Merge pull request #15367 from Security-Onion-Solutions/mwright/assistant-case-reports

ES 9.0.8

.github/DISCUSSION_TEMPLATE/2-4.yml

@@ -33,6 +33,7 @@ body:
         - 2.4.180
         - 2.4.190
         - 2.4.200
+        - 2.4.210
         - Other (please provide detail below)
     validations:
       required: true

DOWNLOAD_AND_VERIFY_ISO.md

@@ -1,17 +1,17 @@
-### 2.4.190-20251024 ISO image released on 2025/10/24
+### 2.4.200-20251216 ISO image released on 2025/12/16
 
 
 ### Download and Verify
 
-2.4.190-20251024 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.190-20251024.iso
+2.4.200-20251216 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.4.200-20251216.iso
  
-MD5: 25358481FB876226499C011FC0710358  
-SHA1: 0B26173C0CE136F2CA40A15046D1DFB78BCA1165  
-SHA256: 4FD9F62EDA672408828B3C0C446FE5EA9FF3C4EE8488A7AB1101544A3C487872  
+MD5: 07B38499952D1F2FD7B5AF10096D0043  
+SHA1: 7F3A26839CA3CAEC2D90BB73D229D55E04C7D370  
+SHA256: 8D3AC735873A2EA8527E16A6A08C34BD5018CBC0925AC4096E15A0C99F591D5F  
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.190-20251024.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.200-20251216.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.190-20251024.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.200-20251216.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.190-20251024.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.200-20251216.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.190-20251024.iso.sig securityonion-2.4.190-20251024.iso
+gpg --verify securityonion-2.4.200-20251216.iso.sig securityonion-2.4.200-20251216.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Thu 23 Oct 2025 07:21:46 AM EDT using RSA key ID FE507013
+gpg: Signature made Mon 15 Dec 2025 05:24:11 PM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

VERSION

@@ -1 +1 @@
-2.4.200
+2.4.210

pillar/top.sls

@@ -43,8 +43,6 @@ base:
     - secrets
     - manager.soc_manager
     - manager.adv_manager
-    - idstools.soc_idstools
-    - idstools.adv_idstools
     - logstash.nodes
     - logstash.soc_logstash
     - logstash.adv_logstash
@@ -117,8 +115,6 @@ base:
     - elastalert.adv_elastalert
     - manager.soc_manager
     - manager.adv_manager
-    - idstools.soc_idstools
-    - idstools.adv_idstools
     - soc.soc_soc
     - soc.adv_soc
     - kibana.soc_kibana
@@ -158,8 +154,6 @@ base:
     {% endif %}
     - secrets
     - healthcheck.standalone
-    - idstools.soc_idstools
-    - idstools.adv_idstools
     - kratos.soc_kratos
     - kratos.adv_kratos
     - hydra.soc_hydra

salt/allowed_states.map.jinja

@@ -38,8 +38,6 @@
     'hydra',
     'elasticfleet',
     'elastic-fleet-package-registry',
-    'idstools',
-    'suricata.manager',
     'utility'
 ] %}
 

salt/common/tools/sbin/so-image-common

@@ -25,7 +25,6 @@ container_list() {
   if [ $MANAGERCHECK == 'so-import' ]; then
     TRUSTED_CONTAINERS=(
       "so-elasticsearch"
-      "so-idstools"
       "so-influxdb"
       "so-kibana"
       "so-kratos"
@@ -49,7 +48,6 @@ container_list() {
       "so-elastic-fleet-package-registry"
       "so-elasticsearch"
       "so-idh"
-      "so-idstools"
       "so-influxdb"
       "so-kafka"
       "so-kibana"
@@ -69,7 +67,6 @@ container_list() {
     )
   else
     TRUSTED_CONTAINERS=(
-      "so-idstools"
       "so-elasticsearch"
       "so-logstash"
       "so-nginx"

salt/common/tools/sbin/so-log-check

@@ -129,6 +129,7 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|responded with status-code 503" # telegraf getting 503 from ES during startup
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|process_cluster_event_timeout_exception" # logstash waiting for elasticsearch to start
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|not configured for GeoIP"     # SO does not bundle the maxminddb with Zeek
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|HTTP 404: Not Found"          # Salt loops until Kratos returns 200, during startup Kratos may not be ready
 fi
 
 if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then

salt/common/tools/sbin_jinja/so-import-pcap

@@ -85,7 +85,7 @@ function suricata() {
   docker run --rm \
     -v /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro \
     -v /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro \
-    -v /opt/so/conf/suricata/rules:/etc/suricata/rules:ro \
+    -v /opt/so/rules/suricata/:/etc/suricata/rules:ro \
     -v ${LOG_PATH}:/var/log/suricata/:rw \
     -v ${NSM_PATH}/:/nsm/:rw \
     -v "$PCAP:/input.pcap:ro" \

salt/docker/defaults.yaml

@@ -24,11 +24,6 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-    'so-idstools':
-      final_octet: 25
-      custom_bind_mounts: []
-      extra_hosts: []
-      extra_env: []
     'so-influxdb':
       final_octet: 26
       port_bindings:

salt/docker/soc_docker.yaml

@@ -41,7 +41,6 @@ docker:
         forcedType: "[]string"
     so-elastic-fleet: *dockerOptions
     so-elasticsearch: *dockerOptions
-    so-idstools: *dockerOptions
     so-influxdb: *dockerOptions
     so-kibana: *dockerOptions
     so-kratos: *dockerOptions
@@ -102,4 +101,4 @@ docker:
         multiline: True
         forcedType: "[]string"
     so-zeek: *dockerOptions
-    so-kafka: *dockerOptions
+    so-kafka: *dockerOptions

salt/elastalert/enabled.sls

@@ -60,7 +60,7 @@ so-elastalert:
     - watch:
       - file: elastaconf
     - onlyif:
-      - "so-elasticsearch-query / | jq -r '.version.number[0:1]' | grep -q 8" {# only run this state if elasticsearch is version 8 #}
+      - "so-elasticsearch-query / | jq -r '.version.number[0:1]' | grep -q 9" {# only run this state if elasticsearch is version 9 #}
 
 delete_so-elastalert_so-status.disabled:
   file.uncomment:

salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json

@@ -5,7 +5,7 @@
   "package": {
     "name": "endpoint",
     "title": "Elastic Defend",
-    "version": "8.18.1",
+    "version": "9.0.2",
     "requires_root": true
   },
   "enabled": true,

salt/elasticfleet/integration-defaults.map.jinja

@@ -21,6 +21,7 @@
     'azure_application_insights.app_state': 'azure.app_state',
     'azure_billing.billing': 'azure.billing',
     'azure_functions.metrics': 'azure.function',
+    'azure_ai_foundry.metrics': 'azure.ai_foundry',
     'azure_metrics.compute_vm_scaleset': 'azure.compute_vm_scaleset',
     'azure_metrics.compute_vm': 'azure.compute_vm',
     'azure_metrics.container_instance': 'azure.container_instance',

salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-optional-integrations-load

@@ -86,7 +86,7 @@ if [[ -f $STATE_FILE_SUCCESS  ]]; then
         latest_package_list=$(/usr/sbin/so-elastic-fleet-package-list)
         echo '{ "packages" : []}' > $BULK_INSTALL_PACKAGE_LIST
         rm -f $INSTALLED_PACKAGE_LIST
-        echo $latest_package_list | jq '{packages: [.items[] | {name: .name, latest_version: .version, installed_version: .savedObject.attributes.install_version, subscription: .conditions.elastic.subscription }]}' >> $INSTALLED_PACKAGE_LIST
+        echo $latest_package_list | jq '{packages: [.items[] | {name: .name, latest_version: .version, installed_version: .installationInfo.version, subscription: .conditions.elastic.subscription }]}' >> $INSTALLED_PACKAGE_LIST
 
         while read -r package; do
             # get package details

salt/elasticfleet/tools/sbin_jinja/so-kafka-fleet-output-policy

@@ -47,7 +47,7 @@ if ! kafka_output=$(curl -sK /opt/so/conf/elasticsearch/curl.config -L "http://l
     --arg KAFKACA "$KAFKACA" \
     --arg MANAGER_IP "{{ GLOBALS.manager_ip }}:9092" \
     --arg KAFKA_OUTPUT_VERSION "$KAFKA_OUTPUT_VERSION" \
-      '{"name":"grid-kafka", "id":"so-manager_kafka","type":"kafka","hosts":[ $MANAGER_IP ],"is_default":false,"is_default_monitoring":false,"config_yaml":"","ssl":{"certificate_authorities":[ $KAFKACA ],"certificate": $KAFKACRT ,"key":"","verification_mode":"full"},"proxy_id":null,"client_id":"Elastic","version": $KAFKA_OUTPUT_VERSION ,"compression":"none","auth_type":"ssl","partition":"round_robin","round_robin":{"group_events":10},"topics":[{"topic":"default-securityonion"}],"headers":[{"key":"","value":""}],"timeout":30,"broker_timeout":30,"required_acks":1,"secrets":{"ssl":{"key": $KAFKAKEY }}}'
+      '{"name":"grid-kafka", "id":"so-manager_kafka","type":"kafka","hosts":[ $MANAGER_IP ],"is_default":false,"is_default_monitoring":false,"config_yaml":"","ssl":{"certificate_authorities":[ $KAFKACA ],"certificate": $KAFKACRT ,"key":"","verification_mode":"full"},"proxy_id":null,"client_id":"Elastic","version": $KAFKA_OUTPUT_VERSION ,"compression":"none","auth_type":"ssl","partition":"round_robin","round_robin":{"group_events":10},"topic":"default-securityonion","headers":[{"key":"","value":""}],"timeout":30,"broker_timeout":30,"required_acks":1,"secrets":{"ssl":{"key": $KAFKAKEY }}}'
     )
     if ! response=$(curl -sK /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" --fail 2>/dev/null); then
       echo -e "\nFailed to setup Elastic Fleet output policy for Kafka...\n"
@@ -67,7 +67,7 @@ elif kafka_output=$(curl -sK /opt/so/conf/elasticsearch/curl.config -L "http://l
     --arg ENABLED_DISABLED "$ENABLED_DISABLED"\
     --arg KAFKA_OUTPUT_VERSION "$KAFKA_OUTPUT_VERSION" \
     --argjson HOSTS "$HOSTS" \
-      '{"name":"grid-kafka","type":"kafka","hosts":$HOSTS,"is_default":$ENABLED_DISABLED,"is_default_monitoring":$ENABLED_DISABLED,"config_yaml":"","ssl":{"certificate_authorities":[ $KAFKACA ],"certificate": $KAFKACRT ,"key":"","verification_mode":"full"},"proxy_id":null,"client_id":"Elastic","version": $KAFKA_OUTPUT_VERSION ,"compression":"none","auth_type":"ssl","partition":"round_robin","round_robin":{"group_events":10},"topics":[{"topic":"default-securityonion"}],"headers":[{"key":"","value":""}],"timeout":30,"broker_timeout":30,"required_acks":1,"secrets":{"ssl":{"key": $KAFKAKEY }}}'
+      '{"name":"grid-kafka","type":"kafka","hosts":$HOSTS,"is_default":$ENABLED_DISABLED,"is_default_monitoring":$ENABLED_DISABLED,"config_yaml":"","ssl":{"certificate_authorities":[ $KAFKACA ],"certificate": $KAFKACRT ,"key":"","verification_mode":"full"},"proxy_id":null,"client_id":"Elastic","version": $KAFKA_OUTPUT_VERSION ,"compression":"none","auth_type":"ssl","partition":"round_robin","round_robin":{"group_events":10},"topic":"default-securityonion","headers":[{"key":"","value":""}],"timeout":30,"broker_timeout":30,"required_acks":1,"secrets":{"ssl":{"key": $KAFKAKEY }}}'
     )
   if ! response=$(curl -sK /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_kafka" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" --fail 2>/dev/null); then
     echo -e "\nFailed to force update to Elastic Fleet output policy for Kafka...\n"

salt/elasticsearch/defaults.yaml

@@ -1,6 +1,6 @@
 elasticsearch:
   enabled: false
-  version: 8.18.8
+  version: 9.0.8
   index_clean: true
   config:
     action:
@@ -299,6 +299,19 @@ elasticsearch:
           hot:
             actions: {}
             min_age: 0ms
+    sos-backup:
+      index_sorting: false
+      index_template:
+        composed_of: []
+        ignore_missing_component_templates: []
+        index_patterns:
+        - sos-backup-*
+        priority: 501
+        template:
+          settings:
+            index:
+              number_of_replicas: 0
+              number_of_shards: 1
     so-assistant-chat:
       index_sorting: false
       index_template:
@@ -844,53 +857,11 @@ elasticsearch:
         composed_of:
         - agent-mappings
         - dtc-agent-mappings
-        - base-mappings
-        - dtc-base-mappings
-        - client-mappings
-        - dtc-client-mappings
-        - container-mappings
-        - destination-mappings
-        - dtc-destination-mappings
-        - pb-override-destination-mappings
-        - dll-mappings
-        - dns-mappings
-        - dtc-dns-mappings
-        - ecs-mappings
-        - dtc-ecs-mappings
-        - error-mappings
-        - event-mappings
-        - dtc-event-mappings
-        - file-mappings
-        - dtc-file-mappings
-        - group-mappings
         - host-mappings
         - dtc-host-mappings
         - http-mappings
         - dtc-http-mappings
-        - log-mappings
         - metadata-mappings
-        - network-mappings
-        - dtc-network-mappings
-        - observer-mappings
-        - dtc-observer-mappings
-        - organization-mappings
-        - package-mappings
-        - process-mappings
-        - dtc-process-mappings
-        - related-mappings
-        - rule-mappings
-        - dtc-rule-mappings
-        - server-mappings
-        - service-mappings
-        - dtc-service-mappings
-        - source-mappings
-        - dtc-source-mappings
-        - pb-override-source-mappings
-        - threat-mappings
-        - tls-mappings
-        - url-mappings
-        - user_agent-mappings
-        - dtc-user_agent-mappings
         - common-settings
         - common-dynamic-mappings
         data_stream:

salt/elasticsearch/files/ingest/kratos

@@ -1,9 +1,90 @@
 {
-  "description" : "kratos",
-  "processors" : [
-    {"set":{"field":"audience","value":"access","override":false,"ignore_failure":true}},
-    {"set":{"field":"event.dataset","ignore_empty_value":true,"ignore_failure":true,"value":"kratos.{{{audience}}}","media_type":"text/plain"}},
-    {"set":{"field":"event.action","ignore_failure":true,"copy_from":"msg"    }},
-    { "pipeline":    { "name": "common" } }
-  ]
+    "description": "kratos",
+    "processors": [
+        {
+            "set": {
+                "field": "audience",
+                "value": "access",
+                "override": false,
+                "ignore_failure": true
+            }
+        },
+        {
+            "set": {
+                "field": "event.dataset",
+                "ignore_empty_value": true,
+                "ignore_failure": true,
+                "value": "kratos.{{{audience}}}",
+                "media_type": "text/plain"
+            }
+        },
+        {
+            "set": {
+                "field": "event.action",
+                "ignore_failure": true,
+                "copy_from": "msg"
+            }
+        },
+        {
+            "rename": {
+                "field": "http_request",
+                "target_field": "http.request",
+                "ignore_failure": true,
+                "ignore_missing": true
+            }
+        },
+        {
+            "rename": {
+                "field": "http_response",
+                "target_field": "http.response",
+                "ignore_failure": true,
+                "ignore_missing": true
+            }
+        },
+        {
+            "rename": {
+                "field": "http.request.path",
+                "target_field": "http.uri",
+                "ignore_failure": true,
+                "ignore_missing": true
+            }
+        },
+        {
+            "rename": {
+                "field": "http.request.method",
+                "target_field": "http.method",
+                "ignore_failure": true,
+                "ignore_missing": true
+            }
+        },
+        {
+            "rename": {
+                "field": "http.request.method",
+                "target_field": "http.method",
+                "ignore_failure": true,
+                "ignore_missing": true
+            }
+        },
+        {
+            "rename": {
+                "field": "http.request.query",
+                "target_field": "http.query",
+                "ignore_failure": true,
+                "ignore_missing": true
+            }
+        },
+        {
+            "rename": {
+                "field": "http.request.headers.user-agent",
+                "target_field": "http.useragent",
+                "ignore_failure": true,
+                "ignore_missing": true
+            }
+        },
+        {
+            "pipeline": {
+                "name": "common"
+            }
+        }
+    ]
 }

