Merge pull request #337 from Security-Onion-Solutions/dev

1.1.4
2025-12-06 17:22:49 +01:00 · 2020-02-12 09:55:34 -05:00
parent 72c84f7e25 e656e5af45
commit d3826bc605
363 changed files with 18839 additions and 3616 deletions
--- a/pillar/docker/config.sls
+++ b/pillar/docker/config.sls
@@ -0,0 +1,205 @@
+{% set OSQUERY = salt['pillar.get']('master:osquery', '0') %}
+{% set WAZUH = salt['pillar.get']('master:wazuh', '0') %}
+{% set THEHIVE = salt['pillar.get']('master:thehive', '0') %}
+{% set PLAYBOOK = salt['pillar.get']('master:playbook', '0') %}
+{% set FREQSERVER = salt['pillar.get']('master:freq', '0') %}
+{% set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') %}
+{% set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
+{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
+
+
+eval:
+  containers:
+    - so-core
+    - so-telegraf
+    {% if  GRAFANA == '1' %}
+    - so-influxdb
+    - so-grafana
+    {% endif %}
+    - so-dockerregistry
+    - so-sensoroni
+    - so-idstools
+    - so-auth-api
+    - so-auth-ui
+    {% if OSQUERY != '0' %}
+    - so-mysql
+    - so-fleet
+    - so-redis
+    {% endif %}
+    - so-elasticsearch
+    - so-logstash
+    - so-kibana
+    - so-steno
+    - so-suricata
+    - so-zeek
+    - so-curator
+    - so-elastalert
+    {% if WAZUH != '0' %}
+    - so-wazuh
+    {% endif %}
+    - so-soctopus
+    {% if THEHIVE != '0' %}
+    - so-thehive
+    - so-thehive-es
+    - so-cortex
+    {% endif %}
+    {% if PLAYBOOK != '0' %}
+    - so-playbook
+    - so-navigator
+    {% endif %}
+    {% if FREQSERVER != '0' %}
+    - so-freqserver
+    {% endif %}
+    {% if DOMAINSTATS != '0' %}
+    - so-domainstats
+    {% endif %}
+heavy_node:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-redis
+    - so-logstash
+    - so-elasticsearch
+    - so-curator
+    - so-steno
+    - so-suricata
+    - so-wazuh
+    - so-filebeat
+    {% if BROVER != 'SURICATA' %}
+    - so-zeek
+    {% endif %}
+helix:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-idstools
+    - so-steno
+    - so-zeek
+    - so-redis
+    - so-logstash
+    - so-filebeat
+hot_node:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-logstash
+    - so-elasticsearch
+    - so-curator
+master_search:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-sensoroni
+    - so-acng
+    - so-idstools
+    - so-redis
+    - so-auth-api
+    - so-auth-ui
+    - so-logstash
+    - so-elasticsearch
+    - so-curator
+    - so-kibana
+    - so-elastalert
+    - so-filebeat
+    - so-soctopus
+    {% if OSQUERY != '0' %}
+    - so-mysql
+    - so-fleet
+    - so-redis
+    {% endif %}
+    {% if WAZUH != '0' %}
+    - so-wazuh
+    {% endif %}
+    - so-soctopus
+    {% if THEHIVE != '0' %}
+    - so-thehive
+    - so-thehive-es
+    - so-cortex
+    {% endif %}
+    {% if PLAYBOOK != '0' %}
+    - so-playbook
+    - so-navigator
+    {% endif %}
+    {% if FREQSERVER != '0' %}
+    - so-freqserver
+    {% endif %}
+    {% if DOMAINSTATS != '0' %}
+    - so-domainstats
+    {% endif %}
+master:
+  containers:
+    - so-dockerregistry
+    - so-core
+    - so-telegraf
+    {% if  GRAFANA == '1' %}
+    - so-influxdb
+    - so-grafana
+    {% endif %}
+    - so-sensoroni
+    - so-acng
+    - so-idstools
+    - so-redis
+    - so-auth-api
+    - so-auth-ui
+    - so-elasticsearch
+    - so-logstash
+    - so-kibana
+    - so-elastalert
+    - so-filebeat
+    {% if OSQUERY != '0' %}
+    - so-mysql
+    - so-fleet
+    - so-redis
+    {% endif %}
+    {% if WAZUH != '0' %}
+    - so-wazuh
+    {% endif %}
+    - so-soctopus
+    {% if THEHIVE != '0' %}
+    - so-thehive
+    - so-thehive-es
+    - so-cortex
+    {% endif %}
+    {% if PLAYBOOK != '0' %}
+    - so-playbook
+    - so-navigator
+    {% endif %}
+    {% if FREQSERVER != '0' %}
+    - so-freqserver
+    {% endif %}
+    {% if DOMAINSTATS != '0' %}
+    - so-domainstats
+    {% endif %}
+parser_node:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-logstash
+search_node:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-logstash
+    - so-elasticsearch
+    - so-curator
+    - so-filebeat
+    {% if WAZUH != '0' %}
+    - so-wazuh
+    {% endif %}
+sensor:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-steno
+    - so-suricata
+    {% if BROVER != 'SURICATA' %}
+    - so-zeek
+    {% endif %}
+    - so-wazuh
+    - so-filebeat
+warm_node:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-elasticsearch
+    
--- a/pillar/firewall/search_nodes.sls
+++ b/pillar/firewall/search_nodes.sls
@@ -0,0 +1,2 @@
+search_nodes:
+  - 127.0.0.1
--- a/pillar/firewall/storage_nodes.sls
+++ b/pillar/firewall/storage_nodes.sls
@@ -1,2 +0,0 @@
-storage_nodes:
-  - 127.0.0.1
--- a/pillar/logstash/eval.sls
+++ b/pillar/logstash/eval.sls
@@ -0,0 +1,4 @@
+logstash:
+  pipelines:
+    eval:
+      config: "/usr/share/logstash/pipelines/eval/*.conf"
--- a/pillar/logstash/helix.sls
+++ b/pillar/logstash/helix.sls
@@ -0,0 +1,4 @@
+logstash:
+  pipelines:
+    helix:
+      config: "/usr/share/logstash/pipelines/helix/*.conf"
--- a/pillar/logstash/master.sls
+++ b/pillar/logstash/master.sls
@@ -0,0 +1,4 @@
+logstash:
+  pipelines:
+    master:
+      config: "/usr/share/logstash/pipelines/master/*.conf"
--- a/pillar/logstash/search.sls
+++ b/pillar/logstash/search.sls
@@ -0,0 +1,4 @@
+logstash:
+  pipelines:
+    search:
+      config: "/usr/share/logstash/pipelines/search/*.conf"
--- a/pillar/thresholding/pillar.example
+++ b/pillar/thresholding/pillar.example
@@ -0,0 +1,44 @@
+thresholding:
+  sids:
+    8675309:
+      - threshold:
+          gen_id: 1
+          type: threshold
+          track: by_src
+          count: 10
+          seconds: 10
+      - threshold:
+          gen_id: 1
+          type: limit
+          track: by_dst
+          count: 100
+          seconds: 30
+      - rate_filter:
+          gen_id: 1
+          track: by_rule
+          count: 50
+          seconds: 30
+          new_action: alert
+          timeout: 30
+      - suppress:
+          gen_id: 1
+          track: by_either
+          ip: 10.10.3.7
+    11223344:
+      - threshold:
+          gen_id: 1
+          type: limit
+          track: by_dst
+          count: 10
+          seconds: 10
+      - rate_filter:
+          gen_id: 1
+          track: by_src
+          count: 50
+          seconds: 20
+          new_action: pass
+          timeout: 60
+      - suppress:
+          gen_id: 1
+          track: by_src
+          ip: 10.10.3.0/24
--- a/pillar/thresholding/pillar.usage
+++ b/pillar/thresholding/pillar.usage
@@ -0,0 +1,20 @@
+thresholding:
+  sids:
+    <signature id>:
+      - threshold:
+          gen_id: <generator id>
+          type: <threshold | limit | both>
+          track: <by_src | by_dst>
+          count: <count>
+          seconds: <seconds>
+      - rate_filter:
+          gen_id: <generator id>
+          track: <by_src | by_dst | by_rule | by_both>
+          count: <count>
+          seconds: <seconds>
+          new_action: <alert | pass>
+          timeout: <seconds>
+      - suppress:
+          gen_id: <generator id>
+          track: <by_src | by_dst | by_either>
+          ip: <ip | subnet>
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -1,38 +1,55 @@
 base:
  '*':
    - patch.needs_restarting
+    - docker.config
+
+  'G@role:so-mastersearch or G@role:so-heavynode':
+    - match: compound
+    - logstash.master
+    - logstash.search

