRpm': *scannerOptions 'ScanRtf': *scannerOptions 'ScanRuby': *scannerOptions + 'ScanSevenZip': *scannerOptions 'ScanSwf': *scannerOptions 'ScanTar': *scannerOptions 'ScanTnef': *scannerOptions @@ -111,6 +127,8 @@ strelka: 'ScanUrl': *scannerOptions 'ScanVb': *scannerOptions 'ScanVba': *scannerOptions + 'ScanVhd': *scannerOptions + 'ScanVsto': *scannerOptions 'ScanX509': *scannerOptions 'ScanXml': *scannerOptions 'ScanYara': *scannerOptions
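Review bot: Scanner names here must match the backend scanner configuration exactly (the list mixes casing such as `ScanLNK` and `ScanPngEof`, so a near-miss presumably leaves that scanner without an annotation rather than failing loudly), and this commit exists precisely because the two lists drifted apart. A comment at the top of the `scanners:` map, e.g. `# Keep in sync with the strelka backend scanner list; a scanner absent here gets no SOC UI annotation.`, would tell the next maintainer where this list comes from. The `scanners:` key itself sits above this hunk.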