salt/elasticsearch/tools/sbin_jinja/so-catrust

@@ -15,7 +15,7 @@ set -e
 if [ ! -f /opt/so/saltstack/local/salt/elasticsearch/cacerts ]; then
     docker run -v /etc/pki/ca.crt:/etc/ssl/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:$ELASTIC_AGENT_TARBALL_VERSION -keystore /usr/share/elasticsearch/jdk/lib/security/cacerts -alias SOSCA -import -file /etc/ssl/ca.crt -storepass changeit -noprompt
     docker cp so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/elasticsearch/cacerts
-    docker cp so-elasticsearchca:/etc/ssl/certs/ca-certificates.crt /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
+    docker cp so-elasticsearchca:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
     docker rm so-elasticsearchca
     echo "" >> /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
     echo "sosca" >> /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem

salt/idstools/config.sls

@@ -1,65 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-
-include:
-  - idstools.sync_files
-
-idstoolslogdir:
-  file.directory:
-    - name: /opt/so/log/idstools
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-idstools_sbin:
-  file.recurse:
-    - name: /usr/sbin
-    - source: salt://idstools/tools/sbin
-    - user: 939
-    - group: 939
-    - file_mode: 755
-
-# If this is used, exclude so-rule-update
-#idstools_sbin_jinja:
-#  file.recurse:
-#    - name: /usr/sbin
-#    - source: salt://idstools/tools/sbin_jinja
-#    - user: 939
-#    - group: 939 
-#    - file_mode: 755
-#    - template: jinja
-
-idstools_so-rule-update:
-  file.managed:
-    - name: /usr/sbin/so-rule-update
-    - source: salt://idstools/tools/sbin_jinja/so-rule-update
-    - user: 939
-    - group: 939 
-    - mode: 755
-    - template: jinja
-
-suricatacustomdirsfile:
-  file.directory:
-    - name: /nsm/rules/detect-suricata/custom_file
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-suricatacustomdirsurl:
-  file.directory:
-    - name: /nsm/rules/detect-suricata/custom_temp
-    - user: 939
-    - group: 939
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}

salt/idstools/defaults.yaml

@@ -1,10 +0,0 @@
-idstools:
-  enabled: False
-  config:
-    urls: []
-    ruleset: ETOPEN
-    oinkcode: ""
-  sids:
-    enabled: []
-    disabled: []
-    modify: []

salt/idstools/disabled.sls

@@ -1,31 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-
-include:
-  - idstools.sostatus
-  
-so-idstools:
-  docker_container.absent:
-    - force: True
-
-so-idstools_so-status.disabled:
-  file.comment:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - regex: ^so-idstools$
-
-so-rule-update:
-  cron.absent:
-    - identifier: so-rule-update
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}

salt/idstools/enabled.sls

@@ -1,91 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
-{%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   set proxy = salt['pillar.get']('manager:proxy') %}
-
-include:
-  - idstools.config
-  - idstools.sostatus
-
-so-idstools:
-  docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idstools:{{ GLOBALS.so_version }}
-    - hostname: so-idstools
-    - user: socore
-    - networks:
-      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-idstools'].ip }}
-    {% if proxy %}
-    - environment:
-      - http_proxy={{ proxy }}
-      - https_proxy={{ proxy }}
-      - no_proxy={{ salt['pillar.get']('manager:no_proxy') }}
-      {% if DOCKER.containers['so-idstools'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-idstools'].extra_env %}
-      - {{ XTRAENV }}
-        {% endfor %}
-      {% endif %}
-    {% elif DOCKER.containers['so-idstools'].extra_env %}
-    - environment:
-      {% for XTRAENV in DOCKER.containers['so-idstools'].extra_env %}
-      - {{ XTRAENV }}
-      {% endfor %}
-    {% endif %}
-    - binds:
-      - /opt/so/conf/idstools/etc:/opt/so/idstools/etc:ro
-      - /opt/so/rules/nids/suri:/opt/so/rules/nids/suri:rw
-      - /nsm/rules/:/nsm/rules/:rw
-    {% if DOCKER.containers['so-idstools'].custom_bind_mounts %}
-      {% for BIND in DOCKER.containers['so-idstools'].custom_bind_mounts %}
-      - {{ BIND }}
-      {% endfor %}
-    {% endif %}
-    - extra_hosts:
-      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-    {% if DOCKER.containers['so-idstools'].extra_hosts %}
-      {% for XTRAHOST in DOCKER.containers['so-idstools'].extra_hosts %}
-      - {{ XTRAHOST }}
-      {% endfor %}
-    {% endif %}
-    - watch:
-      - file: idstoolsetcsync
-      - file: idstools_so-rule-update
-
-delete_so-idstools_so-status.disabled:
-  file.uncomment:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - regex: ^so-idstools$
-
-so-rule-update:
-  cron.present:
-    - name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download_cron.log 2>&1
-    - identifier: so-rule-update
-    - user: root
-    - minute: '1'
-    - hour: '7'
-
-# order this last to give so-idstools container time to be ready
-run_so-rule-update:
-  cmd.run:
-    - name: '/usr/sbin/so-rule-update > /opt/so/log/idstools/download_idstools_state.log 2>&1'
-    - require:
-      - docker_container: so-idstools
-    - onchanges:
-      - file: idstools_so-rule-update
-      - file: idstoolsetcsync
-      - file: synclocalnidsrules
-    - order: last
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}

salt/idstools/etc/disable.conf

@@ -1,16 +0,0 @@
-{%- set disabled_sids = salt['pillar.get']('idstools:sids:disabled', {}) -%}
-# idstools - disable.conf
-
-# Example of disabling a rule by signature ID (gid is optional).
-# 1:2019401
-# 2019401
-
-# Example of disabling a rule by regular expression.
-# - All regular expression matches are case insensitive.
-# re:hearbleed
-# re:MS(0[7-9]|10)-\d+
-{%- if disabled_sids != None %}
-{%- for sid in disabled_sids %}
-{{ sid }}
-{%- endfor %}
-{%- endif %}

salt/idstools/etc/enable.conf

@@ -1,16 +0,0 @@
-{%- set enabled_sids = salt['pillar.get']('idstools:sids:enabled', {}) -%}
-# idstools-rulecat - enable.conf
-
-# Example of enabling a rule by signature ID (gid is optional).
-# 1:2019401
-# 2019401
-
-# Example of enabling a rule by regular expression.
-# - All regular expression matches are case insensitive.
-# re:hearbleed
-# re:MS(0[7-9]|10)-\d+
-{%- if enabled_sids != None %}
-{%- for sid in enabled_sids %}
-{{ sid }}
-{%- endfor %}
-{%- endif %}

salt/idstools/etc/modify.conf

@@ -1,12 +0,0 @@
-{%- set modify_sids = salt['pillar.get']('idstools:sids:modify', {}) -%}
-# idstools-rulecat - modify.conf
-
-# Format: <sid> "<from>" "<to>"
-
-# Example changing the seconds for rule 2019401 to 3600.
-#2019401 "seconds \d+" "seconds 3600"
-{%- if modify_sids != None %}
-{%- for sid in modify_sids %}
-{{ sid }}
-{%- endfor %}
-{%- endif %}

salt/idstools/etc/rulecat.conf

@@ -1,23 +0,0 @@
-{%- from 'vars/globals.map.jinja' import GLOBALS -%}
-{%- from 'soc/merged.map.jinja' import SOCMERGED -%}
---suricata-version=7.0.3
---merged=/opt/so/rules/nids/suri/all.rules
---output=/nsm/rules/detect-suricata/custom_temp
---local=/opt/so/rules/nids/suri/local.rules
-{%-   if GLOBALS.md_engine == "SURICATA" %}
---local=/opt/so/rules/nids/suri/extraction.rules
---local=/opt/so/rules/nids/suri/filters.rules
-{%-   endif %}
---url=http://{{ GLOBALS.manager }}:7788/suricata/emerging-all.rules
---disable=/opt/so/idstools/etc/disable.conf
---enable=/opt/so/idstools/etc/enable.conf
---modify=/opt/so/idstools/etc/modify.conf
-{%- if SOCMERGED.config.server.modules.suricataengine.customRulesets %}
-    {%- for ruleset in SOCMERGED.config.server.modules.suricataengine.customRulesets %}
-        {%- if 'url' in ruleset %}
---url={{ ruleset.url }}
-        {%- elif 'file' in ruleset %}
---local={{ ruleset.file }}
-        {%- endif %}
-    {%- endfor %}
-{%- endif %}

salt/idstools/init.sls

@@ -1,13 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'idstools/map.jinja' import IDSTOOLSMERGED %}
-
-include:
-{% if IDSTOOLSMERGED.enabled %}
-  - idstools.enabled
-{% else %}
-  - idstools.disabled
-{% endif %}

salt/idstools/map.jinja

@@ -1,7 +0,0 @@
-{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-   https://securityonion.net/license; you may not use this file except in compliance with the
-   Elastic License 2.0. #}
-   
-{% import_yaml 'idstools/defaults.yaml' as IDSTOOLSDEFAULTS with context %}
-{% set IDSTOOLSMERGED = salt['pillar.get']('idstools', IDSTOOLSDEFAULTS.idstools, merge=True) %}

salt/idstools/rules/local.rules

@@ -1 +0,0 @@
-# Add your custom Suricata rules in this file.

salt/idstools/soc_idstools.yaml

@@ -1,72 +0,0 @@
-idstools:
-  enabled:
-    description: Enables or disables the IDStools process which is used by the Detection system.
-  config:
-    oinkcode:
-      description: Enter your registration code or oinkcode for paid NIDS rulesets.
-      title: Registration Code
-      global: True
-      forcedType: string
-      helpLink: rules.html
-    ruleset:
-      description: 'Defines the ruleset you want to run. Options are ETOPEN or ETPRO. Once you have changed the ruleset here, you will need to wait for the rule update to take place (every 24 hours), or you can force the update by nagivating to Detections -->  Options dropdown menu --> Suricata --> Full Update. WARNING! Changing the ruleset will remove all existing non-overlapping Suricata rules of the previous ruleset and their associated overrides. This removal cannot be undone.'
-      global: True
-      regex:  ETPRO\b|ETOPEN\b
-      helpLink: rules.html
-    urls:
-      description: This is a list of additional rule download locations. This feature is currently disabled. 
-      global: True
-      multiline: True
-      forcedType: "[]string"
-      readonly: True
-      helpLink: rules.html
-  sids:
-    disabled:
-      description: Contains the list of NIDS rules (or regex patterns) disabled across the grid. This setting is readonly; Use the Detections screen to disable rules.
-      global: True
-      multiline: True
-      forcedType: "[]string"
-      regex: \d*|re:.*
-      helpLink: managing-alerts.html
-      readonlyUi: True
-      advanced: true
-    enabled:
-      description: Contains the list of NIDS rules (or regex patterns) enabled across the grid. This setting is readonly; Use the Detections screen to enable rules.
-      global: True
-      multiline: True
-      forcedType: "[]string"
-      regex: \d*|re:.*
-      helpLink: managing-alerts.html
-      readonlyUi: True
-      advanced: true
-    modify:
-      description: Contains the list of NIDS rules (SID "REGEX_SEARCH_TERM" "REGEX_REPLACE_TERM"). This setting is readonly; Use the Detections screen to modify rules.
-      global: True
-      multiline: True
-      forcedType: "[]string"
-      helpLink: managing-alerts.html
-      readonlyUi: True
-      advanced: true
-  rules:
-    local__rules:
-      description: Contains the list of custom NIDS rules applied to the grid. This setting is readonly; Use the Detections screen to adjust rules.
-      file: True
-      global: True
-      advanced: True
-      title: Local Rules
-      helpLink: local-rules.html
-      readonlyUi: True
-    filters__rules:
-      description: If you are using Suricata for metadata, then you can set custom filters for that metadata here.
-      file: True
-      global: True
-      advanced: True
-      title: Filter Rules
-      helpLink: suricata.html
-    extraction__rules:
-      description: If you are using Suricata for metadata, then you can set a list of MIME types for file extraction here.
-      file: True
-      global: True
-      advanced: True
-      title: Extraction Rules
-      helpLink: suricata.html

salt/idstools/sostatus.sls

@@ -1,21 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-
-append_so-idstools_so-status.conf:
-  file.append:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-idstools
-    - unless: grep -q so-idstools /opt/so/conf/so-status/so-status.conf
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}

salt/idstools/sync_files.sls

@@ -1,37 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-idstoolsdir:
-  file.directory:
-    - name: /opt/so/conf/idstools/etc
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-idstoolsetcsync:
-  file.recurse:
-    - name: /opt/so/conf/idstools/etc
-    - source: salt://idstools/etc
-    - user: 939
-    - group: 939
-    - template: jinja
-
-rulesdir:
-  file.directory:
-    - name: /opt/so/rules/nids/suri
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-# Don't show changes because all.rules can be large
-synclocalnidsrules:
-  file.recurse:
-    - name: /opt/so/rules/nids/suri/
-    - source: salt://idstools/rules/
-    - user: 939
-    - group: 939
-    - show_changes: False
-    - include_pat: 'E@.rules'

salt/idstools/tools/sbin/so-idstools-restart

@@ -1,12 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-restart idstools $1

salt/idstools/tools/sbin/so-idstools-start

@@ -1,12 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-start idstools $1

salt/idstools/tools/sbin/so-idstools-stop

@@ -1,12 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-stop idstools $1

salt/idstools/tools/sbin_jinja/so-rule-update

@@ -1,40 +0,0 @@
-#!/bin/bash
-
-# if this script isn't already running
-if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
-
-    . /usr/sbin/so-common
-
-{%- from 'vars/globals.map.jinja' import GLOBALS %}
-{%- from 'idstools/map.jinja' import IDSTOOLSMERGED %}
-
-{%- set proxy = salt['pillar.get']('manager:proxy') %}
-{%- set noproxy = salt['pillar.get']('manager:no_proxy', '') %}
-
-{%- if proxy %}
-# Download the rules from the internet
-    export http_proxy={{ proxy }}
-    export https_proxy={{ proxy }}
-    export no_proxy="{{ noproxy }}"
-{%- endif %}
-
-    mkdir -p /nsm/rules/suricata
-    chown -R socore:socore /nsm/rules/suricata
-{%- if not GLOBALS.airgap %}
-# Download the rules from the internet
-{%-   if IDSTOOLSMERGED.config.ruleset == 'ETOPEN' %}
-    docker exec so-idstools idstools-rulecat -v --suricata-version 7.0.3 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force
-{%-   elif IDSTOOLSMERGED.config.ruleset == 'ETPRO' %}
-    docker exec so-idstools idstools-rulecat -v --suricata-version 7.0.3 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --etpro={{ IDSTOOLSMERGED.config.oinkcode }}
-{%-   endif %}
-{%- endif %}
-
-
-    argstr=""
-    for arg in "$@"; do
-        argstr="${argstr} \"${arg}\""
-    done
-
-    docker exec so-idstools /bin/bash -c "cd /opt/so/idstools/etc && idstools-rulecat --force ${argstr}"
-
-fi

salt/kratos/config.sls

@@ -75,6 +75,7 @@ kratosconfig:
     - group: 928
     - mode: 600
     - template: jinja
+    - show_changes: False
     - defaults:
         KRATOSMERGED: {{ KRATOSMERGED }}
 

salt/kratos/defaults.yaml

@@ -46,6 +46,7 @@ kratos:
           ui_url: https://URL_BASE/
         login:
           ui_url: https://URL_BASE/login/
+          lifespan: 60m
         error:
           ui_url: https://URL_BASE/login/
         registration:

salt/kratos/soc_kratos.yaml

@@ -182,6 +182,10 @@ kratos:
             global: True
             advanced: True
             helpLink: kratos.html
+          lifespan: 
+            description: Defines the duration that a login form will remain valid.
+            global: True
+            helpLink: kratos.html
         error:
           ui_url: 
             description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.

