Merge pull request #745 from Security-Onion-Solutions/dev

1.3.0

.gitignore

@@ -1,2 +1,59 @@
+
+# Created by https://www.gitignore.io/api/macos,windows
+# Edit at https://www.gitignore.io/?templates=macos,windows
+
+### macOS ###
+# General
 .DS_Store
-.idea
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### Windows ###
+# Windows thumbnail cache files
+Thumbs.db
+Thumbs.db:encryptable
+ehthumbs.db
+ehthumbs_vista.db
+
+# Dump file
+*.stackdump
+
+# Folder config file
+[Dd]esktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
+
+# End of https://www.gitignore.io/api/macos,windows

README.md

@@ -1,40 +1,41 @@
-## Hybrid Hunter Alpha 1.1.3
-
-### ISO Download:
-
-[HH1.1.3-20.iso](https://github.com/Security-Onion-Solutions/securityonion-hh-iso/releases/download/HH1.1.3/HH-1.1.3-20.iso)  
-MD5: 5A97980365A2A63EBFABB8C1DEB32BB6  
-SHA1: 2A780B41903D907CED91D944569FD24FC131281F  
-SHA256: 56FA65EB5957903B967C16E792B17386848101CD058E0289878373110446C4B2
-
-```
-Default Username: onion
-Default Password: V@daL1aZ
-```
+## Hybrid Hunter Beta 1.3.0 - Beta 2
 
 ### Changes:
 
-- Overhaul of the setup script to support both ISO and network based setups.
-- ISO will now boot properly from a USB stick.
-- Python 3 is now default.
-- Fix Filebeat from restarting every check in due to x509 refresh issue. 
-- Cortex installed and integrated with TheHive. 
-- Switched to using vanilla Kolide Fleet and upgraded to latest version (2.4) .  
-- Playbook changes:
-  - Now preloaded with Plays generated from Sysmon Sigma signatures in the [Sigma community repo](https://github.com/Neo23x0/sigma/tree/master/rules/windows/sysmon).  
-  - New update script that updates / pulls in new Sigma signatures from the community repo .
-  - Bulk enable / disable plays from the webui . 
-  - Updated sigmac mapping template & configuration (backend is now `elastalert`) . 
-  - Updated TheHive alerts formatting . 
-- OS patch scheduling:
-  - During setup, choose between auto, manual, or scheduled OS patch interval
-  - For scheduled, create a new or import an existing named schedule
-
+- New Feature: Codename: "Onion Hunt". Select Hunt from the menu and start hunting down your adversaries! 
+- Improved ECS support.
+- Complete refactor of the setup to make it easier to follow.
+- Improved setup script logging to better assist on any issues.
+- Setup now checks for minimal requirements during install.
+- Updated Cyberchef to version 9.20.3.
+- Updated Elastalert to version 0.2.4 and switched to alpine to reduce container size.
+- Updated Redis to 5.0.9 and switched to alpine to reduce container size.
+- Updated Salt to 2019.2.5
+- Updated Grafana to 6.7.3.
+- Zeek 3.0.6
+- Suricata 4.1.8
+- Fixes so-status to now display correct containers and status.
+- local.zeek is now controlled by a pillar instead of modifying the file directly.
+- Renamed so-core to so-nginx and switched to alpine to reduce container size.
+- Playbook now uses MySQL instead of SQLite.
+- Sigma rules have all been updated.
+- Kibana dashboard improvements for ECS.
+- Fixed an issue where geoip was not properly parsed.
+- ATT&CK Navigator is now it's own state.
+- Standlone mode is now supported.
+- Mastersearch previously used the same Grafana dashboard as a Search node. It now has its own dashboard that incorporates panels from the Master node and Search node dashboards.
+ 
+### Known Issues:
 
+- The Hunt feature is currently considered "Preview" and although very useful in its current state, not everything works. We wanted to get this out as soon as possible to get the feedback from you! Let us know what you want to see! Let us know what you think we should call it!
+- You cannot pivot to PCAP from Suricata alerts in Kibana or Hunt.
+- Updating users via the SOC ui is known to fail. To change a user, delete the user and re-add them. 
+- Due to the move to ECS, the current Playbook plays may not alert correctly at this time.
+- The osquery MacOS package does not install correctly.
 