  'G@role:so-sensor':
-    - sensors.{{ grains.id }}
    - static
    - firewall.*
    - brologs
+    - minions.{{ grains.id }}
+
+  'G@role:so-master or G@role:so-mastersearch':
+    - match: compound
+    - static
+    - firewall.*
+    - data.*
+    - auth
+    - minions.{{ grains.id }}

  'G@role:so-master':
-    - masters.{{ grains.id }}
-    - static
-    - firewall.*
-    - data.*
-    - auth
+    - logstash.master

  'G@role:so-eval':
-    - masters.{{ grains.id }}
    - static
    - firewall.*
    - data.*
    - brologs
    - auth
+    - logstash.eval
+    - minions.{{ grains.id }}

  'G@role:so-node':
-    - nodes.{{ grains.id }}
    - static
    - firewall.*
+    - minions.{{ grains.id }}
+
+  'G@role:so-heavynode':
+    - static
+    - firewall.*
+    - brologs
+    - minions.{{ grains.id }}

  'G@role:so-helix':
-    - masters.{{ grains.id }}
-    - sensors.{{ grains.id }}
    - static
    - firewall.*
    - fireeye
-    - static
    - brologs
+    - logstash.helix
+    - static
+    - minions.{{ grains.id }}
--- a/salt/auth/init.sls
+++ b/salt/auth/init.sls
@@ -0,0 +1,30 @@
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
+
+so-auth-api-dir:
+  file.directory:
+    - name: /opt/so/conf/auth/api
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+so-auth-api:
+    docker_container.running:
+        - image: {{ MASTER }}:5000/soshybridhunter/so-auth-api:{{ VERSION }}
+        - hostname: so-auth-api
+        - name: so-auth-api
+        - environment:
+            - BASE_PATH: "/so-auth/api"
+            - AUTH_TOKEN_TIMEOUT: 32400
+        - binds:
+            - /opt/so/conf/auth/api:/data
+        - port_bindings:
+            - 0.0.0.0:5656:5656
+
+so-auth-ui:
+    docker_container.running:
+        - image: {{ MASTER }}:5000/soshybridhunter/so-auth-ui:{{ VERSION }}
+        - hostname: so-auth-ui
+        - name: so-auth-ui
+        - port_bindings:
+            - 0.0.0.0:4242:80
--- a/salt/common/grafana/etc/dashboards/dashboard.yml
+++ b/salt/common/grafana/etc/dashboards/dashboard.yml
@@ -17,13 +17,13 @@ providers:
  editable: true
  options:
    path: /etc/grafana/grafana_dashboards/forward_nodes
- name: 'Storage Nodes'
-  folder: 'Storage Nodes'
+- name: 'Search Nodes'
+  folder: 'Search Nodes'
  type: file
  disableDeletion: false
  editable: true
  options:
-    path: /etc/grafana/grafana_dashboards/storage_nodes
+    path: /etc/grafana/grafana_dashboards/search_nodes
 {%- else %}
 - name: 'Security Onion'
  folder: 'Eval Mode'
--- a/salt/common/grafana/grafana_dashboards/eval/eval.json
+++ b/salt/common/grafana/grafana_dashboards/eval/eval.json
@@ -1395,7 +1395,7 @@
              "condition": "AND",
              "key": "container_name",
              "operator": "=",
-              "value": "so-bro"
+              "value": "so-zeek"
            }
          ]
        }
@@ -1913,7 +1913,7 @@
              "condition": "AND",
              "key": "container_name",
              "operator": "=",
-              "value": "so-bro"
+              "value": "so-zeek"
            }
          ]
        }
--- a/salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json
+++ b/salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json
@@ -1396,7 +1396,7 @@
              "condition": "AND",
              "key": "container_name",
              "operator": "=",
-              "value": "so-bro"
+              "value": "so-zeek"
            }
          ]
        }
@@ -1901,7 +1901,7 @@
              "condition": "AND",
              "key": "container_name",
              "operator": "=",
-              "value": "so-bro"
+              "value": "so-zeek"
            }
          ]
        }
--- a/salt/common/grafana/grafana_dashboards/search_nodes/searchnode.json
+++ b/salt/common/grafana/grafana_dashboards/search_nodes/searchnode.json
@@ -12,7 +12,7 @@
      }
    ]
  },
-  "description": "This Dashboard provides a general overview of a Storage Node",
+  "description": "This Dashboard provides a general overview of a Search Node",
  "editable": true,
  "gnetId": 2381,
  "graphTooltip": 0,
@@ -3433,7 +3433,7 @@
    ]
  },
  "timezone": "browser",
-  "title": "Storage Node - {{ SERVERNAME }} Overview",
+  "title": "Search Node - {{ SERVERNAME }} Overview",
  "uid": "{{ UID }}",
  "version": 3
 }
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -1,4 +1,6 @@
-{%- set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
+{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
 # Add socore Group
 socoregroup:
  group.present:
@@ -114,16 +116,9 @@ nginxtmp:
    - group: 939
    - makedirs: True

-# Start the core docker
-so-coreimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-core:HH1.1.3
-
 so-core:
  docker_container.running:
-    - require:
-      - so-coreimage
-    - image: docker.io/soshybridhunter/so-core:HH1.1.3
+    - image: {{ MASTER }}:5000/soshybridhunter/so-core:{{ VERSION }}
    - hostname: so-core
    - user: socore
    - binds:
@@ -175,15 +170,9 @@ tgrafconf:
    - template: jinja
    - source: salt://common/telegraf/etc/telegraf.conf

-so-telegrafimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-telegraf:HH1.1.0
-
 so-telegraf:
  docker_container.running:
-    - require:
-      - so-telegrafimage
-    - image: docker.io/soshybridhunter/so-telegraf:HH1.1.0
+    - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:{{ VERSION }}
    - environment:
      - HOST_PROC=/host/proc
      - HOST_ETC=/host/etc
@@ -236,15 +225,9 @@ influxdbconf:
    - template: jinja
    - source: salt://common/influxdb/etc/influxdb.conf

-so-influximage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-influxdb:HH1.1.0
-
 so-influxdb:
  docker_container.running:
-    - require:
-      - so-influximage
-    - image: docker.io/soshybridhunter/so-influxdb:HH1.1.0
+    - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:{{ VERSION }}
    - hostname: influxdb
    - environment:
      - INFLUXDB_HTTP_LOG_ENABLED=false
@@ -303,7 +286,7 @@ grafanadashfndir:

 grafanadashsndir:
  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards/storage_nodes
+    - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes
    - user: 939
    - group: 939
    - makedirs: True
@@ -360,13 +343,13 @@ dashboard-{{ SN }}:

 {% if salt['pillar.get']('nodestab', False) %}
 {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
-dashboard-{{ SN }}:
+dashboardsearch-{{ SN }}:
  file.managed:
-    - name: /opt/so/conf/grafana/grafana_dashboards/storage_nodes/{{ SN }}-Node.json
+    - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes/{{ SN }}-Node.json
    - user: 939
    - group: 939
    - template: jinja
-    - source: salt://common/grafana/grafana_dashboards/storage_nodes/storage.json
+    - source: salt://common/grafana/grafana_dashboards/search_nodes/searchnode.json
    - defaults:
      SERVERNAME: {{ SN }}
      MANINT: {{ SNDATA.manint }}
@@ -400,14 +383,9 @@ dashboard-{{ SN }}:
 {% endfor %}
 {% endif %}

-# Install the docker. This needs to be behind nginx at some point
-so-grafanaimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-grafana:HH1.1.0
-
 so-grafana:
  docker_container.running:
-    - image: docker.io/soshybridhunter/so-grafana:HH1.1.0
+    - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:{{ VERSION }}
    - hostname: grafana
    - user: socore
    - binds:
--- a/salt/common/nginx/nginx.conf.so-eval
+++ b/salt/common/nginx/nginx.conf.so-eval
@@ -100,8 +100,7 @@ http {
        }

        location /kibana/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+          auth_request          /so-auth/api/auth/;
          rewrite               /kibana/(.*) /$1 break;
          proxy_pass            http://{{ masterip }}:5601/;
          proxy_read_timeout    90;
@@ -126,8 +125,7 @@ http {


        location /navigator/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+          auth_request          /so-auth/api/auth/;
          proxy_pass            http://{{ masterip }}:4200/navigator/;
          proxy_read_timeout    90;
          proxy_connect_timeout 90;
@@ -186,18 +184,6 @@ http {