salt/logrotate/defaults.yaml

@@ -1,15 +1,5 @@
 logrotate:
   config:
-    /opt/so/log/idstools/*_x_log:
-      - daily
-      - rotate 14
-      - missingok
-      - copytruncate
-      - compress
-      - create
-      - extension .log
-      - dateext
-      - dateyesterday
     /opt/so/log/nginx/*_x_log:
       - daily
       - rotate 14

salt/logrotate/soc_logrotate.yaml

@@ -1,12 +1,5 @@
 logrotate:
   config:
-    "/opt/so/log/idstools/*_x_log":
-      description: List of logrotate options for this file.
-      title: /opt/so/log/idstools/*.log
-      advanced: True
-      multiline: True
-      global: True
-      forcedType: "[]string"
     "/opt/so/log/nginx/*_x_log":
       description: List of logrotate options for this file.
       title: /opt/so/log/nginx/*.log

salt/logstash/defaults.yaml

@@ -63,7 +63,7 @@ logstash:
   settings:
     lsheap: 500m
   config:
-    http_x_host: 0.0.0.0
+    api_x_http_x_host: 0.0.0.0
     path_x_logs: /var/log/logstash
     pipeline_x_workers: 1
     pipeline_x_batch_x_size: 125

salt/logstash/pipelines/config/so/0011_input_endgame.conf

@@ -5,10 +5,10 @@ input {
     codec => es_bulk
     request_headers_target_field => client_headers
     remote_host_target_field => client_host
-    ssl => true
+    ssl_enabled => true
     ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
     ssl_certificate => "/usr/share/logstash/filebeat.crt"
     ssl_key => "/usr/share/logstash/filebeat.key"
-    ssl_verify_mode => "peer"
+    ssl_client_authentication => "required"
   }
 }

salt/logstash/pipelines/config/so/0012_input_elastic_agent.conf.jinja

@@ -2,11 +2,11 @@ input {
   elastic_agent {
     port => 5055
     tags => [ "elastic-agent", "input-{{ GLOBALS.hostname }}" ]
-    ssl => true
+    ssl_enabled => true
     ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
     ssl_certificate => "/usr/share/logstash/elasticfleet-logstash.crt"
     ssl_key => "/usr/share/logstash/elasticfleet-logstash.key"
-    ssl_verify_mode => "force_peer"
+    ssl_client_authentication => "required"
     ecs_compatibility => v8
   }
 }

salt/logstash/pipelines/config/so/0013_input_lumberjack_fleet.conf

@@ -2,7 +2,7 @@ input {
   elastic_agent {
     port => 5056
     tags => [ "elastic-agent", "fleet-lumberjack-input" ]
-    ssl => true
+    ssl_enabled => true
     ssl_certificate => "/usr/share/logstash/elasticfleet-lumberjack.crt"
     ssl_key => "/usr/share/logstash/elasticfleet-lumberjack.key"
     ecs_compatibility => v8

salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja

@@ -8,8 +8,8 @@ output {
       document_id => "%{[metadata][_id]}"
       index => "so-ip-mappings"
       silence_errors_in_log => ["version_conflict_engine_exception"]
-      ssl => true
-      ssl_certificate_verification => false
+      ssl_enabled => true
+      ssl_verification_mode => "none"
     }
   }
   else {
@@ -25,8 +25,8 @@ output {
             document_id => "%{[metadata][_id]}"
             pipeline => "%{[metadata][pipeline]}"
             silence_errors_in_log => ["version_conflict_engine_exception"]
-            ssl => true
-            ssl_certificate_verification => false
+            ssl_enabled => true
+            ssl_verification_mode => "none"
           }
         }
         else {
@@ -37,8 +37,8 @@ output {
             user => "{{ ES_USER }}"
             password => "{{ ES_PASS }}"
             pipeline => "%{[metadata][pipeline]}"
-            ssl => true
-            ssl_certificate_verification => false
+            ssl_enabled => true
+            ssl_verification_mode => "none"
           }
         }
       }
@@ -49,8 +49,8 @@ output {
           data_stream => true
           user => "{{ ES_USER }}"
           password => "{{ ES_PASS }}"
-          ssl => true
-          ssl_certificate_verification => false
+          ssl_enabled => true
+          ssl_verification_mode=> "none"
         }
       }
     }

salt/logstash/pipelines/config/so/9900_output_endgame.conf.jinja

@@ -13,8 +13,8 @@ output {
       user => "{{ ES_USER }}"
       password => "{{ ES_PASS }}"
       index => "endgame-%{+YYYY.MM.dd}"
-      ssl => true
-      ssl_certificate_verification => false
+      ssl_enabled => true
+      ssl_verification_mode => "none"
     }
   }
 }

salt/logstash/soc_logstash.yaml

@@ -56,7 +56,7 @@ logstash:
       helpLink: logstash.html
       global: False
   config:
-    http_x_host: 
+    api_x_http_x_host:
       description: Host interface to listen to connections.
       helpLink: logstash.html
       readonly: True

salt/manager/init.sls

@@ -206,10 +206,33 @@ git_config_set_safe_dirs:
     - multivar:
       - /nsm/rules/custom-local-repos/local-sigma
       - /nsm/rules/custom-local-repos/local-yara
+      - /nsm/rules/custom-local-repos/local-suricata
       - /nsm/securityonion-resources
       - /opt/so/conf/soc/ai_summary_repos/securityonion-resources
       - /nsm/airgap-resources/playbooks
       - /opt/so/conf/soc/playbooks
+
+surinsmrulesdir:
+  file.directory:
+    - name: /nsm/rules/suricata/etopen
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+suriextractionrules:
+  file.managed:
+    - name: /nsm/rules/suricata/so_extraction.rules
+    - source: salt://suricata/files/so_extraction.rules
+    - user: 939
+    - group: 939
+
+surifiltersrules:
+  file.managed:
+    - name: /nsm/rules/suricata/so_filters.rules
+    - source: salt://suricata/files/so_filters.rules
+    - user: 939
+    - group: 939
+
 {% else %}
 
 {{sls}}_state_not_allowed:

salt/manager/tools/sbin/so-minion

@@ -133,7 +133,7 @@ function getinstallinfo() {
 		return 1
 	fi
 	
-	source <(echo $INSTALLVARS)
+	export $(echo "$INSTALLVARS" | xargs)
 	if [ $? -ne 0 ]; then
 		log "ERROR" "Failed to source install variables"
 		return 1
@@ -604,16 +604,6 @@ function add_kratos_to_minion() {
     fi
 }
 
-function add_idstools_to_minion() {
-    printf '%s\n'\
-    "idstools:"\
-    "  enabled: True"\
-	"  " >> $PILLARFILE
-    if [ $? -ne 0 ]; then
-        log "ERROR" "Failed to add idstools configuration to $PILLARFILE"
-        return 1
-    fi
-}
 
 function add_elastic_fleet_package_registry_to_minion() {
     printf '%s\n'\
@@ -741,7 +731,6 @@ function createEVAL() {
 	add_soc_to_minion || return 1
 	add_registry_to_minion || return 1
 	add_kratos_to_minion || return 1
-	add_idstools_to_minion || return 1
 	add_elastic_fleet_package_registry_to_minion || return 1
 }
 
@@ -762,7 +751,6 @@ function createSTANDALONE() {
 	add_soc_to_minion || return 1
 	add_registry_to_minion || return 1
 	add_kratos_to_minion || return 1
-	add_idstools_to_minion || return 1
 	add_elastic_fleet_package_registry_to_minion || return 1
 }
 
@@ -779,7 +767,6 @@ function createMANAGER() {
 	add_soc_to_minion || return 1
 	add_registry_to_minion || return 1
 	add_kratos_to_minion || return 1
-	add_idstools_to_minion || return 1
 	add_elastic_fleet_package_registry_to_minion || return 1
 }
 
@@ -796,7 +783,6 @@ function createMANAGERSEARCH() {
 	add_soc_to_minion || return 1
 	add_registry_to_minion || return 1
 	add_kratos_to_minion || return 1
-	add_idstools_to_minion || return 1
 	add_elastic_fleet_package_registry_to_minion || return 1
 }
 
@@ -811,7 +797,6 @@ function createIMPORT() {
 	add_soc_to_minion || return 1
 	add_registry_to_minion || return 1
 	add_kratos_to_minion || return 1
-	add_idstools_to_minion || return 1
 	add_elastic_fleet_package_registry_to_minion || return 1
 }
 
@@ -896,7 +881,6 @@ function createMANAGERHYPE() {
 	add_soc_to_minion || return 1
 	add_registry_to_minion || return 1
 	add_kratos_to_minion || return 1
-	add_idstools_to_minion || return 1
 	add_elastic_fleet_package_registry_to_minion || return 1
 }
 

salt/manager/tools/sbin/soup

@@ -87,6 +87,12 @@ check_err() {
       113)
         echo 'No route to host'
       ;;
+      160)
+        echo 'Incompatiable Elasticsearch upgrade'
+      ;;
+      161)
+        echo 'Required intermediate Elasticsearch upgrade not complete'
+      ;;
       *)
         echo 'Unhandled error'
         echo "$err_msg"
@@ -427,6 +433,7 @@ preupgrade_changes() {
     [[ "$INSTALLEDVERSION" == 2.4.170 ]] && up_to_2.4.180
     [[ "$INSTALLEDVERSION" == 2.4.180 ]] && up_to_2.4.190
     [[ "$INSTALLEDVERSION" == 2.4.190 ]] && up_to_2.4.200
+    [[ "$INSTALLEDVERSION" == 2.4.200 ]] && up_to_2.4.210
     true
 }
 
@@ -459,6 +466,7 @@ postupgrade_changes() {
     [[ "$POSTVERSION"  == 2.4.170 ]] && post_to_2.4.180
     [[ "$POSTVERSION"  == 2.4.180 ]] && post_to_2.4.190
     [[ "$POSTVERSION"  == 2.4.190 ]] && post_to_2.4.200
+    [[ "$POSTVERSION"  == 2.4.200 ]] && post_to_2.4.210
     true
 }
 
@@ -615,9 +623,6 @@ post_to_2.4.180() {
 }
 
 post_to_2.4.190() {
-    echo "Regenerating Elastic Agent Installers"
-    /sbin/so-elastic-agent-gen-installers
-
     # Only need to update import / eval nodes
     if [[ "$MINION_ROLE" == "import" ]] || [[ "$MINION_ROLE" == "eval" ]]; then
         update_import_fleet_output
@@ -639,10 +644,23 @@ post_to_2.4.190() {
 }
 
 post_to_2.4.200() {
-  echo "Nothing to apply"
+  echo "Initiating Suricata idstools migration..."
+  suricata_idstools_removal_post
+
   POSTVERSION=2.4.200
 }
 
+post_to_2.4.210() {
+  echo "Rolling over Kratos index to apply new index template"
+
+  rollover_index "logs-kratos-so"
+
+  echo "Regenerating Elastic Agent Installers"
+  /sbin/so-elastic-agent-gen-installers
+
+  POSTVERSION=2.4.210
+}
+
 repo_sync() {
   echo "Sync the local repo."
   su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -904,18 +922,26 @@ up_to_2.4.180() {
 }
 
 up_to_2.4.190() {
-  # Elastic Update for this release, so download Elastic Agent files
-  determine_elastic_agent_upgrade
-
+  echo "Nothing to do for 2.4.190"
   INSTALLEDVERSION=2.4.190
 }
 
 up_to_2.4.200() {
+  echo "Backing up idstools config..."
+  suricata_idstools_removal_pre
+
   touch /opt/so/state/esfleet_logstash_config_pillar
 
   INSTALLEDVERSION=2.4.200
 }
 
+up_to_2.4.210() {
+  # Elastic Update for this release, so download Elastic Agent files
+  determine_elastic_agent_upgrade
+
+  INSTALLEDVERSION=2.4.210
+}
+
 add_hydra_pillars() {
   mkdir -p /opt/so/saltstack/local/pillar/hydra
   touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls
@@ -999,6 +1025,8 @@ rollover_index() {
 }
 
 suricata_idstools_migration() {
+  # For 2.4.70
+
   #Backup the pillars for idstools
   mkdir -p /nsm/backup/detections-migration/idstools
   rsync -av /opt/so/saltstack/local/pillar/idstools/* /nsm/backup/detections-migration/idstools
@@ -1099,6 +1127,217 @@ playbook_migration() {
   echo "Playbook Migration is complete...."
 }
 
