diff --git a/README.md b/README.md index f4c060623..3288bbb2f 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -## Security Onion 2.3.2 +## Security Onion 2.3.3 -Security Onion 2.3.2 is here! +Security Onion 2.3.3 is here! ## Screenshots diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 281821214..256868b00 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,16 +1,16 @@ -### 2.3.2 ISO image built on 2020/10/25 +### 2.3.3 ISO image built on 2020/10/25 ### Download and Verify -2.3.2 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.2.iso +2.3.3 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.3.iso -MD5: EF2DEBCCBAE0B0BCCC906552B5FF918A -SHA1: 16AFCACB102BD217A038044D64E7A86DA351640E -SHA256: 7125F90B6323179D0D29F5745681BE995BD2615E64FA1E0046D94888A72C539E +MD5: 8010C32803CD62AA3F61487524E37049 +SHA1: DCA300424C9DF81A4F332B8AA3945E18779C9D28 +SHA256: 1099494AA3E476D682746AAD9C2BD7DED292589DFAAB7B517933336C07AA01D0 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.2.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.3.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -24,17 +24,17 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.2.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.3.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.2.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.3.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.2.iso.sig securityonion-2.3.2.iso +gpg --verify securityonion-2.3.3.iso.sig securityonion-2.3.3.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: diff --git a/VERSION b/VERSION index 9fa5f12ab..506c62f67 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.10 +2.3.10 \ No newline at end of file diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 07848a31c..c75f89255 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -140,9 +140,8 @@ detect_os() { } highstate() { - # Run a highstate but first cancel a running one. - salt-call saltutil.kill_all_jobs - salt-call state.highstate -l info + # Run a highstate. + salt-call state.highstate -l info queue=True } masterlock() { @@ -286,7 +285,7 @@ unmount_update() { update_centos_repo() { # Update the files in the repo echo "Syncing new updates to /nsm/repo" - rsync -a $AGDOCKER/repo /nsm/repo + rsync -av $AGREPO/* /nsm/repo/ echo "Creating repo" createrepo /nsm/repo } @@ -381,8 +380,6 @@ update_dockers() { docker push $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION done fi - # Cleanup on Aisle 4 - clean_dockers echo "Add Registry back if airgap" if [ $is_airgap -eq 0 ]; then docker load -i $AGDOCKER/registry_image.tar 
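Review bot: In `highstate()` the result of `salt-call state.highstate -l info queue=True` is not examined, so as far as this hunk shows soup moves on to the next step whether or not the highstate applied cleanly. Because this release exists to roll out a patched Salt, a failure here should be surfaced, for example `salt-call state.highstate -l info queue=True --retcode-passthrough || echo "Highstate reported failures; review the output above." >&2`. The comment could also say why the call is queued: `# Queue behind any state run already in progress instead of killing it.`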
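Review bot: In `update_centos_repo`, `rsync -av $AGREPO/* /nsm/repo/` expands an unquoted variable in front of a glob, so if `AGREPO` is empty or unset when this runs the source becomes `/*` and the root filesystem is copied into `/nsm/repo`. `AGREPO` is not defined anywhere in this diff, so it is worth confirming that it is always set before this function is called. Quoting and guarding the expansion avoids the problem and also picks up dotfiles that `/*` skips: `rsync -av -- "${AGREPO:?AGREPO is not set}/" /nsm/repo/`.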
@@ -411,6 +408,10 @@ upgrade_check_salt() { if [ "$INSTALLEDSALTVERSION" == "$NEWSALTVERSION" ]; then echo "You are already running the correct version of Salt for Security Onion." else + UPGRADESALT=1 + fi +} +upgrade_salt() { SALTUPGRADED=True echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION." echo "" @@ -421,7 +422,11 @@ upgrade_check_salt() { yum versionlock delete "salt-*" echo "Updating Salt packages and restarting services." echo "" - sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable "$NEWSALTVERSION" + if [ $is_airgap -eq 0 ]; then + sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable "$NEWSALTVERSION" + else + sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable "$NEWSALTVERSION" + fi echo "Applying yum versionlock for Salt." echo "" yum versionlock add "salt-*" @@ -441,7 +446,6 @@ upgrade_check_salt() { apt-mark hold "salt-master" apt-mark hold "salt-minion" fi - fi } verify_latest_update_script() { 
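Review bot: `UPGRADESALT` is assigned only in the `else` branch of `upgrade_check_salt`, so on the already-current path it keeps whatever value it had, normally unset but possibly inherited from the environment soup was started in. Setting `UPGRADESALT=0` before the version comparison makes the later `[ "$UPGRADESALT" == "1" ]` tests depend only on this check. The `SALTUPGRADED=True` line at the top of the new `upgrade_salt()` looks left over, since the only reader visible in this diff is replaced by the `UPGRADESALT` test in the last soup hunk. `upgrade_salt()` continues past the end of this hunk.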
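Review bot: Neither `bootstrap-salt.sh` call in the new airgap `if`/`else` has its exit status checked, and the next visible step re-applies `yum versionlock add "salt-*"`, so a failed bootstrap would leave the old Salt packages installed and locked while soup carries on. That matters here because this upgrade is what delivers the Salt CVE fixes named in the changelog. Consider stopping, or at least reporting, on failure by appending `|| { echo "Salt bootstrap failed; Salt was not upgraded." >&2; exit 1; }` to each call, and quote the script path as `"$UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh"`. The rest of `upgrade_salt()` lies outside this hunk, so check whether a later step already verifies the installed version.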
@@ -502,29 +506,39 @@ echo "Let's see if we need to update Security Onion." upgrade_check space_check +echo "Checking for Salt Master and Minion updates." +upgrade_check_salt + echo "" echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION." echo "" +echo "Updating dockers to $NEWVERSION." +update_dockers +echo "" echo "Stopping Salt Minion service." systemctl stop salt-minion echo "" echo "Stopping Salt Master service." systemctl stop salt-master echo "" -echo "Checking for Salt Master and Minion updates." -upgrade_check_salt +# Does salt need upgraded. If so update it. +if [ "$UPGRADESALT" == "1" ]; then + echo "Upgrading Salt" + # Update the repo files so it can actually upgrade + if [ $is_airgap -eq 0 ]; then + update_centos_repo + yum clean all + fi + upgrade_salt +fi echo "Making pillar changes." pillar_changes echo "" -echo "" -echo "Updating dockers to $NEWVERSION." -update_dockers - # Only update the repo if its airgap -if [ $is_airgap -eq 0 ]; then +if [[ $is_airgap -eq 0 ]] && [[ "$UPGRADESALT" != "1" ]]; then update_centos_repo fi @@ -561,10 +575,12 @@ highstate playbook unmount_update -SALTUPGRADED="True" -if [[ "$SALTUPGRADED" == "True" ]]; then +if [ "$UPGRADESALT" == "1" ]; then echo "" echo "Upgrading Salt on the remaining Security Onion nodes from $INSTALLEDSALTVERSION to $NEWSALTVERSION." + if [ $is_airgap -eq 0 ]; then + salt -C 'not *_eval and not *_helix and not *_manager and not *_managersearch and not *_standalone' cmd.run "yum clean all" + fi salt -C 'not *_eval and not *_helix and not *_manager and not *_managersearch and not *_standalone' -b $BATCHSIZE state.apply salt.minion echo "" fi diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja index 89ceadd5b..9c7d0ac39 100644 --- a/salt/salt/map.jinja +++ b/salt/salt/map.jinja 
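Review bot: The airgap test is written two ways in this hunk, `[ $is_airgap -eq 0 ]` inside the new Salt block and `[[ $is_airgap -eq 0 ]]` in the repo-sync condition, and the two disagree when `is_airgap` is empty or unset: the `[ ]` form errors out and counts as false, while `[[ ]]` evaluates the empty value arithmetically as 0 and counts as true. Where `is_airgap` is set is not visible here, so this may never happen in practice. Using one quoted form in both places removes the ambiguity, for example `[[ "${is_airgap:-1}" -eq 0 ]]` if non-airgap is the intended default.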
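Review bot: After `state.apply salt.minion` is sent to the remaining nodes, nothing in this hunk confirms that they actually reached `$NEWSALTVERSION`, so a minion that is offline or fails the state stays on the old Salt while soup finishes normally. Since the point of the release is to get every node off the vulnerable Salt version, a follow-up report would help, for example `salt -C "$target" test.version` or `grains.item saltversion` compared against `$NEWSALTVERSION`, run once the minions have restarted. The compound target string is now repeated in two commands and could live in one variable, and `$BATCHSIZE` should be quoted.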
@@ -1,5 +1,6 @@ -{% import_yaml 'salt/minion.defaults.yaml' as salt %} -{% set SALTVERSION = salt.salt.minion.version %} +{% import_yaml 'salt/minion.defaults.yaml' as saltminion %} +{% set SALTVERSION = saltminion.salt.minion.version %} +{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} {% if grains.os|lower == 'ubuntu' %} {% set COMMON = 'salt-common' %} @@ -9,10 +10,14 @@ {% if grains.saltversion|string != SALTVERSION|string %} {% if grains.os|lower in ['centos', 'redhat'] %} - {% set UPGRADECOMMAND = 'yum versionlock delete "salt-*" && sh /usr/sbin/bootstrap-salt.sh -F -x python3 stable ' ~ SALTVERSION %} + {% if ISAIRGAP is sameas true %} + {% set UPGRADECOMMAND = 'yum clean all && yum versionlock delete "salt-*" && sh /usr/sbin/bootstrap-salt.sh -r -F -x python3 stable ' ~ SALTVERSION %} + {% else %} + {% set UPGRADECOMMAND = 'yum versionlock delete "salt-*" && sh /usr/sbin/bootstrap-salt.sh -F -x python3 stable ' ~ SALTVERSION %} + {% endif %} {% elif grains.os|lower == 'ubuntu' %} {% set UPGRADECOMMAND = 'apt-mark unhold salt-common && apt-mark unhold salt-minion && sh /usr/sbin/bootstrap-salt.sh -F -x python3 stable ' ~ SALTVERSION %} {% endif %} {% else %} {% set UPGRADECOMMAND = 'echo Already running Salt Minon version ' ~ SALTVERSION %} -{% endif %} \ No newline at end of file +{% endif %} diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml index 8694ffbc7..02742737a 100644 --- a/salt/salt/master.defaults.yaml +++ b/salt/salt/master.defaults.yaml @@ -2,4 +2,4 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: master: - version: 3001.1 \ No newline at end of file + version: 3002.1 \ No newline at end of file diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml index 31c313df6..26384e55e 100644 --- a/salt/salt/minion.defaults.yaml +++ b/salt/salt/minion.defaults.yaml 
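Review bot: `ISAIRGAP` defaults to the string `'False'` in the first map.jinja hunk, but the second hunk tests it with `is sameas true`, which matches only the boolean `True`. If `global:airgap` is ever stored as a string such as `'True'` rather than a YAML boolean, airgap minions would silently take the `else` branch and run `bootstrap-salt.sh` without `-r`; how the pillar is written is not visible in this diff. A boolean default, `salt['pillar.get']('global:airgap', False)`, plus a short comment stating the expected type would make the contract explicit.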
@@ -2,4 +2,4 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: minion: - version: 3001.1 \ No newline at end of file + version: 3002.1 \ No newline at end of file diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json index 680dbd54d..e9556aee6 100644 --- a/salt/soc/files/soc/changes.json +++ b/salt/soc/files/soc/changes.json @@ -1,8 +1,7 @@ { - "title": "Security Onion 2.3.2 is here!", + "title": "Security Onion 2.3.3 is here!", "changes": [ - { "summary": "Elastic components have been upgraded to 7.9.3." }, - { "summary": "Fixed an issue where curator was unable to delete a closed index." }, + { "summary": "Updated salt to 3002.1 to address CVE-2020-16846, CVE-2020-17490, CVE-2020-25592." }, { "summary": "Cheat sheet is now available for airgap installs." }, { "summary": "Known Issues