        }
        
-        location /cyberchef/ {
-          proxy_pass http://{{ masterip }}:9080/;
-          proxy_read_timeout    90;
-          proxy_connect_timeout 90;
-          proxy_http_version 1.1; # this is essential for chunked responses to work
-          proxy_set_header      Host $host;
-          proxy_set_header      X-Real-IP $remote_addr;
-          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header      Proxy "";
-
-        }
-	
        location /soctopus/ {
          proxy_pass            http://{{ masterip }}:7000/;
          proxy_read_timeout    90;
@@ -210,8 +196,7 @@ http {
        }

        location /sensoroni/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+          auth_request          /so-auth/api/auth/;
          proxy_pass            http://{{ masterip }}:9822/;
          proxy_read_timeout    90;
          proxy_connect_timeout 90;
@@ -244,8 +229,27 @@ http {
          proxy_set_header      X-Real-IP $remote_addr;
          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header      Proxy "";
-
        }
+
+        location /so-auth/loginpage/ {
+            proxy_pass          http://{{ masterip }}:4242/;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+
+        location /so-auth/api/ {
+            proxy_pass          http://{{ masterip }}:5656/;
+            proxy_set_header    X-Real-IP $remote_addr;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header    X-Forwarded-Host $host;
+        }
+
+        error_page 401 = @error401;
+
+        location @error401 {
+          add_header    Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/;Max-Age=60000";
+          return        302 http://{{ masterip }}/so-auth/loginpage/;
+        }
+
        error_page 404 /404.html;
            location = /40x.html {
        }
--- a/salt/common/nginx/nginx.conf.so-heavynode
+++ b/salt/common/nginx/nginx.conf.so-heavynode
@@ -0,0 +1,89 @@
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+
+    server {
+        listen       80 default_server;
+        listen       [::]:80 default_server;
+        server_name  _;
+        root         /usr/share/nginx/html;
+
+        # Load configuration files for the default server block.
+        include /etc/nginx/default.d/*.conf;
+
+        location / {
+        }
+
+        error_page 404 /404.html;
+            location = /40x.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+            location = /50x.html {
+        }
+    }
+
+# Settings for a TLS enabled server.
+#
+#    server {
+#        listen       443 ssl http2 default_server;
+#        listen       [::]:443 ssl http2 default_server;
+#        server_name  _;
+#        root         /usr/share/nginx/html;
+#
+#        ssl_certificate "/etc/pki/nginx/server.crt";
+#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
+#        ssl_session_cache shared:SSL:1m;
+#        ssl_session_timeout  10m;
+#        ssl_ciphers HIGH:!aNULL:!MD5;
+#        ssl_prefer_server_ciphers on;
+#
+#        # Load configuration files for the default server block.
+#        include /etc/nginx/default.d/*.conf;
+#
+#        location / {
+#        }
+#
+#        error_page 404 /404.html;
+#            location = /40x.html {
+#        }
+#
+#        error_page 500 502 503 504 /50x.html;
+#            location = /50x.html {
+#        }
+#    }
+
+}
--- a/salt/common/nginx/nginx.conf.so-master
+++ b/salt/common/nginx/nginx.conf.so-master
@@ -100,8 +100,7 @@ http {
        }

        location /kibana/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+          auth_request          /so-auth/api/auth/;
 	        rewrite /kibana/(.*) /$1 break;
          proxy_pass http://{{ masterip }}:5601/;
          proxy_read_timeout    90;
@@ -125,8 +124,7 @@ http {
        }

        location /navigator/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+          auth_request          /so-auth/api/auth/;
          proxy_pass http://{{ masterip }}:4200/navigator/;
          proxy_read_timeout    90;
          proxy_connect_timeout 90;
@@ -152,8 +150,7 @@ http {

        location /fleet/ {
 	        rewrite /fleet/(.*) /$1 break;
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+          auth_request          /so-auth/api/auth/;
          proxy_pass https://{{ masterip }}:8080/;
          proxy_read_timeout    90;
          proxy_connect_timeout 90;
@@ -188,18 +185,6 @@ http {

        }

-        location /cyberchef/ {
-          proxy_pass http://{{ masterip }}:9080/;
-          proxy_read_timeout    90;
-          proxy_connect_timeout 90;
-          proxy_http_version 1.1; # this is essential for chunked responses to work
-          proxy_set_header      Host $host;
-          proxy_set_header      X-Real-IP $remote_addr;
-          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header      Proxy "";
-
-        }
-	
        location /soctopus/ {
          proxy_pass http://{{ masterip }}:7000/;
          proxy_read_timeout    90;
@@ -212,8 +197,7 @@ http {
        }

        location /sensoroni/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+          auth_request          /so-auth/api/auth/;
          proxy_pass http://{{ masterip }}:9822/;
          proxy_read_timeout    90;
          proxy_connect_timeout 90;
@@ -250,6 +234,26 @@ http {

        }

+
+        location /so-auth/loginpage/ {
+            proxy_pass          http://{{ masterip }}:4242/;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+
+        location /so-auth/api/ {
+            proxy_pass          http://{{ masterip }}:5656/;
+            proxy_set_header    X-Real-IP $remote_addr;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header    X-Forwarded-Host $host;
+        }
+
+        error_page 401 = @error401;
+
+        location @error401 {
+          add_header    Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/;Max-Age=60000";
+          return        302 http://{{ masterip }}/so-auth/loginpage/;
+        }
+
        error_page 404 /404.html;
            location = /40x.html {
        }
--- a/salt/common/nginx/nginx.conf.so-mastersearch
+++ b/salt/common/nginx/nginx.conf.so-mastersearch
@@ -0,0 +1,278 @@
+{%- set masterip = salt['pillar.get']('master:mainip', '') %}
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+
+    #server {
+    #    listen       80 default_server;
+    #    listen       [::]:80 default_server;
+    #    server_name  _;
+    #    root         /opt/socore/html;
+    #    index        index.html;
+
+        # Load configuration files for the default server block.
+        #include /etc/nginx/default.d/*.conf;
+
+    #    location / {
+    #    }
+
+    #    error_page 404 /404.html;
+    #        location = /40x.html {
+    #    }
+
+    #    error_page 500 502 503 504 /50x.html;
+    #        location = /50x.html {
+    #    }
+    #}
+    server {
+	      listen 80 default_server;
+	      server_name _;
+	      return 301 https://$host$request_uri;
+    }
+
+
+# Settings for a TLS enabled server.
+
+    server {
+        listen       443 ssl http2 default_server;
+        #listen       [::]:443 ssl http2 default_server;
+        server_name  _;
+        root         /opt/socore/html;
+        index        index.html;
+
+        ssl_certificate "/etc/pki/nginx/server.crt";
+        ssl_certificate_key "/etc/pki/nginx/server.key";
+        ssl_session_cache shared:SSL:1m;
+        ssl_session_timeout  10m;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers on;
+
+        # Load configuration files for the default server block.
+        #include /etc/nginx/default.d/*.conf;
+
+        #location / {
+    #      try_files $uri $uri.html /index.html;
+    #    }
+
+        location /grafana/ {
+	        rewrite /grafana/(.*) /$1 break;
+          proxy_pass http://{{ masterip }}:3000/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /kibana/ {
+          auth_request          /so-auth/api/auth/;
+	        rewrite /kibana/(.*) /$1 break;
+          proxy_pass http://{{ masterip }}:5601/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+       location /playbook/ {
+          proxy_pass http://{{ masterip }}:3200/playbook/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /navigator/ {
+          auth_request          /so-auth/api/auth/;
+          proxy_pass http://{{ masterip }}:4200/navigator/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /api/ {
+          proxy_pass https://{{ masterip }}:8080/api/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Upgrade $http_upgrade;
+          proxy_set_header      Connection "Upgrade";
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /fleet/ {
+	        rewrite /fleet/(.*) /$1 break;
+          auth_request          /so-auth/api/auth/;
+          proxy_pass https://{{ masterip }}:8080/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /thehive/ {
+          proxy_pass http://{{ masterip }}:9000/thehive/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_http_version 1.1; # this is essential for chunked responses to work
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /cortex/ {
+          proxy_pass http://{{ masterip }}:9001/cortex/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_http_version 1.1; # this is essential for chunked responses to work
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /cyberchef/ {
+          proxy_pass http://{{ masterip }}:9080/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_http_version 1.1; # this is essential for chunked responses to work
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+	
+        location /soctopus/ {
+          proxy_pass http://{{ masterip }}:7000/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /sensoroni/ {
+          auth_request          /so-auth/api/auth/;
+          proxy_pass http://{{ masterip }}:9822/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "Upgrade";
+
+        }
+
+        location /kibana/app/sensoroni/ {
+          rewrite ^/kibana/app/sensoroni/(.*) /sensoroni/$1 permanent;
+        }
+
+        location /kibana/app/fleet/ {
+          rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent;
+        }
+
+        location /kibana/app/soctopus/ {
+          rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent;
+        }
+
+
+        location /sensoroniagents/ {
+          proxy_pass http://{{ masterip }}:9822/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+
+        location /so-auth/loginpage/ {
+            proxy_pass          http://{{ masterip }}:4242/;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+
+        location /so-auth/api/ {
+            proxy_pass          http://{{ masterip }}:5656/;
+            proxy_set_header    X-Real-IP $remote_addr;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header    X-Forwarded-Host $host;
+        }
+
+        error_page 401 = @error401;
+
+        location @error401 {
+          add_header    Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/;Max-Age=60000";
+          return        302 http://{{ masterip }}/so-auth/loginpage/;
+        }
+
+        error_page 404 /404.html;
+            location = /40x.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+            location = /50x.html {
+        }
+    }
+
+}
--- a/salt/common/scripts/dockernet.sh
+++ b/salt/common/scripts/dockernet.sh
--- a/salt/common/telegraf/etc/telegraf.conf
+++ b/salt/common/telegraf/etc/telegraf.conf
@@ -15,6 +15,7 @@