+suricata_idstools_removal_pre() {
+# For SOUPs beginning with 2.4.200 - pre SOUP checks
+
+# Create syncBlock file
+install -d -o 939 -g 939 -m 755 /opt/so/conf/soc/fingerprints
+install -o 939 -g 939 -m 644 /dev/null /opt/so/conf/soc/fingerprints/suricataengine.syncBlock
+cat > /opt/so/conf/soc/fingerprints/suricataengine.syncBlock << EOF
+Suricata ruleset sync is blocked until this file is removed. **CRITICAL** Make sure that you have manually added any custom Suricata rulesets via SOC config before removing this file - review the documentation for more details: https://docs.securityonion.net/en/2.4/nids.html#sync-block
+EOF
+
+# Remove possible symlink & create salt local rules dir
+[ -L /opt/so/saltstack/local/salt/suricata/rules ] && rm -f /opt/so/saltstack/local/salt/suricata/rules
+install -d -o 939 -g 939 /opt/so/saltstack/local/salt/suricata/rules/ || echo "Failed to create Suricata local rules directory"
+
+# Backup custom rules & overrides
+mkdir -p /nsm/backup/detections-migration/2-4-200
+cp /usr/sbin/so-rule-update /nsm/backup/detections-migration/2-4-200
+cp /opt/so/conf/idstools/etc/rulecat.conf /nsm/backup/detections-migration/2-4-200
+
+# Backup so-detection index via reindex
+echo "Creating sos-backup index template..."
+template_result=$(/sbin/so-elasticsearch-query '_index_template/sos-backup' -X PUT \
+    --retry 5 --retry-delay 15 --retry-all-errors \
+    -d '{"index_patterns":["sos-backup-*"],"priority":501,"template":{"settings":{"index":{"number_of_replicas":0,"number_of_shards":1}}}}')
+
+if [[ -z "$template_result" ]] || ! echo "$template_result" | jq -e '.acknowledged == true' > /dev/null 2>&1; then
+    echo "Error: Failed to create sos-backup index template"
+    echo "$template_result"
+    exit 1
+fi
+
+BACKUP_INDEX="sos-backup-detection-$(date +%Y%m%d-%H%M%S)"
+echo "Backing up so-detection index to $BACKUP_INDEX..."
+reindex_result=$(/sbin/so-elasticsearch-query '_reindex?wait_for_completion=true' \
+    --retry 5 --retry-delay 15 --retry-all-errors \
+    -X POST -d "{\"source\": {\"index\": \"so-detection\"}, \"dest\": {\"index\": \"$BACKUP_INDEX\"}}")
+
+if [[ -z "$reindex_result" ]]; then
+    echo "Error: Backup of detections failed - no response from Elasticsearch"
+    exit 1
+elif echo "$reindex_result" | jq -e '.created >= 0' > /dev/null 2>&1; then
+    echo "Backup complete: $(echo "$reindex_result" | jq -r '.created') documents copied"
+elif echo "$reindex_result" | grep -q "index_not_found_exception"; then
+    echo "so-detection index does not exist, skipping backup"
+else
+    echo "Error: Backup of detections failed"
+    echo "$reindex_result"
+    exit 1
+fi
+
+}
+
+suricata_idstools_removal_post() {
+# For SOUPs beginning with 2.4.200 - post SOUP checks
+
+echo "Checking idstools configuration for custom modifications..."
+
+# Normalize and hash file content for consistent comparison
+# Args: $1 - file path
+# Outputs: SHA256 hash to stdout
+# Returns: 0 on success, 1 on failure
+hash_normalized_file() {
+    local file="$1"
+
+    if [[ ! -r "$file" ]]; then
+        return 1
+    fi
+
+    # Ensure trailing newline for consistent hashing regardless of source file
+    { sed -E \
+        -e 's/^[[:space:]]+//; s/[[:space:]]+$//' \
+        -e '/^$/d' \
+        -e 's|--url=http://[^:]+:7788|--url=http://MANAGER:7788|' \
+        "$file"; echo; } | sed '/^$/d' | sha256sum | awk '{print $1}'
+}
+
+# Known-default hashes for so-rule-update (ETOPEN ruleset)
+KNOWN_SO_RULE_UPDATE_HASHES=(
+    # 2.4.100+ (suricata 7.0.3, non-airgap)
+    "5fbd067ced86c8ec72ffb7e1798aa624123b536fb9d78f4b3ad8d3b45db1eae7"  # 2.4.100-2.4.190 non-Airgap
+    # 2.4.90+ airgap (same for 2.4.90 and 2.4.100+)
+    "61f632c55791338c438c071040f1490066769bcce808b595b5cc7974a90e653a"  # 2.4.90+ Airgap
+    # 2.4.90 (suricata 6.0, non-airgap, comment inside proxy block)
+    "0380ec52a05933244ab0f0bc506576e1d838483647b40612d5fe4b378e47aedd"  # 2.4.90 non-Airgap
+    # 2.4.10-2.4.80 (suricata 6.0, non-airgap, comment outside proxy block)
+    "b6e4d1b5a78d57880ad038a9cd2cc6978aeb2dd27d48ea1a44dd866a2aee7ff4"  # 2.4.10-2.4.80 non-Airgap
+    # 2.4.10-2.4.80 airgap
+    "b20146526ace2b142fde4664f1386a9a1defa319b3a1d113600ad33a1b037dad"  # 2.4.10-2.4.80 Airgap
+    # 2.4.5 and earlier (no pidof check, non-airgap)
+    "d04f5e4015c348133d28a7840839e82d60009781eaaa1c66f7f67747703590dc"  # 2.4.5 non-Airgap
+)
+
+# Known-default hashes for rulecat.conf
+KNOWN_RULECAT_CONF_HASHES=(
+    # 2.4.100+ (suricata 7.0.3)
+    "302e75dca9110807f09ade2eec3be1fcfc8b2bf6cf2252b0269bb72efeefe67e"  # 2.4.100-2.4.190 without SURICATA md_engine
+    "8029b7718c324a9afa06a5cf180afde703da1277af4bdd30310a6cfa3d6398cb"  # 2.4.100-2.4.190 with SURICATA md_engine
+    # 2.4.80-2.4.90 (suricata 6.0, with --suricata-version and --output)
+    "4d8b318e6950a6f60b02f307cf27c929efd39652990c1bd0c8820aa8a307e1e7"  # 2.4.80-2.4.90 without SURICATA md_engine
+    "a1ddf264c86c4e91c81c5a317f745a19466d4311e4533ec3a3c91fed04c11678"  # 2.4.80-2.4.90 with SURICATA md_engine
+    # 2.4.50-2.4.70 (/suri/ path, no --suricata-version)
+    "86e3afb8d0f00c62337195602636864c98580a13ca9cc85029661a539deae6ae"  # 2.4.50-2.4.70 without SURICATA md_engine
+    "5a97604ca5b820a10273a2d6546bb5e00c5122ca5a7dfe0ba0bfbce5fc026f4b"  # 2.4.50-2.4.70 with SURICATA md_engine
+    # 2.4.20-2.4.40 (/nids/ path without /suri/)
+    "d098ea9ecd94b5cca35bf33543f8ea8f48066a0785221fabda7fef43d2462c29"  # 2.4.20-2.4.40 without SURICATA md_engine
+    "9dbc60df22ae20d65738ba42e620392577857038ba92278e23ec182081d191cd"  # 2.4.20-2.4.40 with SURICATA md_engine
+    # 2.4.5-2.4.10 (/sorules/ path for extraction/filters)
+    "490f6843d9fca759ee74db3ada9c702e2440b8393f2cfaf07bbe41aaa6d955c3"  # 2.4.5-2.4.10 with SURICATA md_engine
+    # Note: 2.4.5-2.4.10 without SURICATA md_engine has same hash as 2.4.20-2.4.40 without SURICATA md_engine
+)
+
+# Check a config file against known hashes
+# Args: $1 - file path, $2 - array name of known hashes
+check_config_file() {
+    local file="$1"
+    local known_hashes_array="$2"
+    local file_display_name=$(basename "$file")
+
+    if [[ ! -f "$file" ]]; then
+        echo "Warning: $file not found"
+        echo "$file_display_name not found - manual verification required" >> /opt/so/conf/soc/fingerprints/suricataengine.syncBlock
+        return 1
+    fi
+
+    echo "Hashing $file..."
+    local file_hash
+    if ! file_hash=$(hash_normalized_file "$file"); then
+        echo "Warning: Could not read $file"
+        echo "$file_display_name not readable - manual verification required" >> /opt/so/conf/soc/fingerprints/suricataengine.syncBlock
+        return 1
+    fi
+
+    echo "  Hash: $file_hash"
+
+    # Check if hash matches any known default
+    local -n known_hashes=$known_hashes_array
+    for known_hash in "${known_hashes[@]}"; do
+        if [[ "$file_hash" == "$known_hash" ]]; then
+            echo "  Matches known default configuration"
+            return 0
+        fi
+    done
+
+    # No match - custom configuration detected
+    echo "Does not match known default - custom configuration detected"
+    echo "Custom $file_display_name detected (hash: $file_hash)" >> /opt/so/conf/soc/fingerprints/suricataengine.syncBlock
+
+    # If this is so-rule-update, check for ETPRO license code and write out to the syncBlock file
+    # If ETPRO is enabled, the license code already exists in the so-rule-update script, this is just making it easier to migrate
+    if [[ "$file_display_name" == "so-rule-update" ]]; then
+        local etpro_code
+        etpro_code=$(grep -oP '\-\-etpro=\K[0-9a-fA-F]+' "$file" 2>/dev/null) || true
+        if [[ -n "$etpro_code" ]]; then
+            echo "ETPRO code found: $etpro_code" >> /opt/so/conf/soc/fingerprints/suricataengine.syncBlock
+        fi
+    fi
+
+    return 1
+}
+
+# Check so-rule-update and rulecat.conf
+SO_RULE_UPDATE="/usr/sbin/so-rule-update"
+RULECAT_CONF="/opt/so/conf/idstools/etc/rulecat.conf"
+
+custom_found=0
+
+check_config_file "$SO_RULE_UPDATE" "KNOWN_SO_RULE_UPDATE_HASHES" || custom_found=1
+check_config_file "$RULECAT_CONF" "KNOWN_RULECAT_CONF_HASHES" || custom_found=1
+
+# Check for ETPRO rules on airgap systems
+if [[ $is_airgap -eq 0 ]] && grep -q 'ETPRO ' /nsm/rules/suricata/emerging-all.rules 2>/dev/null; then
+    echo "ETPRO rules detected on airgap system - custom configuration"
+    echo "ETPRO rules detected on Airgap in /nsm/rules/suricata/emerging-all.rules" >> /opt/so/conf/soc/fingerprints/suricataengine.syncBlock
+    custom_found=1
+fi
+
+# If no custom configs found, remove syncBlock
+if [[ $custom_found -eq 0 ]]; then
+    echo "idstools migration completed successfully - removing Suricata engine syncBlock"
+    rm -f /opt/so/conf/soc/fingerprints/suricataengine.syncBlock
+else
+    echo "Custom idstools configuration detected - syncBlock remains in place"
+    echo "Review /opt/so/conf/soc/fingerprints/suricataengine.syncBlock for details"
+fi
+
+echo "Cleaning up idstools"
+echo "Stopping and removing the idstools container..."
+if [ -n "$(docker ps -q -f name=^so-idstools$)" ]; then
+    image_name=$(docker ps -a --filter name=^so-idstools$ --format '{{.Image}}' 2>/dev/null || true)
+    docker stop so-idstools || echo "Warning: failed to stop so-idstools container"
+    docker rm so-idstools || echo "Warning: failed to remove so-idstools container"
+
+    if [[ -n "$image_name" ]]; then
+        echo "Removing idstools image: $image_name"
+        docker rmi "$image_name" || echo "Warning: failed to remove image $image_name"
+    fi
+fi
+
+echo "Removing idstools symlink and scripts..."
+rm -rf /usr/sbin/so-idstools*
+sed -i '/^#\?so-idstools$/d' /opt/so/conf/so-status/so-status.conf
+crontab -l | grep -v 'so-rule-update' | crontab -
+
+# Backup the salt master config & manager pillar before editing it
+cp /opt/so/saltstack/local/pillar/minions/$MINIONID.sls /nsm/backup/detections-migration/2-4-200/
+cp /etc/salt/master  /nsm/backup/detections-migration/2-4-200/
+so-yaml.py remove /opt/so/saltstack/local/pillar/minions/$MINIONID.sls idstools
+so-yaml.py removelistitem /etc/salt/master file_roots.base /opt/so/rules/nids
+
+}
+
 determine_elastic_agent_upgrade() {
   if [[ $is_airgap -eq 0 ]]; then
     update_elastic_agent_airgap
@@ -1145,7 +1384,7 @@ unmount_update() {
 
 update_airgap_rules() {
   # Copy the rules over to update them for airgap.
-  rsync -a $UPDATE_DIR/agrules/suricata/* /nsm/rules/suricata/
+  rsync -a --delete $UPDATE_DIR/agrules/suricata/ /nsm/rules/suricata/etopen/
   rsync -a $UPDATE_DIR/agrules/detect-sigma/* /nsm/rules/detect-sigma/
   rsync -a $UPDATE_DIR/agrules/detect-yara/* /nsm/rules/detect-yara/
   # Copy the securityonion-resorces repo over for SOC Detection Summaries and checkout the published summaries branch
@@ -1394,6 +1633,243 @@ verify_latest_update_script() {
   fi
 
