Merge pull request #343 from Security-Onion-Solutions/dev

Update README.md

README.md

@@ -1,36 +1,33 @@
-## Hybrid Hunter Alpha 1.1.3
-
-### ISO Download:
-
-[HH1.1.3-20.iso](https://github.com/Security-Onion-Solutions/securityonion-hh-iso/releases/download/HH1.1.3/HH-1.1.3-20.iso)  
-MD5: 5A97980365A2A63EBFABB8C1DEB32BB6  
-SHA1: 2A780B41903D907CED91D944569FD24FC131281F  
-SHA256: 56FA65EB5957903B967C16E792B17386848101CD058E0289878373110446C4B2
-
-```
-Default Username: onion
-Default Password: V@daL1aZ
-```
+## Hybrid Hunter Alpha 1.1.4 - Feature Parity Release
 
 ### Changes:
 
-- Overhaul of the setup script to support both ISO and network based setups.
-- ISO will now boot properly from a USB stick.
-- Python 3 is now default.
-- Fix Filebeat from restarting every check in due to x509 refresh issue. 
-- Cortex installed and integrated with TheHive. 
-- Switched to using vanilla Kolide Fleet and upgraded to latest version (2.4) .  
-- Playbook changes:
-  - Now preloaded with Plays generated from Sysmon Sigma signatures in the [Sigma community repo](https://github.com/Neo23x0/sigma/tree/master/rules/windows/sysmon).  
-  - New update script that updates / pulls in new Sigma signatures from the community repo .
-  - Bulk enable / disable plays from the webui . 
-  - Updated sigmac mapping template & configuration (backend is now `elastalert`) . 
-  - Updated TheHive alerts formatting . 
-- OS patch scheduling:
-  - During setup, choose between auto, manual, or scheduled OS patch interval
-  - For scheduled, create a new or import an existing named schedule
+- Added new in-house auth method [Security Onion Auth](https://github.com/Security-Onion-Solutions/securityonion-auth).
+- Web user creation is done via the browser now instead of so-user-add.
+- New Logstash pipeline setup. Now uses multiple pipelines.
+- New Master + Search node type and well as a Heavy Node type in the install. 
+- Change all nodes to point to the docker registry on the Master. This cuts down on the calls to dockerhub.
+- Zeek 3.0.1
+- Elastic 6.8.6
+- New SO Start | Stop | Restart scripts for all components (eg. `so-playbook-restart`).
+- BPF support for Suricata (NIDS), Steno (PCAP) & Zeek ([Docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/BPF)).
+- Updated Domain Stats & Frequency Server containers to Python3 & created new Salt states for them.
+- Added so-status script which gives an easy to read look at container status.
+- Manage threshold.conf for Suricata using the thresholding pillar.
+- The ISO now includes all the docker containers for faster install speeds.
+- You now set the password for the onion account during the iso install. This account is temporary and will be removed after so-setup. 
+- Updated Helix parsers for better compatibility.
+- Updated telegraf docker to include curl and jq.
+- CVE-2020-0601 Zeek Detection Script. 
+- ISO Install now prompts you to create a password for the onion user during imaging. This account gets disabled during setup.
 
+## Version 1.1.4 ISO Download
 
+[HH1.1.4-44.ISO](https://download.securityonion.net/file/Hybrid-Hunter/HH-1.1.4-44.iso)  
+
+MD5: C881536D55C5791F69596E474513E953  
+SHA1: 1CF503A46279EDDC5C84AA9F02167839004E7723  
+SHA256: F5C2FB52DFD314540019953BFE1960AF130AB09CD75E60E66CAA122DAD4DA414  
 
 ### Warnings and Disclaimers
 

pillar/docker/config.sls

@@ -0,0 +1,205 @@
+{% set OSQUERY = salt['pillar.get']('master:osquery', '0') %}
+{% set WAZUH = salt['pillar.get']('master:wazuh', '0') %}
+{% set THEHIVE = salt['pillar.get']('master:thehive', '0') %}
+{% set PLAYBOOK = salt['pillar.get']('master:playbook', '0') %}
+{% set FREQSERVER = salt['pillar.get']('master:freq', '0') %}
+{% set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') %}
+{% set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
+{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
+
+
+eval:
+  containers:
+    - so-core
+    - so-telegraf
+    {% if  GRAFANA == '1' %}
+    - so-influxdb
+    - so-grafana
+    {% endif %}
+    - so-dockerregistry
+    - so-sensoroni
+    - so-idstools
+    - so-auth-api
+    - so-auth-ui
+    {% if OSQUERY != '0' %}
+    - so-mysql
+    - so-fleet
+    - so-redis
+    {% endif %}
+    - so-elasticsearch
+    - so-logstash
+    - so-kibana
+    - so-steno
+    - so-suricata
+    - so-zeek
+    - so-curator
+    - so-elastalert
+    {% if WAZUH != '0' %}
+    - so-wazuh
+    {% endif %}
+    - so-soctopus
+    {% if THEHIVE != '0' %}
+    - so-thehive
+    - so-thehive-es
+    - so-cortex
+    {% endif %}
+    {% if PLAYBOOK != '0' %}
+    - so-playbook
+    - so-navigator
+    {% endif %}
+    {% if FREQSERVER != '0' %}
+    - so-freqserver
+    {% endif %}
+    {% if DOMAINSTATS != '0' %}
+    - so-domainstats
+    {% endif %}
+heavy_node:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-redis
+    - so-logstash
+    - so-elasticsearch
+    - so-curator
+    - so-steno
+    - so-suricata
+    - so-wazuh
+    - so-filebeat
+    {% if BROVER != 'SURICATA' %}
+    - so-zeek
+    {% endif %}
+helix:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-idstools
+    - so-steno
+    - so-zeek
+    - so-redis
+    - so-logstash
+    - so-filebeat
+hot_node:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-logstash
+    - so-elasticsearch
+    - so-curator
+master_search:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-sensoroni
+    - so-acng
+    - so-idstools
+    - so-redis
+    - so-auth-api
+    - so-auth-ui
+    - so-logstash
+    - so-elasticsearch
+    - so-curator
+    - so-kibana
+    - so-elastalert
+    - so-filebeat
+    - so-soctopus
+    {% if OSQUERY != '0' %}
+    - so-mysql
+    - so-fleet
+    - so-redis
+    {% endif %}
+    {% if WAZUH != '0' %}
+    - so-wazuh
+    {% endif %}
+    - so-soctopus
+    {% if THEHIVE != '0' %}
+    - so-thehive
+    - so-thehive-es
+    - so-cortex
+    {% endif %}
+    {% if PLAYBOOK != '0' %}
+    - so-playbook
+    - so-navigator
+    {% endif %}
+    {% if FREQSERVER != '0' %}
+    - so-freqserver
+    {% endif %}
+    {% if DOMAINSTATS != '0' %}
+    - so-domainstats
+    {% endif %}
+master:
+  containers:
+    - so-dockerregistry
+    - so-core
+    - so-telegraf
+    {% if  GRAFANA == '1' %}
+    - so-influxdb
+    - so-grafana
+    {% endif %}
+    - so-sensoroni
+    - so-acng
+    - so-idstools
+    - so-redis
+    - so-auth-api
+    - so-auth-ui
+    - so-elasticsearch
+    - so-logstash
+    - so-kibana
+    - so-elastalert
+    - so-filebeat
+    {% if OSQUERY != '0' %}
+    - so-mysql
+    - so-fleet
+    - so-redis
+    {% endif %}
+    {% if WAZUH != '0' %}
+    - so-wazuh
+    {% endif %}
+    - so-soctopus
+    {% if THEHIVE != '0' %}
+    - so-thehive
+    - so-thehive-es
+    - so-cortex
+    {% endif %}
+    {% if PLAYBOOK != '0' %}
+    - so-playbook
+    - so-navigator
+    {% endif %}
+    {% if FREQSERVER != '0' %}
+    - so-freqserver
+    {% endif %}
+    {% if DOMAINSTATS != '0' %}
+    - so-domainstats
+    {% endif %}
+parser_node:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-logstash
+search_node:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-logstash
+    - so-elasticsearch
+    - so-curator
+    - so-filebeat
+    {% if WAZUH != '0' %}
+    - so-wazuh
+    {% endif %}
+sensor:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-steno
+    - so-suricata
+    {% if BROVER != 'SURICATA' %}
+    - so-zeek
+    {% endif %}
+    - so-wazuh
+    - so-filebeat
+warm_node:
+  containers:
+    - so-core
+    - so-telegraf
+    - so-elasticsearch
+    

pillar/firewall/search_nodes.sls

@@ -0,0 +1,2 @@
+search_nodes:
+  - 127.0.0.1

pillar/firewall/storage_nodes.sls

@@ -1,2 +0,0 @@
-storage_nodes:
-  - 127.0.0.1

pillar/logstash/eval.sls

@@ -0,0 +1,4 @@
+logstash:
+  pipelines:
+    eval:
+      config: "/usr/share/logstash/pipelines/eval/*.conf"

pillar/logstash/helix.sls

@@ -0,0 +1,4 @@
+logstash:
+  pipelines:
+    helix:
+      config: "/usr/share/logstash/pipelines/helix/*.conf"