 {%- set MASTER = grains['master'] %}
 {% set NODEIP = salt['pillar.get']('node:mainip', '') %}
+{% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}


 # Global tags can be specified here in key="value" format.
@@ -86,6 +87,7 @@
 ###############################################################################

 # Configuration for sending metrics to InfluxDB
+{% if grains['role'] != 'so-helix' %}
 [[outputs.influxdb]]
  ## The full HTTP or UDP URL for your InfluxDB instance.
  ##
@@ -148,7 +150,52 @@
  ## integer values.  Enabling this option will result in field type errors if
  ## existing data has been written.
  # influx_uint_support = false
+{% else %}
+# A plugin that can transmit metrics over HTTP
+[[outputs.http]]
+  ## URL is the address to send metrics to
+  url = "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload"

+  ## Timeout for HTTP message
+  # timeout = "5s"
+
+  ## HTTP method, one of: "POST" or "PUT"
+   method = "POST"
+
+  ## HTTP Basic Auth credentials
+  # username = "username"
+  # password = "pa$$word"
+
+  ## OAuth2 Client Credentials Grant
+  # client_id = "clientid"
+  # client_secret = "secret"
+  # token_url = "https://indentityprovider/oauth2/v1/token"
+  # scopes = ["urn:opc:idm:__myscopes__"]
+
+  ## Optional TLS Config
+  # tls_ca = "/etc/telegraf/ca.pem"
+  # tls_cert = "/etc/telegraf/cert.pem"
+  # tls_key = "/etc/telegraf/key.pem"
+  ## Use TLS but skip chain & host verification
+  # insecure_skip_verify = false
+
+  ## Data format to output.
+  ## Each data format has it's own unique set of configuration options, read
+  ## more about them here:
+  ## https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_OUTPUT.md
+   data_format = "json"
+
+  ## HTTP Content-Encoding for write request body, can be set to "gzip" to
+  ## compress body or "identity" to apply no encoding.
+   content_encoding = "gzip"
+
+  ## Additional HTTP headers
+   [outputs.http.headers]
+  #   # Should be set manually to "application/json" for json data_format
+     Content-Type = "application/json; charset=utf-8"
+     Authorization = "{{ HELIX_API_KEY }}"
+
+{% endif %}
 ###############################################################################
 #                            PROCESSOR PLUGINS                                #
 ###############################################################################
@@ -647,6 +694,17 @@
     "/scripts/influxdbsize.sh"
   ]
   data_format = "influx"
+{% elif grains['role'] == 'so-helix' %}
+[[inputs.exec]]
+  commands = [
+    "/scripts/stenoloss.sh",
+    "/scripts/suriloss.sh",
+    "/scripts/checkfiles.sh",
+    "/scripts/broloss.sh",
+    "/scripts/oldpcap.sh",
+    "/scripts/helixeps.sh"
+  ]
+  data_format = "influx"
 {% endif %}

 #
--- a/salt/common/telegraf/scripts/broloss.sh
+++ b/salt/common/telegraf/scripts/broloss.sh
@@ -1,7 +1,7 @@
 #!/bin/bash

-BROLOG=$(tac /host/nsm/bro/logs/packetloss.log | head -2)
-declare RESULT=($BROLOG)
+ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2)
+declare RESULT=($ZEEKLOG)
 CURRENTDROP=${RESULT[3]}
 PASTDROP=${RESULT[9]}
 DROPPED=$(($CURRENTDROP - $PASTDROP))
--- a/salt/common/telegraf/scripts/helixeps.sh
+++ b/salt/common/telegraf/scripts/helixeps.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+PREVCOUNTFILE='/tmp/helixevents.txt'
+EVENTCOUNTCURRENT="$(curl -s localhost:9600/_node/stats | jq '.pipelines.helix.events.out')"
+
+if [ ! -z "$EVENTCOUNTCURRENT" ]; then
+
+  if [ -f "$PREVCOUNTFILE" ]; then
+    EVENTCOUNTPREVIOUS=`cat $PREVCOUNTFILE`
+  else
+    echo "${EVENTCOUNTCURRENT}" > $PREVCOUNTFILE
+    exit 0
+  fi
+
+  echo "${EVENTCOUNTCURRENT}" > $PREVCOUNTFILE
+  EVENTS=$(((EVENTCOUNTCURRENT - EVENTCOUNTPREVIOUS)/30))
+  if [ "$EVENTS" -lt 0 ]; then
+    EVENTS=0
+  fi
+
+  echo "helixeps eps=${EVENTS%%.*}"
+
+fi
+
+exit 0
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -1,15 +1,54 @@
 #!/bin/bash
-got_root() {

-  # Make sure you are root
-  if [ "$(id -u)" -ne 0 ]; then
-          echo "This script must be run using sudo!"
-          exit 1
-  fi
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.

-}
+. /usr/sbin/so-common

-got_root
+SKIP=0
+
+while getopts "abowi:" OPTION
+do
+    case $OPTION in
+
+        h)
+            usage
+            exit 0
+            ;;
+        a)
+            FULLROLE="analyst"
+            SKIP=1
+            ;;
+        b)
+            FULLROLE="beats_endpoint"
+            SKIP=1
+            ;;
+        i)  IP=$OPTARG
+            ;;
+        o)
+            FULLROLE="osquery_endpoint"
+            SKIP=1
+            ;;
+        w)
+            FULLROLE="wazuh_endpoint"
+            SKIP=1
+            ;;
+    esac
+done
+
+if [ "$SKIP" -eq 0 ]; then

    echo "This program allows you to add a firewall rule to allow connections from a new IP address."
    echo ""
@@ -38,5 +77,25 @@ else
        exit 1
    fi