 }
+
+verify_es_version_compatibility() {
+
+  local es_required_version_statefile="/opt/so/state/so_es_required_upgrade_version.txt"
+  local es_verification_script="/tmp/so_intermediate_upgrade_verification.sh"
+  # supported upgrade paths for SO-ES versions
+  declare -A es_upgrade_map=(
+    ["8.14.3"]="8.17.3 8.18.4 8.18.6 8.18.8"
+    ["8.17.3"]="8.18.4 8.18.6 8.18.8"
+    ["8.18.4"]="8.18.6 8.18.8 9.0.8"
+    ["8.18.6"]="8.18.8 9.0.8"
+    ["8.18.8"]="9.0.8"
+  )
+
+  # Elasticsearch MUST upgrade through these versions
+  declare -A es_to_so_version=(
+    ["8.18.8"]="2.4.190-20251024"
+  )
+
+  # Get current Elasticsearch version
+  if es_version_raw=$(so-elasticsearch-query / --fail --retry 5 --retry-delay 10); then
+    es_version=$(echo "$es_version_raw" | jq -r '.version.number' )
+  else
+    echo "Could not determine current Elasticsearch version to validate compatibility with post soup Elasticsearch version."
+    exit 160
+  fi
+
+  if ! target_es_version=$(so-yaml.py get $UPDATE_DIR/salt/elasticsearch/defaults.yaml elasticsearch.version | sed -n '1p'); then
+    # so-yaml.py failed to get the ES version from upgrade versions elasticsearch/defaults.yaml file. Likely they are upgrading to an SO version older than 2.4.110 prior to the ES version pinning and should be OKAY to continue with the upgrade.
+
+    # if so-yaml.py failed to get the ES version AND the version we are upgrading to is newer than 2.4.110 then we should bail
+    if [[ $(cat $UPDATE_DIR/VERSION | cut -d'.' -f3) > 110 ]]; then
+      echo "Couldn't determine the target Elasticsearch version (post soup version) to ensure compatibility with current Elasticsearch version. Exiting"
+      exit 160
+    fi
+
+    # allow upgrade to version < 2.4.110 without checking ES version compatibility
+    return 0
+
+  fi
+
+  # if this statefile exists then we have done an intermediate upgrade and we need to ensure that ALL ES nodes have been upgraded to the version in the statefile before allowing soup to continue
+  if [[ -f "$es_required_version_statefile" ]]; then
+    # required so verification script should have already been created
+    if [[ ! -f "$es_verification_script" ]]; then
+        create_intermediate_upgrade_verification_script $es_verification_script
+    fi
+
+    local es_required_version_statefile_value=$(cat $es_required_version_statefile)
+    echo -e "\n##############################################################################################################################\n"
+    echo "A previously required intermediate Elasticsearch upgrade was detected. Verifying that all Searchnodes/Heavynodes have successfully upgraded Elasticsearch to $es_required_version_statefile_value before proceeding with soup to avoid potential data loss!"
+    # create script using version in statefile
+    timeout --foreground 4000 bash "$es_verification_script" "$es_required_version_statefile_value" "$es_required_version_statefile"
+    if [[ $? -ne 0 ]]; then
+        echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"
+
+        echo "A previous required intermediate Elasticsearch upgrade to $es_required_version_statefile_value has yet to successfully complete across the grid. Please allow time for all Searchnodes/Heavynodes to have upgraded Elasticsearch to $es_required_version_statefile_value before running soup again to avoid potential data loss!"
+
+        echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"
+        exit 161
+    fi
+    echo -e "\n##############################################################################################################################\n"
+  fi
+
+  if [[ " ${es_upgrade_map[$es_version]} " =~ " $target_es_version " || "$es_version" == "$target_es_version" ]]; then
+    # supported upgrade
+    return 0
+  else
+    compatible_versions=${es_upgrade_map[$es_version]}
+    next_step_so_version=${es_to_so_version[${compatible_versions##* }]}
+    echo -e "\n##############################################################################################################################\n"
+    echo -e "You are currently running Security Onion $INSTALLEDVERSION. You will need to update to version $next_step_so_version before updating to $(cat $UPDATE_DIR/VERSION).\n"
+
+    echo "${compatible_versions##* }" > "$es_required_version_statefile"
+
+    # We expect to upgrade to the latest compatiable minor version of ES
+    create_intermediate_upgrade_verification_script $es_verification_script
+
+    if [[ $is_airgap -eq 0 ]]; then
+      echo "You can download the $next_step_so_version ISO image from https://download.securityonion.net/file/securityonion/securityonion-$next_step_so_version.iso"
+      echo "*** Once you have updated to $next_step_so_version, you can then run soup again to update to $(cat $UPDATE_DIR/VERSION). ***"
+      echo -e "\n##############################################################################################################################\n"
+      exit 160
+    else
+      # preserve BRANCH value if set originally
+      if [[ -n "$BRANCH" ]]; then
+        local originally_requested_so_version="$BRANCH"
+      else
+        local originally_requested_so_version="2.4/main"
+      fi
+
+      echo "Starting automated intermediate upgrade to $next_step_so_version."
+      echo "After completion, the system will automatically attempt to upgrade to the latest version."
+      echo -e "\n##############################################################################################################################\n"
+      exec bash -c "BRANCH=$next_step_so_version soup -y && BRANCH=$next_step_so_version soup -y && \
+       echo -e \"\n##############################################################################################################################\n\" && \
+       echo -e \"Verifying Elasticsearch was successfully upgraded to ${compatible_versions##* } across the grid. This part can take a while as Searchnodes/Heavynodes sync up with the Manager! \n\nOnce verification completes the next soup will begin automatically. If verification takes longer than 1 hour it will stop waiting and your grid will remain at $next_step_so_version. Allowing for all Searchnodes/Heavynodes to upgrade Elasticsearch to the required version on their own time.\n\" \
+       && timeout --foreground 4000 bash /tmp/so_intermediate_upgrade_verification.sh ${compatible_versions##* } $es_required_version_statefile && \
+       echo -e \"\n##############################################################################################################################\n\" \
+       && BRANCH=$originally_requested_so_version soup -y && BRANCH=$originally_requested_so_version soup -y"
+    fi
+  fi
+
+}
+
+create_intermediate_upgrade_verification_script() {
+    # After an intermediate upgrade, verify that ALL nodes running Elasticsearch are at the expected version BEFORE proceeding to the next upgrade step. This is a CRITICAL step
+    local verification_script="$1"
+
+    cat << 'EOF' > "$verification_script"
+    #!/bin/bash
+
+    SOUP_INTERMEDIATE_UPGRADE_FAILURES_LOG_FILE="/root/so_intermediate_upgrade_verification_failures.log"
+    CURRENT_TIME=$(date +%Y%m%d.%H%M%S)
+    EXPECTED_ES_VERSION="$1"
+
+    if [[ -z "$EXPECTED_ES_VERSION" ]]; then
+        echo -e "\nExpected Elasticsearch version not provided. Usage: $0 <expected_es_version>"
+        exit 1
+    fi
+
+    if [[ -f "$SOUP_INTERMEDIATE_UPGRADE_FAILURES_LOG_FILE" ]]; then
+        mv "$SOUP_INTERMEDIATE_UPGRADE_FAILURES_LOG_FILE" "$SOUP_INTERMEDIATE_UPGRADE_FAILURES_LOG_FILE.$CURRENT_TIME"
+    fi
+
+    check_heavynodes_es_version() {
+        # Check if heavynodes are in this grid
+        if ! salt-key -l accepted | grep -q 'heavynode$'; then
+
+            # No heavynodes, skip version check
+            echo "No heavynodes detected in this Security Onion deployment. Skipping heavynode Elasticsearch version verification."
+            return 0
+        fi
+
+        echo -e "\nOne or more heavynodes detected. Verifying their Elasticsearch versions."
+
+        local retries=20
+        local retry_count=0
+        local delay=180
+
+        while [[ $retry_count -lt $retries ]]; do
+            # keep stderr with variable for logging
+            heavynode_versions=$(salt -C 'G@role:so-heavynode' cmd.run 'so-elasticsearch-query / --retry 3 --retry-delay 10 | jq ".version.number"' shell=/bin/bash --out=json 2> /dev/null)
+            local exit_status=$?
+
+            # Check that all heavynodes returned good data
+            if [[ $exit_status -ne 0 ]]; then
+                echo "Failed to retrieve Elasticsearch version from one or more heavynodes... Retrying in $delay seconds. Attempt $((retry_count + 1)) of $retries."
+                ((retry_count++))
+                sleep $delay
+
+                continue
+            else
+                if echo "$heavynode_versions" | jq -s --arg expected "\"$EXPECTED_ES_VERSION\"" --exit-status 'all(.[]; . | to_entries | all(.[]; .value == $expected))' > /dev/null; then
+                    echo -e "\nAll heavynodes are at the expected Elasticsearch version $EXPECTED_ES_VERSION."
+
+                    return 0
+                else
+                    echo "One or more heavynodes are not at the expected Elasticsearch version $EXPECTED_ES_VERSION. Rechecking in $delay seconds. Attempt $((retry_count + 1)) of $retries."
+                    ((retry_count++))
+                    sleep $delay
+
+                    continue
+                fi
+            fi
+        done
+
+        echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"
+        echo "One or more heavynodes is not at the expected Elasticsearch version $EXPECTED_ES_VERSION."
+        echo "Current versions:"
+        echo "$heavynode_versions" | jq -s 'add'
+        echo "$heavynode_versions" | jq -s 'add' >> "$SOUP_INTERMEDIATE_UPGRADE_FAILURES_LOG_FILE"
+        echo -e "\n Stopping automatic upgrade to latest Security Onion version. Heavynodes must ALL be at Elasticsearch version $EXPECTED_ES_VERSION before proceeding with the next upgrade step to avoid potential data loss!"
+        echo -e "\n Heavynodes will upgrade themselves to Elasticsearch $EXPECTED_ES_VERSION on their own, but this process can take a long time depending on network link between Manager and Heavynodes."
+        echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"
+
+        return 1
+    }
+
+    check_searchnodes_es_version() {
+        local retries=20
+        local retry_count=0
+        local delay=180
+
+        while [[ $retry_count -lt $retries ]]; do
+            # keep stderr with variable for logging
+            cluster_versions=$(so-elasticsearch-query _nodes/_all/version --retry 5 --retry-delay 10 --fail 2>&1)
+            local exit_status=$?
+
+            if [[ $exit_status -ne 0 ]]; then
+                echo "Failed to retrieve Elasticsearch versions from searchnodes... Retrying in $delay seconds. Attempt $((retry_count + 1)) of $retries."
+                ((retry_count++))
+                sleep $delay
+
+                continue
+            else
+                if echo "$cluster_versions" | jq --arg expected "$EXPECTED_ES_VERSION" --exit-status '.nodes | to_entries | all(.[].value.version; . == $expected)' > /dev/null; then
+                    echo "All Searchnodes are at the expected Elasticsearch version $EXPECTED_ES_VERSION."
+
+                    return 0
+                else
+                    echo "One or more Searchnodes is not at the expected Elasticsearch version $EXPECTED_ES_VERSION. Rechecking in $delay seconds. Attempt $((retry_count + 1)) of $retries."
+                    ((retry_count++))
+                    sleep $delay
+
+                    continue
+                fi
+            fi
+        done
+
+        echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"
+        echo "One or more Searchnodes is not at the expected Elasticsearch version $EXPECTED_ES_VERSION."
+        echo "Current versions:"
+        echo "$cluster_versions" | jq '.nodes | to_entries | map({(.value.name): .value.version}) | sort | add'
+        echo "$cluster_versions" >> "$SOUP_INTERMEDIATE_UPGRADE_FAILURES_LOG_FILE"
+        echo -e "\nStopping automatic upgrade to latest version. Searchnodes must ALL be at Elasticsearch version $EXPECTED_ES_VERSION before proceeding with the next upgrade step to avoid potential data loss!"
+        echo -e "\nSearchnodes will upgrade themselves to Elasticsearch $EXPECTED_ES_VERSION on their own, but this process can take a while depending on cluster size / network link between Manager and Searchnodes."
+        echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"
+
+        echo "$cluster_versions" > "$SOUP_INTERMEDIATE_UPGRADE_FAILURES_LOG_FILE"
+
+        return 1
+
+    }
+
+    # Need to add a check for heavynodes and ensure all heavynodes get their own "cluster" upgraded before moving on to final upgrade.
+    check_searchnodes_es_version || exit 1
+    check_heavynodes_es_version || exit 1
+
+    # Remove required version state file after successful verification
+    rm -f "$2"
+
+    exit 0
+
+EOF
+}
+
 # Keeping this block in case we need to do a hotfix that requires salt update
 apply_hotfix() {
   if [[ "$INSTALLEDVERSION" == "2.4.20" ]] ; then
@@ -1490,6 +1966,8 @@ main() {
   echo "Verifying we have the latest soup script."
   verify_latest_update_script
 
+  verify_es_version_compatibility
+
   echo "Let's see if we need to update Security Onion."
   upgrade_check
   upgrade_space
@@ -1655,7 +2133,7 @@ main() {
       if [[ $is_airgap -eq 0 ]]; then
         echo ""
         echo "Cleaning repos on remote Security Onion nodes."
-        salt -C 'not *_eval and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' cmd.run "yum clean all"
+        salt -C 'not *_eval and not *_manager* and not *_standalone and G@os:OEL' cmd.run "dnf clean all"
         echo ""
       fi
     fi

salt/salt/files/engines.conf

@@ -6,30 +6,6 @@ engines:
       interval: 60
   - pillarWatch:
       fpa:
-        - files:
-            - /opt/so/saltstack/local/pillar/idstools/soc_idstools.sls
-            - /opt/so/saltstack/local/pillar/idstools/adv_idstools.sls
-          pillar: idstools.config.ruleset
-          default: ETOPEN
-          actions:
-            from:
-              '*':
-                to:
-                  '*':
-                  - cmd.run:
-                      cmd: /usr/sbin/so-rule-update
-        - files:
-            - /opt/so/saltstack/local/pillar/idstools/soc_idstools.sls
-            - /opt/so/saltstack/local/pillar/idstools/adv_idstools.sls
-          pillar: idstools.config.oinkcode
-          default: ''
-          actions:
-            from:
-              '*':
-                to:
-                  '*':
-                  - cmd.run:
-                      cmd: /usr/sbin/so-rule-update
         - files:
             - /opt/so/saltstack/local/pillar/global/soc_global.sls
             - /opt/so/saltstack/local/pillar/global/adv_global.sls

salt/sensoroni/files/templates/reports/standard/assistant_session_report.md

@@ -0,0 +1,91 @@
+Onion AI Session Report
+==========================
+
+## Session Details
+
+**Session ID:** {{.Session.SessionId}}
+
+**Title:** {{.Session.Title}}
+
+**Created:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .Session.CreateTime}}
+
+**Updated:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .Session.UpdateTime}}
+
+{{ if .Session.DeleteTime }}
+**Deleted:** {{ formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .Session.DeleteTime}}
+{{ end }}
+
+**User ID:** {{getUserDetail "email" .Session.UserId}}
+
+## Session Usage
+
+**Total Input Tokens** {{.Session.Usage.TotalInputTokens}}
+
+**Total Output Tokens** {{.Session.Usage.TotalOutputTokens}}
+
+**Total Credits:** {{.Session.Usage.TotalCredits}}
+
+**Total Messages:** {{.Session.Usage.TotalMessages}}
+
+## Messages
+
+{{ range $index, $msg := sortAssistantMessages "CreateTime" "asc" .History }}
+#### Message {{ add $index 1 }}
+
+**Created:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" $msg.CreateTime}}
+
+**User ID:** {{getUserDetail "email" $msg.UserId}}
+
+**Role:** {{$msg.Message.Role}}
+
+{{ range $i, $block := $msg.Message.ContentBlocks }}
+
+---
+
+{{ if eq $block.Type "text" }}
+**Text:** {{ stripEmoji $block.Text }}
+{{ else if eq $block.Type "tool_use" }}
+**Tool:** {{ $block.Name }}
+{{ if $block.Input }}
+**Parameters:**
+{{ range $key, $value := parseJSON $block.Input }}
+{{ if eq $key "limit" }}- {{ $key }}: {{ $value }}
+{{ else }}- {{ $key }}: "{{ $value }}"
+{{ end }}{{ end }}{{ end }}
+{{ else if $block.ToolResult }}
+**Tool Result:**
+{{ if $block.ToolResult.Content }}
+{{ range $j, $contentBlock := $block.ToolResult.Content }}
+{{ if gt $j 0 }}
+
+---
+
+{{ end }}
+{{ if $contentBlock.Text }}
+{{ if $block.ToolResult.IsError }}
+**Error:** {{ $contentBlock.Text }}
+{{ else }}
+{{ $contentBlock.Text }}
+{{ end }}
+{{ else if $contentBlock.Json }}
+```json
+{{ toJSON $contentBlock.Json }}
+```
+{{ end }}{{ end }}
+{{ end }}{{ end }}{{ end }}
+
+{{ if eq $msg.Message.Role "assistant" }}{{ if $msg.Message.Usage }}
+
+---
+
+**Message Usage:**
+
+- Input Tokens: {{$msg.Message.Usage.InputTokens}}
+- Output Tokens: {{$msg.Message.Usage.OutputTokens}}
+- Credits: {{$msg.Message.Usage.Credits}}
+
+{{end}}{{end}}
+
+---
+
+{{end}}

salt/sensoroni/files/templates/reports/standard/case_report.md

@@ -130,4 +130,42 @@ Security Onion Case Report
 | ---- | ---- | ------ | --------- |
 {{ range sortHistory "CreateTime" "asc" .History -}}
 | {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .CreateTime}} | {{getUserDetail "email" .UserId}} | {{.Kind}} | {{.Operation}} |
+{{end}}
+
+## Attached Onion AI Sessions
+
+{{ range $idx, $session := sortAssistantSessionDetails "CreateTime" "desc" .AssistantSessions }}
+
+#### Session {{ add $idx 1 }}
+
+**Session ID:** {{$session.Session.SessionId}}
+
+**Title:** {{$session.Session.Title}}
+
+**User ID:** {{getUserDetail "email" $session.Session.UserId}}
+
+**Created:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" $session.Session.CreateTime}}
+
+**Updated:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" $session.Session.UpdateTime}}
+
+{{ if $session.Session.DeleteTime }}
+**Deleted:** {{ formatDateTime "Mon Jan 02 15:04:05 -0700 2006" $session.Session.DeleteTime}}
+{{ end }}
+
+#### Messages
+
+{{ range $index, $msg := sortAssistantMessages "CreateTime" "asc" $session.History }}
+{{ range $i, $block := $msg.Message.ContentBlocks }}
+
+{{ if eq $block.Type "text" }}
+
+**Role:** {{$msg.Message.Role}}
+
+{{ stripEmoji $block.Text }}
+
+---
+
+{{ end }}{{ end }}
+
+{{end}}
 {{end}}

salt/sensoroni/soc_sensoroni.yaml

@@ -357,7 +357,7 @@ sensoroni:
       reports:
         standard:
           case_report__md:
-            title: Case report Template
+            title: Case Report Template
             description: The template used when generating a case report. Supports markdown format.
             file: True
             global: True
@@ -370,6 +370,13 @@ sensoroni:
             global: True
             syntax: md
             helpLink: reports.html
+          assistant_session_report__md:
+            title: Assistant Session Report Template
+            description: The template used when generating an assistant session report. Supports markdown format.
+            file: True
+            global: True
+            syntax: md
+            helplink: reports.html
         custom:
           generic_report1__md:
             title: Custom Report 1

salt/soc/config.sls

@@ -215,7 +215,6 @@ socsensoronirepos:
     - mode: 775
     - makedirs: True
 
-
 create_custom_local_yara_repo_template:
   git.present:
     - name: /nsm/rules/custom-local-repos/local-yara
@@ -249,6 +248,39 @@ add_readme_custom_local_sigma_repo_template:
     - context:
         repo_type: "sigma"
 