 ### Warnings and Disclaimers
 
-- This ALPHA release is BLEEDING EDGE and TOTALLY UNSUPPORTED!  
+- This BETA release is BLEEDING EDGE and TOTALLY UNSUPPORTED!  
 - If this breaks your system, you get to keep both pieces!  
 - This script is a work in progress and is in constant flux.  
 - This script is intended to build a quick prototype proof of concept so you can see what our new platform might look like.  This configuration will change drastically over time leading up to the final release.  
@@ -47,33 +48,36 @@ Default Password: V@daL1aZ
 
 Evaluation Mode:
 
-- ISO or a Single VM running Ubuntu 16.04 or CentOS 7
+- ISO or a Single VM running Ubuntu 18.04 or CentOS 7
 - Minimum 12GB of RAM
 - Minimum 4 CPU cores
 - Minimum 2 NICs
 
 Distributed:
 
-- 3 VMs running the ISO or Ubuntu 16.04 or CentOS 7 (You can mix and match)
+- 3 VMs running the ISO or Ubuntu 18.04 or CentOS 7 (You can mix and match)
 - Minimum 8GB of RAM per VM
 - Minimum 4 CPU cores per VM
 - Minimum 2 NICs for forward nodes
 
-### Prerequisites for Network Based Install
+### Installation
 
-Install git if using a Centos 7 Minimal install:
+For most users, we recommend installing using [our ISO image](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/ISO).
+
+If instead you would like to try a manual installation (not using our ISO), you can build from CentOS 7 or Ubuntu 18.04.
+
+If using CentOS 7 Minimal, you will need to install git:
 
 ```sudo yum -y install git```
 
-### Installation
-
-Once you resolve those requirements or are using Ubuntu 16.04 do the following:
+Once you have git, then do the following:
 