+fi
+
 echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
 /opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
+
+# Check if Wazuh enabled
+if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
+    # If analyst, add to Wazuh AR whitelist
+    if [ "$FULLROLE" == "analyst" ]; then
+          WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
+          if ! grep -q "<white_list>$IP</white_list>" $WAZUH_MGR_CFG ; then
+                  DATE=`date`
+                  sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
+                  sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
+                  echo -e "<!--Address $IP added by /usr/sbin/so-allow on "$DATE"-->\n  <global>\n    <white_list>$IP</white_list>\n  </global>\n</ossec_config>" >> $WAZUH_MGR_CFG
+                  echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG."
+		  echo
+                  echo "Restarting OSSEC Server..."
+                  /usr/sbin/so-wazuh-restart
+          fi
+     fi
+fi
--- a/salt/common/tools/sbin/so-auth-restart
+++ b/salt/common/tools/sbin/so-auth-restart
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart auth $1
+
--- a/salt/common/tools/sbin/so-auth-start
+++ b/salt/common/tools/sbin/so-auth-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start auth $1
--- a/salt/common/tools/sbin/so-auth-stop
+++ b/salt/common/tools/sbin/so-auth-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop auth $1
--- a/salt/common/tools/sbin/so-bpf-compile
+++ b/salt/common/tools/sbin/so-bpf-compile
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Copyright 2014 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ "$#" -lt 2 ]; then
+  cat 1>&2 <<EOF
+$0 compiles a BPF expression to be passed to stenotype to apply a socket filter.
+Its first argument is the interface (link type is required) and all other arguments
+are passed to TCPDump.
+
+Examples:
+ $0 eth0 dst port 80
+ $0 eth0 udp port 53
+EOF
+  exit 1
+fi
+
+interface="$1"
+shift
+sudo tcpdump -i $interface -ddd $@ | tail -n+2 |
+while read line; do
+  cols=( $line )
+  printf "%04x%02x%02x%08x" ${cols[0]} ${cols[1]} ${cols[2]} ${cols[3]}
+done
+echo ""
--- a/salt/common/tools/sbin/so-bro-logs
+++ b/salt/common/tools/sbin/so-bro-logs
--- a/salt/common/tools/sbin/so-checkin
+++ b/salt/common/tools/sbin/so-checkin
@@ -1 +1,20 @@
-sudo salt-call state.highstate
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+salt-call state.highstate
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -0,0 +1,30 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Check for prerequisites
+if [ "$(id -u)" -ne 0 ]; then
+        echo "This script must be run using sudo!"
+        exit 1
+fi
+
+# Define a banner to separate sections
+banner="========================================================================="
+
+header() {
+        echo
+        printf '%s\n' "$banner" "$*" "$banner"
+}
--- a/salt/common/tools/sbin/so-cortex-restart
+++ b/salt/common/tools/sbin/so-cortex-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart cortex $1
--- a/salt/common/tools/sbin/so-cortex-start
+++ b/salt/common/tools/sbin/so-cortex-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start cortex $1
--- a/salt/common/tools/sbin/so-cortex-stop
+++ b/salt/common/tools/sbin/so-cortex-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop cortex $1
--- a/salt/common/tools/sbin/so-curator-restart
+++ b/salt/common/tools/sbin/so-curator-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart curator $1
--- a/salt/common/tools/sbin/so-curator-start
+++ b/salt/common/tools/sbin/so-curator-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start curator $1
--- a/salt/common/tools/sbin/so-curator-stop
+++ b/salt/common/tools/sbin/so-curator-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop curator $1
--- a/salt/common/tools/sbin/so-elastalert-create
+++ b/salt/common/tools/sbin/so-elastalert-create
--- a/salt/common/tools/sbin/so-elastalert-restart
+++ b/salt/common/tools/sbin/so-elastalert-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart elastalert $1
--- a/salt/common/tools/sbin/so-elastalert-start
+++ b/salt/common/tools/sbin/so-elastalert-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start elastalert $1
--- a/salt/common/tools/sbin/so-elastalert-stop
+++ b/salt/common/tools/sbin/so-elastalert-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop elastalert $1
--- a/salt/common/tools/sbin/so-elastalert-test
+++ b/salt/common/tools/sbin/so-elastalert-test
@@ -0,0 +1,142 @@
+#!/bin/bash
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+# Originally written by Bryant Treacle
+# https://raw.githubusercontent.com/bryant-treacle/so-elastalert-test-rule/master/so-elastalert-test
+# Modified by Doug Burks and Wes Lambert
+#
+# Purpose:  This script will allow you to test your elastalert rule without entering the Docker container.
+
+. /usr/sbin/so-elastic-common
+
+OPTIONS=""
+SKIP=0
+RESULTS_TO_LOG="n"
+RULE_NAME=""
+FILE_SAVE_LOCATION=""
+
+usage()
+{
+cat <<EOF
+
+Test Elastalert Rule
+  Options:
+  -h         		This message
+  -a         		Trigger real alerts instead of the debug alert
+  -l <path_to_file>     Write results to specified log file
+  -o '<options>'	Specify Elastalert options ( Ex. --schema-only , --count-only, --days N ) 
+  -r <rule_name>        Specify path/name of rule to test
+
+EOF
+}
+
+while getopts "hal:o:r:" OPTION
+do
+        case $OPTION in
+                h)
+                        usage
+                        exit 0
+                        ;;
+                a)
+                        OPTIONS="--alert"
+                        ;;
+                l)
+                        RESULTS_TO_LOG="y"
+                        FILE_SAVE_LOCATION=$OPTARG
+                        ;;
+                
+                o)
+			OPTIONS=$OPTARG
+                        ;;  
+                
+                r)
+                        RULE_NAME=$OPTARG
+                        SKIP=1
+                        ;;
+                *)
+                        usage
+                        exit 0
+                        ;;
+        esac
+done
+
+docker_exec(){
+	if [ ${RESULTS_TO_LOG,,} = "y" ] ; then
+        	docker exec -it so-elastalert bash -c "elastalert-test-rule $RULE_NAME $OPTIONS" > $FILE_SAVE_LOCATION
+	else
+        	docker exec -it so-elastalert bash -c "elastalert-test-rule $RULE_NAME $OPTIONS"
+	fi	
+}
+
+rule_prompt(){
+	CURRENT_RULES=$(find /opt/so/rules/elastalert -name "*.yaml")
+        echo
+        echo "This script will allow you to test an Elastalert rule."
+        echo
+        echo "Below is a list of active Elastalert rules:"
+        echo
+	echo "-----------------------------------"
+        echo
+        echo "$CURRENT_RULES"
+        echo