pillar/logstash/master.sls

@@ -0,0 +1,4 @@
+logstash:
+  pipelines:
+    master:
+      config: "/usr/share/logstash/pipelines/master/*.conf"

pillar/logstash/search.sls

@@ -0,0 +1,4 @@
+logstash:
+  pipelines:
+    search:
+      config: "/usr/share/logstash/pipelines/search/*.conf"

pillar/thresholding/pillar.example

@@ -0,0 +1,44 @@
+thresholding:
+  sids:
+    8675309:
+      - threshold:
+          gen_id: 1
+          type: threshold
+          track: by_src
+          count: 10
+          seconds: 10
+      - threshold:
+          gen_id: 1
+          type: limit
+          track: by_dst
+          count: 100
+          seconds: 30
+      - rate_filter:
+          gen_id: 1
+          track: by_rule
+          count: 50
+          seconds: 30
+          new_action: alert
+          timeout: 30
+      - suppress:
+          gen_id: 1
+          track: by_either
+          ip: 10.10.3.7
+    11223344:
+      - threshold:
+          gen_id: 1
+          type: limit
+          track: by_dst
+          count: 10
+          seconds: 10
+      - rate_filter:
+          gen_id: 1
+          track: by_src
+          count: 50
+          seconds: 20
+          new_action: pass
+          timeout: 60
+      - suppress:
+          gen_id: 1
+          track: by_src
+          ip: 10.10.3.0/24

pillar/thresholding/pillar.usage

@@ -0,0 +1,20 @@
+thresholding:
+  sids:
+    <signature id>:
+      - threshold:
+          gen_id: <generator id>
+          type: <threshold | limit | both>
+          track: <by_src | by_dst>
+          count: <count>
+          seconds: <seconds>
+      - rate_filter:
+          gen_id: <generator id>
+          track: <by_src | by_dst | by_rule | by_both>
+          count: <count>
+          seconds: <seconds>
+          new_action: <alert | pass>
+          timeout: <seconds>
+      - suppress:
+          gen_id: <generator id>
+          track: <by_src | by_dst | by_either>
+          ip: <ip | subnet>

pillar/top.sls

@@ -1,38 +1,55 @@
 base:
   '*':
     - patch.needs_restarting
+    - docker.config
+
+  'G@role:so-mastersearch or G@role:so-heavynode':
+    - match: compound
+    - logstash.master
+    - logstash.search
 
   'G@role:so-sensor':
-    - sensors.{{ grains.id }}
     - static
     - firewall.*
     - brologs
+    - minions.{{ grains.id }}
+
+  'G@role:so-master or G@role:so-mastersearch':
+    - match: compound
+    - static
+    - firewall.*
+    - data.*
+    - auth
+    - minions.{{ grains.id }}
 
   'G@role:so-master':
-    - masters.{{ grains.id }}
-    - static
-    - firewall.*
-    - data.*
-    - auth
+    - logstash.master
 
   'G@role:so-eval':
-    - masters.{{ grains.id }}
     - static
     - firewall.*
     - data.*
     - brologs
     - auth
+    - logstash.eval
+    - minions.{{ grains.id }}
 
   'G@role:so-node':
-    - nodes.{{ grains.id }}
     - static
     - firewall.*
+    - minions.{{ grains.id }}
+
+  'G@role:so-heavynode':
+    - static
+    - firewall.*
+    - brologs
+    - minions.{{ grains.id }}
 
   'G@role:so-helix':
-    - masters.{{ grains.id }}
-    - sensors.{{ grains.id }}
     - static
     - firewall.*
     - fireeye
-    - static
     - brologs
+    - logstash.helix
+    - static
+    - minions.{{ grains.id }}

salt/auth/init.sls

@@ -0,0 +1,30 @@
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
+
+so-auth-api-dir:
+  file.directory:
+    - name: /opt/so/conf/auth/api
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+so-auth-api:
+    docker_container.running:
+        - image: {{ MASTER }}:5000/soshybridhunter/so-auth-api:{{ VERSION }}
+        - hostname: so-auth-api
+        - name: so-auth-api
+        - environment:
+            - BASE_PATH: "/so-auth/api"
+            - AUTH_TOKEN_TIMEOUT: 32400
+        - binds:
+            - /opt/so/conf/auth/api:/data
+        - port_bindings:
+            - 0.0.0.0:5656:5656
+
+so-auth-ui:
+    docker_container.running:
+        - image: {{ MASTER }}:5000/soshybridhunter/so-auth-ui:{{ VERSION }}
+        - hostname: so-auth-ui
+        - name: so-auth-ui
+        - port_bindings:
+            - 0.0.0.0:4242:80

salt/common/grafana/etc/dashboards/dashboard.yml

@@ -17,13 +17,13 @@ providers:
   editable: true
   options:
     path: /etc/grafana/grafana_dashboards/forward_nodes
-- name: 'Storage Nodes'
-  folder: 'Storage Nodes'
+- name: 'Search Nodes'
+  folder: 'Search Nodes'
   type: file
   disableDeletion: false
   editable: true
   options:
-    path: /etc/grafana/grafana_dashboards/storage_nodes
+    path: /etc/grafana/grafana_dashboards/search_nodes
 {%- else %}
 - name: 'Security Onion'
   folder: 'Eval Mode'

salt/common/grafana/grafana_dashboards/eval/eval.json

@@ -1395,7 +1395,7 @@
               "condition": "AND",
               "key": "container_name",
               "operator": "=",
-              "value": "so-bro"
+              "value": "so-zeek"
             }
           ]
         }
@@ -1913,7 +1913,7 @@
               "condition": "AND",
               "key": "container_name",
               "operator": "=",
-              "value": "so-bro"
+              "value": "so-zeek"
             }
           ]
         }

salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json

@@ -1396,7 +1396,7 @@
               "condition": "AND",
               "key": "container_name",
               "operator": "=",
-              "value": "so-bro"
+              "value": "so-zeek"
             }
           ]
         }
@@ -1901,7 +1901,7 @@
               "condition": "AND",
               "key": "container_name",
               "operator": "=",
-              "value": "so-bro"
+              "value": "so-zeek"
             }
           ]
         }

salt/common/grafana/grafana_dashboards/search_nodes/searchnode.json

@@ -12,7 +12,7 @@
       }
     ]
   },
-  "description": "This Dashboard provides a general overview of a Storage Node",
+  "description": "This Dashboard provides a general overview of a Search Node",
   "editable": true,
   "gnetId": 2381,
   "graphTooltip": 0,
@@ -3433,7 +3433,7 @@
     ]
   },
   "timezone": "browser",
-  "title": "Storage Node - {{ SERVERNAME }} Overview",
+  "title": "Search Node - {{ SERVERNAME }} Overview",
   "uid": "{{ UID }}",
   "version": 3
 }

salt/common/init.sls

@@ -1,4 +1,6 @@
-{%- set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
+{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
 # Add socore Group
 socoregroup:
   group.present:
@@ -100,6 +102,13 @@ nginxconf:
     - template: jinja
     - source: salt://common/nginx/nginx.conf.{{ grains.role }}
 
+copyindex:
+  file.managed:
+    - name: /opt/so/conf/nginx/index.html
+    - user: 939
+    - group: 939
+    - source: salt://common/nginx/index.html
+
 nginxlogdir:
   file.directory:
     - name: /opt/so/log/nginx/
@@ -114,21 +123,15 @@ nginxtmp:
     - group: 939
     - makedirs: True
 
-# Start the core docker
-so-coreimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-core:HH1.1.3
-
 so-core:
   docker_container.running:
-    - require:
-      - so-coreimage
-    - image: docker.io/soshybridhunter/so-core:HH1.1.3
+    - image: {{ MASTER }}:5000/soshybridhunter/so-core:{{ VERSION }}
     - hostname: so-core
     - user: socore
     - binds:
       - /opt/so:/opt/so:rw
       - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - /opt/so/conf/nginx/index.html:/opt/socore/html/index.html:ro
       - /opt/so/log/nginx/:/var/log/nginx:rw
       - /opt/so/tmp/nginx/:/var/lib/nginx:rw
       - /opt/so/tmp/nginx/:/run:rw
@@ -175,15 +178,9 @@ tgrafconf:
     - template: jinja
     - source: salt://common/telegraf/etc/telegraf.conf
 
-so-telegrafimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-telegraf:HH1.1.0
-
 so-telegraf:
   docker_container.running:
-    - require:
-      - so-telegrafimage
-    - image: docker.io/soshybridhunter/so-telegraf:HH1.1.0
+    - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:{{ VERSION }}
     - environment:
       - HOST_PROC=/host/proc
       - HOST_ETC=/host/etc
@@ -200,7 +197,7 @@ so-telegraf:
       - /proc:/host/proc:ro
       - /nsm:/host/nsm:ro
       - /etc:/host/etc:ro
-      {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
+      {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %}
       - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro
       {% else %}
       - /etc/ssl/certs/intca.crt:/etc/telegraf/ca.crt:ro
@@ -214,7 +211,7 @@ so-telegraf:
       - /opt/so/conf/telegraf/etc/telegraf.conf
       - /opt/so/conf/telegraf/scripts
 