 ```
 git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack
 cd securityonion-saltstack
-sudo bash so-setup-network.sh
+sudo bash so-setup-network
 ```
+
 Follow the prompts and reboot if asked to do so.
 
 Then proceed to the [Hybrid Hunter Quick Start Guide](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Hybrid-Hunter-Quick-Start-Guide).

VERSION

@@ -1 +1 @@
-1.0.6
+1.3.0

exclude-list.txt

@@ -1,2 +0,0 @@
-salt/bro/files/local.bro
-salt/bro/files/local.bro.community

files/master

@@ -12,6 +12,7 @@
 # modified files cause conflicts, set verify_env to False.
 # user: socore
 
+log_file: /opt/so/log/salt/master
 
 #####      File Server settings      #####
 ##########################################
@@ -57,3 +58,7 @@ pillar_roots:
 peer:
   .*:
     - x509.sign_remote_certificate
+
+reactor:
+  - 'so/fleet':
+    - salt://reactor/fleet.sls

pillar/data/mastersearchtab.sls

@@ -0,0 +1 @@
+mastersearchtab:

pillar/docker/config.sls

@@ -0,0 +1,211 @@
+{%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
+{%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}
+{% set WAZUH = salt['pillar.get']('master:wazuh', '0') %}
+{% set THEHIVE = salt['pillar.get']('master:thehive', '0') %}
+{% set PLAYBOOK = salt['pillar.get']('master:playbook', '0') %}
+{% set FREQSERVER = salt['pillar.get']('master:freq', '0') %}
+{% set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') %}
+{% set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
+{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
+
+eval:
+  containers:
+    - so-nginx
+    - so-telegraf
+    {% if  GRAFANA == '1' %}
+    - so-influxdb
+    - so-grafana
+    {% endif %}
+    - so-dockerregistry
+    - so-soc
+    - so-kratos
+    - so-idstools
+    {% if FLEETMASTER %}
+    - so-mysql
+    - so-fleet
+    - so-redis
+    {% endif %}
+    - so-elasticsearch
+    - so-logstash
+    - so-kibana
+    - so-steno
+    - so-suricata
+    - so-zeek
+    - so-curator
+    - so-elastalert
+    {% if WAZUH != '0' %}
+    - so-wazuh
+    {% endif %}
+    - so-soctopus
+    {% if THEHIVE != '0' %}
+    - so-thehive
+    - so-thehive-es
+    - so-cortex
+    {% endif %}
+    {% if PLAYBOOK != '0' %}
+    - so-playbook
+    - so-navigator
+    {% endif %}
+    {% if FREQSERVER != '0' %}
+    - so-freqserver
+    {% endif %}
+    {% if DOMAINSTATS != '0' %}
+    - so-domainstats
+    {% endif %}
+heavy_node:
+  containers:
+    - so-nginx
+    - so-telegraf
+    - so-redis
+    - so-logstash
+    - so-elasticsearch
+    - so-curator
+    - so-steno
+    - so-suricata
+    - so-wazuh
+    - so-filebeat
+    {% if BROVER != 'SURICATA' %}
+    - so-zeek
+    {% endif %}
+helix:
+  containers:
+    - so-nginx
+    - so-telegraf
+    - so-idstools
+    - so-steno
+    - so-zeek
+    - so-redis
+    - so-logstash
+    - so-filebeat
+hot_node:
+  containers:
+    - so-nginx
+    - so-telegraf
+    - so-logstash
+    - so-elasticsearch
+    - so-curator
+master_search:
+  containers:
+    - so-nginx
+    - so-telegraf
+    - so-soc
+    - so-kratos
+    - so-acng
+    - so-idstools
+    - so-redis
+    - so-logstash
+    - so-elasticsearch
+    - so-curator
+    - so-kibana
+    - so-elastalert
+    - so-filebeat
+    - so-soctopus
+    {% if FLEETMASTER %}
+    - so-mysql
+    - so-fleet
+    - so-redis
+    {% endif %}
+    {% if WAZUH != '0' %}
+    - so-wazuh
+    {% endif %}
+    - so-soctopus
+    {% if THEHIVE != '0' %}
+    - so-thehive
+    - so-thehive-es
+    - so-cortex
+    {% endif %}
+    {% if PLAYBOOK != '0' %}
+    - so-playbook
+    - so-navigator
+    {% endif %}
+    {% if FREQSERVER != '0' %}
+    - so-freqserver
+    {% endif %}
+    {% if DOMAINSTATS != '0' %}
+    - so-domainstats
+    {% endif %}
+master:
+  containers:
+    - so-dockerregistry
+    - so-nginx
+    - so-telegraf
+    {% if  GRAFANA == '1' %}