+create_custom_local_suricata_repo_template:
+  git.present:
+    - name: /nsm/rules/custom-local-repos/local-suricata
+    - bare: False
+    - force: True
+
+add_readme_custom_local_suricata_repo_template:
+  file.managed:
+    - name: /nsm/rules/custom-local-repos/local-suricata/README
+    - source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
+    - user: 939
+    - group: 939
+    - template: jinja
+    - context:
+        repo_type: "suricata"
+
+etpro_airgap_folder:
+  file.directory:
+    - name: /nsm/rules/custom-local-repos/local-etpro-suricata
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+add_readme_etpro_airgap_template:
+  file.managed:
+    - name: /nsm/rules/custom-local-repos/local-etpro-suricata/README
+    - source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
+    - user: 939
+    - group: 939
+    - template: jinja
+    - context:
+        repo_type: "suricata-etpro"
+
 socore_own_custom_repos:
   file.directory:
     - name: /nsm/rules/custom-local-repos/

salt/soc/defaults.yaml

@@ -115,16 +115,16 @@ soc:
       ':kratos:':
         - soc_timestamp
         - event.dataset
-        - http_request.headers.x-real-ip
+        - http.request.headers.x-real-ip
         - user.name
-        - http_request.headers.user-agent
+        - http.useragent
         - msg
       ':hydra:':
         - soc_timestamp
         - event.dataset
-        - http_request.headers.x-real-ip
+        - http.request.headers.x-real-ip
         - user.name
-        - http_request.headers.user-agent
+        - http.useragent
         - msg
       '::conn':
         - soc_timestamp
@@ -1563,12 +1563,105 @@ soc:
           disableRegex: []
           enableRegex: []
           failAfterConsecutiveErrorCount: 10
-          communityRulesFile: /nsm/rules/suricata/emerging-all.rules
           rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint
           stateFilePath: /opt/sensoroni/fingerprints/suricataengine.state
           integrityCheckFrequencySeconds: 1200
           ignoredSidRanges:
             - '1100000-1101000'
+          rulesetSources:
+            default:
+              - name: Emerging-Threats
+                description: "Emerging Threats ruleset - To enable ET Pro, enter your license key below. Leave empty for ET Open (free) rules."
+                licenseKey: ""
+                enabled: true
+                sourceType: url
+                sourcePath: 'https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz'
+                urlHash: "https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz.md5"
+                license: "BSD"
+                excludeFiles:
+                  - "*deleted*"
+                  - "*retired*"
+                proxyURL: ""
+                proxyUsername: ""
+                proxyPassword: ""
+                proxyCACert: ""
+                insecureSkipVerify: false
+                readOnly: true
+                deleteUnreferenced: true
+              - name: ABUSECH-SSLBL
+                deleteUnreferenced: true
+                description: 'Abuse.ch SSL Blacklist'
+                enabled: false
+                license: CC0-1.0
+                readOnly: true
+                sourcePath: https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.tar.gz
+                sourceType: url
+              - name: local-rules
+                description: "Local rules from files (*.rules) in a directory on the filesystem"
+                license: "custom"
+                sourceType: directory
+                sourcePath: /nsm/rules/custom-local-repos/local-suricata
+                readOnly: false
+                deleteUnreferenced: false
+                enabled: true
+              - name: SO_FILTERS
+                deleteUnreferenced: true
+                description: Filter rules for when Suricata is set as the metadata engine
+                enabled: false
+                license: Elastic-2.0
+                readOnly: true
+                sourcePath: /nsm/rules/suricata/so_filters.rules
+                sourceType: directory
+              - name: SO_EXTRACTIONS
+                description: Extraction rules for when Suricata is set as the metadata engine
+                deleteUnreferenced: true
+                enabled: false
+                license: Elastic-2.0
+                readOnly: true
+                sourcePath: /nsm/rules/suricata/so_extraction.rules
+                sourceType: directory
+            airgap:
+              - name: Emerging-Threats
+                description: "Emerging Threats ruleset - To enable ET Pro on Airgap, review the documentation at https://docs.securityonion.net/suricata"
+                licenseKey: ""
+                enabled: true
+                sourceType: directory
+                sourcePath: /nsm/rules/suricata/etopen/
+                license: "BSD"
+                excludeFiles:
+                  - "*deleted*"
+                  - "*retired*"
+                proxyURL: ""
+                proxyUsername: ""
+                proxyPassword: ""
+                proxyCACert: ""
+                insecureSkipVerify: false
+                readOnly: true
+                deleteUnreferenced: true
+              - name: local-rules
+                description: "Local rules from files (*.rules) in a directory on the filesystem"
+                license: "custom"
+                sourceType: directory
+                sourcePath: /nsm/rules/custom-local-repos/local-suricata
+                readOnly: false
+                deleteUnreferenced: false
+                enabled: true
+              - name: SO_FILTERS
+                deleteUnreferenced: true
+                description: Filter rules for when Suricata is set as the metadata engine
+                enabled: false
+                license: Elastic-2.0
+                readOnly: true
+                sourcePath: /nsm/rules/suricata/so_filters.rules
+                sourceType: directory
+              - name: SO_EXTRACTIONS
+                description: Extraction rules for when Suricata is set as the metadata engine
+                deleteUnreferenced: true
+                enabled: false
+                license: Elastic-2.0
+                readOnly: true
+                sourcePath: /nsm/rules/suricata/so_extraction.rules
+                sourceType: directory
         navigator:
           intervalMinutes: 30
           outputPath: /opt/sensoroni/navigator
@@ -1654,7 +1747,7 @@ soc:
               showSubtitle: true
             - name: SOC - Auth
               description: Users authenticated to SOC grouped by IP address and identity
-              query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip user.name'
+              query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http.request.headers.x-real-ip user.name'
               showSubtitle: true
             - name: SOC - App
               description: Logs generated by the Security Onion Console (SOC) server and modules
@@ -1934,10 +2027,10 @@ soc:
               query: '* | groupby event.category | groupby -sankey event.category event.module | groupby event.module | groupby -sankey event.module event.dataset | groupby event.dataset | groupby observer.name | groupby host.name | groupby source.ip | groupby destination.ip | groupby destination.port'
             - name: SOC Logins
               description: SOC (Security Onion Console) logins
-              query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip | groupby -sankey http_request.headers.x-real-ip user.name | groupby user.name | groupby http_request.headers.user-agent'
+              query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http.request.headers.x-real-ip | groupby -sankey http.request.headers.x-real-ip user.name | groupby user.name | groupby http.useragent'
             - name: SOC Login Failures
               description: SOC (Security Onion Console) login failures
-              query: 'event.dataset:kratos.audit AND msg:*Encountered*self-service*login*error* | groupby user.name | groupby http_request.headers.x-real-ip | groupby -sankey http_request.headers.x-real-ip http_request.headers.user-agent | groupby http_request.headers.user-agent'
+              query: 'event.dataset:kratos.audit AND msg:*Encountered*self-service*login*error* | groupby user.name | groupby http.request.headers.x-real-ip | groupby -sankey http.request.headers.x-real-ip http.useragent | groupby http.useragent'
             - name: Alerts
               description: Overview of all alerts
               query: 'tags:alert | groupby event.module* | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby rule.name | groupby event.severity | groupby destination.as.organization.name'
@@ -2559,26 +2652,16 @@ soc:
           thresholdColorRatioMed: 0.75
           thresholdColorRatioMax: 1
           availableModels:
-            - id: sonnet-4
-              displayName: Claude Sonnet 4
-              contextLimitSmall: 200000
-              contextLimitLarge: 1000000
-              lowBalanceColorAlert: 500000
-              enabled: true
             - id: sonnet-4.5
-              displayName: Claude Sonnet 4.5
+              displayName: Claude Sonnet 4.5 ($$$)
+              origin: USA
               contextLimitSmall: 200000
               contextLimitLarge: 1000000
               lowBalanceColorAlert: 500000
               enabled: true
-            - id: gptoss-120b
-              displayName: GPT-OSS 120B
-              contextLimitSmall: 128000
-              contextLimitLarge: 128000
-              lowBalanceColorAlert: 500000
-              enabled: true
             - id: qwen-235b
-              displayName: QWEN 235B
+              displayName: QWEN 235B ($)
+              origin: China
               contextLimitSmall: 256000
               contextLimitLarge: 256000
               lowBalanceColorAlert: 500000

salt/soc/enabled.sls

@@ -27,7 +27,8 @@ so-soc:
       - /opt/so/conf/strelka:/opt/sensoroni/yara:rw
       - /opt/so/conf/sigma:/opt/sensoroni/sigma:rw
       - /opt/so/rules/elastalert/rules:/opt/sensoroni/elastalert:rw
-      - /opt/so/rules/nids/suri:/opt/sensoroni/nids:ro
+      - /opt/so/saltstack/local/salt/suricata/rules:/opt/sensoroni/suricata/rules:rw
+      - /opt/so/saltstack/local/salt/suricata/files:/opt/sensoroni/suricata/threshold:rw
       - /opt/so/conf/soc/fingerprints:/opt/sensoroni/fingerprints:rw
       - /nsm/soc/jobs:/opt/sensoroni/jobs:rw
       - /nsm/soc/uploads:/nsm/soc/uploads:rw

salt/soc/files/soc/detections_custom_repo_template_readme.jinja

@@ -45,6 +45,61 @@ Finally, commit it:
 The next time the Strelka / YARA engine syncs, the new rule should be imported
 If there are errors, review the sync log to troubleshoot further.
 
+{% elif repo_type == 'suricata' %}
+# Suricata Local Custom Rules Repository
+
+This folder has already been initialized as a git repo 
+and your Security Onion grid is configured to import any Suricata rule files found here. 
+
+Just add your rule file and commit it.
+
+For example:
+
+** Note: If this is your first time making changes to this repo, you may run into the following error:
+
+fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-suricata'
+To add an exception for this directory, call:
+	git config --global --add safe.directory /nsm/rules/custom-local-repos/local-suricata
+
+This means that the user you are running commands as does not match the user that is used for this git repo (socore).
+You will need to make sure your rule files are accessible to the socore user, so either su to socore 
+or add the exception and then chown the rule files later.
+
+Also, you will be asked to set some configuration:
+```
+Author identity unknown
+*** Please tell me who you are.
+Run
+  git config --global user.email "you@example.com"
+  git config --global user.name "Your Name"
+to set your account's default identity.
+Omit --global to set the identity only in this repository.
+```
+
+Run these commands, ommitting the `--global`.
+
+With that out of the way:
+
+First, create the rule file with a .rules extension:
+`vi my_custom_rules.rules`
+
+Next, use git to stage the new rule to be committed:
+`git add my_custom_rules.rules`
+
+Finally, commit it:
+`git commit -m "Initial commit of my_custom_rule.rules"`
+
+The next time the Suricata engine syncs, the new rule/s should be imported
+If there are errors, review the sync log to troubleshoot further.
+
+{% elif repo_type == 'suricata-etpro' %}
+# Suricata ETPRO - Airgap
+
+This folder has been initialized for use with ETPRO during Airgap deployment.
+
+Just add your ETPRO rule/s file to this folder and the Suricata engine will import them.
+
+If there are errors, review the sync log to troubleshoot further.
 {% elif repo_type == 'sigma' %}
 # Sigma Local Custom Rules Repository
 

salt/soc/files/soc/so-detections-backup.py

@@ -6,6 +6,7 @@
 # This script queries Elasticsearch for Custom Detections and all Overrides,
 # and git commits them to disk at $OUTPUT_DIR
 
+import argparse
 import os
 import subprocess
 import json
@@ -18,10 +19,10 @@ from datetime import datetime
 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 
 # Constants
-ES_URL = "https://localhost:9200/so-detection/_search"
+DEFAULT_INDEX = "so-detection"
+DEFAULT_OUTPUT_DIR = "/nsm/backup/detections/repo"
 QUERY_DETECTIONS = '{"query": {"bool": {"must": [{"match_all": {}}, {"term": {"so_detection.ruleset": "__custom__"}}]}},"size": 10000}'
 QUERY_OVERRIDES = '{"query": {"bool": {"must": [{"exists": {"field": "so_detection.overrides"}}]}},"size": 10000}'
-OUTPUT_DIR = "/nsm/backup/detections/repo"
 AUTH_FILE = "/opt/so/conf/elasticsearch/curl.config"
 
 def get_auth_credentials(auth_file):
@@ -30,9 +31,10 @@ def get_auth_credentials(auth_file):
             if line.startswith('user ='):
                 return line.split('=', 1)[1].strip().replace('"', '')
 
-def query_elasticsearch(query, auth):
+def query_elasticsearch(query, auth, index):
+    url = f"https://localhost:9200/{index}/_search"
     headers = {"Content-Type": "application/json"}
-    response = requests.get(ES_URL, headers=headers, data=query, auth=auth, verify=False)
+    response = requests.get(url, headers=headers, data=query, auth=auth, verify=False)
     response.raise_for_status()
     return response.json()
 
@@ -47,12 +49,12 @@ def save_content(hit, base_folder, subfolder="", extension="txt"):
         f.write(content)
     return file_path
 
-def save_overrides(hit):
+def save_overrides(hit, output_dir):
     so_detection = hit["_source"]["so_detection"]
     public_id = so_detection["publicId"]
     overrides = so_detection["overrides"]
     language = so_detection["language"]
-    folder = os.path.join(OUTPUT_DIR, language, "overrides")
+    folder = os.path.join(output_dir, language, "overrides")
     os.makedirs(folder, exist_ok=True)
     extension = "yaml" if language == "sigma" else "txt"
     file_path = os.path.join(folder, f"{public_id}.{extension}")
@@ -60,20 +62,20 @@ def save_overrides(hit):
         f.write('\n'.join(json.dumps(override) for override in overrides) if isinstance(overrides, list) else overrides)
     return file_path
 
-def ensure_git_repo():
-    if not os.path.isdir(os.path.join(OUTPUT_DIR, '.git')):
+def ensure_git_repo(output_dir):
+    if not os.path.isdir(os.path.join(output_dir, '.git')):
         subprocess.run(["git", "config", "--global", "init.defaultBranch", "main"], check=True)
-        subprocess.run(["git", "-C", OUTPUT_DIR, "init"], check=True)
-        subprocess.run(["git", "-C", OUTPUT_DIR, "remote", "add", "origin", "default"], check=True)
+        subprocess.run(["git", "-C", output_dir, "init"], check=True)
+        subprocess.run(["git", "-C", output_dir, "remote", "add", "origin", "default"], check=True)
 
-def commit_changes():
-    ensure_git_repo()
-    subprocess.run(["git", "-C", OUTPUT_DIR, "config", "user.email", "securityonion@local.invalid"], check=True)
-    subprocess.run(["git", "-C", OUTPUT_DIR, "config", "user.name", "securityonion"], check=True)
-    subprocess.run(["git", "-C", OUTPUT_DIR, "add", "."], check=True)
-    status_result = subprocess.run(["git", "-C", OUTPUT_DIR, "status"], capture_output=True, text=True)
+def commit_changes(output_dir):
+    ensure_git_repo(output_dir)
+    subprocess.run(["git", "-C", output_dir, "config", "user.email", "securityonion@local.invalid"], check=True)
+    subprocess.run(["git", "-C", output_dir, "config", "user.name", "securityonion"], check=True)
+    subprocess.run(["git", "-C", output_dir, "add", "."], check=True)
+    status_result = subprocess.run(["git", "-C", output_dir, "status"], capture_output=True, text=True)
     print(status_result.stdout)
-    commit_result = subprocess.run(["git", "-C", OUTPUT_DIR, "commit", "-m", "Update detections and overrides"], check=False, capture_output=True)
+    commit_result = subprocess.run(["git", "-C", output_dir, "commit", "-m", "Update detections and overrides"], check=False, capture_output=True)
     if commit_result.returncode == 1:
         print("No changes to commit.")
     elif commit_result.returncode == 0:
@@ -81,29 +83,41 @@ def commit_changes():
     else:
         commit_result.check_returncode()
 