-# If its a master or eval lets install the back end for now		
+# If its a master or eval lets install the back end for now
 {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' and GRAFANA == 1 %}
 
 # Influx DB
@@ -236,15 +233,9 @@ influxdbconf:
     - template: jinja
     - source: salt://common/influxdb/etc/influxdb.conf
 
-so-influximage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-influxdb:HH1.1.0
-
 so-influxdb:
   docker_container.running:
-    - require:
-      - so-influximage
-    - image: docker.io/soshybridhunter/so-influxdb:HH1.1.0
+    - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:{{ VERSION }}
     - hostname: influxdb
     - environment:
       - INFLUXDB_HTTP_LOG_ENABLED=false
@@ -303,7 +294,7 @@ grafanadashfndir:
 
 grafanadashsndir:
   file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards/storage_nodes
+    - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes
     - user: 939
     - group: 939
     - makedirs: True
@@ -360,13 +351,13 @@ dashboard-{{ SN }}:
 
 {% if salt['pillar.get']('nodestab', False) %}
 {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
-dashboard-{{ SN }}:
+dashboardsearch-{{ SN }}:
   file.managed:
-    - name: /opt/so/conf/grafana/grafana_dashboards/storage_nodes/{{ SN }}-Node.json
+    - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes/{{ SN }}-Node.json
     - user: 939
     - group: 939
     - template: jinja
-    - source: salt://common/grafana/grafana_dashboards/storage_nodes/storage.json
+    - source: salt://common/grafana/grafana_dashboards/search_nodes/searchnode.json
     - defaults:
       SERVERNAME: {{ SN }}
       MANINT: {{ SNDATA.manint }}
@@ -400,14 +391,9 @@ dashboard-{{ SN }}:
 {% endfor %}
 {% endif %}
 
-# Install the docker. This needs to be behind nginx at some point
-so-grafanaimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-grafana:HH1.1.0
-
 so-grafana:
   docker_container.running:
-    - image: docker.io/soshybridhunter/so-grafana:HH1.1.0
+    - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:{{ VERSION }}
     - hostname: grafana
     - user: socore
     - binds:

salt/common/nginx/index.html

@@ -0,0 +1,130 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<title>Security Onion - Hybrid Hunter</title>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
+<link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
+<style>
+* {
+  box-sizing: border-box;
+  font-family: Arial, Helvetica, sans-serif;
+	padding-left: 30px;
+	padding-right: 30px;
+}
+
+body {
+  font-family: Arial, Helvetica, sans-serif;
+	background-color: #2a2a2a;
+
+}
+a {
+	color: #f2f2f2;
+	text-align: left;
+	padding: 0px;
+}
+
+.center {
+	margin: 0 auto;
+}
+
+/* Style the top navigation bar */
+.topnav {
+  overflow: hidden;
+  background-color: #333;
+  width: 1080px;
+  display: flex;
+  align-content: center;
+}
+
+/* Style the topnav links */
+.topnav a {
+  margin: auto;
+  color: #f2f2f2;
+  text-align: center;
+  padding: 14px 16px;
+  text-decoration: none;
+}
+
+/* Change color on hover */
+.topnav a:hover {
+  background-color: #ddd;
+  color: black;
+}
+
+/* Style the content */
+.content {
+  background-color: #2a2a2a;
+  padding: 10px;
+	padding-top: 20px;
+	padding-left: 60px;
+	color: #E3DBCC;
+	width: 1080px;
+}
+
+/* Style the footer */
+.footer {
+  background-color: #2a2a2a;
+  padding: 60px;
+  color: #E3DBCC;
+  width: 1080px;
+}
+
+</style>
+</head>
+<body>
+	<div class="center">
+		<div class="topnav center">
+			<a href="/so-auth/loginpage/create-user" target="_blank">Create New User</a>
+			<a href="/kibana/" target="_blank">Kibana</a>
+			<a href="/grafana/" target="_blank">Grafana</a>
+			<a href="/sensoroni/" target="_blank">Sensoroni</a>
+	  		<a href="/playbook/" target="_blank">Playbook</a>
+			<a href="/fleet/" target="_blank">Fleet</a>
+			<a href="/thehive/" target="_blank">TheHive</a>
+			<a href="/packages/" target="_blank">Osquery Packages</a>
+			<a href="https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/FAQ" target="_blank">FAQ</a>
+			<a href="https://www.securityonionsolutions.com" target="_blank">Security Onion Solutions</a>
+			<a href="https://blog.securityonion.net" target="_blank">Blog</a>
+		</div>
+
+		<div class="content center">
+			<center><a href="https://securityonion.net"><img STYLE="border: none;" src="alpha_logo.jpg" alt="Security Onion" align="center" target="_blank"></img></a><br></center>
+
+			<p><center><h1>Hybrid Hunter Alpha 1.1.4 - Feature Parity Release</h1></center><br>
+				<h2>Changes:</h2>
+        <ul>
+          <li>Added new in-house auth method [Security Onion Auth](https://github.com/Security-Onion-Solutions/securityonion-auth).</li>
+          <li>Web user creation is done via the browser now instead of so-user-add.</li>
+          <li>New Logstash pipeline setup. Now uses multiple pipelines.</li>
+          <li>New Master + Search node type and well as a Heavy Node type in the install.</li>
+          <li>Change all nodes to point to the docker registry on the Master. This cuts down on the calls to dockerhub.</li>
+          <li>Zeek 3.0.1</li>
+          <li>Elastic 6.8.6</li>
+          <li>New SO Start | Stop | Restart scripts for all components (eg. `so-playbook-restart`).</li>
+          <li>BPF support for Suricata (NIDS), Steno (PCAP) & Zeek ([Docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/BPF)).</li>
+          <li>Updated Domain Stats & Frequency Server containers to Python3 & created new Salt states for them.</li>
+          <li>Added so-status script which gives an easy to read look at container status.</li>
+          <li>Manage threshold.conf for Suricata using the thresholding pillar.</li>
+          <li>The ISO now includes all the docker containers for faster install speeds.</li>
+          <li>You now set the password for the onion account during the iso install. This account is temporary and will be removed after so-setup.</li>
+          <li>Updated Helix parsers for better compatibility.</li>
+          <li>Updated telegraf docker to include curl and jq.</li>
+          <li>CVE-2020-0601 Zeek Detection Script.</li>
+          <li>ISO Install now prompts you to create a password for the onion user during imaging. This account gets disabled during setup.</li>
+    		  <li>Check out the <a href="https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Hybrid-Hunter-Quick-Start-Guide" target="_blank">Hybrid Hunter Quick Start Guide</a>.</li>
+		   </ul>
+	  </p>
+		</div>
+
+		<div class="footer center">
+		<b>Disclaimer of Warranty</b><br>
+			<small>THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM .AS IS. WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.</small><br>
+			<br>
+			<b>Limitation of Liability</b><br>
+			<small>IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.</small><br>
+		</div>
+	</div>
+</body>
+</html>

salt/common/nginx/nginx.conf.so-eval

@@ -58,9 +58,9 @@ http {
     #    }
     #}
     server {
-	      listen 80 default_server;
-	      server_name _;
-	      return 301 https://$host$request_uri;
+        listen 80 default_server;
+        server_name _;
+        return 301 https://$host$request_uri;
     }
 
 
@@ -88,8 +88,8 @@ http {
     #    }
 
         location /grafana/ {
-	  rewrite /grafana/(.*) /$1 break;
-          proxy_pass http://{{ masterip }}:3000/;
+          rewrite               /grafana/(.*) /$1 break;
+          proxy_pass            http://{{ masterip }}:3000/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
           proxy_set_header      Host $host;
@@ -100,10 +100,9 @@ http {
         }
 
         location /kibana/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
-	  rewrite /kibana/(.*) /$1 break;
-          proxy_pass http://{{ masterip }}:5601/;
+          auth_request          /so-auth/api/auth/;
+          rewrite               /kibana/(.*) /$1 break;
+          proxy_pass            http://{{ masterip }}:5601/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
           proxy_set_header      Host $host;
@@ -114,7 +113,7 @@ http {
         }
 
         location /playbook/ {
-          proxy_pass http://{{ masterip }}:3200/playbook/;
+          proxy_pass            http://{{ masterip }}:3200/playbook/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
           proxy_set_header      Host $host;
@@ -126,9 +125,8 @@ http {
 
 
         location /navigator/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
-          proxy_pass http://{{ masterip }}:4200/navigator/;
+          auth_request          /so-auth/api/auth/;
+          proxy_pass            http://{{ masterip }}:4200/navigator/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
           proxy_set_header      Host $host;
@@ -139,7 +137,7 @@ http {
         }
 
         location /api/ {
-          proxy_pass https://{{ masterip }}:8080/api/;
+          proxy_pass            https://{{ masterip }}:8080/api/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
           proxy_set_header      Upgrade $http_upgrade;
@@ -152,7 +150,7 @@ http {
         }
 
         location /fleet/ {
-          proxy_pass https://{{ masterip }}:8080/fleet/;
+          proxy_pass            https://{{ masterip }}:8080/fleet/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
           proxy_set_header      Host $host;
@@ -163,10 +161,10 @@ http {
         }
 
         location /thehive/ {
-          proxy_pass http://{{ masterip }}:9000/thehive/;
+          proxy_pass            http://{{ masterip }}:9000/thehive/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
-          proxy_http_version 1.1; # this is essential for chunked responses to work
+          proxy_http_version    1.1; # this is essential for chunked responses to work
           proxy_set_header      Host $host;
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -175,10 +173,10 @@ http {
         }
 
         location /cortex/ {
-          proxy_pass http://{{ masterip }}:9001/cortex/;
+          proxy_pass            http://{{ masterip }}:9001/cortex/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
-          proxy_http_version 1.1; # this is essential for chunked responses to work
+          proxy_http_version    1.1; # this is essential for chunked responses to work
           proxy_set_header      Host $host;
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -186,20 +184,8 @@ http {
 