+    - so-influxdb
+    - so-grafana
+    {% endif %}
+    - so-soc
+    - so-kratos
+    - so-acng
+    - so-idstools
+    - so-redis
+    - so-elasticsearch
+    - so-logstash
+    - so-kibana
+    - so-elastalert
+    - so-filebeat
+    {% if FLEETMASTER %}
+    - so-mysql
+    - so-fleet
+    - so-redis
+    {% endif %}
+    {% if WAZUH != '0' %}
+    - so-wazuh
+    {% endif %}
+    - so-soctopus
+    {% if THEHIVE != '0' %}
+    - so-thehive
+    - so-thehive-es
+    - so-cortex
+    {% endif %}
+    {% if PLAYBOOK != '0' %}
+    - so-playbook
+    - so-navigator
+    {% endif %}
+    {% if FREQSERVER != '0' %}
+    - so-freqserver
+    {% endif %}
+    {% if DOMAINSTATS != '0' %}
+    - so-domainstats
+    {% endif %}
+parser_node:
+  containers:
+    - so-nginx
+    - so-telegraf
+    - so-logstash
+search_node:
+  containers:
+    - so-nginx
+    - so-telegraf
+    - so-logstash
+    - so-elasticsearch
+    - so-curator
+    - so-filebeat
+    {% if WAZUH != '0' %}
+    - so-wazuh
+    {% endif %}
+sensor:
+  containers:
+    - so-nginx
+    - so-telegraf
+    - so-steno
+    - so-suricata
+    {% if BROVER != 'SURICATA' %}
+    - so-zeek
+    {% endif %}
+    - so-wazuh
+    - so-filebeat
+warm_node:
+  containers:
+    - so-nginx
+    - so-telegraf
+    - so-elasticsearch
+fleet:
+  containers:
+    {% if FLEETNODE %}
+    - so-mysql
+    - so-fleet
+    - so-redis
+    - so-filebeat
+    - so-nginx
+    - so-telegraf
+    {% endif %}

pillar/firewall/analyst.sls

@@ -1,3 +0,0 @@
-analyst:
-  - 127.0.0.1
-  

pillar/firewall/beats_endpoint.sls

@@ -1,3 +0,0 @@
-beats_endpoint:
-  - 127.0.0.1
-  

pillar/firewall/forward_nodes.sls

@@ -1,3 +0,0 @@
-forward_nodes:
-  - 127.0.0.1
-  

pillar/firewall/masterfw.sls

@@ -1,2 +0,0 @@
-masterfw:
-  - 127.0.0.1

pillar/firewall/minions.sls

@@ -1,3 +0,0 @@
-minions:
-  - 127.0.0.1
-  

pillar/firewall/osquery_endpoint.sls

@@ -1,3 +0,0 @@
-osquery_endpoint:
-  - 127.0.0.1
-  

pillar/firewall/storage_nodes.sls

@@ -1,2 +0,0 @@
-storage_nodes:
-  - 127.0.0.1

pillar/firewall/wazuh_endpoint.sls

@@ -1,2 +0,0 @@
-wazuh_endpoint:
-  - 127.0.0.1

pillar/healthcheck/eval.sls

@@ -0,0 +1,5 @@
+healthcheck:
+  enabled: False
+  schedule: 300
+  checks:
+    - zeek

pillar/healthcheck/sensor.sls

@@ -0,0 +1,5 @@
+healthcheck:
+  enabled: False
+  schedule: 300
+  checks:
+    - zeek

pillar/healthcheck/standalone.sls

@@ -0,0 +1,5 @@
+healthcheck:
+  enabled: False
+  schedule: 300
+  checks:
+    - zeek

pillar/logstash/eval.sls

@@ -0,0 +1,21 @@
+logstash:
+  pipelines:
+    eval:
+      config:
+        - so/0800_input_eval.conf
+        - so/1002_preprocess_json.conf
+        - so/1033_preprocess_snort.conf
+        - so/7100_osquery_wel.conf
+        - so/8999_postprocess_rename_type.conf
+        - so/9000_output_bro.conf.jinja
+        - so/9002_output_import.conf.jinja
+        - so/9033_output_snort.conf.jinja
+        - so/9100_output_osquery.conf.jinja
+        - so/9400_output_suricata.conf.jinja
+        - so/9500_output_beats.conf.jinja
+        - so/9600_output_ossec.conf.jinja
+        - so/9700_output_strelka.conf.jinja
+  templates:
+    - so/so-beats-template.json
+    - so/so-common-template.json
+    - so/so-zeek-template.json

pillar/logstash/helix.sls

@@ -0,0 +1,42 @@
+logstash:
+  pipelines:
+    helix:
+      config:
+        - so/0010_input_hhbeats.conf
+        - so/1033_preprocess_snort.conf
+        - so/1100_preprocess_bro_conn.conf
+        - so/1101_preprocess_bro_dhcp.conf
+        - so/1102_preprocess_bro_dns.conf
+        - so/1103_preprocess_bro_dpd.conf
+        - so/1104_preprocess_bro_files.conf
+        - so/1105_preprocess_bro_ftp.conf
+        - so/1106_preprocess_bro_http.conf
+        - so/1107_preprocess_bro_irc.conf
+        - so/1108_preprocess_bro_kerberos.conf