+	echo "-----------------------------------"
+	echo 
+        echo "Note: To test a rule it must be accessible by the Elastalert Docker container."
+        echo
+        echo "Make sure to swap the local path (/opt/so/rules/elastalert/) for the docker path (/etc/elastalert/rules/)"
+        echo "Example: /opt/so/rules/elastalert/nids2hive.yaml would be /etc/elastalert/rules/nids2hive.yaml"
+        echo
+        while [ -z $RULE_NAME ]; do
+		echo "Please enter the file path and rule name you want to test."
+		read -e RULE_NAME
+	done
+}
+
+log_save_prompt(){
+	RESULTS_TO_LOG=""
+        while [ -z $RESULTS_TO_LOG ]; do
+		echo "The results can be rather long.  Would you like to write the results to a file? (Y/N)"
+		read RESULTS_TO_LOG
+	done
+}
+
+log_path_prompt(){
+        while [ -z $FILE_SAVE_LOCATION ]; do
+		echo "Please enter the file path and file name."
+		read -e FILE_SAVE_LOCATION
+        done
+		echo "Depending on the rule this may take a while."
+}
+
+if [ $SKIP -eq 0 ]; then
+	rule_prompt
+	log_save_prompt
+        if [ ${RESULTS_TO_LOG,,} = "y" ] ; then
+        	log_path_prompt
+        fi
+fi
+
+docker_exec
+
+if [ $? -eq 0 ]; then
+	echo "Test completed successfully!"
+else
+	echo "Something went wrong..."
+fi
+
+echo
+
+
+
--- a/salt/common/tools/sbin/so-elastic-clear
+++ b/salt/common/tools/sbin/so-elastic-clear
@@ -0,0 +1,80 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%}
+. /usr/sbin/so-common
+
+SKIP=0
+#########################################
+# Options
+#########################################
+usage()
+{
+cat <<EOF
+Security Onion Elastic Clear
+  Options:
+  -h         This message
+  -y         Skip interactive mode
+EOF
+}
+while getopts "h:y" OPTION
+do
+        case $OPTION in
+                h)
+                        usage
+                        exit 0
+                        ;;
+                
+                y)
+                        SKIP=1
+                        ;;
+                *)
+                        usage
+                        exit 0
+                        ;;
+        esac
+done
+if [ $SKIP -ne 1 ]; then
+        # List indices
+        echo 
+        curl {{ MASTERIP }}:9200/_cat/indices?v&pretty
+        echo
+        # Inform user we are about to delete all data
+        echo
+        echo "This script will delete all data (documents, indices, etc.) in the Elasticsearch database."
+        echo
+        echo "If you would like to proceed, please type "AGREE" and hit ENTER."
+        echo
+        # Read user input
+        read INPUT
+        if [ "$INPUT" != "AGREE" ] ; then exit 0; fi
+fi
+
+/usr/sbin/so-filebeat-stop
+/usr/sbin/so-logstash-stop
+
+# Delete data
+echo "Deleting data..."
+
+INDXS=$(curl -s -XGET {{ MASTERIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert' | awk '{ print $3 }')
+for INDX in ${INDXS}
+do
+    curl -XDELETE "{{ MASTERIP }}:9200/${INDX}" > /dev/null 2>&1
+done
+
+/usr/sbin/so-logstash-start
+/usr/sbin/so-filebeat-start
+
--- a/salt/common/tools/sbin/so-elastic-diagnose
+++ b/salt/common/tools/sbin/so-elastic-diagnose
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Source common settings
+. /usr/sbin/so-common
+
+# Check for log files
+for FILE in /opt/so/log/elasticsearch/*.log /opt/so/log/logstash/*.log /opt/so/log/kibana/*.log /opt/so/log/elastalert/*.log /opt/so/log/curator/*.log /opt/so/log/freqserver/*.log /opt/so/log/nginx/*.log; do
+
+# If file exists, then look for errors or warnings 
+if [ -f $FILE ]; then
+	MESSAGE=`grep -i 'ERROR\|FAIL\|WARN' $FILE` 
+	if [ ! -z "$MESSAGE" ]; then
+		header $FILE
+		echo $MESSAGE | sed 's/WARN/\nWARN/g' | sed 's/WARNING/\nWARNING/g' | sed 's/ERROR/\nERROR/g' | sort | uniq -c | sort -nr
+		echo
+	fi
+fi
+done
--- a/salt/common/tools/sbin/so-elastic-download
+++ b/salt/common/tools/sbin/so-elastic-download
@@ -0,0 +1,46 @@
+#!/bin/bash
+MASTER=MASTER
+VERSION="HH1.1.4"
+TRUSTED_CONTAINERS=( \
+"so-auth-api:$VERSION" \
+"so-auth-ui:$VERSION" \
+"so-core:$VERSION" \
+"so-thehive-cortex:$VERSION" \
+"so-curator:$VERSION" \
+"so-domainstats:$VERSION" \
+"so-elastalert:$VERSION" \
+"so-elasticsearch:$VERSION" \
+"so-filebeat:$VERSION" \
+"so-fleet:$VERSION" \
+"so-fleet-launcher:$VERSION" \
+"so-freqserver:$VERSION" \
+"so-grafana:$VERSION" \
+"so-idstools:$VERSION" \
+"so-influxdb:$VERSION" \
+"so-kibana:$VERSION" \
+"so-logstash:$VERSION" \
+"so-mysql:$VERSION" \
+"so-navigator:$VERSION" \
+"so-playbook:$VERSION" \
+"so-redis:$VERSION" \
+"so-sensoroni:$VERSION" \
+"so-soctopus:$VERSION" \
+"so-steno:$VERSION" \
+#"so-strelka:$VERSION" \
+"so-suricata:$VERSION" \
+"so-telegraf:$VERSION" \
+"so-thehive:$VERSION" \
+"so-thehive-es:$VERSION" \
+"so-wazuh:$VERSION" \
+"so-zeek:$VERSION" )
+
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+  # Pull down the trusted docker image
+  echo "Downloading $i"
+  docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+  # Tag it with the new registry destination
+  docker tag soshybridhunter/$i $MASTER:5000/soshybridhunter/$i
+  docker push $MASTER:5000/soshybridhunter/$i
+  docker rmi soshybridhunter/$i
+done
--- a/salt/common/tools/sbin/so-elasticsearch-restart
+++ b/salt/common/tools/sbin/so-elasticsearch-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart elasticsearch $1
--- a/salt/common/tools/sbin/so-elasticsearch-start
+++ b/salt/common/tools/sbin/so-elasticsearch-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start elasticsearch $1
--- a/salt/common/tools/sbin/so-elasticsearch-stop
+++ b/salt/common/tools/sbin/so-elasticsearch-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop elasticsearch $1
--- a/salt/common/tools/sbin/so-features-enable
+++ b/salt/common/tools/sbin/so-features-enable
@@ -0,0 +1,42 @@
+#!/bin/bash
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+VERSION=$(grep soversion /opt/so/saltstack/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
+# Modify static.sls to enable Features
+sed -i 's/features: False/features: True/' /opt/so/saltstack/pillar/static.sls
+SUFFIX="-features"
+TRUSTED_CONTAINERS=( \
+  "so-elasticsearch:$VERSION$SUFFIX" \
+  "so-filebeat:$VERSION$SUFFIX" \
+  "so-kibana:$VERSION$SUFFIX" \
+  "so-logstash:$VERSION$SUFFIX" )
+
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+    # Pull down the trusted docker image
+    echo "Downloading $i"
+    docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+    # Tag it with the new registry destination
+    docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
+    docker push $HOSTNAME:5000/soshybridhunter/$i
+done
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+    echo "Removing $i locally"
+    docker rmi soshybridhunter/$i
+done
--- a/salt/common/tools/sbin/so-filebeat-restart
+++ b/salt/common/tools/sbin/so-filebeat-restart
@@ -1,7 +1,7 @@
 #!/bin/bash