         }
         
-        location /cyberchef/ {
-          proxy_pass http://{{ masterip }}:9080/;
-          proxy_read_timeout    90;
-          proxy_connect_timeout 90;
-          proxy_http_version 1.1; # this is essential for chunked responses to work
-          proxy_set_header      Host $host;
-          proxy_set_header      X-Real-IP $remote_addr;
-          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header      Proxy "";
-
-        }
-	
         location /soctopus/ {
-          proxy_pass http://{{ masterip }}:7000/;
+          proxy_pass            http://{{ masterip }}:7000/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
           proxy_set_header      Host $host;
@@ -210,17 +196,16 @@ http {
         }
 
         location /sensoroni/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
-          proxy_pass http://{{ masterip }}:9822/;
+          auth_request          /so-auth/api/auth/;
+          proxy_pass            http://{{ masterip }}:9822/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
           proxy_set_header      Host $host;
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-          proxy_set_header Upgrade $http_upgrade;
-          proxy_set_header Connection "Upgrade";
+          proxy_set_header      Upgrade $http_upgrade;
+          proxy_set_header      Connection "Upgrade";
 
         }
 
@@ -237,15 +222,34 @@ http {
         }
 
         location /sensoroniagents/ {
-          proxy_pass http://{{ masterip }}:9822/;
+          proxy_pass            http://{{ masterip }}:9822/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
           proxy_set_header      Host $host;
           proxy_set_header      X-Real-IP $remote_addr;
           proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header      Proxy "";
-
         }
+
+        location /so-auth/loginpage/ {
+            proxy_pass          http://{{ masterip }}:4242/;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+
+        location /so-auth/api/ {
+            proxy_pass          http://{{ masterip }}:5656/;
+            proxy_set_header    X-Real-IP $remote_addr;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header    X-Forwarded-Host $host;
+        }
+
+        error_page 401 = @error401;
+
+        location @error401 {
+          add_header    Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/;Max-Age=60000";
+          return        302 http://{{ masterip }}/so-auth/loginpage/;
+        }
+
         error_page 404 /404.html;
             location = /40x.html {
         }

salt/common/nginx/nginx.conf.so-heavynode

@@ -0,0 +1,89 @@
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+
+    server {
+        listen       80 default_server;
+        listen       [::]:80 default_server;
+        server_name  _;
+        root         /usr/share/nginx/html;
+
+        # Load configuration files for the default server block.
+        include /etc/nginx/default.d/*.conf;
+
+        location / {
+        }
+
+        error_page 404 /404.html;
+            location = /40x.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+            location = /50x.html {
+        }
+    }
+
+# Settings for a TLS enabled server.
+#
+#    server {
+#        listen       443 ssl http2 default_server;
+#        listen       [::]:443 ssl http2 default_server;
+#        server_name  _;
+#        root         /usr/share/nginx/html;
+#
+#        ssl_certificate "/etc/pki/nginx/server.crt";
+#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
+#        ssl_session_cache shared:SSL:1m;
+#        ssl_session_timeout  10m;
+#        ssl_ciphers HIGH:!aNULL:!MD5;
+#        ssl_prefer_server_ciphers on;
+#
+#        # Load configuration files for the default server block.
+#        include /etc/nginx/default.d/*.conf;
+#
+#        location / {
+#        }
+#
+#        error_page 404 /404.html;
+#            location = /40x.html {
+#        }
+#
+#        error_page 500 502 503 504 /50x.html;
+#            location = /50x.html {
+#        }
+#    }
+
+}

salt/common/nginx/nginx.conf.so-master

@@ -88,7 +88,7 @@ http {
     #    }
 
         location /grafana/ {
-	  rewrite /grafana/(.*) /$1 break;
+          rewrite /grafana/(.*) /$1 break;
           proxy_pass http://{{ masterip }}:3000/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -100,9 +100,8 @@ http {
         }
 
         location /kibana/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
-	  rewrite /kibana/(.*) /$1 break;
+          auth_request          /so-auth/api/auth/;
+	        rewrite /kibana/(.*) /$1 break;
           proxy_pass http://{{ masterip }}:5601/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -125,8 +124,7 @@ http {
         }
 
         location /navigator/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+          auth_request          /so-auth/api/auth/;
           proxy_pass http://{{ masterip }}:4200/navigator/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -151,9 +149,8 @@ http {
         }
 
         location /fleet/ {
-	  rewrite /fleet/(.*) /$1 break;
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+	        rewrite /fleet/(.*) /$1 break;
+          auth_request          /so-auth/api/auth/;
           proxy_pass https://{{ masterip }}:8080/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -188,18 +185,6 @@ http {
 
         }
 
-        location /cyberchef/ {
-          proxy_pass http://{{ masterip }}:9080/;
-          proxy_read_timeout    90;
-          proxy_connect_timeout 90;
-          proxy_http_version 1.1; # this is essential for chunked responses to work
-          proxy_set_header      Host $host;
-          proxy_set_header      X-Real-IP $remote_addr;
-          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header      Proxy "";
-
-        }
-	
         location /soctopus/ {
           proxy_pass http://{{ masterip }}:7000/;
           proxy_read_timeout    90;
@@ -212,8 +197,7 @@ http {
         }
 
         location /sensoroni/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+          auth_request          /so-auth/api/auth/;
           proxy_pass http://{{ masterip }}:9822/;
           proxy_read_timeout    90;
           proxy_connect_timeout 90;
@@ -250,6 +234,26 @@ http {
 
         }
 
+
+        location /so-auth/loginpage/ {
+            proxy_pass          http://{{ masterip }}:4242/;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+
+        location /so-auth/api/ {
+            proxy_pass          http://{{ masterip }}:5656/;
+            proxy_set_header    X-Real-IP $remote_addr;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header    X-Forwarded-Host $host;
+        }
+
+        error_page 401 = @error401;
+
+        location @error401 {
+          add_header    Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/;Max-Age=60000";
+          return        302 http://{{ masterip }}/so-auth/loginpage/;
+        }
+
         error_page 404 /404.html;
             location = /40x.html {
         }

salt/common/nginx/nginx.conf.so-mastersearch

@@ -0,0 +1,278 @@
+{%- set masterip = salt['pillar.get']('master:mainip', '') %}
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+
+    #server {
+    #    listen       80 default_server;
+    #    listen       [::]:80 default_server;
+    #    server_name  _;
+    #    root         /opt/socore/html;
+    #    index        index.html;
+
+        # Load configuration files for the default server block.
+        #include /etc/nginx/default.d/*.conf;
+
+    #    location / {
+    #    }
+
+    #    error_page 404 /404.html;
+    #        location = /40x.html {
+    #    }
+
+    #    error_page 500 502 503 504 /50x.html;
+    #        location = /50x.html {
+    #    }
+    #}
+    server {
+	      listen 80 default_server;
+	      server_name _;
+	      return 301 https://$host$request_uri;
+    }
+
+
+# Settings for a TLS enabled server.
+
+    server {
+        listen       443 ssl http2 default_server;
+        #listen       [::]:443 ssl http2 default_server;
+        server_name  _;
+        root         /opt/socore/html;
+        index        index.html;
+
+        ssl_certificate "/etc/pki/nginx/server.crt";
+        ssl_certificate_key "/etc/pki/nginx/server.key";
+        ssl_session_cache shared:SSL:1m;
+        ssl_session_timeout  10m;
+        ssl_ciphers HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers on;
+
+        # Load configuration files for the default server block.
+        #include /etc/nginx/default.d/*.conf;
+
+        #location / {
+    #      try_files $uri $uri.html /index.html;
+    #    }
+
+        location /grafana/ {
+	        rewrite /grafana/(.*) /$1 break;
+          proxy_pass http://{{ masterip }}:3000/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /kibana/ {
+          auth_request          /so-auth/api/auth/;
+	        rewrite /kibana/(.*) /$1 break;
+          proxy_pass http://{{ masterip }}:5601/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+       location /playbook/ {
+          proxy_pass http://{{ masterip }}:3200/playbook/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /navigator/ {
+          auth_request          /so-auth/api/auth/;
+          proxy_pass http://{{ masterip }}:4200/navigator/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /api/ {
+          proxy_pass https://{{ masterip }}:8080/api/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Upgrade $http_upgrade;
+          proxy_set_header      Connection "Upgrade";
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /fleet/ {
+	        rewrite /fleet/(.*) /$1 break;
+          auth_request          /so-auth/api/auth/;
+          proxy_pass https://{{ masterip }}:8080/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /thehive/ {
+          proxy_pass http://{{ masterip }}:9000/thehive/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_http_version 1.1; # this is essential for chunked responses to work
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /cortex/ {
+          proxy_pass http://{{ masterip }}:9001/cortex/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_http_version 1.1; # this is essential for chunked responses to work
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /cyberchef/ {
+          proxy_pass http://{{ masterip }}:9080/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_http_version 1.1; # this is essential for chunked responses to work
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+	
+        location /soctopus/ {
+          proxy_pass http://{{ masterip }}:7000/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+        location /sensoroni/ {
+          auth_request          /so-auth/api/auth/;
+          proxy_pass http://{{ masterip }}:9822/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "Upgrade";
+
+        }
+
+        location /kibana/app/sensoroni/ {
+          rewrite ^/kibana/app/sensoroni/(.*) /sensoroni/$1 permanent;
+        }
+
+        location /kibana/app/fleet/ {
+          rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent;
+        }
+
+        location /kibana/app/soctopus/ {
+          rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent;
+        }
+
+
+        location /sensoroniagents/ {
+          proxy_pass http://{{ masterip }}:9822/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
+
+        location /so-auth/loginpage/ {
+            proxy_pass          http://{{ masterip }}:4242/;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+
+        location /so-auth/api/ {
+            proxy_pass          http://{{ masterip }}:5656/;
+            proxy_set_header    X-Real-IP $remote_addr;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header    X-Forwarded-Host $host;
+        }
+
+        error_page 401 = @error401;
+
+        location @error401 {
+          add_header    Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/;Max-Age=60000";
+          return        302 http://{{ masterip }}/so-auth/loginpage/;
+        }
+
+        error_page 404 /404.html;
+            location = /40x.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+            location = /50x.html {
+        }
+    }
+
+}

