From 1888f9e757b8b4f73f18bc3462ac870a3c0c9025 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 23 Feb 2026 10:07:16 -0500
Subject: [PATCH 1/6] Soup to 3
---
salt/manager/tools/sbin/soupto3 | 126 ++++++++++++++++++++++++++++++++
1 file changed, 126 insertions(+)
create mode 100755 salt/manager/tools/sbin/soupto3
diff --git a/salt/manager/tools/sbin/soupto3 b/salt/manager/tools/sbin/soupto3
new file mode 100755
index 000000000..984f204ad
--- /dev/null
+++ b/salt/manager/tools/sbin/soupto3
@@ -0,0 +1,126 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+. /usr/sbin/so-common
+
+UPDATE_URL=https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/refs/heads/3/main/VERSION
+
+echo ""
+echo "Checking PCAP settings."
+echo ""
+
+# Check pcapengine setting - must be SURICATA before upgrading to version 3
+PCAP_ENGINE=$(lookup_pillar "pcapengine")
+
+case "$PCAP_ENGINE" in
+ SURICATA)
+ echo "PCAP engine settings OK."
+ ;;
+ TRANSITION)
+ echo ""
+ echo "========================================================================="
+ echo " PCAP Engine Check Failed"
+ echo "========================================================================="
+ echo ""
+ echo " Your pcapengine is currently set to TRANSITION."
+ echo ""
+ echo " Before upgrading to Security Onion 3, you must:"
+ echo " 1. Ensure your old PCAP data has finished rolling off from Stenographer"
+ echo " 2. Change pcapengine to SURICATA in:"
+ echo " /opt/so/saltstack/local/pillar/global/soc_global.sls"
+ echo ""
+ echo " Once pcapengine is set to SURICATA, run this script again."
+ echo ""
+ exit 1
+ ;;
+ STENO)
+ echo ""
+ echo "========================================================================="
+ echo " PCAP Engine Check Failed"
+ echo "========================================================================="
+ echo ""
+ echo " Your pcapengine is currently set to STENO."
+ echo ""
+ echo " Before upgrading to Security Onion 3, you must:"
+ echo ""
+ echo " Preserve existing PCAP during transition"
+ echo " 1. Change pcapengine to TRANSITION in:"
+ echo " /opt/so/saltstack/local/pillar/global/soc_global.sls"
+ echo " 2. 
Wait for old PCAP to roll off from Stenographer to Suricata"
+ echo " 3. Change pcapengine to SURICATA"
+ echo " 4. Run this script again"
+ echo ""
+ exit 1
+ ;;
+ *)
+ echo ""
+ echo "========================================================================="
+ echo " PCAP Engine Check Failed"
+ echo "========================================================================="
+ echo ""
+ echo " Unable to determine pcapengine setting (got: '$PCAP_ENGINE')."
+ echo " Please ensure pcapengine is set to SURICATA in:"
+ echo " /opt/so/saltstack/local/pillar/global/soc_global.sls"
+ echo ""
+ exit 1
+ ;;
+esac
+
+echo ""
+echo "Checking Versions."
+echo ""
+
+# Check if Security Onion 3 has been released
+VERSION=$(curl -sSf "$UPDATE_URL" 2>/dev/null)
+
+if [[ -z "$VERSION" ]]; then
+ echo ""
+ echo "========================================================================="
+ echo " Unable to Check Version"
+ echo "========================================================================="
+ echo ""
+ echo " Could not retrieve version information from:"
+ echo " $UPDATE_URL"
+ echo ""
+ echo " Please check your network connection and try again."
+ echo ""
+ exit 1
+fi
+
+if [[ "$VERSION" == "UNRELEASED" ]]; then
+ echo ""
+ echo "========================================================================="
+ echo " Security Onion 3 Not Available"
+ echo "========================================================================="
+ echo ""
+ echo " Security Onion 3 has not been released yet."
+ echo ""
+ echo " Please check back later or visit https://securityonion.net for updates."
+ echo ""
+ exit 1
+fi
+
+# Validate version format (e.g., 3.0.2)
+if [[ ! 
"$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ echo ""
+ echo "========================================================================="
+ echo " Invalid Version"
+ echo "========================================================================="
+ echo ""
+ echo " Received unexpected version format: '$VERSION'"
+ echo ""
+ echo " Please check back later or visit https://securityonion.net for updates."
+ echo ""
+ exit 1
+fi
+
+echo "Security Onion 3 ($VERSION) is available. Upgrading..."
+echo ""
+
+# All checks passed - proceed with upgrade
+BRANCH=3/main soup
From bbc76687863e3af50b74f900f45c89ec08be80a1 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 23 Feb 2026 10:49:54 -0500
Subject: [PATCH 2/6] Add version check, PCAP cleanup prompts, and SOC config references to soupto3 - Skip upgrade if already running Security Onion 3.x.x - Add interactive prompts to delete Stenographer PCAP data (with double confirmation) and change pcapengine to SURICATA - Direct users to SOC Configuration UI instead of editing pillar files directly - Consolidate TRANSITION and STENO cases to reduce repeated code
---
salt/manager/tools/sbin/soupto3 | 90 +++++++++++++++++++++++---------
1 file changed, 63 insertions(+), 27 deletions(-)
diff --git a/salt/manager/tools/sbin/soupto3 b/salt/manager/tools/sbin/soupto3
index 984f204ad..58e165d92 100755
--- a/salt/manager/tools/sbin/soupto3
+++ b/salt/manager/tools/sbin/soupto3
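Review bot: The release check `VERSION=$(curl -sSf "$UPDATE_URL" 2>/dev/null)` has no time limit and throws away curl's own error text, so a stalled connection hangs the script and a TLS, proxy or HTTP failure is reported only as the generic "check your network connection" message. I would bound the request and let `-S` print the reason: `VERSION=$(curl -sSf --connect-timeout 10 --max-time 30 "$UPDATE_URL")`. The strict `^[0-9]+\.[0-9]+\.[0-9]+$` test before the fetched value is echoed is a good guard. As far as this file shows, VERSION is only a release gate and is not handed to `soup`; a one-line comment such as `# VERSION is remote input: validated above, used for display only` would record that trust boundary.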
@@ -10,6 +10,20 @@ UPDATE_URL=https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/refs/heads/3/main/VERSION +# Check if already running version 3 +CURRENT_VERSION=$(cat /etc/soversion 2>/dev/null) +if [[ "$CURRENT_VERSION" =~ ^3\. ]]; then + echo "" + echo "=========================================================================" + echo " Already Running Security Onion 3" + echo "=========================================================================" + echo "" + echo " This system is already running Security Onion $CURRENT_VERSION." + echo " Use 'soup' to update within the 3.x release line." + echo "" + exit 0 +fi + echo "" echo "Checking PCAP settings." echo "" 
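Review bot: `CURRENT_VERSION=$(cat /etc/soversion 2>/dev/null)` treats a missing or unreadable version file the same as a 2.x install, so the script continues to the PCAP prompts on a host whose version it could not determine. Failing closed is the safer default for a script that goes on to offer a fleet-wide delete and start an upgrade: `[[ -n "$CURRENT_VERSION" ]] || { echo "Unable to read /etc/soversion." >&2; exit 1; }` placed before the `^3\.` test.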
@@ -17,43 +31,64 @@ echo "" # Check pcapengine setting - must be SURICATA before upgrading to version 3 PCAP_ENGINE=$(lookup_pillar "pcapengine") +prompt_delete_pcap() { + read -rp " Would you like to delete all remaining Stenographer PCAP data? (y/N): " DELETE_PCAP + if [[ "$DELETE_PCAP" =~ ^[Yy]$ ]]; then + echo "" + echo " WARNING: This will permanently delete all Stenographer PCAP data" + echo " on all nodes. This action cannot be undone." + echo "" + read -rp " Are you sure? (y/N): " CONFIRM_DELETE + if [[ "$CONFIRM_DELETE" =~ ^[Yy]$ ]]; then + echo "" + echo " Deleting Stenographer PCAP data on all nodes..." + salt '*' cmd.run "rm -rf /nsm/pcap/* && rm -rf /nsm/pcapindex/*" + echo " Done." + else + echo "" + echo " Delete cancelled." + fi + fi +} + +prompt_change_engine() { + local current_engine=$1 + echo "" + read -rp " Would you like to change pcapengine to SURICATA now? (y/N): " CHANGE_ENGINE + if [[ "$CHANGE_ENGINE" =~ ^[Yy]$ ]]; then + echo "" + echo " Updating pcapengine to SURICATA..." + sed -i "s/pcapengine: $current_engine/pcapengine: SURICATA/" /opt/so/saltstack/local/pillar/global/soc_soc.sls + echo " Done. Please run this script again to continue the upgrade." + else + echo "" + echo " You can change pcapengine to SURICATA by navigating in SOC to:" + echo " Configuration -> global -> pcapengine" + fi +} + case "$PCAP_ENGINE" in SURICATA) echo "PCAP engine settings OK." ;; - TRANSITION) + TRANSITION|STENO) echo "" echo "=========================================================================" echo " PCAP Engine Check Failed" echo "=========================================================================" echo "" - echo " Your pcapengine is currently set to TRANSITION." + echo " Your pcapengine is currently set to $PCAP_ENGINE." echo "" - echo " Before upgrading to Security Onion 3, you must:" - echo " 1. Ensure your old PCAP data has finished rolling off from Stenographer" - echo " 2. 
Change pcapengine to SURICATA in:" - echo " /opt/so/saltstack/local/pillar/global/soc_global.sls" + echo " Before upgrading to Security Onion 3, Stenographer PCAP data must be" + echo " removed and pcapengine must be set to SURICATA." echo "" - echo " Once pcapengine is set to SURICATA, run this script again." + echo " To check remaining Stenographer PCAP usage, run:" + echo " salt '*' cmd.run 'du -sh /nsm/pcap'" echo "" - exit 1 - ;; - STENO) - echo "" - echo "=========================================================================" - echo " PCAP Engine Check Failed" - echo "=========================================================================" - echo "" - echo " Your pcapengine is currently set to STENO." - echo "" - echo " Before upgrading to Security Onion 3, you must:" - echo "" - echo " Preserve existing PCAP during transition" - echo " 1. Change pcapengine to TRANSITION in:" - echo " /opt/so/saltstack/local/pillar/global/soc_global.sls" - echo " 2. Wait for old PCAP to roll off from Stenographer to Suricata" - echo " 3. Change pcapengine to SURICATA" - echo " 4. Run this script again" + + prompt_delete_pcap + prompt_change_engine "$PCAP_ENGINE" + echo "" exit 1 ;; @@ -64,8 +99,9 @@ case "$PCAP_ENGINE" in echo "=========================================================================" echo "" echo " Unable to determine pcapengine setting (got: '$PCAP_ENGINE')." - echo " Please ensure pcapengine is set to SURICATA in:" - echo " /opt/so/saltstack/local/pillar/global/soc_global.sls" + echo " Please ensure pcapengine is set to SURICATA." + echo " In SOC, navigate to Configuration -> global -> pcapengine" + echo " and change the value to SURICATA." echo "" exit 1 ;; From f17e2961edf6b0ab698b1f6634dac686bb991c16 Mon Sep 17 00:00:00 2001 
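Review bot: In `prompt_delete_pcap` the exit status of `salt '*' cmd.run "rm -rf /nsm/pcap/* && rm -rf /nsm/pcapindex/*"` is never looked at, so " Done." is printed even if a minion is unreachable or the remote command fails. Depending on the Salt version the CLI may not reflect a remote failure in its own exit code unless asked to, so I would write `if ! salt --retcode-passthrough '*' cmd.run "rm -rf /nsm/pcap/* && rm -rf /nsm/pcapindex/*"; then echo " Delete failed on one or more nodes." >&2; return 1; fi`. The same unchecked call is what PATCH 3/6 later follows with `PCAP_DELETED=true`, which then suppresses the orphaned-PCAP warning on the strength of a delete that may not have happened. The `'*'` target also runs the `rm -rf` on every minion rather than only on nodes that hold Stenographer data, and, inferring from the engine still being STENO or TRANSITION at this point, Stenographer may still be writing to `/nsm/pcap` while it is emptied; a comment above the call stating both assumptions would help the next maintainer.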
From: Mike Reeves Date: Mon, 23 Feb 2026 11:05:30 -0500 Subject: [PATCH 3/6] Add PCAP orphan warning and require SURICATA before upgrade - Warn users that undeleted Stenographer PCAP data will be inaccessible and never automatically cleaned up if they switch to SURICATA without deleting it first - Require pcapengine to be set to SURICATA before allowing upgrade, with clear messaging when the user declines to change it --- salt/manager/tools/sbin/soupto3 | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/salt/manager/tools/sbin/soupto3 b/salt/manager/tools/sbin/soupto3 index 58e165d92..ba6c537d0 100755 --- a/salt/manager/tools/sbin/soupto3 +++ b/salt/manager/tools/sbin/soupto3 @@ -31,6 +31,8 @@ echo "" # Check pcapengine setting - must be SURICATA before upgrading to version 3 PCAP_ENGINE=$(lookup_pillar "pcapengine") +PCAP_DELETED=false + prompt_delete_pcap() { read -rp " Would you like to delete all remaining Stenographer PCAP data? (y/N): " DELETE_PCAP if [[ "$DELETE_PCAP" =~ ^[Yy]$ ]]; then @@ -44,6 +46,7 @@ prompt_delete_pcap() { echo " Deleting Stenographer PCAP data on all nodes..." salt '*' cmd.run "rm -rf /nsm/pcap/* && rm -rf /nsm/pcapindex/*" echo " Done." + PCAP_DELETED=true else echo "" echo " Delete cancelled." 
@@ -51,19 +54,36 @@ prompt_delete_pcap() { fi } +pcapengine_not_changed() { + echo "" + echo " pcapengine must be set to SURICATA before upgrading to Security Onion 3." + echo " You can change this in SOC by navigating to:" + echo " Configuration -> global -> pcapengine" +} + prompt_change_engine() { local current_engine=$1 echo "" read -rp " Would you like to change pcapengine to SURICATA now? (y/N): " CHANGE_ENGINE if [[ "$CHANGE_ENGINE" =~ ^[Yy]$ ]]; then + if [[ "$PCAP_DELETED" != "true" ]]; then + echo "" + echo " WARNING: Stenographer PCAP data was not deleted. If you proceed," + echo " this data will no longer be accessible through SOC and will never" + echo " be automatically deleted. You will need to manually remove it later." + echo "" + read -rp " Continue with changing pcapengine to SURICATA? (y/N): " CONFIRM_CHANGE + if [[ ! "$CONFIRM_CHANGE" =~ ^[Yy]$ ]]; then + pcapengine_not_changed + return + fi + fi echo "" echo " Updating pcapengine to SURICATA..." sed -i "s/pcapengine: $current_engine/pcapengine: SURICATA/" /opt/so/saltstack/local/pillar/global/soc_soc.sls echo " Done. Please run this script again to continue the upgrade." else - echo "" - echo " You can change pcapengine to SURICATA by navigating in SOC to:" - echo " Configuration -> global -> pcapengine" + pcapengine_not_changed fi } From ca040044bb94ecba1f02d97786b2cc383cacab4f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 23 Feb 2026 11:16:30 -0500 Subject: [PATCH 4/6] Use so-yaml to update pcapengine pillar and fix file path Replace fragile sed with so-yaml.py replace for proper YAML handling. Also correct the pillar file path from soc_soc.sls to soc_global.sls. --- salt/manager/tools/sbin/soupto3 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soupto3 b/salt/manager/tools/sbin/soupto3 index ba6c537d0..0a9661fb4 100755 --- a/salt/manager/tools/sbin/soupto3 +++ b/salt/manager/tools/sbin/soupto3 
@@ -80,7 +80,7 @@ prompt_change_engine() { fi echo "" echo " Updating pcapengine to SURICATA..." - sed -i "s/pcapengine: $current_engine/pcapengine: SURICATA/" /opt/so/saltstack/local/pillar/global/soc_soc.sls + so-yaml.py replace /opt/so/saltstack/local/pillar/global/soc_global.sls global.pcapengine SURICATA echo " Done. Please run this script again to continue the upgrade." else pcapengine_not_changed From 7170289a5e3c12171ada9288fe59d74f0d5724ec Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 23 Feb 2026 11:35:32 -0500 Subject: [PATCH 5/6] Continue upgrade after pcapengine is changed to SURICATA Instead of exiting and requiring the user to rerun the script after changing pcapengine to SURICATA, let the script continue to the version check and upgrade. --- salt/manager/tools/sbin/soupto3 | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/salt/manager/tools/sbin/soupto3 b/salt/manager/tools/sbin/soupto3 index 0a9661fb4..62ec83ec3 100755 --- a/salt/manager/tools/sbin/soupto3 +++ b/salt/manager/tools/sbin/soupto3 @@ -75,15 +75,17 @@ prompt_change_engine() { read -rp " Continue with changing pcapengine to SURICATA? (y/N): " CONFIRM_CHANGE if [[ ! "$CONFIRM_CHANGE" =~ ^[Yy]$ ]]; then pcapengine_not_changed - return + return 1 fi fi echo "" echo " Updating pcapengine to SURICATA..." so-yaml.py replace /opt/so/saltstack/local/pillar/global/soc_global.sls global.pcapengine SURICATA - echo " Done. Please run this script again to continue the upgrade." + echo " Done." + return 0 else pcapengine_not_changed + return 1 fi } @@ -107,10 +109,10 @@ case "$PCAP_ENGINE" in echo "" prompt_delete_pcap - prompt_change_engine "$PCAP_ENGINE" - - echo "" - exit 1 + if ! prompt_change_engine "$PCAP_ENGINE"; then + echo "" + exit 1 + fi ;; *) echo "" From be35b59b8c75f977b8b836d08d84d2c44ce4ff69 Mon Sep 17 00:00:00 2001 
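Review bot: The `so-yaml.py replace` call that replaces the `sed` is not checked, so " Done." is printed whether or not the pillar file was actually updated. PATCH 5/6 on this same line of the series makes that matter more, because `prompt_change_engine` now returns 0 right after the call and the script carries on to the version check and `soup` instead of exiting and re-reading the pillar on the next run. I would gate the success path on the command, `so-yaml.py replace /opt/so/saltstack/local/pillar/global/soc_global.sls global.pcapengine SURICATA || { echo " Failed to update pcapengine." >&2; return 1; }`, and re-run `lookup_pillar "pcapengine"` before continuing so the upgrade proceeds only when the value really reads SURICATA. The `current_engine` local is no longer used once the `sed` is gone and can be dropped together with the argument at the call site.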
From: Mike Reeves Date: Tue, 24 Feb 2026 10:04:26 -0500 Subject: [PATCH 6/6] Update echo messages for PCAP engine clarity --- salt/manager/tools/sbin/soupto3 | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/salt/manager/tools/sbin/soupto3 b/salt/manager/tools/sbin/soupto3 index 62ec83ec3..d830eb07c 100755 --- a/salt/manager/tools/sbin/soupto3 +++ b/salt/manager/tools/sbin/soupto3 @@ -56,7 +56,7 @@ prompt_delete_pcap() { pcapengine_not_changed() { echo "" - echo " pcapengine must be set to SURICATA before upgrading to Security Onion 3." + echo " PCAP engine must be set to SURICATA before upgrading to Security Onion 3." echo " You can change this in SOC by navigating to:" echo " Configuration -> global -> pcapengine" } @@ -64,7 +64,7 @@ pcapengine_not_changed() { prompt_change_engine() { local current_engine=$1 echo "" - read -rp " Would you like to change pcapengine to SURICATA now? (y/N): " CHANGE_ENGINE + read -rp " Would you like to change the PCAP engine to SURICATA now? (y/N): " CHANGE_ENGINE if [[ "$CHANGE_ENGINE" =~ ^[Yy]$ ]]; then if [[ "$PCAP_DELETED" != "true" ]]; then echo "" @@ -79,7 +79,7 @@ prompt_change_engine() { fi fi echo "" - echo " Updating pcapengine to SURICATA..." + echo " Updating PCAP engine to SURICATA..." so-yaml.py replace /opt/so/saltstack/local/pillar/global/soc_global.sls global.pcapengine SURICATA echo " Done." return 0 
@@ -99,10 +99,10 @@ case "$PCAP_ENGINE" in echo " PCAP Engine Check Failed" echo "=========================================================================" echo "" - echo " Your pcapengine is currently set to $PCAP_ENGINE." + echo " Your PCAP engine is currently set to $PCAP_ENGINE." echo "" echo " Before upgrading to Security Onion 3, Stenographer PCAP data must be" - echo " removed and pcapengine must be set to SURICATA." + echo " removed and the PCAP engine must be set to SURICATA." echo "" echo " To check remaining Stenographer PCAP usage, run:" echo " salt '*' cmd.run 'du -sh /nsm/pcap'" @@ -120,8 +120,8 @@ case "$PCAP_ENGINE" in echo " PCAP Engine Check Failed" echo "=========================================================================" echo "" - echo " Unable to determine pcapengine setting (got: '$PCAP_ENGINE')." - echo " Please ensure pcapengine is set to SURICATA." + echo " Unable to determine the PCAP engine setting (got: '$PCAP_ENGINE')." + echo " Please ensure the PCAP engine is set to SURICATA." echo " In SOC, navigate to Configuration -> global -> pcapengine" echo " and change the value to SURICATA." echo ""