From d3ee5ed7b8c40efa15c3eb2cb06d30262f0f40f4 Mon Sep 17 00:00:00 2001
From: Jorge Reyes <94730068+reyesj2@users.noreply.github.com>
Date: Wed, 28 May 2025 09:20:41 -0500
Subject: [PATCH 1/3] use zeek network.community_id when available
---
 salt/elasticsearch/files/ingest/zeek.common | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.common b/salt/elasticsearch/files/ingest/zeek.common
index 8cf4df9be..ff62a9d5d 100644
--- a/salt/elasticsearch/files/ingest/zeek.common
+++ b/salt/elasticsearch/files/ingest/zeek.common
@@ -12,7 +12,8 @@
 { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "community_id": {} },
+ { "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_missing": true } },
+ { "community_id": { "if": "ctx.network?.community_id == null" } },
 { "set": { "if": "ctx.source?.ip != null", "field": "client.ip", "value": "{{source.ip}}" } },
 { "set": { "if": "ctx.source?.port != null", "field": "client.port", "value": "{{source.port}}" } },
 { "set": { "if": "ctx.destination?.ip != null", "field": "server.ip", "value": "{{destination.ip}}" } },
From 58936b31d54fd69e4aaae03bee43639a43cbba78 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Thu, 29 May 2025 15:19:21 -0400
Subject: [PATCH 2/3] FIX: Improve annotation for Elasticsearch index deletion #14682
---
 salt/elasticsearch/soc_elasticsearch.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index 8420611f2..c268cc493 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
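Review bot: The fallback `community_id` processor on the added line only runs when `network.community_id` is absent, so documents that keep a Zeek-supplied value and documents where the pipeline computes one are only comparable if both sides hash with the same seed; the Elasticsearch processor defaults to seed 0 while the rename accepts whatever Zeek emitted, so a sensor running a non-default `CommunityID::seed` would presumably yield IDs that silently fail to pivot against pipeline-computed (or Suricata) IDs. Because the pipeline is JSON and cannot carry a comment, I would make the dependency explicit in the processor itself, `{ "community_id": { "seed": 0, "if": "ctx.network?.community_id == null" } }`, and state the seed requirement wherever the Zeek community-id policy is enabled. The `processors` array this hunk belongs to begins and ends outside the hunk.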
@@ -12,7 +12,7 @@ elasticsearch:
 description: Specify the memory heap size in (m)egabytes for Elasticsearch.
 helpLink: elasticsearch.html
 index_clean:
- description: Determines if indices should be considered for deletion by available disk space in the cluster. Otherwise, indices will only be deleted by the age defined in the ILM settings.
+ description: Determines if indices should be considered for deletion by available disk space in the cluster. Otherwise, indices will only be deleted by the age defined in the ILM settings. This setting only applies to EVAL, STANDALONE, and HEAVY NODE installations. Other installations can only use ILM settings.
 forcedType: bool
 helpLink: elasticsearch.html
 retention:
From 27358137f2c788ed5232df094fd34f75598bd2a8 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 30 May 2025 09:24:41 -0400
Subject: [PATCH 3/3] FIX: so-suricata-testrule should disable pcap logging #14685
---
 salt/suricata/tools/sbin_jinja/so-suricata-testrule | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/salt/suricata/tools/sbin_jinja/so-suricata-testrule b/salt/suricata/tools/sbin_jinja/so-suricata-testrule
index e1f355508..d65b630b0 100755
--- a/salt/suricata/tools/sbin_jinja/so-suricata-testrule
+++ b/salt/suricata/tools/sbin_jinja/so-suricata-testrule
@@ -26,7 +26,6 @@ echo "Running all.rules and $TESTRULE against the following pcap: $TESTPCAP"
 echo ""
 sleep 3
-
 rm -rf /tmp/nids-testing/output
 mkdir -p /tmp/nids-testing/output
 chown suricata:socore /tmp/nids-testing/output
@@ -45,7 +44,7 @@ echo "==== Begin Suricata Output ==="
 -v /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro \
 -v /tmp/nids-testing/output/:/nsm/:rw \
 {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-suricata:{{ VERSION }} \
- --runmode single -v -k none -r /input.pcap -l /tmp --init-errors-fatal
+ --runmode single -v -k none -r /input.pcap -l /tmp --init-errors-fatal --set outputs.6.pcap-log.enabled=no
 echo "==== End Suricata Output ==="
 echo ""
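Review bot: `--set outputs.6.pcap-log.enabled=no` on the added line addresses the pcap-log output purely by its position in the `outputs` list of the suricata.yaml inside the image, so if that list is ever reordered or an entry is inserted ahead of it the flag will silently do nothing (or toggle a different output) and the test run will presumably start writing pcaps into the bind-mounted output directory again; Suricata's `--set` has no name-based addressing for list entries, so nothing in this script would notice. I would at least pin the coupling with a comment above the `docker run`, `# outputs.6 must stay the pcap-log entry in the image's suricata.yaml; --set addresses list items by index only`, and ideally check after the run that no pcap-log files (by default named `log.pcap*`) appeared under `/tmp/nids-testing/output` so a drifted index fails the test loudly instead of quietly. The `docker run` invocation this line belongs to starts before the hunk.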