salt/common/telegraf/etc/telegraf.conf

@@ -15,6 +15,7 @@
 
 {%- set MASTER = grains['master'] %}
 {% set NODEIP = salt['pillar.get']('node:mainip', '') %}
+{% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
 
 
 # Global tags can be specified here in key="value" format.
@@ -86,6 +87,7 @@
 ###############################################################################
 
 # Configuration for sending metrics to InfluxDB
+{% if grains['role'] != 'so-helix' %}
 [[outputs.influxdb]]
   ## The full HTTP or UDP URL for your InfluxDB instance.
   ##
@@ -148,7 +150,52 @@
   ## integer values.  Enabling this option will result in field type errors if
   ## existing data has been written.
   # influx_uint_support = false
+{% else %}
+# A plugin that can transmit metrics over HTTP
+[[outputs.http]]
+  ## URL is the address to send metrics to
+  url = "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload"
 
+  ## Timeout for HTTP message
+  # timeout = "5s"
+
+  ## HTTP method, one of: "POST" or "PUT"
+   method = "POST"
+
+  ## HTTP Basic Auth credentials
+  # username = "username"
+  # password = "pa$$word"
+
+  ## OAuth2 Client Credentials Grant
+  # client_id = "clientid"
+  # client_secret = "secret"
+  # token_url = "https://indentityprovider/oauth2/v1/token"
+  # scopes = ["urn:opc:idm:__myscopes__"]
+
+  ## Optional TLS Config
+  # tls_ca = "/etc/telegraf/ca.pem"
+  # tls_cert = "/etc/telegraf/cert.pem"
+  # tls_key = "/etc/telegraf/key.pem"
+  ## Use TLS but skip chain & host verification
+  # insecure_skip_verify = false
+
+  ## Data format to output.
+  ## Each data format has it's own unique set of configuration options, read
+  ## more about them here:
+  ## https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_OUTPUT.md
+   data_format = "json"
+
+  ## HTTP Content-Encoding for write request body, can be set to "gzip" to
+  ## compress body or "identity" to apply no encoding.
+   content_encoding = "gzip"
+
+  ## Additional HTTP headers
+   [outputs.http.headers]
+  #   # Should be set manually to "application/json" for json data_format
+     Content-Type = "application/json; charset=utf-8"
+     Authorization = "{{ HELIX_API_KEY }}"
+
+{% endif %}
 ###############################################################################
 #                            PROCESSOR PLUGINS                                #
 ###############################################################################
@@ -647,6 +694,17 @@
      "/scripts/influxdbsize.sh"
    ]
    data_format = "influx"
+{% elif grains['role'] == 'so-helix' %}
+[[inputs.exec]]
+  commands = [
+    "/scripts/stenoloss.sh",
+    "/scripts/suriloss.sh",
+    "/scripts/checkfiles.sh",
+    "/scripts/broloss.sh",
+    "/scripts/oldpcap.sh",
+    "/scripts/helixeps.sh"
+  ]
+  data_format = "influx"
 {% endif %}
 
 #

salt/common/telegraf/scripts/broloss.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
-BROLOG=$(tac /host/nsm/bro/logs/packetloss.log | head -2)
-declare RESULT=($BROLOG)
+ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2)
+declare RESULT=($ZEEKLOG)
 CURRENTDROP=${RESULT[3]}
 PASTDROP=${RESULT[9]}
 DROPPED=$(($CURRENTDROP - $PASTDROP))

salt/common/telegraf/scripts/helixeps.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+PREVCOUNTFILE='/tmp/helixevents.txt'
+EVENTCOUNTCURRENT="$(curl -s localhost:9600/_node/stats | jq '.pipelines.helix.events.out')"
+
+if [ ! -z "$EVENTCOUNTCURRENT" ]; then
+
+  if [ -f "$PREVCOUNTFILE" ]; then
+    EVENTCOUNTPREVIOUS=`cat $PREVCOUNTFILE`
+  else
+    echo "${EVENTCOUNTCURRENT}" > $PREVCOUNTFILE
+    exit 0
+  fi
+
+  echo "${EVENTCOUNTCURRENT}" > $PREVCOUNTFILE
+  EVENTS=$(((EVENTCOUNTCURRENT - EVENTCOUNTPREVIOUS)/30))
+  if [ "$EVENTS" -lt 0 ]; then
+    EVENTS=0
+  fi
+
+  echo "helixeps eps=${EVENTS%%.*}"
+
+fi
+
+exit 0

salt/common/tools/sbin/so-allow

@@ -1,42 +1,101 @@
 #!/bin/bash
-got_root() {
 
-  # Make sure you are root
-  if [ "$(id -u)" -ne 0 ]; then
-          echo "This script must be run using sudo!"
-          exit 1
-  fi
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-}
+. /usr/sbin/so-common
 
-got_root
+SKIP=0
 
-echo "This program allows you to add a firewall rule to allow connections from a new IP address."
-echo ""
-echo "Choose the role for the IP or Range you would like to add"
-echo ""
-echo "[a] - Analyst - ports 80/tcp and 443/tcp"
-echo "[b] - Logstash Beat - port 5044/tcp"
-echo "[o] - Osquery endpoint - port 8080/tcp"
-echo "[w] - Wazuh endpoint - port 1514"
-echo ""
-echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
-read ROLE
-echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
-read IP
+while getopts "abowi:" OPTION
+do
+    case $OPTION in
+
+        h)
+            usage
+            exit 0
+            ;;
+        a)
+            FULLROLE="analyst"
+            SKIP=1
+            ;;
+        b)
+            FULLROLE="beats_endpoint"
+            SKIP=1
+            ;;
+        i)  IP=$OPTARG
+            ;;
+        o)
+            FULLROLE="osquery_endpoint"
+            SKIP=1
+            ;;
+        w)
+            FULLROLE="wazuh_endpoint"
+            SKIP=1
+            ;;
+    esac
+done
+
+if [ "$SKIP" -eq 0 ]; then
+
+    echo "This program allows you to add a firewall rule to allow connections from a new IP address."
+    echo ""
+    echo "Choose the role for the IP or Range you would like to add"
+    echo ""
+    echo "[a] - Analyst - ports 80/tcp and 443/tcp"
+    echo "[b] - Logstash Beat - port 5044/tcp"
+    echo "[o] - Osquery endpoint - port 8080/tcp"
+    echo "[w] - Wazuh endpoint - port 1514"
+    echo ""
+    echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
+    read ROLE
+    echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
+    read IP
+
+    if [ "$ROLE" == "a" ]; then
+        FULLROLE=analyst
+    elif [ "$ROLE" == "b" ]; then
+        FULLROLE=beats_endpoint
+    elif [ "$ROLE" == "o" ]; then
+        FULLROLE=osquery_endpoint
+    elif [ "$ROLE" == "w" ]; then
+        FULLROLE=wazuh_endpoint
+    else
+        echo "I don't recognize that role"
+        exit 1
+    fi
 