+        - so/1109_preprocess_bro_notice.conf
+        - so/1110_preprocess_bro_rdp.conf
+        - so/1111_preprocess_bro_signatures.conf
+        - so/1112_preprocess_bro_smtp.conf
+        - so/1113_preprocess_bro_snmp.conf
+        - so/1114_preprocess_bro_software.conf
+        - so/1115_preprocess_bro_ssh.conf
+        - so/1116_preprocess_bro_ssl.conf
+        - so/1117_preprocess_bro_syslog.conf
+        - so/1118_preprocess_bro_tunnel.conf
+        - so/1119_preprocess_bro_weird.conf
+        - so/1121_preprocess_bro_mysql.conf
+        - so/1122_preprocess_bro_socks.conf
+        - so/1123_preprocess_bro_x509.conf
+        - so/1124_preprocess_bro_intel.conf
+        - so/1125_preprocess_bro_modbus.conf
+        - so/1126_preprocess_bro_sip.conf
+        - so/1127_preprocess_bro_radius.conf
+        - so/1128_preprocess_bro_pe.conf
+        - so/1129_preprocess_bro_rfb.conf
+        - so/1130_preprocess_bro_dnp3.conf
+        - so/1131_preprocess_bro_smb_files.conf
+        - so/1132_preprocess_bro_smb_mapping.conf
+        - so/1133_preprocess_bro_ntlm.conf
+        - so/1134_preprocess_bro_dce_rpc.conf
+        - so/8001_postprocess_common_ip_augmentation.conf
+        - so/9997_output_helix.conf.jinja

pillar/logstash/init.sls

@@ -0,0 +1,11 @@
+logstash:
+  docker_options:
+    port_bindings:
+      - 0.0.0.0:514:514
+      - 0.0.0.0:5044:5044
+      - 0.0.0.0:5644:5644
+      - 0.0.0.0:6050:6050
+      - 0.0.0.0:6051:6051
+      - 0.0.0.0:6052:6052
+      - 0.0.0.0:6053:6053
+      - 0.0.0.0:9600:9600

pillar/logstash/master.sls

@@ -0,0 +1,6 @@
+logstash:
+  pipelines:
+    master:
+      config:
+        - so/0010_input_hhbeats.conf
+        - so/9999_output_redis.conf.jinja

pillar/logstash/search.sls

@@ -0,0 +1,16 @@
+logstash:
+  pipelines:
+    search:
+      config:
+        - so/0900_input_redis.conf.jinja
+        - so/9000_output_zeek.conf.jinja
+        - so/9002_output_import.conf.jinja
+        - so/9100_output_osquery.conf.jinja
+        - so/9400_output_suricata.conf.jinja
+        - so/9500_output_beats.conf.jinja
+        - so/9600_output_ossec.conf.jinja
+        - so/9700_output_strelka.conf.jinja
+  templates:
+    - so/so-beats-template.json
+    - so/so-common-template.json
+    - so/so-zeek-template.json

pillar/masters/example.sls

@@ -1,10 +0,0 @@
-# Example Pillar file for a master
-master:
-  esaccessip: 127.0.0.1
-  esheap: CHANGEME
-  esclustername: {{ grains.host }}
-  freq: 0
-  domainstats: 0
-  lsheap: 1500m
-  lsaccessip: 127.0.0.1
-  elastalert: 1

pillar/nodes/example.sls

@@ -1,5 +0,0 @@
-# Example Pillar file for a sensor
-node:
-  ls_heapsize: CHANGEME
-  es_heapsize: CHANGEME
-  node_type: CHANGEME

pillar/sensors/example.sls

@@ -1,14 +0,0 @@
-# Example Pillar file for a sensor
-sensor:
-  interface: CHANGEME
-  bro_pins:
-    - 1
-    - 2
-    - 3
-    - 4
-  brobpf:
-  pcapbpf:
-  nidsbpf:
-  s3bucket:
-  s3key:
-

pillar/thresholding/pillar.example

@@ -0,0 +1,44 @@
+thresholding:
+  sids:
+    8675309:
+      - threshold:
+          gen_id: 1
+          type: threshold
+          track: by_src
+          count: 10
+          seconds: 10
+      - threshold:
+          gen_id: 1
+          type: limit
+          track: by_dst
+          count: 100
+          seconds: 30
+      - rate_filter:
+          gen_id: 1
+          track: by_rule
+          count: 50
+          seconds: 30
+          new_action: alert
+          timeout: 30
+      - suppress:
+          gen_id: 1
+          track: by_either
+          ip: 10.10.3.7
+    11223344:
+      - threshold:
+          gen_id: 1
+          type: limit
+          track: by_dst
+          count: 10
+          seconds: 10
+      - rate_filter:
+          gen_id: 1
+          track: by_src
+          count: 50
+          seconds: 20
+          new_action: pass
+          timeout: 60