+def parse_args():
+    parser = argparse.ArgumentParser(description="Backup custom detections and overrides from Elasticsearch")
+    parser.add_argument("--output", "-o", default=DEFAULT_OUTPUT_DIR,
+                        help=f"Output directory for backups (default: {DEFAULT_OUTPUT_DIR})")
+    parser.add_argument("--index", "-i", default=DEFAULT_INDEX,
+                        help=f"Elasticsearch index to query (default: {DEFAULT_INDEX})")
+    return parser.parse_args()
+
 def main():
+    args = parse_args()
+    output_dir = args.output
+    index = args.index
+
     try:
         timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
-        print(f"Backing up Custom Detections and all Overrides to {OUTPUT_DIR} - {timestamp}\n")
-        
-        os.makedirs(OUTPUT_DIR, exist_ok=True)
+        print(f"Backing up Custom Detections and all Overrides to {output_dir} - {timestamp}\n")
+
+        os.makedirs(output_dir, exist_ok=True)
 
         auth_credentials = get_auth_credentials(AUTH_FILE)
         username, password = auth_credentials.split(':', 1)
         auth = HTTPBasicAuth(username, password)
-        
+
         # Query and save custom detections
-        detections = query_elasticsearch(QUERY_DETECTIONS, auth)["hits"]["hits"]
+        detections = query_elasticsearch(QUERY_DETECTIONS, auth, index)["hits"]["hits"]
         for hit in detections:
-            save_content(hit, OUTPUT_DIR, hit["_source"]["so_detection"]["language"], "yaml" if hit["_source"]["so_detection"]["language"] == "sigma" else "txt")
-        
+            save_content(hit, output_dir, hit["_source"]["so_detection"]["language"], "yaml" if hit["_source"]["so_detection"]["language"] == "sigma" else "txt")
+
         # Query and save overrides
-        overrides = query_elasticsearch(QUERY_OVERRIDES, auth)["hits"]["hits"]
+        overrides = query_elasticsearch(QUERY_OVERRIDES, auth, index)["hits"]["hits"]
         for hit in overrides:
-            save_overrides(hit)
-        
-        commit_changes()
-        
+            save_overrides(hit, output_dir)
+
+        commit_changes(output_dir)
+
         timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
         print(f"Backup Completed - {timestamp}")
     except Exception as e:

salt/soc/files/soc/so-detections-backup_test.py

@@ -57,12 +57,12 @@ class TestBackupScript(unittest.TestCase):
         mock_response.json.return_value = {'hits': {'hits': []}}
         mock_response.raise_for_status = MagicMock()
         mock_get.return_value = mock_response
-        
-        response = ds.query_elasticsearch(ds.QUERY_DETECTIONS, self.auth)
-        
+
+        response = ds.query_elasticsearch(ds.QUERY_DETECTIONS, self.auth, ds.DEFAULT_INDEX)
+
         self.assertEqual(response, {'hits': {'hits': []}})
         mock_get.assert_called_once_with(
-            ds.ES_URL,
+            f"https://localhost:9200/{ds.DEFAULT_INDEX}/_search",
             headers={"Content-Type": "application/json"},
             data=ds.QUERY_DETECTIONS,
             auth=self.auth,
@@ -81,7 +81,7 @@ class TestBackupScript(unittest.TestCase):
     @patch('os.makedirs')
     @patch('builtins.open', new_callable=mock_open)
     def test_save_overrides(self, mock_file, mock_makedirs):
-        file_path = ds.save_overrides(self.mock_override_hit)
+        file_path = ds.save_overrides(self.mock_override_hit, self.output_dir)
         expected_path = f'{self.output_dir}/sigma/overrides/test_id.yaml'
         self.assertEqual(file_path, expected_path)
         mock_makedirs.assert_called_once_with(f'{self.output_dir}/sigma/overrides', exist_ok=True)
@@ -90,9 +90,9 @@ class TestBackupScript(unittest.TestCase):
     @patch('subprocess.run')
     def test_ensure_git_repo(self, mock_run):
         mock_run.return_value = MagicMock(returncode=0)
-        
-        ds.ensure_git_repo()
-        
+
+        ds.ensure_git_repo(self.output_dir)
+
         mock_run.assert_has_calls([
             call(["git", "config", "--global", "init.defaultBranch", "main"], check=True),
             call(["git", "-C", self.output_dir, "init"], check=True),
@@ -106,9 +106,9 @@ class TestBackupScript(unittest.TestCase):
         mock_commit_result = MagicMock(returncode=1)
         # Ensure sufficient number of MagicMock instances for each subprocess.run call
         mock_run.side_effect = [mock_status_result, mock_commit_result, MagicMock(returncode=0), MagicMock(returncode=0), MagicMock(returncode=0), MagicMock(returncode=0), MagicMock(returncode=0), MagicMock(returncode=0)]
-        
+
         print("Running test_commit_changes...")
-        ds.commit_changes()
+        ds.commit_changes(self.output_dir)
         print("Finished test_commit_changes.")
 
         mock_run.assert_has_calls([
@@ -120,39 +120,45 @@ class TestBackupScript(unittest.TestCase):
         ])
 
     @patch('builtins.print')
-    @patch('so-detections-backup.commit_changes')
-    @patch('so-detections-backup.save_overrides')
-    @patch('so-detections-backup.save_content')
-    @patch('so-detections-backup.query_elasticsearch')
-    @patch('so-detections-backup.get_auth_credentials')
+    @patch.object(ds, 'commit_changes')
+    @patch.object(ds, 'save_overrides')
+    @patch.object(ds, 'save_content')
+    @patch.object(ds, 'query_elasticsearch')
+    @patch.object(ds, 'get_auth_credentials')
     @patch('os.makedirs')
-    def test_main(self, mock_makedirs, mock_get_auth, mock_query, mock_save_content, mock_save_overrides, mock_commit, mock_print):
+    @patch.object(ds, 'parse_args')
+    def test_main(self, mock_parse_args, mock_makedirs, mock_get_auth, mock_query, mock_save_content, mock_save_overrides, mock_commit, mock_print):
+        mock_args = MagicMock()
+        mock_args.output = self.output_dir
+        mock_args.index = ds.DEFAULT_INDEX
+        mock_parse_args.return_value = mock_args
         mock_get_auth.return_value = self.auth_credentials
         mock_query.side_effect = [
             {'hits': {'hits': [{"_source": {"so_detection": {"publicId": "1", "content": "content1", "language": "sigma"}}}]}},
             {'hits': {'hits': [{"_source": {"so_detection": {"publicId": "2", "overrides": [{"key": "value"}], "language": "suricata"}}}]}}
         ]
-        
+
         with patch('datetime.datetime') as mock_datetime:
             mock_datetime.now.return_value.strftime.return_value = "2024-05-23 20:49:44"
             ds.main()
-        
+
         mock_makedirs.assert_called_once_with(self.output_dir, exist_ok=True)
         mock_get_auth.assert_called_once_with(ds.AUTH_FILE)
         mock_query.assert_has_calls([
-            call(ds.QUERY_DETECTIONS, self.auth),
-            call(ds.QUERY_OVERRIDES, self.auth)
+            call(ds.QUERY_DETECTIONS, self.auth, ds.DEFAULT_INDEX),
+            call(ds.QUERY_OVERRIDES, self.auth, ds.DEFAULT_INDEX)
         ])
         mock_save_content.assert_called_once_with(
-            {"_source": {"so_detection": {"publicId": "1", "content": "content1", "language": "sigma"}}}, 
-            self.output_dir, 
-            "sigma", 
+            {"_source": {"so_detection": {"publicId": "1", "content": "content1", "language": "sigma"}}},
+            self.output_dir,
+            "sigma",
             "yaml"
         )
         mock_save_overrides.assert_called_once_with(
-            {"_source": {"so_detection": {"publicId": "2", "overrides": [{"key": "value"}], "language": "suricata"}}}
+            {"_source": {"so_detection": {"publicId": "2", "overrides": [{"key": "value"}], "language": "suricata"}}},
+            self.output_dir
         )
-        mock_commit.assert_called_once()
+        mock_commit.assert_called_once_with(self.output_dir)
         mock_print.assert_called()
 
 if __name__ == '__main__':

salt/soc/merged.map.jinja

@@ -50,17 +50,104 @@
 {%   do SOCMERGED.config.server.modules.elastalertengine.update({'enabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.enabledSigmaRules.default}) %}
 {% endif %}
 
-{# set elastalertengine.rulesRepos and strelkaengine.rulesRepos based on airgap or not #}
+{# set elastalertengine.rulesRepos, strelkaengine.rulesRepos, and suricataengine.rulesetSources based on airgap or not #}
 {% if GLOBALS.airgap %}
 {%   do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.airgap}) %}
 {%   do SOCMERGED.config.server.modules.strelkaengine.update({'rulesRepos': SOCMERGED.config.server.modules.strelkaengine.rulesRepos.airgap}) %}
+{#%   if SOCMERGED.config.server.modules.suricataengine.rulesetSources is mapping %#}
+{%     do SOCMERGED.config.server.modules.suricataengine.update({'rulesetSources': SOCMERGED.config.server.modules.suricataengine.rulesetSources.airgap}) %}
+{#%   endif %#}
 {%   do SOCMERGED.config.server.update({'airgapEnabled': true}) %}
 {% else %}
 {%   do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.default}) %}
 {%   do SOCMERGED.config.server.modules.strelkaengine.update({'rulesRepos': SOCMERGED.config.server.modules.strelkaengine.rulesRepos.default}) %}
+{#%   if SOCMERGED.config.server.modules.suricataengine.rulesetSources is mapping %#}
+{%     do SOCMERGED.config.server.modules.suricataengine.update({'rulesetSources': SOCMERGED.config.server.modules.suricataengine.rulesetSources.default}) %}
+{#%   endif %#}
 {%   do SOCMERGED.config.server.update({'airgapEnabled': false}) %}
 {% endif %}
 
+
+{# Define the Detections custom ruleset that should always be present #}
+{% set CUSTOM_RULESET = {
+  'name': '__custom__',
+  'description': 'User-created custom rules created via the Detections module in the SOC UI',
+  'sourceType': 'elasticsearch',
+  'sourcePath': 'so_detection.ruleset:__custom__',
+  'readOnly': false,
+  'deleteUnreferenced': false,
+  'license': 'Custom',
+  'enabled': true
+} %}
+
+{# Always append the custom ruleset to suricataengine.rulesetSources if not already present #}
+{% if SOCMERGED.config.server.modules.suricataengine is defined and SOCMERGED.config.server.modules.suricataengine.rulesetSources is defined %}
+{%   if SOCMERGED.config.server.modules.suricataengine.rulesetSources is not mapping %}
+{%     set custom_names = SOCMERGED.config.server.modules.suricataengine.rulesetSources | selectattr('name', 'equalto', '__custom__') | list %}
+{%     if custom_names | length == 0 %}
+{%       do SOCMERGED.config.server.modules.suricataengine.rulesetSources.append(CUSTOM_RULESET) %}
+{%     endif %}
+{%   endif %}
+{% endif %}
+
+{# Enable SO_FILTERS and SO_EXTRACTIONS when Suricata is the metadata engine #}
+{% if SOCMERGED.config.server.modules.suricataengine is defined and SOCMERGED.config.server.modules.suricataengine.rulesetSources is defined %}
+{%   if SOCMERGED.config.server.modules.suricataengine.rulesetSources is not mapping %}
+{%     for ruleset in SOCMERGED.config.server.modules.suricataengine.rulesetSources %}
+{%       if ruleset.name in ['SO_FILTERS', 'SO_EXTRACTIONS'] and GLOBALS.md_engine == 'SURICATA' %}
+{%         do ruleset.update({'enabled': true}) %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+
+{# Transform Emerging-Threats ruleset based on license key #}
+{% if SOCMERGED.config.server.modules.suricataengine is defined and SOCMERGED.config.server.modules.suricataengine.rulesetSources is defined %}
+{%   if SOCMERGED.config.server.modules.suricataengine.rulesetSources is not mapping %}
+{%     for ruleset in SOCMERGED.config.server.modules.suricataengine.rulesetSources %}
+{%     if ruleset.name == 'Emerging-Threats' %}
+{%       if ruleset.licenseKey and ruleset.licenseKey != '' %}
+{#         License key is defined - transform to ETPRO #}
+{%         if ruleset.sourceType == 'directory' %}
+{#           Airgap mode - update directory path #}
+{%           do ruleset.update({
+               'name': 'ETPRO',
+               'sourcePath': '/nsm/rules/custom-local-repos/local-etpro-suricata/etpro.rules.tar.gz',
+               'license': 'Commercial'
+             }) %}
+{%         else %}
+{#           Engine Version is hardcoded in the URL - this does not change often: https://community.emergingthreats.net/t/supported-engines/71 #}
+{%           do ruleset.update({
+               'name': 'ETPRO',
+               'sourcePath': 'https://rules.emergingthreatspro.com/' ~ ruleset.licenseKey ~ '/suricata-7.0.3/etpro.rules.tar.gz',
+               'urlHash': 'https://rules.emergingthreatspro.com/' ~ ruleset.licenseKey ~ '/suricata-7.0.3/etpro.rules.tar.gz.md5',
+               'license': 'Commercial'
+             }) %}
+{%         endif %}
+{%       else %}
+{#         No license key - explicitly set to ETOPEN #}
+{%         if ruleset.sourceType == 'directory' %}
+{#           Airgap mode - update directory path #}
+{%           do ruleset.update({
+               'name': 'ETOPEN',
+               'sourcePath': '/nsm/rules/suricata/etopen/',
+               'license': 'BSD'
+             }) %}
+{%         else %}
+{%           do ruleset.update({
+               'name': 'ETOPEN',
+               'sourcePath': 'https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.tar.gz',
+               'urlHash': 'https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.tar.gz.md5',
+               'license': 'BSD'
+             }) %}
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+
+
 {# set playbookRepos based on airgap or not #}
 {% if GLOBALS.airgap %}
 {%   do SOCMERGED.config.server.modules.playbook.update({'playbookRepos': SOCMERGED.config.server.modules.playbook.playbookRepos.airgap}) %}

salt/soc/soc_soc.yaml

@@ -563,6 +563,64 @@ soc:
             advanced: True
             forcedType: "[]string"
             helpLink: detections.html#rule-engine-status
+          rulesetSources:
+            default: &serulesetSources
+              description: "Ruleset sources for Suricata rules. Supports URL downloads and local directories. Refer to the linked documentation for details on how to configure this setting."
+              global: True
+              advanced: False
+              forcedType: "[]{}"
+              helpLink: suricata.html
+              syntax: json
+              uiElements:
+              - field: name
+                label: Ruleset Name (This will be the name of the ruleset in the UI)
+                required: True
+                readonly: True
+              - field: description
+                label: Description
+              - field: enabled
+                label: Enabled (If false, existing rules & overrides will be removed)
+                forcedType: bool
+                required: True
+              - field: licenseKey
+                label: License Key
+                required: False
+              - field: sourceType
+                label: Source Type
+                required: True
+                options:
+                  - url
+                  - directory
+              - field: sourcePath
+                label: Source Path (full url or directory path)
+                required: True
+              - field: excludeFiles
+                label: Exclude Files (list of file names to exclude, separated by commas)
+                required: False
+              - field: license
+                label: Ruleset License
+                required: True
+              - field: readOnly
+                label: Read Only (Prevents changes to the rule itself - can still be enabled/disabled/tuned)
+                forcedType: bool
+                required: False
+              - field: deleteUnreferenced
+                label: Delete Unreferenced (Deletes rules that are no longer referenced by ruleset source)
+                forcedType: bool
+                required: False
+              - field: proxyURL
+                label: HTTP/HTTPS proxy URL for downloading the ruleset.
+                required: False
+              - field: proxyUsername
+                label: Proxy authentication username.
+                required: False
+              - field: proxyPassword
+                label: Proxy authentication password.
+                required: False
+              - field: proxyCACert
+                label: Path to CA certificate file for MITM proxy verification.
+                required: False
+            airgap: *serulesetSources
         navigator:
           intervalMinutes:
             description: How often to generate the Navigator Layers. (minutes)
@@ -594,7 +652,6 @@ soc:
         assistant:
           apiUrl:
             description: The URL of the AI gateway.
-            advanced: True
             global: True
           healthTimeoutSeconds:
             description: Timeout in seconds for the Onion AI health check.
@@ -650,6 +707,9 @@ soc:
             - field: displayName
               label: Display Name
               required: True
+            - field: origin
+              label: Country of Origin for the Model Training
+              required: false
             - field: contextLimitSmall
               label: Context Limit (Small)
               forcedType: int

salt/suricata/config.sls

@@ -10,12 +10,6 @@
 {%   from 'suricata/map.jinja' import SURICATAMERGED %}
 {%   from 'bpf/suricata.map.jinja' import SURICATABPF, SURICATA_BPF_STATUS, SURICATA_BPF_CALC %}
 
