From e38a4a21ee59609a69475cba430ea553248b67ac Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 5 Mar 2026 11:52:51 -0500
Subject: [PATCH 1/7] version for delta
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index 4a36342fc..103421a90 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-3.0.0
+3.0.0-delta
From cea55a72c3f03da00b299bccbf128ce4f8fd8122 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Thu, 5 Mar 2026 16:35:15 -0500
Subject: [PATCH 2/7] upgrade salt 3006.23
---
 salt/salt/master.defaults.yaml | 2 +-
 salt/salt/minion.defaults.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml
index a54c33014..319b02155 100644
--- a/salt/salt/master.defaults.yaml
+++ b/salt/salt/master.defaults.yaml
@@ -1,4 +1,4 @@
 # version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
 salt:
 master:
- version: '3006.19'
+ version: '3006.23'
diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml
index 11f3dab41..6f6e87db1 100644
--- a/salt/salt/minion.defaults.yaml
+++ b/salt/salt/minion.defaults.yaml
@@ -1,5 +1,5 @@
 # version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
 salt:
 minion:
- version: '3006.19'
+ version: '3006.23'
 check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default
From d452694c550dbdafb8c949015fb3b95cf8ad4b14 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Tue, 10 Mar 2026 11:30:24 -0400
Subject: [PATCH 3/7] enable/disable suricata pcap
---
 salt/suricata/defaults.yaml | 3 +--
 salt/suricata/map.jinja | 2 +-
 salt/suricata/soc_suricata.yaml | 9 +++------
 3 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml
index cdb243465..811053cd0 100644
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -1,6 +1,7 @@
 suricata:
 enabled: False
 pcap:
+ enabled: "no"
 filesize: 1000mb
 maxsize: 25
 compression: "none"
@@ -141,8 +142,6 @@ suricata:
 enabled: "no"
 tls-store:
 enabled: "no"
- pcap-log:
- enabled: "no"
 alert-debug:
 enabled: "no"
 alert-prelude:
diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja
index f7dec7493..adde8d3ee 100644
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -16,8 +16,8 @@
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': PCAPBPF|join(" ")}) %}
 {% endif %}
-{% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
 {# move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': SURICATAMERGED.pcap.enabled}) %}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-checksum': SURICATAMERGED.pcap['lz4-checksum']}) %}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-level': SURICATAMERGED.pcap['lz4-level']}) %}
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index 03f30be75..76031cfd2 100644
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -22,6 +22,9 @@ suricata:
 title: Classifications
 helpLink: suricata.html
 pcap:
+ enabled:
+ description: Enables or disables the Suricata packet recording process.
+ helpLink: suricata.html
 filesize:
 description: Maximum file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval time.
 advanced: True
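Review bot: The removed line forced `pcap-log.enabled` to `yes`, while the added line copies `SURICATAMERGED.pcap.enabled`, which defaults.yaml in this same commit sets to `"no"`; if SURICATAMERGED is the usual defaults-plus-pillar merge, a sensor whose pillar never sets `suricata.pcap.enabled: "yes"` will stop writing pcap-log after upgrading, and nothing in this hunk re-enables it. Whether a pcapengine check above line 16 still gates this block is not visible here, so the upgrade path (soup writing the pillar value, or the default being `"yes"` for existing sensors) deserves confirmation, since losing full packet capture silently is an evidence-retention problem that no state will report as a failure. A comment on the new line would make the intended default explicit, e.g. `{# pcap-log.enabled now follows suricata.pcap.enabled (default "no" in defaults.yaml); sensors must opt in #}`.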
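Review bot: The new `pcap.enabled` description does not state the accepted values, yet map.jinja in this commit copies the setting verbatim into the `pcap-log` output of suricata.yaml, so an operator entering a YAML boolean or any other spelling gets whatever Suricata makes of it rather than a validation error in SOC. The `pcap-log.enabled` annotation removed in the next hunk of this file said the pcapengine global takes precedence; the new text should say whether that still holds, since a reader of the SOC UI can no longer see that caveat. Suggested wording: `description: Enables or disables the Suricata packet recording process (the pcap-log output in suricata.yaml). Accepts "yes" or "no".`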
@@ -209,12 +212,6 @@ suricata:
 header:
 description: Header name where the actual IP address will be reported.
 helpLink: suricata.html
- pcap-log:
- enabled:
- description: This value is ignored by SO. pcapengine in globals takes precedence.
- readonly: True
- helpLink: suricata.html
- advanced: True
 asn1-max-frames:
 description: Maximum nuber of asn1 frames to decode.
 helpLink: suricata.html
From 88de779ff7ba3c73e41a294ce1d38b62b6bd4186 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Tue, 10 Mar 2026 11:31:56 -0400
Subject: [PATCH 4/7] revert to salt 3006.19
---
 salt/salt/master.defaults.yaml | 2 +-
 salt/salt/minion.defaults.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml
index 319b02155..a54c33014 100644
--- a/salt/salt/master.defaults.yaml
+++ b/salt/salt/master.defaults.yaml
@@ -1,4 +1,4 @@
 # version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
 salt:
 master:
- version: '3006.23'
+ version: '3006.19'
diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml
index 6f6e87db1..11f3dab41 100644
--- a/salt/salt/minion.defaults.yaml
+++ b/salt/salt/minion.defaults.yaml
@@ -1,5 +1,5 @@
 # version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
 salt:
 minion:
- version: '3006.23'
+ version: '3006.19'
 check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default
From 32241faf5525dd8a419e553a15e30c6a4010e6c0 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Tue, 10 Mar 2026 14:02:28 -0400
Subject: [PATCH 5/7] cleanup steno
---
 salt/pcap/cleanup.sls | 59 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 salt/pcap/cleanup.sls
diff --git a/salt/pcap/cleanup.sls b/salt/pcap/cleanup.sls
new file mode 100644
index 000000000..e5ad2b6c5
--- /dev/null
+++ b/salt/pcap/cleanup.sls
@@ -0,0 +1,59 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+{% if GLOBALS.is_sensor %}
+
+delete_so-steno_so-status.conf:
+ file.line:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - mode: delete
+ - match: so-steno
+
+remove_stenographer_user:
+ user.absent:
+ - name: stenographer
+ - force: True
+
+remove_stenographer_log_dir:
+ file.absent:
+ - name: /opt/so/log/stenographer
+
+remove_stenoloss_script:
+ file.absent:
+ - name: /opt/so/conf/telegraf/scripts/stenoloss.sh
+
+remove_steno_conf_dir:
+ file.absent:
+ - name: /opt/so/conf/steno
+
+remove_so_pcap_export:
+ file.absent:
+ - name: /usr/sbin/so-pcap-export
+
+remove_so_pcap_restart:
+ file.absent:
+ - name: /usr/sbin/so-pcap-restart
+
+remove_so_pcap_start:
+ file.absent:
+ - name: /usr/sbin/so-pcap-start
+
+remove_so_pcap_stop:
+ file.absent:
+ - name: /usr/sbin/so-pcap-stop
+
+so-steno:
+ docker_container.absent:
+ - force: True
+
+{% else %}
+
+{{sls}}.non_sensor_node:
+ test.show_notification:
+ - text: "Stenographer cleanup not applicable on non-sensor nodes."
+
+{% endif %}
From 398bd0c1da206036e75ca7dd7a4db370626cea9b Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Tue, 10 Mar 2026 15:00:19 -0400
Subject: [PATCH 6/7] Update VERSION
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index 103421a90..4a36342fc 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-3.0.0-delta
+3.0.0
From 0360d4145c4030f078d2d7796e89f4f5a6458a61 Mon Sep 17 00:00:00 2001
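Review bot: `remove_stenographer_user` deletes the `stenographer` account with `force: True` before the `so-steno` container is removed at the end of the file, and with no requisites Salt applies these states in file order, so on a sensor where the container is still running the account is removed out from under it and the container teardown happens last. Moving the `so-steno` block ahead of `remove_stenographer_user`, or adding `- require:` / `  - docker_container: so-steno` to the user state, makes the teardown order explicit and keeps the forced account removal as a fallback rather than the first step. Separately, `match: so-steno` in `delete_so-steno_so-status.conf` is a regular expression with no anchors, so any line of so-status.conf containing that substring is deleted; if the file holds one container name per line, as the state id suggests, `- match: ^so-steno$` is the safer form.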
From: Josh Patterson
Date: Tue, 10 Mar 2026 15:58:26 -0400
Subject: [PATCH 7/7] sensors run pcap.cleanup state
---
 salt/top.sls | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/salt/top.sls b/salt/top.sls
index ef01d97e2..9334192b9 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -85,6 +85,7 @@ base:
 - elastalert
 - utility
 - elasticfleet
+ - pcap.cleanup
 '*_standalone and G@saltversion:{{saltversion}} and not I@node_data:False':
 - match: compound
@@ -116,6 +117,7 @@ base:
 - elasticfleet
 - stig
 - kafka
+ - pcap.cleanup
 '*_manager or *_managerhype and G@saltversion:{{saltversion}} and not I@node_data:False':
 - match: compound
@@ -197,6 +199,7 @@ base:
 - suricata
 - zeek
 - elasticfleet
+ - pcap.cleanup
 '*_searchnode and G@saltversion:{{saltversion}}':
 - match: compound
@@ -223,6 +226,7 @@ base:
 - strelka
 - elasticfleet.install_agent_grid
 - stig
+ - pcap.cleanup
 '*_heavynode and G@saltversion:{{saltversion}}':
 - match: compound
@@ -240,6 +244,7 @@ base:
 - zeek
 - elasticfleet.install_agent_grid
 - elasticagent
+ - pcap.cleanup
 '*_receiver and G@saltversion:{{saltversion}}':
 - match: compound