-if [ "$ROLE" == "a" ]; then
-  FULLROLE=analyst
-elif [ "$ROLE" == "b" ]; then
-  FULLROLE=beats_endpoint
-elif [ "$ROLE" == "o" ]; then
-  FULLROLE=osquery_endpoint
-elif [ "$ROLE" == "w" ]; then
-  FULLROLE=wazuh_endpoint
-else
-  echo "I don't recognize that role"
-  exit 1
 fi
 
 echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
 /opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
+
+# Check if Wazuh enabled
+if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
+    # If analyst, add to Wazuh AR whitelist
+    if [ "$FULLROLE" == "analyst" ]; then
+          WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
+          if ! grep -q "<white_list>$IP</white_list>" $WAZUH_MGR_CFG ; then
+                  DATE=`date`
+                  sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
+                  sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
+                  echo -e "<!--Address $IP added by /usr/sbin/so-allow on "$DATE"-->\n  <global>\n    <white_list>$IP</white_list>\n  </global>\n</ossec_config>" >> $WAZUH_MGR_CFG
+                  echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG."
+		  echo
+                  echo "Restarting OSSEC Server..."
+                  /usr/sbin/so-wazuh-restart
+          fi
+     fi
+fi

salt/common/tools/sbin/so-auth-restart

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart auth $1
+

salt/common/tools/sbin/so-auth-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start auth $1

salt/common/tools/sbin/so-auth-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop auth $1

salt/common/tools/sbin/so-bpf-compile

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Copyright 2014 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ "$#" -lt 2 ]; then
+  cat 1>&2 <<EOF
+$0 compiles a BPF expression to be passed to stenotype to apply a socket filter.
+Its first argument is the interface (link type is required) and all other arguments
+are passed to TCPDump.
+
+Examples:
+ $0 eth0 dst port 80
+ $0 eth0 udp port 53
+EOF
+  exit 1
+fi
+
+interface="$1"
+shift
+sudo tcpdump -i $interface -ddd $@ | tail -n+2 |
+while read line; do
+  cols=( $line )
+  printf "%04x%02x%02x%08x" ${cols[0]} ${cols[1]} ${cols[2]} ${cols[3]}
+done
+echo ""

salt/common/tools/sbin/so-checkin

@@ -1 +1,20 @@
-sudo salt-call state.highstate
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+salt-call state.highstate

salt/common/tools/sbin/so-common

@@ -0,0 +1,30 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Check for prerequisites
+if [ "$(id -u)" -ne 0 ]; then
+        echo "This script must be run using sudo!"
+        exit 1
+fi
+
+# Define a banner to separate sections
+banner="========================================================================="
+
+header() {
+        echo
+        printf '%s\n' "$banner" "$*" "$banner"
+}

salt/common/tools/sbin/so-cortex-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart cortex $1

salt/common/tools/sbin/so-cortex-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start cortex $1

salt/common/tools/sbin/so-cortex-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop cortex $1

salt/common/tools/sbin/so-curator-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart curator $1

salt/common/tools/sbin/so-curator-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start curator $1

salt/common/tools/sbin/so-curator-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop curator $1

salt/common/tools/sbin/so-elastalert-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart elastalert $1

salt/common/tools/sbin/so-elastalert-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start elastalert $1

salt/common/tools/sbin/so-elastalert-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop elastalert $1

salt/common/tools/sbin/so-elastalert-test

@@ -0,0 +1,142 @@
+#!/bin/bash
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+# Originally written by Bryant Treacle
+# https://raw.githubusercontent.com/bryant-treacle/so-elastalert-test-rule/master/so-elastalert-test
+# Modified by Doug Burks and Wes Lambert
+#
+# Purpose:  This script will allow you to test your elastalert rule without entering the Docker container.
+
+. /usr/sbin/so-elastic-common
+
+OPTIONS=""
+SKIP=0
+RESULTS_TO_LOG="n"
+RULE_NAME=""
+FILE_SAVE_LOCATION=""
+
+usage()
+{
+cat <<EOF
+
+Test Elastalert Rule
+  Options:
+  -h         		This message
+  -a         		Trigger real alerts instead of the debug alert
+  -l <path_to_file>     Write results to specified log file
+  -o '<options>'	Specify Elastalert options ( Ex. --schema-only , --count-only, --days N ) 
+  -r <rule_name>        Specify path/name of rule to test
+
+EOF
+}
+
+while getopts "hal:o:r:" OPTION
+do
+        case $OPTION in
+                h)
+                        usage
+                        exit 0
+                        ;;
+                a)
+                        OPTIONS="--alert"
+                        ;;
+                l)
+                        RESULTS_TO_LOG="y"
+                        FILE_SAVE_LOCATION=$OPTARG
+                        ;;
+                
+                o)
+			OPTIONS=$OPTARG
+                        ;;  
+                
+                r)
+                        RULE_NAME=$OPTARG
+                        SKIP=1
+                        ;;
+                *)
+                        usage
+                        exit 0
+                        ;;
+        esac
+done
+
+docker_exec(){
+	if [ ${RESULTS_TO_LOG,,} = "y" ] ; then
+        	docker exec -it so-elastalert bash -c "elastalert-test-rule $RULE_NAME $OPTIONS" > $FILE_SAVE_LOCATION
+	else
+        	docker exec -it so-elastalert bash -c "elastalert-test-rule $RULE_NAME $OPTIONS"
+	fi	
+}
+
+rule_prompt(){
+	CURRENT_RULES=$(find /opt/so/rules/elastalert -name "*.yaml")
+        echo
+        echo "This script will allow you to test an Elastalert rule."
+        echo
+        echo "Below is a list of active Elastalert rules:"
+        echo
+	echo "-----------------------------------"
+        echo
+        echo "$CURRENT_RULES"
+        echo
+	echo "-----------------------------------"
+	echo 
+        echo "Note: To test a rule it must be accessible by the Elastalert Docker container."
+        echo
+        echo "Make sure to swap the local path (/opt/so/rules/elastalert/) for the docker path (/etc/elastalert/rules/)"
+        echo "Example: /opt/so/rules/elastalert/nids2hive.yaml would be /etc/elastalert/rules/nids2hive.yaml"
+        echo
+        while [ -z $RULE_NAME ]; do
+		echo "Please enter the file path and rule name you want to test."
+		read -e RULE_NAME
+	done
+}
+
+log_save_prompt(){
+	RESULTS_TO_LOG=""
+        while [ -z $RESULTS_TO_LOG ]; do
+		echo "The results can be rather long.  Would you like to write the results to a file? (Y/N)"
+		read RESULTS_TO_LOG
+	done
+}
+
+log_path_prompt(){
+        while [ -z $FILE_SAVE_LOCATION ]; do
+		echo "Please enter the file path and file name."
+		read -e FILE_SAVE_LOCATION
+        done
+		echo "Depending on the rule this may take a while."
+}
+
+if [ $SKIP -eq 0 ]; then
+	rule_prompt
+	log_save_prompt
+        if [ ${RESULTS_TO_LOG,,} = "y" ] ; then
+        	log_path_prompt
+        fi
+fi
+
+docker_exec
+
+if [ $? -eq 0 ]; then
+	echo "Test completed successfully!"
+else
+	echo "Something went wrong..."
+fi
+
+echo
+
+
+

salt/common/tools/sbin/so-elastic-clear

@@ -0,0 +1,80 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%}
+. /usr/sbin/so-common
+
+SKIP=0
+#########################################
+# Options
+#########################################
+usage()
+{
+cat <<EOF
+Security Onion Elastic Clear
+  Options:
+  -h         This message
+  -y         Skip interactive mode
+EOF
+}
+while getopts "h:y" OPTION
+do
+        case $OPTION in
+                h)
+                        usage
+                        exit 0
+                        ;;
+                
+                y)
+                        SKIP=1
+                        ;;
+                *)
+                        usage
+                        exit 0
+                        ;;
+        esac
+done
+if [ $SKIP -ne 1 ]; then
+        # List indices
+        echo 
+        curl {{ MASTERIP }}:9200/_cat/indices?v&pretty
+        echo
+        # Inform user we are about to delete all data
+        echo
+        echo "This script will delete all data (documents, indices, etc.) in the Elasticsearch database."
+        echo
+        echo "If you would like to proceed, please type "AGREE" and hit ENTER."
+        echo
+        # Read user input
+        read INPUT
+        if [ "$INPUT" != "AGREE" ] ; then exit 0; fi
+fi
+
+/usr/sbin/so-filebeat-stop
+/usr/sbin/so-logstash-stop
+
+# Delete data
+echo "Deleting data..."
+
+INDXS=$(curl -s -XGET {{ MASTERIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert' | awk '{ print $3 }')
+for INDX in ${INDXS}
+do
+    curl -XDELETE "{{ MASTERIP }}:9200/${INDX}" > /dev/null 2>&1
+done
+
+/usr/sbin/so-logstash-start
+/usr/sbin/so-filebeat-start
+

salt/common/tools/sbin/so-elastic-diagnose

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Source common settings
+. /usr/sbin/so-common
+
+# Check for log files
+for FILE in /opt/so/log/elasticsearch/*.log /opt/so/log/logstash/*.log /opt/so/log/kibana/*.log /opt/so/log/elastalert/*.log /opt/so/log/curator/*.log /opt/so/log/freqserver/*.log /opt/so/log/nginx/*.log; do
+
+# If file exists, then look for errors or warnings 
+if [ -f $FILE ]; then
+	MESSAGE=`grep -i 'ERROR\|FAIL\|WARN' $FILE` 
+	if [ ! -z "$MESSAGE" ]; then
+		header $FILE
+		echo $MESSAGE | sed 's/WARN/\nWARN/g' | sed 's/WARNING/\nWARNING/g' | sed 's/ERROR/\nERROR/g' | sort | uniq -c | sort -nr
+		echo
+	fi
+fi
+done