+      - suppress:
+          gen_id: 1
+          track: by_src
+          ip: 10.10.3.0/24

pillar/thresholding/pillar.usage

@@ -0,0 +1,20 @@
+thresholding:
+  sids:
+    <signature id>:
+      - threshold:
+          gen_id: <generator id>
+          type: <threshold | limit | both>
+          track: <by_src | by_dst>
+          count: <count>
+          seconds: <seconds>
+      - rate_filter:
+          gen_id: <generator id>
+          track: <by_src | by_dst | by_rule | by_both>
+          count: <count>
+          seconds: <seconds>
+          new_action: <alert | pass>
+          timeout: <seconds>
+      - suppress:
+          gen_id: <generator id>
+          track: <by_src | by_dst | by_either>
+          ip: <ip | subnet>

pillar/top.sls

@@ -2,37 +2,86 @@ base:
   '*':
     - patch.needs_restarting
 
-  'G@role:so-sensor':
-    - sensors.{{ grains.id }}
+  '*_eval or *_helix or *_heavynode or *_sensor or *_standalone':
+    - match: compound
+    - zeek
+
+  '*_mastersearch or *_heavynode':
+    - match: compound
+    - logstash
+    - logstash.master
+    - logstash.search
+
+  '*_sensor':
     - static
     - firewall.*
     - brologs
+    - healthcheck.sensor
+    - minions.{{ grains.id }}
 
-  'G@role:so-master':
-    - masters.{{ grains.id }}
+  '*_master or *_mastersearch':
+    - match: compound
     - static
     - firewall.*
     - data.*
-    - auth
+    - secrets
+    - minions.{{ grains.id }}
 
-  'G@role:so-eval':
-    - masters.{{ grains.id }}
+  '*_master':
+    - logstash
+    - logstash.master
+
+  '*_eval':
     - static
     - firewall.*
     - data.*
     - brologs
-    - auth
+    - secrets
+    - healthcheck.eval
+    - minions.{{ grains.id }}
 
-  'G@role:so-node':
-    - nodes.{{ grains.id }}
+  '*_standalone':
+    - logstash
+    - logstash.master
+    - logstash.search
+    - firewall.*
+    - data.*
+    - brologs
+    - secrets
+    - healthcheck.standalone
+    - static
+    - minions.{{ grains.id }}
+
+  '*_node':
     - static
     - firewall.*
+    - minions.{{ grains.id }}
 
-  'G@role:so-helix':
-    - masters.{{ grains.id }}
-    - sensors.{{ grains.id }}
+  '*_heavynode':
+    - static
+    - firewall.*
+    - brologs
+    - minions.{{ grains.id }}
+
+  '*_helix':
     - static
     - firewall.*
     - fireeye
-    - static
     - brologs
+    - logstash
+    - logstash.helix
+    - minions.{{ grains.id }}
+
+  '*_fleet':
+    - static
+    - firewall.*
+    - data.*
+    - secrets
+    - minions.{{ grains.id }}
+
+  '*_searchnode':
+    - static
+    - firewall.*
+    - logstash
+    - logstash.search
+    - minions.{{ grains.id }}

pillar/zeek/init.sls

@@ -0,0 +1,55 @@
+zeek:
+  zeekctl:
+    MailTo: root@localhost
+    MailConnectionSummary: 1
+    MinDiskSpace: 5
+    MailHostUpDown: 1
+    LogRotationInterval: 3600
+    LogExpireInterval: 0
+    StatsLogEnable: 1
+    StatsLogExpireInterval: 0
+    StatusCmdShowAll: 0
+    CrashExpireInterval: 0
+    SitePolicyScripts: local.zeek
+    LogDir: /nsm/zeek/logs
+    SpoolDir: /nsm/zeek/spool
+    CfgDir: /opt/zeek/etc
+    CompressLogs: 1
+  local:
+    '@load':
+      - misc/loaded-scripts
+      - tuning/defaults
+      - misc/capture-loss
+      - misc/stats
+      - frameworks/software/vulnerable
+      - frameworks/software/version-changes
+      - protocols/ftp/software
+      - protocols/smtp/software
+      - protocols/ssh/software
+      - protocols/http/software
+      - protocols/dns/detect-external-names
+      - protocols/ftp/detect
+      - protocols/conn/known-hosts
+      - protocols/conn/known-services
+      - protocols/ssl/known-certs
+      - protocols/ssl/validate-certs
+      - protocols/ssl/log-hostcerts-only
+      - protocols/ssh/geo-data
+      - protocols/ssh/detect-bruteforcing
+      - protocols/ssh/interesting-hostnames
+      - protocols/http/detect-sqli