-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
-
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
@@ -14,4 +14,7 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-filebeat && sudo docker rm so-filebeat && salt-call state.apply filebeat
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart filebeat $1
--- a/salt/common/tools/sbin/so-filebeat-start
+++ b/salt/common/tools/sbin/so-filebeat-start
@@ -1,7 +1,7 @@
 #!/bin/bash

-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
-
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
@@ -14,4 +14,7 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker rm so-filebeat && salt-call state.apply filebeat
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start filebeat $1
--- a/salt/common/tools/sbin/so-filebeat-stop
+++ b/salt/common/tools/sbin/so-filebeat-stop
@@ -1,7 +1,7 @@
 #!/bin/bash

-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
-
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
@@ -14,4 +14,7 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-filebeat
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop filebeat $1
--- a/salt/common/tools/sbin/so-fleet-restart
+++ b/salt/common/tools/sbin/so-fleet-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart fleet $1
--- a/salt/common/tools/sbin/so-fleet-start
+++ b/salt/common/tools/sbin/so-fleet-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start fleet $1
--- a/salt/common/tools/sbin/so-fleet-stop
+++ b/salt/common/tools/sbin/so-fleet-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop fleet $1
--- a/salt/common/tools/sbin/so-get-parsed
+++ b/salt/common/tools/sbin/so-get-parsed
@@ -1 +0,0 @@
-sudo docker exec -it so-redis redis-cli llen logstash:unparsed
--- a/salt/common/tools/sbin/so-get-unparsed
+++ b/salt/common/tools/sbin/so-get-unparsed
@@ -1 +0,0 @@
-sudo docker exec -it so-redis redis-cli llen logstash:unparsed
--- a/salt/common/tools/sbin/so-grafana-restart
+++ b/salt/common/tools/sbin/so-grafana-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart grafana $1
--- a/salt/common/tools/sbin/so-grafana-start
+++ b/salt/common/tools/sbin/so-grafana-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start grafana $1
--- a/salt/common/tools/sbin/so-grafana-stop
+++ b/salt/common/tools/sbin/so-grafana-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop grafana $1
--- a/salt/common/tools/sbin/so-helix-apikey
+++ b/salt/common/tools/sbin/so-helix-apikey
--- a/salt/common/tools/sbin/so-index-list
+++ b/salt/common/tools/sbin/so-index-list
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+curl -X GET "localhost:9200/_cat/indices?v"
--- a/salt/common/tools/sbin/so-kibana-restart
+++ b/salt/common/tools/sbin/so-kibana-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart kibana $1
--- a/salt/common/tools/sbin/so-kibana-start
+++ b/salt/common/tools/sbin/so-kibana-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start kibana $1
--- a/salt/common/tools/sbin/so-kibana-stop
+++ b/salt/common/tools/sbin/so-kibana-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop kibana $1
--- a/salt/common/tools/sbin/so-list-index
+++ b/salt/common/tools/sbin/so-list-index
@@ -1 +0,0 @@
-curl -X GET "localhost:9200/_cat/indices?v"
--- a/salt/common/tools/sbin/so-logstash-get-parsed
+++ b/salt/common/tools/sbin/so-logstash-get-parsed
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+docker exec -it so-redis redis-cli llen logstash:unparsed
--- a/salt/common/tools/sbin/so-logstash-get-unparsed
+++ b/salt/common/tools/sbin/so-logstash-get-unparsed
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+docker exec -it so-redis redis-cli llen logstash:unparsed
--- a/salt/common/tools/sbin/so-logstash-restart
+++ b/salt/common/tools/sbin/so-logstash-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart logstash $1
--- a/salt/common/tools/sbin/so-logstash-start
+++ b/salt/common/tools/sbin/so-logstash-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start logstash $1
--- a/salt/common/tools/sbin/so-logstash-stop
+++ b/salt/common/tools/sbin/so-logstash-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop logstash $1
--- a/salt/common/tools/sbin/so-mysql-restart
+++ b/salt/common/tools/sbin/so-mysql-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart mysql $1
--- a/salt/common/tools/sbin/so-mysql-start
+++ b/salt/common/tools/sbin/so-mysql-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start mysql $1
--- a/salt/common/tools/sbin/so-mysql-stop
+++ b/salt/common/tools/sbin/so-mysql-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop mysql $1
--- a/salt/common/tools/sbin/so-nsm-clear
+++ b/salt/common/tools/sbin/so-nsm-clear
@@ -0,0 +1,76 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+. /usr/sbin/so-common
+
+SKIP=0
+#########################################
+# Options
+#########################################
+usage()
+{
+cat <<EOF
+Security Onion NSM Data Deletion
+  Options:
+  -h         This message
+  -y         Skip interactive mode
+EOF
+}
+while getopts "h:y" OPTION
+do
+        case $OPTION in
+                h)
+                        usage
+                        exit 0
+                        ;;
+                
+                y)
+                        SKIP=1
+                        ;;
+                *)
+                        usage
+                        exit 0
+                        ;;
+        esac
+done
+if [ $SKIP -ne 1 ]; then
+        # Inform user we are about to delete all data
+        echo
+        echo "This script will delete all NIDS data (PCAP, Suricata, Zeek)" 
+        echo "If you would like to proceed, please type "AGREE" and hit ENTER."
+        echo
+        # Read user input
+        read INPUT
+        if [ "$INPUT" != "AGREE" ] ; then exit 0; fi
+fi
+
+delete_pcap() {
+  PCAP_DATA="/nsm/pcap/"
+  [ -d $PCAP_DATA ] && so-pcap-stop && rm -rf $PCAP_DATA/* && so-pcap-start
+}
+delete_suricata() {
+  SURI_LOG="/opt/so/log/suricata/eve.json"
+  [ -f $SURI_LOG ] && so-suricata-stop && rm -f $SURI_LOG && so-suricata-start
+}
+delete_zeek() {
+  ZEEK_LOG="/nsm/zeek/logs/"
+  [ -d $ZEEK_LOG ] && so-zeek-stop && rm -rf $ZEEK_LOG/* && so-zeek-start
+}
+
+delete_pcap
+delete_suricata
+delete_zeek
+
--- a/salt/common/tools/sbin/so-pcap-restart
+++ b/salt/common/tools/sbin/so-pcap-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart steno $1
--- a/salt/common/tools/sbin/so-pcap-start
+++ b/salt/common/tools/sbin/so-pcap-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start steno $1
--- a/salt/common/tools/sbin/so-pcap-stop
+++ b/salt/common/tools/sbin/so-pcap-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop steno $1
--- a/salt/common/tools/sbin/so-playbook-restart
+++ b/salt/common/tools/sbin/so-playbook-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart playbook $1
--- a/salt/common/tools/sbin/so-playbook-ruleupdate
+++ b/salt/common/tools/sbin/so-playbook-ruleupdate
@@ -1 +1,20 @@
-sudo docker exec so-soctopus python3 playbook_bulk-update.py
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+docker exec so-soctopus python3 playbook_bulk-update.py
--- a/salt/common/tools/sbin/so-playbook-start
+++ b/salt/common/tools/sbin/so-playbook-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start playbook $1
--- a/salt/common/tools/sbin/so-playbook-stop
+++ b/salt/common/tools/sbin/so-playbook-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop playbook $1
--- a/salt/common/tools/sbin/so-playbook-sync
+++ b/salt/common/tools/sbin/so-playbook-sync
@@ -1 +1,20 @@
-sudo docker exec so-soctopus python3 playbook_play-sync.py
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+docker exec so-soctopus python3 playbook_play-sync.py
--- a/salt/common/tools/sbin/so-redis-count
+++ b/salt/common/tools/sbin/so-redis-count
@@ -1 +1,20 @@
-sudo docker exec -it so-redis redis-cli llen logstash:unparsed
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+docker exec -it so-redis redis-cli llen logstash:unparsed
--- a/salt/common/tools/sbin/so-redis-restart
+++ b/salt/common/tools/sbin/so-redis-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart redis $1
--- a/salt/common/tools/sbin/so-redis-start
+++ b/salt/common/tools/sbin/so-redis-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start redis $1
--- a/salt/common/tools/sbin/so-redis-stop
+++ b/salt/common/tools/sbin/so-redis-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop redis $1
--- a/salt/common/tools/sbin/so-restart
+++ b/salt/common/tools/sbin/so-restart
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Usage: so-restart  filebeat | kibana | playbook | thehive
+
+. /usr/sbin/so-common
+
+echo $banner
+printf "Restarting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
+echo $banner
+
+if [ "$2" = "--force" ]
+then
+   printf "\nForce-stopping all Salt jobs before proceeding\n\n"
+   salt-call saltutil.kill_all_jobs
+fi
+
+case $1 in
+   "cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;;
+   "steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;;
+   "auth") docker stop so-auth-api; docker stop so-auth-ui; salt-call state.apply auth queue=True;;
+   *)  docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
+esac
--- a/salt/common/tools/sbin/so-rule-update
+++ b/salt/common/tools/sbin/so-rule-update
--- a/salt/common/tools/sbin/so-salt-start
+++ b/salt/common/tools/sbin/so-salt-start
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+echo $banner
+printf "Starting local Salt Minion...\n"
+echo $banner
+
+service salt-minion start
