diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow
index 1685e386a..ff5a8c893 100644
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -1,4 +1,23 @@
#!/bin/bash
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+SKIP=0
+
got_root() {
# Make sure you are root
@@ -11,32 +30,83 @@ got_root() {
got_root
-echo "This program allows you to add a firewall rule to allow connections from a new IP address."
-echo ""
-echo "Choose the role for the IP or Range you would like to add"
-echo ""
-echo "[a] - Analyst - ports 80/tcp and 443/tcp"
-echo "[b] - Logstash Beat - port 5044/tcp"
-echo "[o] - Osquery endpoint - port 8080/tcp"
-echo "[w] - Wazuh endpoint - port 1514"
-echo ""
-echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
-read ROLE
-echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
-read IP
+while getopts "abowi:" OPTION
+do
+ case $OPTION in
+
+ h)
+ usage
+ exit 0
+ ;;
+ a)
+ FULLROLE="analyst"
+ SKIP=1
+ ;;
+ b)
+ FULLROLE=beats_endpoint
+ SKIP=1
+ ;;
+ i) IP=$OPTARG
+ ;;
+ o)
+ FULLROLE=osquery_endpoint
+ SKIP=1
+ ;;
+ w)
+ FULLROLE=wazuh_endpoint
+ SKIP=1
+ ;;
+ esac
+done
+
+if [ "$SKIP" -eq 0 ]; then
+
+ echo "This program allows you to add a firewall rule to allow connections from a new IP address."
+ echo ""
+ echo "Choose the role for the IP or Range you would like to add"
+ echo ""
+ echo "[a] - Analyst - ports 80/tcp and 443/tcp"
+ echo "[b] - Logstash Beat - port 5044/tcp"
+ echo "[o] - Osquery endpoint - port 8080/tcp"
+ echo "[w] - Wazuh endpoint - port 1514"
+ echo ""
+ echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
+ read ROLE
+ echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
+ read IP
+
+ if [ "$ROLE" == "a" ]; then
+ FULLROLE=analyst
+ elif [ "$ROLE" == "b" ]; then
+ FULLROLE=beats_endpoint
+ elif [ "$ROLE" == "o" ]; then
+ FULLROLE=osquery_endpoint
+ elif [ "$ROLE" == "w" ]; then
+ FULLROLE=wazuh_endpoint
+ else
+ echo "I don't recognize that role"
+ exit 1
+ fi
-if [ "$ROLE" == "a" ]; then
- FULLROLE=analyst
-elif [ "$ROLE" == "b" ]; then
- FULLROLE=beats_endpoint
-elif [ "$ROLE" == "o" ]; then
- FULLROLE=osquery_endpoint
-elif [ "$ROLE" == "w" ]; then
- FULLROLE=wazuh_endpoint
-else
- echo "I don't recognize that role"
- exit 1
fi
echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
/opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
+
+# Check if Wazuh enabled
+if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
+ # If analyst, add to Wazuh AR whitelist
+ if [ "$FULLROLE" == "analyst" ]; then
+ WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
+ if ! grep -q "$IP" $WAZUH_MGR_CFG ; then
+ DATE=`date`
+ sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
+ sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
+ echo -e "\n \n $IP\n \n" >> $WAZUH_MGR_CFG
+ echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG."
+ echo
+ echo "Restarting OSSEC Server..."
+ /usr/sbin/so-wazuh-restart
+ fi
+ fi
+fi