+      - frameworks/files/hash-all-files
+      - frameworks/files/detect-MHR
+      - policy/frameworks/notice/extend-email/hostnames
+      - ja3
+      - hassh
+      - intel
+      - cve-2020-0601
+      - securityonion/bpfconf
+      - securityonion/communityid
+      - securityonion/file-extraction
+    '@load-sigs':
+      - frameworks/signatures/detect-windows-shells
+    redef:
+      - LogAscii::use_json = T;
+      - LogAscii::json_timestamps = JSON::TS_ISO8601;

salt/_beacons/zeek.py

@@ -0,0 +1,33 @@
+import logging
+
+
+def status():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl status'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ logging.info('zeekctl_module: zeekctl.status retval: %s' % retval)
+
+ return retval
+
+
+def beacon(config):
+
+  retval = []
+
+  is_enabled = __salt__['healthcheck.is_enabled']()
+  logging.info('zeek_beacon: healthcheck_is_enabled: %s' % is_enabled)
+
+  if is_enabled:
+    zeekstatus = status().lower().split(' ')
+    logging.info('zeek_beacon: zeekctl.status: %s' % str(zeekstatus))
+    if 'stopped' in zeekstatus or 'crashed' in zeekstatus or 'error' in zeekstatus or 'error:' in zeekstatus:
+     zeek_restart = True
+    else:
+     zeek_restart = False
+
+    __salt__['telegraf.send']('healthcheck zeek_restart=%s' % str(zeek_restart))
+    retval.append({'zeek_restart': zeek_restart})
+    logging.info('zeek_beacon: retval: %s' % str(retval))
+
+  return retval
+

salt/_modules/healthcheck.py

@@ -0,0 +1,96 @@
+#!py
+
+import logging
+import sys
+
+allowed_functions = ['is_enabled', 'zeek']
+states_to_apply = []
+
+
+def apply_states(states=''):
+
+  calling_func = sys._getframe().f_back.f_code.co_name
+  logging.debug('healthcheck_module: apply_states function caller: %s' % calling_func)
+
+  if not states:
+    states = ','.join(states_to_apply)
+ 
+  if states: 
+    logging.info('healthcheck_module: apply_states states: %s' % str(states))
+    __salt__['state.apply'](states)
+
+
+def docker_stop(container):
+  
+  try:
+    stopdocker = __salt__['docker.rm'](container, 'stop=True')
+  except Exception as e:
+    logging.error('healthcheck_module: %s' % e)
+
+
+def is_enabled():
+  
+  if __salt__['pillar.get']('healthcheck:enabled', 'False'):
+    retval = True
+  else:
+    retval = False
+  
+  return retval
+  
+
+def run(checks=''):
+  
+  retval = []
+  calling_func = sys._getframe().f_back.f_code.co_name
+  logging.debug('healthcheck_module: run function caller: %s' % calling_func)
+  
+  if checks:
+    checks = checks.split(',')
+  else:  
+    checks = __salt__['pillar.get']('healthcheck:checks', {})
+  
+  logging.debug('healthcheck_module: run checks to be run: %s' % str(checks))
+  for check in checks:
+    if check in allowed_functions:
+      retval.append(check)
+      check = getattr(sys.modules[__name__], check)
+      check()
+    else:
+      logging.warning('healthcheck_module: attempted to run function %s' % check)
+
+  # If you want to apply states at the end of the run,
+  # be sure to append the state name to states_to_apply[]
+  apply_states()
+
+  return retval
+
+
+def send_event(tag, eventdata):
+  __salt__['event.send'](tag, eventdata[0])
+
+
+def zeek():
+
+  calling_func = sys._getframe().f_back.f_code.co_name
+  logging.debug('healthcheck_module: zeek function caller: %s' % calling_func)
+  retval = []
+
+  retcode = __salt__['zeekctl.status'](verbose=False)
+  logging.debug('healthcheck_module: zeekctl.status retcode: %i' % retcode)
+  if retcode:
+    zeek_restart = 1
+    if calling_func != 'beacon':
+      docker_stop('so-zeek')
+      states_to_apply.append('zeek')
+  else:
+    zeek_restart = 0
+
+  __salt__['telegraf.send']('healthcheck zeek_restart=%i' % zeek_restart)
+  
+  if calling_func == 'execute' and zeek_restart:
+    apply_states()
+  