salt/common/tools/sbin/so-elastic-download

@@ -0,0 +1,46 @@
+#!/bin/bash
+MASTER=MASTER
+VERSION="HH1.1.4"
+TRUSTED_CONTAINERS=( \
+"so-auth-api:$VERSION" \
+"so-auth-ui:$VERSION" \
+"so-core:$VERSION" \
+"so-thehive-cortex:$VERSION" \
+"so-curator:$VERSION" \
+"so-domainstats:$VERSION" \
+"so-elastalert:$VERSION" \
+"so-elasticsearch:$VERSION" \
+"so-filebeat:$VERSION" \
+"so-fleet:$VERSION" \
+"so-fleet-launcher:$VERSION" \
+"so-freqserver:$VERSION" \
+"so-grafana:$VERSION" \
+"so-idstools:$VERSION" \
+"so-influxdb:$VERSION" \
+"so-kibana:$VERSION" \
+"so-logstash:$VERSION" \
+"so-mysql:$VERSION" \
+"so-navigator:$VERSION" \
+"so-playbook:$VERSION" \
+"so-redis:$VERSION" \
+"so-sensoroni:$VERSION" \
+"so-soctopus:$VERSION" \
+"so-steno:$VERSION" \
+#"so-strelka:$VERSION" \
+"so-suricata:$VERSION" \
+"so-telegraf:$VERSION" \
+"so-thehive:$VERSION" \
+"so-thehive-es:$VERSION" \
+"so-wazuh:$VERSION" \
+"so-zeek:$VERSION" )
+
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+  # Pull down the trusted docker image
+  echo "Downloading $i"
+  docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+  # Tag it with the new registry destination
+  docker tag soshybridhunter/$i $MASTER:5000/soshybridhunter/$i
+  docker push $MASTER:5000/soshybridhunter/$i
+  docker rmi soshybridhunter/$i
+done

salt/common/tools/sbin/so-elasticsearch-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart elasticsearch $1

salt/common/tools/sbin/so-elasticsearch-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start elasticsearch $1

salt/common/tools/sbin/so-elasticsearch-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop elasticsearch $1

salt/common/tools/sbin/so-features-enable

@@ -0,0 +1,42 @@
+#!/bin/bash
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+VERSION=$(grep soversion /opt/so/saltstack/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
+# Modify static.sls to enable Features
+sed -i 's/features: False/features: True/' /opt/so/saltstack/pillar/static.sls
+SUFFIX="-features"
+TRUSTED_CONTAINERS=( \
+  "so-elasticsearch:$VERSION$SUFFIX" \
+  "so-filebeat:$VERSION$SUFFIX" \
+  "so-kibana:$VERSION$SUFFIX" \
+  "so-logstash:$VERSION$SUFFIX" )
+
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+    # Pull down the trusted docker image
+    echo "Downloading $i"
+    docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+    # Tag it with the new registry destination
+    docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
+    docker push $HOSTNAME:5000/soshybridhunter/$i
+done
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+    echo "Removing $i locally"
+    docker rmi soshybridhunter/$i
+done

salt/common/tools/sbin/so-filebeat-restart

@@ -1,17 +1,20 @@
 #!/bin/bash
 
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-filebeat && sudo docker rm so-filebeat && salt-call state.apply filebeat
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart filebeat $1

salt/common/tools/sbin/so-filebeat-start

@@ -1,17 +1,20 @@
 #!/bin/bash
 
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker rm so-filebeat && salt-call state.apply filebeat
+. /usr/sbin/so-common
+
+/usr/sbin/so-start filebeat $1

salt/common/tools/sbin/so-filebeat-stop

@@ -1,17 +1,20 @@
 #!/bin/bash
 
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-filebeat
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop filebeat $1

salt/common/tools/sbin/so-fleet-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart fleet $1

salt/common/tools/sbin/so-fleet-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start fleet $1

salt/common/tools/sbin/so-fleet-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop fleet $1

salt/common/tools/sbin/so-get-parsed

@@ -1 +0,0 @@
-sudo docker exec -it so-redis redis-cli llen logstash:unparsed

salt/common/tools/sbin/so-get-unparsed

@@ -1 +0,0 @@
-sudo docker exec -it so-redis redis-cli llen logstash:unparsed

salt/common/tools/sbin/so-grafana-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart grafana $1

salt/common/tools/sbin/so-grafana-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start grafana $1

salt/common/tools/sbin/so-grafana-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop grafana $1

salt/common/tools/sbin/so-index-list

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+curl -X GET "localhost:9200/_cat/indices?v"

salt/common/tools/sbin/so-kibana-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart kibana $1

salt/common/tools/sbin/so-kibana-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start kibana $1

salt/common/tools/sbin/so-kibana-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop kibana $1

salt/common/tools/sbin/so-list-index

@@ -1 +0,0 @@
-curl -X GET "localhost:9200/_cat/indices?v"

salt/common/tools/sbin/so-logstash-get-parsed

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+docker exec -it so-redis redis-cli llen logstash:unparsed

salt/common/tools/sbin/so-logstash-get-unparsed

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+docker exec -it so-redis redis-cli llen logstash:unparsed

salt/common/tools/sbin/so-logstash-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart logstash $1

salt/common/tools/sbin/so-logstash-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start logstash $1

salt/common/tools/sbin/so-logstash-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop logstash $1

salt/common/tools/sbin/so-mysql-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart mysql $1

salt/common/tools/sbin/so-mysql-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start mysql $1

salt/common/tools/sbin/so-mysql-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop mysql $1

salt/common/tools/sbin/so-nsm-clear

@@ -0,0 +1,76 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+. /usr/sbin/so-common
+
+SKIP=0
+#########################################
+# Options
+#########################################
+usage()
+{
+cat <<EOF
+Security Onion NSM Data Deletion
+  Options:
+  -h         This message
+  -y         Skip interactive mode
+EOF
+}
+while getopts "h:y" OPTION
+do
+        case $OPTION in
+                h)
+                        usage
+                        exit 0
+                        ;;
+                
+                y)
+                        SKIP=1
+                        ;;
+                *)
+                        usage
+                        exit 0
+                        ;;
+        esac
+done
+if [ $SKIP -ne 1 ]; then
+        # Inform user we are about to delete all data
+        echo
+        echo "This script will delete all NIDS data (PCAP, Suricata, Zeek)" 
+        echo "If you would like to proceed, please type "AGREE" and hit ENTER."
+        echo
+        # Read user input
+        read INPUT
+        if [ "$INPUT" != "AGREE" ] ; then exit 0; fi
+fi
+
+delete_pcap() {
+  PCAP_DATA="/nsm/pcap/"
+  [ -d $PCAP_DATA ] && so-pcap-stop && rm -rf $PCAP_DATA/* && so-pcap-start
+}
+delete_suricata() {
+  SURI_LOG="/opt/so/log/suricata/eve.json"
+  [ -f $SURI_LOG ] && so-suricata-stop && rm -f $SURI_LOG && so-suricata-start
+}
+delete_zeek() {
+  ZEEK_LOG="/nsm/zeek/logs/"
+  [ -d $ZEEK_LOG ] && so-zeek-stop && rm -rf $ZEEK_LOG/* && so-zeek-start
+}
+
+delete_pcap
+delete_suricata
+delete_zeek
+

salt/common/tools/sbin/so-pcap-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart steno $1

salt/common/tools/sbin/so-pcap-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start steno $1

salt/common/tools/sbin/so-pcap-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop steno $1

salt/common/tools/sbin/so-playbook-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart playbook $1

salt/common/tools/sbin/so-playbook-ruleupdate

@@ -1 +1,20 @@
-sudo docker exec so-soctopus python3 playbook_bulk-update.py
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+docker exec so-soctopus python3 playbook_bulk-update.py

salt/common/tools/sbin/so-playbook-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start playbook $1

salt/common/tools/sbin/so-playbook-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop playbook $1

salt/common/tools/sbin/so-playbook-sync

@@ -1 +1,20 @@
-sudo docker exec so-soctopus python3 playbook_play-sync.py
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+docker exec so-soctopus python3 playbook_play-sync.py

salt/common/tools/sbin/so-redis-count

@@ -1 +1,20 @@
-sudo docker exec -it so-redis redis-cli llen logstash:unparsed
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+docker exec -it so-redis redis-cli llen logstash:unparsed

salt/common/tools/sbin/so-redis-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart redis $1

salt/common/tools/sbin/so-redis-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start redis $1

salt/common/tools/sbin/so-redis-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop redis $1

salt/common/tools/sbin/so-restart

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Usage: so-restart  filebeat | kibana | playbook | thehive
+
+. /usr/sbin/so-common
+
+echo $banner
+printf "Restarting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
+echo $banner
+
+if [ "$2" = "--force" ]
+then
+   printf "\nForce-stopping all Salt jobs before proceeding\n\n"
+   salt-call saltutil.kill_all_jobs
+fi
+
+case $1 in
+   "cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;;
+   "steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;;
+   "auth") docker stop so-auth-api; docker stop so-auth-ui; salt-call state.apply auth queue=True;;
+   *)  docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
+esac