-suridir:
-  file.directory:
-    - name: /opt/so/conf/suricata
-    - user: 940
-    - group: 940
-
 {%   if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
 {%     from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS, PCAP_BPF_CALC %}
 # BPF compilation and configuration
@@ -28,6 +22,14 @@ suriPCAPbpfcompilationfailure:
 {%     endif %}
 {%   endif %}
 
+suridir:
+  file.directory:
+    - name: /opt/so/conf/suricata
+    - user: 940
+    - group: 939
+    - mode: 775
+    - makedirs: True
+
 # BPF applied to all of Suricata - alerts/metadata/pcap
 suribpf:
   file.managed:
@@ -89,9 +91,11 @@ suricata_sbin_jinja:
 
 suriruledir:
   file.directory:
-    - name: /opt/so/conf/suricata/rules
+    - name: /opt/so/rules/suricata
     - user: 940
-    - group: 940
+    - group: 939
+    - mode: 775
+    - makedirs: True
 
 surilogdir:
   file.directory:
@@ -115,14 +119,12 @@ suridatadir:
     - mode: 770
     - makedirs: True
 
-# salt:// would resolve to /opt/so/rules/nids because of the defined file_roots and
-#  not existing under /opt/so/saltstack/local/salt or /opt/so/saltstack/default/salt
 surirulesync:
   file.recurse:
-    - name: /opt/so/conf/suricata/rules/
-    - source: salt://suri/
+    - name: /opt/so/rules/suricata/
+    - source: salt://suricata/rules/
     - user: 940
-    - group: 940
+    - group: 939
     - show_changes: False
 
 surilogscript:
@@ -155,10 +157,9 @@ suriconfig:
 surithresholding:
   file.managed:
     - name: /opt/so/conf/suricata/threshold.conf
-    - source: salt://suricata/files/threshold.conf.jinja
+    - source: salt://suricata/files/threshold.conf
     - user: 940
     - group: 940
-    - template: jinja
 
 suriclassifications:
   file.managed:
@@ -176,6 +177,14 @@ so-suricata-eve-clean:
     - template: jinja
     - source: salt://suricata/cron/so-suricata-eve-clean
 
+so-suricata-rulestats:
+  file.managed:
+    - name: /usr/sbin/so-suricata-rulestats
+    - user: root
+    - group: root
+    - mode: 755
+    - source: salt://suricata/cron/so-suricata-rulestats
+
 {% else %}
 
 {{sls}}_state_not_allowed:

salt/suricata/cron/so-suricata-rulestats

@@ -0,0 +1,39 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+# Query Suricata for ruleset stats and reload time, write to JSON file for Telegraf to consume
+
+OUTFILE="/opt/so/log/suricata/rulestats.json"
+SURICATASC="docker exec so-suricata /opt/suricata/bin/suricatasc"
+SOCKET="/var/run/suricata/suricata-command.socket"
+
+query() {
+    timeout 10 $SURICATASC -c "$1" "$SOCKET" 2>/dev/null
+}
+
+STATS=$(query "ruleset-stats")
+RELOAD=$(query "ruleset-reload-time")
+[ -z "$RELOAD" ] && RELOAD='{}'
+
+# Outputs valid JSON on success, empty on failure
+OUTPUT=$(jq -n \
+    --argjson stats "$STATS" \
+    --argjson reload "$RELOAD" \
+    'if $stats.return == "OK" and ($stats.message[0].rules_loaded | type) == "number" and ($stats.message[0].rules_failed | type) == "number" then
+        {
+            rules_loaded: $stats.message[0].rules_loaded,
+            rules_failed: $stats.message[0].rules_failed,
+            last_reload: ($reload.message[0].last_reload // ""),
+            return: "OK"
+        }
+    else empty end' 2>/dev/null)
+
+if [ -n "$OUTPUT" ]; then
+    echo "$OUTPUT" > "$OUTFILE"
+else
+    echo '{"return":"FAIL"}' > "$OUTFILE"
+fi

salt/suricata/defaults.yaml

@@ -467,7 +467,7 @@ suricata:
         append: "yes"
     default-rule-path: /etc/suricata/rules
     rule-files:
-      - all.rules
+      - all-rulesets.rules
     classification-file: /etc/suricata/classification.config
     reference-config-file: /etc/suricata/reference.config
     threshold-file: /etc/suricata/threshold.conf

salt/suricata/disabled.sls

@@ -23,6 +23,11 @@ clean_suricata_eve_files:
   cron.absent:
     - identifier: clean_suricata_eve_files
 
+# Remove rulestats cron
+rulestats:
+  cron.absent:
+    - identifier: suricata_rulestats
+
 {% else %}
 
 {{sls}}_state_not_allowed:

salt/suricata/enabled.sls

@@ -36,7 +36,7 @@ so-suricata:
       - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
       - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
       - /opt/so/conf/suricata/classification.config:/etc/suricata/classification.config:ro
-      - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
+      - /opt/so/rules/suricata:/etc/suricata/rules:ro
       - /opt/so/log/suricata/:/var/log/suricata/:rw
       - /nsm/suricata/:/nsm/:rw
       - /nsm/suricata/extracted:/var/log/suricata//filestore:rw
@@ -90,6 +90,18 @@ clean_suricata_eve_files:
     - month: '*'
     - dayweek: '*'
 
+# Add rulestats cron - runs every minute to query Suricata for rule load status
+suricata_rulestats:
+  cron.present:
+    - name: /usr/sbin/so-suricata-rulestats > /dev/null 2>&1
+    - identifier: suricata_rulestats
+    - user: root
+    - minute: '*'
+    - hour: '*'
+    - daymonth: '*'
+    - month: '*'
+    - dayweek: '*'
+
 {% else %}
 
 {{sls}}_state_not_allowed:

salt/suricata/files/so_extraction.rules

@@ -23,4 +23,4 @@ alert smb any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestor
 alert http any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; noalert; sid:1100016; rev:1;)
 alert smtp any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; noalert; sid:1100017; rev:1;)
 alert nfs any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; noalert; sid:1100018; rev:1;)
-alert smb any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; noalert; sid:1100019; rev:1;)
+alert smb any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; noalert; sid:1100019; rev:1;)

salt/suricata/files/so_filters.rules

@@ -9,3 +9,4 @@
 #config tls any any -> any any (tls.fingerprint; content:"4f:a4:5e:58:7e:d9:db:20:09:d7:b6:c7:ff:58:c4:7b:dc:3f:55:b4"; config: logging disable, type tx, scope tx; sid:1200003;)
 # Example of filtering out a md5 of a file from being in the files log.
 #config fileinfo any any -> any any (fileinfo.filemd5; content:"7a125dc69c82d5caf94d3913eecde4b5"; config: logging disable, type tx, scope tx; sid:1200004;)
+

salt/suricata/files/threshold.conf

@@ -0,0 +1,2 @@
+# Threshold configuration generated by Security Onion
+# This file is automatically generated - do not edit manually

salt/suricata/files/threshold.conf.jinja

@@ -1,35 +0,0 @@
-{% import_yaml 'suricata/thresholding/sids.yaml' as THRESHOLDING %}
-{% if THRESHOLDING -%}
-  
-  {% for EACH_SID in THRESHOLDING -%}
-    {% for ACTIONS_LIST in THRESHOLDING[EACH_SID] -%}
-      {% for EACH_ACTION in ACTIONS_LIST -%}
-        
-        {%- if EACH_ACTION == 'threshold' %}
-{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, type {{ ACTIONS_LIST[EACH_ACTION].type }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}
-        
-        {%- elif EACH_ACTION == 'rate_filter' %}
-          {%- if ACTIONS_LIST[EACH_ACTION].new_action not in ['drop','reject'] %}
-{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}, new_action {{ ACTIONS_LIST[EACH_ACTION].new_action }}, timeout {{ ACTIONS_LIST[EACH_ACTION].timeout }}
-          {%- else %}
-##### Security Onion does not support drop or reject actions for rate_filter
-##### {{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}, new_action {{ ACTIONS_LIST[EACH_ACTION].new_action }}, timeout {{ ACTIONS_LIST[EACH_ACTION].timeout }}
-          {%- endif %}
-        
-        {%- elif EACH_ACTION == 'suppress' %}
-          {%- if ACTIONS_LIST[EACH_ACTION].track is defined %}
-{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, ip {{ ACTIONS_LIST[EACH_ACTION].ip }}
-          {%- else %}
-{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}
-          {%- endif %}
-        
-        {%- endif %}
-      
-      {%- endfor %}
-    {%- endfor %}
-  {%- endfor %}
-
-{%- else %}
-##### Navigate to suricata > thresholding > SIDS in SOC to define thresholding
-
-{%- endif %}

salt/suricata/manager.sls

@@ -1,30 +0,0 @@
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
-
-surilocaldir:
-  file.directory:
-    - name: /opt/so/saltstack/local/salt/suricata
-    - user: socore
-    - group: socore
-    - makedirs: True
-
-ruleslink:
-  file.symlink:
-    - name: /opt/so/saltstack/local/salt/suricata/rules
-    - user: socore
-    - group: socore
-    - target: /opt/so/rules/nids/suri
-
-refresh_salt_master_fileserver_suricata_ruleslink:
-  salt.runner:
-    - name: fileserver.update
-    - onchanges:
-      - file: ruleslink
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}

salt/telegraf/defaults.yaml

@@ -21,6 +21,7 @@ telegraf:
       - sostatus.sh
       - stenoloss.sh
       - suriloss.sh
+      - surirules.sh
       - zeekcaptureloss.sh
       - zeekloss.sh
     standalone:
@@ -36,6 +37,7 @@ telegraf:
       - sostatus.sh
       - stenoloss.sh
       - suriloss.sh
+      - surirules.sh
       - zeekcaptureloss.sh
       - zeekloss.sh
       - features.sh
@@ -81,6 +83,7 @@ telegraf:
       - sostatus.sh
       - stenoloss.sh
       - suriloss.sh
+      - surirules.sh
       - zeekcaptureloss.sh
       - zeekloss.sh
       - features.sh
@@ -95,6 +98,7 @@ telegraf:
       - sostatus.sh
       - stenoloss.sh
       - suriloss.sh
+      - surirules.sh
       - zeekcaptureloss.sh
       - zeekloss.sh
     idh:

salt/telegraf/scripts/surirules.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+# Read Suricata ruleset stats from JSON file written by so-suricata-rulestats cron job
+# JSON format: {"rules_loaded":45879,"rules_failed":1,"last_reload":"2025-12-04T14:10:57+0000","return":"OK"}
+# or on failure: {"return":"FAIL"}
+
+# if this script isn't already running
+if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
+
+    STATSFILE="/var/log/suricata/rulestats.json"
+
+    # Check file exists, is less than 90 seconds old, and has valid data
+    if [ -f "$STATSFILE" ] && [ $(($(date +%s) - $(stat -c %Y "$STATSFILE"))) -lt 90 ] && jq -e '.return == "OK" and .rules_loaded != null and .rules_failed != null' "$STATSFILE" > /dev/null 2>&1; then
+        LOADED=$(jq -r '.rules_loaded' "$STATSFILE")
+        FAILED=$(jq -r '.rules_failed' "$STATSFILE")
+        RELOAD_TIME=$(jq -r 'if .last_reload then .last_reload else "" end' "$STATSFILE")
+
+        if [ -n "$RELOAD_TIME" ]; then
+            echo "surirules loaded=${LOADED}i,failed=${FAILED}i,reload_time=\"${RELOAD_TIME}\",status=\"ok\""
+        else
+            echo "surirules loaded=${LOADED}i,failed=${FAILED}i,status=\"ok\""
+        fi
+    else
+        echo "surirules loaded=0i,failed=0i,status=\"unknown\""
+    fi
+
+fi
+
+exit 0

salt/top.sls

@@ -74,8 +74,6 @@ base:
     - sensoroni
     - telegraf
     - firewall
-    - idstools
-    - suricata.manager
     - healthcheck
     - elasticsearch
     - elastic-fleet-package-registry
@@ -106,8 +104,6 @@ base:
     - firewall
     - sensoroni
     - telegraf
-    - idstools
-    - suricata.manager
     - healthcheck
     - elasticsearch
     - logstash
@@ -142,8 +138,6 @@ base:
     - sensoroni
     - telegraf
     - backup.config_backup
-    - idstools
-    - suricata.manager
     - elasticsearch
     - logstash
     - redis
@@ -177,8 +171,6 @@ base:
     - sensoroni
     - telegraf
     - backup.config_backup
-    - idstools
-    - suricata.manager
     - elasticsearch
     - logstash
     - redis
@@ -208,8 +200,6 @@ base:
     - sensoroni
     - telegraf
     - firewall
-    - idstools
-    - suricata.manager
     - pcap
     - elasticsearch
     - elastic-fleet-package-registry

setup/so-functions

@@ -816,7 +816,6 @@ create_manager_pillars() {
 	backup_pillar
 	docker_pillar
 	redis_pillar
-	idstools_pillar
 	kratos_pillar
 	hydra_pillar
 	soc_pillar
@@ -1282,11 +1281,6 @@ ls_heapsize() {
 
 }
 
-idstools_pillar() {
-	title "Ading IDSTOOLS pillar options"
-	touch $adv_idstools_pillar_file
-}
-
 nginx_pillar() {
 	title "Creating the NGINX pillar"
 	[[ -z "$TESTING" ]] && return
@@ -1462,7 +1456,7 @@ make_some_dirs() {
 	mkdir -p $local_salt_dir/salt/firewall/portgroups
 	mkdir -p $local_salt_dir/salt/firewall/ports
 
-	for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos hydra idstools idh elastalert stig global kafka versionlock hypervisor vm; do
+	for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos hydra idh elastalert stig global kafka versionlock hypervisor vm; do
 	mkdir -p $local_salt_dir/pillar/$THEDIR
 	touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls
 	touch $local_salt_dir/pillar/$THEDIR/soc_$THEDIR.sls

setup/so-variables

@@ -166,12 +166,6 @@ export hydra_pillar_file
 adv_hydra_pillar_file="$local_salt_dir/pillar/hydra/adv_hydra.sls"
 export adv_hydra_pillar_file
 
-idstools_pillar_file="$local_salt_dir/pillar/idstools/soc_idstools.sls"
-export idstools_pillar_file
-
-adv_idstools_pillar_file="$local_salt_dir/pillar/idstools/adv_idstools.sls"
-export adv_idstools_pillar_file
-
 nginx_pillar_file="$local_salt_dir/pillar/nginx/soc_nginx.sls"
 export nginx_pillar_file