From f9edfd6391586fdf285cb290a653be8ff011f3b5 Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Sun, 14 Dec 2025 12:03:44 -0500
Subject: [PATCH 1/9] Add trailing nl if it doesnt already exist
---
 salt/manager/tools/sbin/soup | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 51c77733b..75ad34618 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -1174,11 +1174,12 @@ hash_normalized_file() {
 return 1
 fi

- sed -E \
+ # Ensure trailing newline for consistent hashing regardless of source file
+ { sed -E \
 -e 's/^[[:space:]]+//; s/[[:space:]]+$//' \
 -e '/^$/d' \
 -e 's|--url=http://[^:]+:7788|--url=http://MANAGER:7788|' \
- "$file" | sha256sum | awk '{print $1}'
+ "$file"; echo; } | sed '/^$/d' | sha256sum | awk '{print $1}'
 }

 # Known-default hashes for so-rule-update (ETOPEN ruleset)
From b2a469e08cb1aef136c0db4abd9f2d0d4e5d585a Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 15 Dec 2025 11:56:23 -0500
Subject: [PATCH 2/9] Update so-minion
---
 salt/manager/tools/sbin/so-minion | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion
index f098bd116..abb8f96ec 100755
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -133,7 +133,7 @@ function getinstallinfo() {
 return 1
 fi

- source <(echo $INSTALLVARS)
+ export $(echo "$INSTALLVARS" | xargs)
 if [ $? -ne 0 ]; then
 log "ERROR" "Failed to source install variables"
 return 1
From 5588a56b243d0fbc3a7d6a03e141e3c1a7538733 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 16 Dec 2025 09:07:29 -0500
Subject: [PATCH 3/9] 2.4.200
---
 DOWNLOAD_AND_VERIFY_ISO.md | 22 ++++++++++----------
 sigs/securityonion-2.4.200-20251216.iso.sig | Bin 0 -> 566 bytes
 2 files changed, 11 insertions(+), 11 deletions(-)
 create mode 100644 sigs/securityonion-2.4.200-20251216.iso.sig
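Review bot: The `-e '/^$/d'` in the first sed is now redundant, because the `sed '/^$/d'` after the group removes every blank line anyway, including the one `echo` adds when `$file` already ends in a newline; either drop it or make the comment say why there are two, e.g. `# Append a newline so a file missing one hashes like one that has it; the sed after the group drops the blank line this adds when the file already ended in a newline`. The function's exit status is still that of the final `awk`, so if the inner sed cannot read `$file` the function returns 0 with the digest of empty input instead of an error, and the caller comparing against the known-default table below cannot tell the difference; `set -o pipefail` or a `PIPESTATUS` check would surface that, though the hunk does not show which shell options the script sets. hash_normalized_file begins before the hunk.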
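Review bot: `export $(echo "$INSTALLVARS" | xargs)` leaves the command substitution unquoted, so each value is word-split and pathname-expanded before `export` sees it, and `xargs` additionally strips any quoting inside the values; a value containing a space or `*` is exported truncated or with glob matches substituted in. Dropping `source` is the right move, since it stops the contents of INSTALLVARS from being run as shell code, but the `$?` check on the next line now only reflects `export` itself (which fails only on an invalid identifier), never `echo` or `xargs`. A loop that validates each entry before exporting it keeps both properties: `while IFS= read -r kv; do [[ $kv =~ ^[A-Za-z_][A-Za-z0-9_]*= ]] || return 1; export "$kv"; done <<< "$INSTALLVARS"`, assuming INSTALLVARS holds one assignment per line, which the hunk does not show; if it is space-separated, `read -r -a` into an array and the same per-entry check gives the same effect. getinstallinfo starts and ends outside the hunk.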
diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index f354ed191..a8d270efc 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md @@ -1,17 +1,17 @@ -### 2.4.190-20251024 ISO image released on 2025/10/24 +### 2.4.200-20251216 ISO image released on 2025/12/16 ### Download and Verify -2.4.190-20251024 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.190-20251024.iso +2.4.200-20251216 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.200-20251216.iso -MD5: 25358481FB876226499C011FC0710358 -SHA1: 0B26173C0CE136F2CA40A15046D1DFB78BCA1165 -SHA256: 4FD9F62EDA672408828B3C0C446FE5EA9FF3C4EE8488A7AB1101544A3C487872 +MD5: 07B38499952D1F2FD7B5AF10096D0043 +SHA1: 7F3A26839CA3CAEC2D90BB73D229D55E04C7D370 +SHA256: 8D3AC735873A2EA8527E16A6A08C34BD5018CBC0925AC4096E15A0C99F591D5F Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.190-20251024.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.200-20251216.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS 
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.190-20251024.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.200-20251216.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.190-20251024.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.200-20251216.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.190-20251024.iso.sig securityonion-2.4.190-20251024.iso +gpg --verify securityonion-2.4.200-20251216.iso.sig securityonion-2.4.200-20251216.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Thu 23 Oct 2025 07:21:46 AM EDT using RSA key ID FE507013 +gpg: Signature made Mon 15 Dec 2025 05:24:11 PM EST using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
diff --git a/sigs/securityonion-2.4.200-20251216.iso.sig b/sigs/securityonion-2.4.200-20251216.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..cc7286fae9c0a0b0dcb15c24376ce21f2efdb9f1 GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j-41gSkXz6^6dp_W8^5Ma0dP;e6k0%<^sivS7<5PT3| zxBgIY6C&vk|5UcdXL3E3Ey{Yrta6j%jMLnTaLd4I9~p*@3n!hdY9hP50vtvYvOjA|olIk<|E!&(gk|V)ot{UDQ*P z0n1N(5DXZk1pxoVDaCgr8AW>8(VfY?TJRrw)D)F<92!pd+?J>YuBeN%BO_>~cHF!X zuwwD2oHXU_HgHQ`5nrbV>8(VkoFlHO!ASv}))oQG zrLZo`(^%j<+!K+OFsi@^Qd_B4NEqQ@t-i^^x6y^x7y11^f*Py_7OSQtY@N%*pk*ZYi>(x+fE`*BHf&*qa*z5in4o1kyjbM4|zr4F@I(62hHEp$BV&B2J0-CHz*Se4^L zMX(i5HwQLek_-b$fh9jRa()jT;DNfy>cfPI<{Ug0%!@qMDqk+no6zwGc!d}fAulh~ z+2_HAk1+{~)AH@&zIKzXwmIu49aFg2I)q_Q999om0$iyCQ`>7bY}M`Dj9Qw>>Gw5C EM4(y?bN~PV literal 0 HcmV?d00001 From 8509d1e454fc4bee216c3d5befe01e6b8841f3bf Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 16 Dec 2025 11:23:12 -0500 Subject: [PATCH 4/9] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 86df31761..b880b422c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.200 +2.4.210 From 032e0abd615557a77877e01fd82b5858ac9729a6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 16 Dec 2025 11:23:53 -0500 Subject: [PATCH 5/9] Update 2-4.yml --- .github/DISCUSSION_TEMPLATE/2-4.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/DISCUSSION_TEMPLATE/2-4.yml b/.github/DISCUSSION_TEMPLATE/2-4.yml index 229e9f612..563b71c90 100644 --- a/.github/DISCUSSION_TEMPLATE/2-4.yml +++ b/.github/DISCUSSION_TEMPLATE/2-4.yml @@ -33,6 +33,7 @@ body: - 2.4.180 - 2.4.190 - 2.4.200 + - 2.4.210 - Other (please provide detail below) validations: required: true From dd8027480b873dd4ad66fb79f832b61bc9a110ed Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Tue, 16 Dec 2025 12:02:01 -0700 Subject: [PATCH 6/9] Un-Advanced Assistant ApiUrl --- salt/soc/soc_soc.yaml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 11442afba..a9b09b813 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -652,7 +652,6 @@ soc: assistant: apiUrl: description: The URL of the AI gateway. - advanced: True global: True healthTimeoutSeconds: description: Timeout in seconds for the Onion AI health check. From b05de22f5840381635ca22a8c027bd4968079a1e Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 24 Dec 2025 14:39:55 -0500 Subject: [PATCH 7/9] expose login form lifespan in config scr --- salt/kratos/defaults.yaml | 1 + salt/kratos/soc_kratos.yaml | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/salt/kratos/defaults.yaml b/salt/kratos/defaults.yaml index 598a94fa1..b70141b6f 100644 --- a/salt/kratos/defaults.yaml +++ b/salt/kratos/defaults.yaml @@ -46,6 +46,7 @@ kratos: ui_url: https://URL_BASE/ login: ui_url: https://URL_BASE/login/ + lifespan: 60m error: ui_url: https://URL_BASE/login/ registration: diff --git a/salt/kratos/soc_kratos.yaml b/salt/kratos/soc_kratos.yaml index bc95d9b03..1b8c016c1 100644 --- a/salt/kratos/soc_kratos.yaml +++ b/salt/kratos/soc_kratos.yaml @@ -182,6 +182,10 @@ kratos: global: True advanced: True helpLink: kratos.html + lifespan: + description: Defines the duration that a login form will remain valid. + global: True + helpLink: kratos.html error: ui_url: description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation. From a53619f10f88dcb177dede28e1ace1f5891fb23d Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 5 Jan 2026 12:22:01 -0600 Subject: [PATCH 8/9] update kratos index template --- salt/elasticsearch/defaults.yaml | 42 -------------------------------- salt/manager/tools/sbin/soup | 16 ++++++++++++ 2 files changed, 16 insertions(+), 42 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index c9f77aa7d..38559e68c 100644 
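Review bot: The new `lifespan` description does not say what format the value takes or what the default is, while `salt/kratos/defaults.yaml` in the same commit sets it to `60m`; an operator entering `60` or `1 hour` is likely to get a value Kratos rejects at startup rather than a hint in the UI. Suggest `description: How long a login form stays valid before the user must start a new login flow, as a duration string such as 60m (the default). Longer values keep abandoned login flows usable for longer.` If the config schema supports an input validation pattern for entries like this, constraining the value to a duration here would catch typos before Kratos does; the hunk does not show whether one exists. The sibling `ui_url` entry just above carries `advanced: True` and `lifespan` does not, which reads as intentional but is worth confirming in the commit message.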
--- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -857,53 +857,11 @@ elasticsearch: composed_of: - agent-mappings - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - container-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - - log-mappings - metadata-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - common-settings - common-dynamic-mappings data_stream: diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 06fdbd70f..c8627ab46 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -427,6 +427,7 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" == 2.4.170 ]] && up_to_2.4.180 [[ "$INSTALLEDVERSION" == 2.4.180 ]] && up_to_2.4.190 [[ "$INSTALLEDVERSION" == 2.4.190 ]] && up_to_2.4.200 + [[ "$INSTALLEDVERSION" == 2.4.200 ]] && up_to_2.4.210 true } @@ -459,6 +460,7 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.4.170 ]] && post_to_2.4.180 [[ "$POSTVERSION" == 2.4.180 ]] && post_to_2.4.190 [[ "$POSTVERSION" == 2.4.190 ]] && post_to_2.4.200 + [[ "$POSTVERSION" == 2.4.200 ]] && post_to_2.4.210 true } 
@@ -645,6 +647,14 @@ post_to_2.4.200() {
 POSTVERSION=2.4.200
 }

+post_to_2.4.210() {
+ echo "Rolling over Kratos index to apply new index template"
+
+ rollover_index "logs-kratos-so"
+
+ POSTVERSION=2.4.210
+}
+
 repo_sync() {
 echo "Sync the local repo."
 su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -921,6 +931,12 @@ up_to_2.4.200() {
 INSTALLEDVERSION=2.4.200
 }

+up_to_2.4.210() {
+ echo "Nothing to do for 2.4.210"
+
+ INSTALLEDVERSION=2.4.210
+}
+
 add_hydra_pillars() {
 mkdir -p /opt/so/saltstack/local/pillar/hydra
 touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls
From f2b7ffe0ebdeba70654bcf133e3bee8a3776368f Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Mon, 5 Jan 2026 14:48:10 -0600
Subject: [PATCH 9/9] align with ECS fieldnames
---
 salt/elasticsearch/files/ingest/kratos | 95 ++++++++++++++++++++++++--
 salt/soc/defaults.yaml | 14 ++--
 2 files changed, 95 insertions(+), 14 deletions(-)

diff --git a/salt/elasticsearch/files/ingest/kratos b/salt/elasticsearch/files/ingest/kratos
index 9551dad24..d59f45587 100644
--- a/salt/elasticsearch/files/ingest/kratos
+++ b/salt/elasticsearch/files/ingest/kratos
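Review bot: `rollover_index "logs-kratos-so"` in post_to_2.4.210 has no status check, so a failed rollover still lets `POSTVERSION=2.4.210` be recorded and the new index template is not applied until the data stream next rolls over on its own; the surrounding file uses `|| fail "..."` for exactly this (see `repo_sync` in the same hunk). Suggest `rollover_index "logs-kratos-so" || fail "Unable to roll over logs-kratos-so to apply the new index template."`, unless rollover_index already exits on failure, which the hunk does not show. The template this applies (the trimmed `composed_of` list in the earlier `salt/elasticsearch/defaults.yaml` hunk) drops `event-mappings` and `user-mappings` while the kratos pipeline and the SOC dashboards in the last patch still write and group by `event.dataset`, `event.action` and `user.name`; those fields now depend on `common-dynamic-mappings`, so confirm they still land as keyword before the aggregations run against them.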
@@ -1,9 +1,90 @@ { - "description" : "kratos", - "processors" : [ - {"set":{"field":"audience","value":"access","override":false,"ignore_failure":true}}, - {"set":{"field":"event.dataset","ignore_empty_value":true,"ignore_failure":true,"value":"kratos.{{{audience}}}","media_type":"text/plain"}}, - {"set":{"field":"event.action","ignore_failure":true,"copy_from":"msg" }}, - { "pipeline": { "name": "common" } } - ] + "description": "kratos", + "processors": [ + { + "set": { + "field": "audience", + "value": "access", + "override": false, + "ignore_failure": true + } + }, + { + "set": { + "field": "event.dataset", + "ignore_empty_value": true, + "ignore_failure": true, + "value": "kratos.{{{audience}}}", + "media_type": "text/plain" + } + }, + { + "set": { + "field": "event.action", + "ignore_failure": true, + "copy_from": "msg" + } + }, + { + "rename": { + "field": "http_request", + "target_field": "http.request", + "ignore_failure": true, + "ignore_missing": true + } + }, + { + "rename": { + "field": "http_response", + "target_field": "http.response", + "ignore_failure": true, + "ignore_missing": true + } + }, + { + "rename": { + "field": "http.request.path", + "target_field": "http.uri", + "ignore_failure": true, + "ignore_missing": true + } + }, + { + "rename": { + "field": "http.request.method", + "target_field": "http.method", + "ignore_failure": true, + "ignore_missing": true + } + }, + { + "rename": { + "field": "http.request.method", + "target_field": "http.method", + "ignore_failure": true, + "ignore_missing": true + } + }, + { + "rename": { + "field": "http.request.query", + "target_field": "http.query", + "ignore_failure": true, + "ignore_missing": true + } + }, + { + "rename": { + "field": "http.request.headers.user-agent", + "target_field": "http.useragent", + "ignore_failure": true, + "ignore_missing": true + } + }, + { + "pipeline": { + "name": "common" + } + } + ] } \ No newline at end of file 
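Review bot: The `rename` processor for `http.request.method` to `http.method` appears twice in the new processor list; the second copy is a no-op only because of `ignore_missing: true` and should be removed so the pipeline reads as intended. Given the commit title, note that ECS itself keeps the method at `http.request.method` and the path under `url.path`, so `http.method`, `http.uri`, `http.query` and `http.useragent` follow Security Onion's existing http.* convention rather than ECS; if that is the intent, the `description` string is the only place this file can say so, e.g. `"description": "kratos (http_* fields renamed to the SO http.* convention)"`. The order does matter here: the `http_request` to `http.request` rename has to stay ahead of the `http.request.*` renames, as it currently does, because the later processors address the already-renamed parent.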
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 28db2ef5f..6f9fc0226 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -115,16 +115,16 @@ soc: ':kratos:': - soc_timestamp - event.dataset - - http_request.headers.x-real-ip + - http.request.headers.x-real-ip - user.name - - http_request.headers.user-agent + - http.useragent - msg ':hydra:': - soc_timestamp - event.dataset - - http_request.headers.x-real-ip + - http.request.headers.x-real-ip - user.name - - http_request.headers.user-agent + - http.useragent - msg '::conn': - soc_timestamp @@ -1747,7 +1747,7 @@ soc: showSubtitle: true - name: SOC - Auth description: Users authenticated to SOC grouped by IP address and identity - query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip user.name' + query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http.request.headers.x-real-ip user.name' showSubtitle: true - name: SOC - App description: Logs generated by the Security Onion Console (SOC) server and modules 
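Review bot: The `':hydra:'` column list is switched to `http.request.headers.x-real-ip` and `http.useragent` in the same way as `':kratos:'`, but this patch only changes `salt/elasticsearch/files/ingest/kratos` (see its diffstat), so hydra events that still arrive with `http_request.*` fields would show empty columns after the upgrade. Either leave the hydra entries on the old names until a matching hydra pipeline change lands, or include that pipeline here; if hydra logs already pass through the kratos pipeline, that is not visible in the hunk and a line in the commit message would help. The `http.request.headers.x-real-ip` column also relies on the `http_request` to `http.request` rename keeping the `headers` subobject intact, which the pipeline hunk does.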
@@ -2027,10 +2027,10 @@ soc: query: '* | groupby event.category | groupby -sankey event.category event.module | groupby event.module | groupby -sankey event.module event.dataset | groupby event.dataset | groupby observer.name | groupby host.name | groupby source.ip | groupby destination.ip | groupby destination.port' - name: SOC Logins description: SOC (Security Onion Console) logins - query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip | groupby -sankey http_request.headers.x-real-ip user.name | groupby user.name | groupby http_request.headers.user-agent' + query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http.request.headers.x-real-ip | groupby -sankey http.request.headers.x-real-ip user.name | groupby user.name | groupby http.useragent' - name: SOC Login Failures description: SOC (Security Onion Console) login failures - query: 'event.dataset:kratos.audit AND msg:*Encountered*self-service*login*error* | groupby user.name | groupby http_request.headers.x-real-ip | groupby -sankey http_request.headers.x-real-ip http_request.headers.user-agent | groupby http_request.headers.user-agent' + query: 'event.dataset:kratos.audit AND msg:*Encountered*self-service*login*error* | groupby user.name | groupby http.request.headers.x-real-ip | groupby -sankey http.request.headers.x-real-ip http.useragent | groupby http.useragent' - name: Alerts description: Overview of all alerts query: 'tags:alert | groupby event.module* | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby rule.name | groupby event.severity | groupby destination.as.organization.name'