salt/common/tools/sbin/so-salt-start

@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+echo $banner
+printf "Starting local Salt Minion...\n"
+echo $banner
+
+service salt-minion start
+service salt-minion status

salt/common/tools/sbin/so-salt-stop

@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+echo $banner
+printf "Stopping local Salt Minion...\n"
+echo $banner
+
+service salt-minion stop
+service salt-minion status

salt/common/tools/sbin/so-soctopus-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart soctopus $1

salt/common/tools/sbin/so-soctopus-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start soctopus $1

salt/common/tools/sbin/so-soctopus-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop soctopus $1

salt/common/tools/sbin/so-start

@@ -1 +1,47 @@
-sudo salt-call state.highstate
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Usage: so-start  all | filebeat | kibana | playbook | thehive
+
+. /usr/sbin/so-common
+
+echo $banner
+printf "Starting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
+echo $banner
+
+if [ "$2" = "--force" ]
+then
+   printf "\nForce-stopping all Salt jobs before proceeding\n\n"
+   salt-call saltutil.kill_all_jobs
+fi
+
+case $1 in
+   "all") salt-call state.highstate queue=True;;
+   "steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;; 
+   "auth") 
+      if docker ps | grep -q so-auth-api; then
+         if docker ps | grep -q so-auth-ui; then
+            printf "\n$1 is already running!\n\n"
+         else
+            docker rm so-auth-api >/dev/null 2>&1; docker rm so-auth-ui >/dev/null 2>&1; salt-call state.apply $1 queue=True
+         fi
+      else
+         docker rm so-auth-api >/dev/null 2>&1; docker rm so-auth-ui >/dev/null 2>&1; salt-call state.apply $1 queue=True
+      fi
+      ;;
+   *) if docker ps | grep -q so-$1; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; 
+esac

salt/common/tools/sbin/so-status

@@ -0,0 +1,206 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+{%- set pillar_suffix = ':containers' -%}
+{%- if (salt['grains.get']('role') == 'so-mastersearch') -%}
+    {%- set pillar_val = 'master_search' -%}
+{%- elif (salt['grains.get']('role') == 'so-master') -%}
+    {%- set pillar_val = 'master' -%}
+{%- elif (salt['grains.get']('role') == 'so-heavynode') -%}
+    {%- set pillar_val = 'heavy_node' -%}
+{%- elif (salt['grains.get']('role') == 'so-sensor') -%}
+    {%- set pillar_val = 'sensor' -%}
+{%- elif (salt['grains.get']('role') == 'so-eval') -%}
+    {%- set pillar_val = 'eval' -%}
+{%- elif (salt['grains.get']('role') == 'so-helix') -%}
+    {%- set pillar_val = 'helix' -%}
+{%- elif (salt['grains.get']('role') == 'so-node') -%}
+    {%- if (salt['pillar.get']('node:node_type') == 'parser') -%}
+        {%- set pillar_val = 'parser_node' -%}
+    {%- elif (salt['pillar.get']('node:node_type') == 'hot') -%}
+        {%- set pillar_val = 'hot_node' -%}
+    {%- elif (salt['pillar.get']('node:node_type') == 'warm') -%}
+        {%- set pillar_val = 'warm_node' -%}
+    {%- elif (salt['pillar.get']('node:node_type') == 'search') -%}
+        {%- set pillar_val = 'search_node' -%}
+    {%- endif -%}
+{%- endif -%}
+{%- set pillar_name = pillar_val ~ pillar_suffix -%}
+{%- set container_list = salt['pillar.get'](pillar_name) %}
+
+if ! [ "$(id -u)" = 0 ]; then
+   echo "This command must be run as root"
+   exit 1
+fi
+
+# Constants
+ERROR_STRING="ERROR"
+SUCCESS_STRING="OK"
+PENDING_STRING="PENDING"
+MISSING_STRING='MISSING'
+declare -a BAD_STATUSES=("removing" "paused" "exited" "dead")
+declare -a PENDING_STATUSES=("paused" "created" "restarting")
+declare -a GOOD_STATUSES=("running")
+
+declare -a temp_container_name_list=()
+declare -a temp_container_state_list=()
+
+declare -a container_name_list=()
+declare -a container_state_list=()
+
+declare -a expected_container_list=()
+
+# {% raw %}
+
+compare_lists() {
+    local found=0
+
+    create_expected_container_list
+
+    if [[ ${#expected_container_list[@]} = 0 ]]; then
+        container_name_list="${temp_container_name_list[*]}"
+        container_state_list="${temp_container_state_list[*]}"
+        return 1
+    fi
+
+    for intended_item in "${expected_container_list[@]}"; do
+        found=0
+        for i in "${!temp_container_name_list[@]}"; do
+            [[ ${temp_container_name_list[$i]} = "$intended_item" ]] \
+                && found=1 \
+                && container_name_list+=("${temp_container_name_list[$i]}") \
+                && container_state_list+=("${temp_container_state_list[$i]}") \
+                && break
+        done
+        if [[ $found = 0 ]]; then
+            container_name_list+=("$intended_item")
+            container_state_list+=("missing")
+        fi
+    done
+}
+
+# {% endraw %}
+
+create_expected_container_list() {
+    {% for item in container_list%}
+        expected_container_list+=("{{ item }}")
+    {% endfor %}
+}
+
+populate_container_lists() {
+    systemctl is-active --quiet docker
+
+    if [[ $? = 0 ]]; then
+        mapfile -t docker_raw_list < <(curl -s --unix-socket /var/run/docker.sock http:/containers/json?all=1 \
+            | jq -c '.[] | { Name: .Names[0], State: .State }' \
+            | tr -d '/{"}')
+    else
+        exit 1
+    fi
+
+    local container_name=""
+    local container_state=""
+
+    for line in "${docker_raw_list[@]}"; do
+        container_name="$( echo $line | sed -e 's/Name:\(.*\),State:\(.*\)/\1/' )" # Get value in the first search group (container names)
+        container_state="$( echo $line | sed -e 's/Name:\(.*\),State:\(.*\)/\2/' )" # Get value in the second search group (container states)
+        
+        temp_container_name_list+=( "${container_name}" )
+        temp_container_state_list+=( "${container_state}" )
+    done
+
+    compare_lists
+}
+
+parse_status() {
+    local container_state=${1}
+
+    [[ $container_state = "missing" ]] && printf $MISSING_STRING && return 1
+
+    for state in "${GOOD_STATUSES[@]}"; do
+        [[ $container_state = "$state" ]] && printf $SUCCESS_STRING && return 0
+    done
+
+    for state in "${PENDING_STATUSES[@]}"; do
+        [[ $container_state = "$state" ]] && printf $PENDING_STRING && return 0
+    done
+
+    # This is technically not needed since the default is error state
+    for state in "${BAD_STATUSES[@]}"; do
+        [[ $container_state = "$state" ]] && printf $ERROR_STRING && return 1
+    done
+
+    printf $ERROR_STRING && return 1
+}
+
+# {% raw %}
+
+print_line() {
+    local service_name=${1}
+    local service_state="$( parse_status ${2} )"
+    local columns=$(tput cols)
+    local state_color="\e[0m"
+
+    local PADDING_CONSTANT=14
+
+    if [[ $service_state = "$ERROR_STRING" ]] || [[ $service_state = "$MISSING_STRING" ]]; then
+        state_color="\e[1;31m"
+    elif [[ $service_state = "$SUCCESS_STRING" ]]; then
+        state_color="\e[1;32m"
+    elif [[ $service_state = "$PENDING_STRING" ]]; then
+        state_color="\e[1;33m"
+    fi
+
+    printf "    $service_name "
+    for i in $(seq 0 $(( $columns - $PADDING_CONSTANT - ${#service_name} - ${#service_state} ))); do
+        printf "-"
+    done
+    printf " [ "
+    printf "${state_color}%b\e[0m" "$service_state"
+    printf "%s    \n" " ]"
+}
+
+main() {
+    local focus_color="\e[1;34m"
+    printf "\n"
+    printf "${focus_color}%b\e[0m" "Checking Docker status\n\n"
+
+    systemctl is-active --quiet docker
+    if [[ $? = 0 ]]; then
+        print_line "Docker" "running"
+    else
+        print_line "Docker" "exited"
+    fi
+
+    populate_container_lists
+
+    printf "\n"
+    printf "${focus_color}%b\e[0m" "Checking container statuses\n\n"
+
+    local num_containers=${#container_name_list[@]}
+
+    for i in $(seq 0 $(($num_containers - 1 ))); do
+        print_line ${container_name_list[$i]} ${container_state_list[$i]}
+    done
+
+    printf "\n"
+}
+
+# {% endraw %}
+
+
+main

salt/common/tools/sbin/so-stop

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Usage: so-stop  filebeat | kibana | playbook | thehive
+
+. /usr/sbin/so-common
+
+echo $banner
+printf "Stopping $1...\n"
+echo $banner
+
+case $1 in
+    "auth") docker stop so-auth-api; docker rm so-auth-api; docker stop so-auth-ui; docker rm so-auth-ui ;;
+    *) docker stop so-$1 ; docker rm so-$1 ;;
+esac
+