From edce5186b95eb570c8f37defdf9a2eb210c2f053 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 29 Aug 2024 12:55:06 -0400
Subject: [PATCH 1/3] Add support to relaod rules instead of restart
---
 salt/suricata/enabled.sls | 7 ++++++-
 salt/suricata/tools/sbin/so-suricata-reload-rules | 12 ++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 salt/suricata/tools/sbin/so-suricata-reload-rules
diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls
index 3e015d100..b148e952a 100644
--- a/salt/suricata/enabled.sls
+++ b/salt/suricata/enabled.sls
@@ -57,7 +57,6 @@ so-suricata: - watch: - file: suriconfig - file: surithresholding - - file: /opt/so/conf/suricata/rules/ - file: /opt/so/conf/suricata/bpf - file: suriclassifications - require:
@@ -66,6 +65,12 @@ so-suricata: - file: suribpf - file: suriclassifications +surirulereload: + cmd.run: + - name: /usr/sbin/so-suricata-reload-rules + - watch: + - onchanges: surirulesync + delete_so-suricata_so-status.disabled: file.uncomment: - name: /opt/so/conf/so-status/so-status.conf
diff --git a/salt/suricata/tools/sbin/so-suricata-reload-rules b/salt/suricata/tools/sbin/so-suricata-reload-rules
new file mode 100644
index 000000000..05301a4fc
--- /dev/null
+++ b/salt/suricata/tools/sbin/so-suricata-reload-rules
@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-common
+
+docker exec -it so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket >> /opt/so/log/suricata/reload.log 2>&1
\ No newline at end of file
From b9f817201c63249a04e4da32e9463cef6bb2defc Mon Sep 17 00:00:00 2001
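Review bot: The new `surirulereload` state carries no comment, and since the previous hunk drops the `/opt/so/conf/suricata/rules/` entry from the `so-suricata` watch list, a reader of enabled.sls can no longer see that rule updates are meant to be hot-reloaded instead of restarting the container; add above `surirulereload:` the comment `# Rule updates are hot-reloaded via so-suricata-reload-rules instead of restarting so-suricata`. The `so-suricata` state that both hunks touch starts before the first hunk, and `surirulesync`, which the requisite refers to, is not defined in any hunk of this series, so it is presumably declared elsewhere in the file.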
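Review bot: `docker exec -it` on the last line of the new script requests a TTY, which the `surirulereload` cmd.run state that invokes it does not provide, so the exec is likely to fail with "the input device is not a TTY" before suricatasc ever runs; drop both flags: `docker exec so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket`. The same line is rewritten in PATCH 2's hunk of this file and keeps `-it`, so the fix applies there as well. The file is also committed without a trailing newline (`\ No newline at end of file`).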
From: Mike Reeves
Date: Fri, 30 Aug 2024 09:15:25 -0400
Subject: [PATCH 2/3] Add thresholds to the reload list
---
 salt/suricata/enabled.sls | 11 +++++------
 salt/suricata/tools/sbin/so-suricata-reload-rules | 2 +-
 2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls
index b148e952a..cd2f38951 100644
--- a/salt/suricata/enabled.sls
+++ b/salt/suricata/enabled.sls
@@ -56,24 +56,23 @@ so-suricata: {% endif %} - watch: - file: suriconfig - - file: surithresholding - file: /opt/so/conf/suricata/bpf - file: suriclassifications - require: - file: suriconfig - - file: surithresholding - file: suribpf - file: suriclassifications surirulereload: cmd.run: - - name: /usr/sbin/so-suricata-reload-rules - - watch: - - onchanges: surirulesync + - name: /usr/sbin/so-suricata-reload-rules >> /opt/so/log/suricata/reload.log 2>&1 + - onchanges: + - surirulesync + - surithresholding delete_so-suricata_so-status.disabled: file.uncomment: - - name: /opt/so/conf/so-status/so-status.conf + - name: /opt/so/conf/so-status/so-status.conf - regex: ^so-suricata$ # Add eve clean cron
diff --git a/salt/suricata/tools/sbin/so-suricata-reload-rules b/salt/suricata/tools/sbin/so-suricata-reload-rules
index 05301a4fc..ed0fd145c 100644
--- a/salt/suricata/tools/sbin/so-suricata-reload-rules
+++ b/salt/suricata/tools/sbin/so-suricata-reload-rules
@@ -9,4 +9,4 @@
 . /usr/sbin/so-common
-docker exec -it so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket >> /opt/so/log/suricata/reload.log 2>&1
\ No newline at end of file
+docker exec -it so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket
\ No newline at end of file
From afcb30be0383b353b80f5b6985934adbb1bb252a Mon Sep 17 00:00:00 2001
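Review bot: The `- name: /opt/so/conf/so-status/so-status.conf` line of `delete_so-suricata_so-status.disabled` is removed and re-added with no visible difference, which looks like a whitespace-only change (the collapsed diff does not show which), and the same flip recurs in PATCH 3's second hunk, so one of the two is a no-op or undoes the other; both should be left out of a series about rule reloading. Separately, moving the `>> /opt/so/log/suricata/reload.log 2>&1` redirect into the cmd.run `name` means the state result carries no suricatasc output, so a failed reload surfaces only as a non-zero return in the highstate summary (assuming the state runs through a shell, as cmd.run states do by default); that intent deserves a comment above the state such as `# suricatasc output is appended to reload.log; a non-zero exit fails this state`. The `so-suricata` state whose watch and require lists this hunk edits starts before the hunk.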
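Review bot: The script still has no comment stating what it does, and this hunk changes its behaviour (output is no longer logged by the script but by its caller) without recording that anywhere; propose, after the licence header, `# Ask the running so-suricata container to hot-reload its ruleset over the command socket.` and `# Output is not captured here; the surirulereload state in salt/suricata/enabled.sls redirects it to /opt/so/log/suricata/reload.log.` The rewritten line keeps `docker exec -it`, which needs a TTY the Salt caller does not provide, and the file still ends without a newline. A failed reload is reported only through suricatasc's exit status, and whether a NOK reply yields a non-zero exit depends on the suricatasc version in the image, which the diff does not show; if it does not, the state will report success on a rejected ruleset, so consider checking the reply text in the script.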
From: Mike Reeves
Date: Fri, 30 Aug 2024 09:43:35 -0400
Subject: [PATCH 3/3] Threhsolds require a restart
---
 salt/suricata/enabled.sls | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls
index cd2f38951..3f1469f0f 100644
--- a/salt/suricata/enabled.sls
+++ b/salt/suricata/enabled.sls
@@ -56,10 +56,12 @@ so-suricata: {% endif %} - watch: - file: suriconfig + - file: surithresholding - file: /opt/so/conf/suricata/bpf - file: suriclassifications - require: - file: suriconfig + - file: surithresholding - file: suribpf - file: suriclassifications
@@ -68,11 +70,10 @@ surirulereload: - name: /usr/sbin/so-suricata-reload-rules >> /opt/so/log/suricata/reload.log 2>&1 - onchanges: - surirulesync - - surithresholding delete_so-suricata_so-status.disabled: file.uncomment: - - name: /opt/so/conf/so-status/so-status.conf + - name: /opt/so/conf/so-status/so-status.conf - regex: ^so-suricata$ # Add eve clean cron
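Review bot: In its final form `surirulereload` has `onchanges` on `surirulesync` but no `require` on the `so-suricata` state, so the reload command still runs when the container state fails in the same highstate, and when a threshold change (re-added to the restart watch in the first hunk) restarts the container in the same run as a rule change, the reload fires right after the restart while Suricata may not yet have opened `/var/run/suricata/suricata-command.socket`; the startup timing cannot be confirmed from the diff. Add `- require:` / `  - so-suricata` to the state so it is skipped when the container state fails, and consider a short retry in so-suricata-reload-rules for the socket-not-ready case. The `surirulereload:` and `cmd.run:` lines sit before this hunk, and `surirulesync` is not defined in any hunk of the series, so it is presumably declared elsewhere in enabled.sls.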