+service salt-minion status
--- a/salt/common/tools/sbin/so-salt-stop
+++ b/salt/common/tools/sbin/so-salt-stop
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+echo $banner
+printf "Stopping local Salt Minion...\n"
+echo $banner
+
+service salt-minion stop
+service salt-minion status
--- a/salt/common/tools/sbin/so-soctopus-restart
+++ b/salt/common/tools/sbin/so-soctopus-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart soctopus $1
--- a/salt/common/tools/sbin/so-soctopus-start
+++ b/salt/common/tools/sbin/so-soctopus-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start soctopus $1
--- a/salt/common/tools/sbin/so-soctopus-stop
+++ b/salt/common/tools/sbin/so-soctopus-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop soctopus $1
--- a/salt/common/tools/sbin/so-start
+++ b/salt/common/tools/sbin/so-start
@@ -1 +1,47 @@
-sudo salt-call state.highstate
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Usage: so-start  all | filebeat | kibana | playbook | thehive
+
+. /usr/sbin/so-common
+
+echo $banner
+printf "Starting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
+echo $banner
+
+if [ "$2" = "--force" ]
+then
+   printf "\nForce-stopping all Salt jobs before proceeding\n\n"
+   salt-call saltutil.kill_all_jobs
+fi
+
+case $1 in
+   "all") salt-call state.highstate queue=True;;
+   "steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;; 
+   "auth") 
+      if docker ps | grep -q so-auth-api; then
+         if docker ps | grep -q so-auth-ui; then
+            printf "\n$1 is already running!\n\n"
+         else
+            docker rm so-auth-api >/dev/null 2>&1; docker rm so-auth-ui >/dev/null 2>&1; salt-call state.apply $1 queue=True
+         fi
+      else
+         docker rm so-auth-api >/dev/null 2>&1; docker rm so-auth-ui >/dev/null 2>&1; salt-call state.apply $1 queue=True
+      fi
+      ;;
+   *) if docker ps | grep -q so-$1; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; 
+esac
--- a/salt/common/tools/sbin/so-status
+++ b/salt/common/tools/sbin/so-status
@@ -0,0 +1,206 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+{%- set pillar_suffix = ':containers' -%}
+{%- if (salt['grains.get']('role') == 'so-mastersearch') -%}
+    {%- set pillar_val = 'master_search' -%}
+{%- elif (salt['grains.get']('role') == 'so-master') -%}
+    {%- set pillar_val = 'master' -%}
+{%- elif (salt['grains.get']('role') == 'so-heavynode') -%}
+    {%- set pillar_val = 'heavy_node' -%}
+{%- elif (salt['grains.get']('role') == 'so-sensor') -%}
+    {%- set pillar_val = 'sensor' -%}
+{%- elif (salt['grains.get']('role') == 'so-eval') -%}
+    {%- set pillar_val = 'eval' -%}
+{%- elif (salt['grains.get']('role') == 'so-helix') -%}
+    {%- set pillar_val = 'helix' -%}
+{%- elif (salt['grains.get']('role') == 'so-node') -%}
+    {%- if (salt['pillar.get']('node:node_type') == 'parser') -%}
+        {%- set pillar_val = 'parser_node' -%}
+    {%- elif (salt['pillar.get']('node:node_type') == 'hot') -%}
+        {%- set pillar_val = 'hot_node' -%}
+    {%- elif (salt['pillar.get']('node:node_type') == 'warm') -%}
+        {%- set pillar_val = 'warm_node' -%}
+    {%- elif (salt['pillar.get']('node:node_type') == 'search') -%}
+        {%- set pillar_val = 'search_node' -%}
+    {%- endif -%}
+{%- endif -%}
+{%- set pillar_name = pillar_val ~ pillar_suffix -%}
+{%- set container_list = salt['pillar.get'](pillar_name) %}
+
+if ! [ "$(id -u)" = 0 ]; then
+   echo "This command must be run as root"
+   exit 1
+fi
+
+# Constants
+ERROR_STRING="ERROR"
+SUCCESS_STRING="OK"
+PENDING_STRING="PENDING"
+MISSING_STRING='MISSING'
+declare -a BAD_STATUSES=("removing" "paused" "exited" "dead")
+declare -a PENDING_STATUSES=("paused" "created" "restarting")
+declare -a GOOD_STATUSES=("running")
+
+declare -a temp_container_name_list=()
+declare -a temp_container_state_list=()
+
+declare -a container_name_list=()
+declare -a container_state_list=()
+
+declare -a expected_container_list=()
+
+# {% raw %}
+
+compare_lists() {
+    local found=0
+
+    create_expected_container_list
+
+    if [[ ${#expected_container_list[@]} = 0 ]]; then
+        container_name_list="${temp_container_name_list[*]}"
+        container_state_list="${temp_container_state_list[*]}"
+        return 1
+    fi
+
+    for intended_item in "${expected_container_list[@]}"; do
+        found=0
+        for i in "${!temp_container_name_list[@]}"; do
+            [[ ${temp_container_name_list[$i]} = "$intended_item" ]] \
+                && found=1 \
+                && container_name_list+=("${temp_container_name_list[$i]}") \
+                && container_state_list+=("${temp_container_state_list[$i]}") \
+                && break
+        done
+        if [[ $found = 0 ]]; then
+            container_name_list+=("$intended_item")
+            container_state_list+=("missing")
+        fi
+    done
+}
+
+# {% endraw %}
+
+create_expected_container_list() {
+    {% for item in container_list%}
+        expected_container_list+=("{{ item }}")
+    {% endfor %}
+}
+
+populate_container_lists() {
+    systemctl is-active --quiet docker
+
+    if [[ $? = 0 ]]; then
+        mapfile -t docker_raw_list < <(curl -s --unix-socket /var/run/docker.sock http:/containers/json?all=1 \
+            | jq -c '.[] | { Name: .Names[0], State: .State }' \
+            | tr -d '/{"}')
+    else
+        exit 1
+    fi
+
+    local container_name=""
+    local container_state=""
+
+    for line in "${docker_raw_list[@]}"; do
+        container_name="$( echo $line | sed -e 's/Name:\(.*\),State:\(.*\)/\1/' )" # Get value in the first search group (container names)
+        container_state="$( echo $line | sed -e 's/Name:\(.*\),State:\(.*\)/\2/' )" # Get value in the second search group (container states)
+        
+        temp_container_name_list+=( "${container_name}" )
+        temp_container_state_list+=( "${container_state}" )
+    done
+
+    compare_lists
+}
+
+parse_status() {
+    local container_state=${1}
+
+    [[ $container_state = "missing" ]] && printf $MISSING_STRING && return 1
+
+    for state in "${GOOD_STATUSES[@]}"; do
+        [[ $container_state = "$state" ]] && printf $SUCCESS_STRING && return 0
+    done
+
+    for state in "${PENDING_STATUSES[@]}"; do
+        [[ $container_state = "$state" ]] && printf $PENDING_STRING && return 0
+    done
+
+    # This is technically not needed since the default is error state
+    for state in "${BAD_STATUSES[@]}"; do
+        [[ $container_state = "$state" ]] && printf $ERROR_STRING && return 1
+    done
+
+    printf $ERROR_STRING && return 1
+}
+
+# {% raw %}
+
+print_line() {
+    local service_name=${1}
+    local service_state="$( parse_status ${2} )"
+    local columns=$(tput cols)
+    local state_color="\e[0m"
+
+    local PADDING_CONSTANT=14
+
+    if [[ $service_state = "$ERROR_STRING" ]] || [[ $service_state = "$MISSING_STRING" ]]; then
+        state_color="\e[1;31m"
+    elif [[ $service_state = "$SUCCESS_STRING" ]]; then
+        state_color="\e[1;32m"
+    elif [[ $service_state = "$PENDING_STRING" ]]; then
+        state_color="\e[1;33m"
+    fi
+
+    printf "    $service_name "
+    for i in $(seq 0 $(( $columns - $PADDING_CONSTANT - ${#service_name} - ${#service_state} ))); do
+        printf "-"
+    done
+    printf " [ "
+    printf "${state_color}%b\e[0m" "$service_state"
+    printf "%s    \n" " ]"
+}
+
+main() {
+    local focus_color="\e[1;34m"
+    printf "\n"
+    printf "${focus_color}%b\e[0m" "Checking Docker status\n\n"
+
+    systemctl is-active --quiet docker
+    if [[ $? = 0 ]]; then
+        print_line "Docker" "running"
+    else
+        print_line "Docker" "exited"
+    fi
+
+    populate_container_lists
+
+    printf "\n"
+    printf "${focus_color}%b\e[0m" "Checking container statuses\n\n"
+
+    local num_containers=${#container_name_list[@]}
+
+    for i in $(seq 0 $(($num_containers - 1 ))); do
+        print_line ${container_name_list[$i]} ${container_state_list[$i]}
+    done
+
+    printf "\n"
+}
+
+# {% endraw %}
+
+
+main
--- a/salt/common/tools/sbin/so-stop
+++ b/salt/common/tools/sbin/so-stop
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Usage: so-stop  filebeat | kibana | playbook | thehive
+
+. /usr/sbin/so-common
+
+echo $banner
+printf "Stopping $1...\n"
+echo $banner
+
+case $1 in
+    "auth") docker stop so-auth-api; docker rm so-auth-api; docker stop so-auth-ui; docker rm so-auth-ui ;;
+    *) docker stop so-$1 ; docker rm so-$1 ;;
+esac
+
--- a/salt/common/tools/sbin/so-suricata-restart
+++ b/salt/common/tools/sbin/so-suricata-restart
@@ -1,7 +1,7 @@
 #!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
-
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
@@ -14,4 +14,7 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-suricata && sudo docker rm so-suricata && salt-call state.apply suricata
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart suricata $1
--- a/salt/common/tools/sbin/so-suricata-start
+++ b/salt/common/tools/sbin/so-suricata-start
@@ -1,7 +1,7 @@
 #!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
-
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
@@ -14,4 +14,7 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker rm so-suricata && salt-call state.apply suricata
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start suricata $1
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`sudo docker exec -it so-redis redis-cli llen logstash:unparsed`
				`@@ -1 +0,0 @@`
				`curl -X GET "localhost:9200/_cat/indices?v"`