+  retval.append({'zeek_restart': zeek_restart})
+
+  send_event('so/healthcheck/zeek', retval)
+  return retval

salt/_modules/telegraf.py

@@ -0,0 +1,16 @@
+#!py
+
+import logging
+import socket
+
+
+def send(data):
+
+  mainint = __salt__['pillar.get']('sensor:mainint', __salt__['pillar.get']('master:mainint'))
+  mainip = __salt__['grains.get']('ip_interfaces').get(mainint)[0]
+  dstport = 8094
+
+  sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+  sent = sock.sendto(data.encode('utf-8'), (mainip, dstport))
+
+  return sent

salt/_modules/zeekctl.py

@@ -0,0 +1,160 @@
+#!py
+
+import logging
+
+
+def capstats(interval=10):
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl capstats %i'" % interval
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ 
+ return retval
+
+
+def check():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl check'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ 
+ return retval
+
+
+def cleanup(all=''):
+
+ retval = ''
+
+ if all: 
+   if all == 'all':
+     cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl cleanup --all'"
+   else:
+     retval = 'Invalid option. zeekctl.help for options'
+ else:
+   cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl cleanup'"
+
+ if not retval:
+   retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def config():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl config'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def deploy():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl deploy'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def df():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl df'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def diag():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl diag'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def install(local=''):
+
+ retval = ''
+
+ if local:
+   if local == 'local':
+     cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl install --local'"
+   else:
+     retval = 'Invalid option. zeekctl.help for options' 
+ else:
+   cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl install'"
+ 
+ if not retval:
+   retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def netstats():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def nodes():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl nodes'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def restart(clean=''):
+
+ retval = ''
+
+ if clean:
+   if clean == 'clean':
+     cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl restart --clean'"
+   else:
+     retval = 'Invalid option. zeekctl.help for options'
+ else:
+   cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl restart'"
+ 
+ if not retval:
+   retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def scripts(c=''):
+
+ retval = ''
+
+ if c:
+   if c == 'c':
+     cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl scripts -c'"
+   else:
+     retval = 'Invalid option. zeekctl.help for options'
+ else:
+   cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl scripts'"
+
+ if not retval:
+   retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def start():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl start'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def status(verbose=True):
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl status'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ if not verbose:
+   retval = __context__['retcode']
+ logging.info('zeekctl_module: zeekctl.status retval: %s' % retval)
+ return retval
+
+
+def stop():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl stop'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval
+
+
+def top():
+
+ cmd = "runuser -l zeek -c '/opt/zeek/bin/zeekctl top'"
+ retval = __salt__['docker.run']('so-zeek', cmd)
+ return retval

salt/common/init.sls

@@ -1,4 +1,3 @@
-{%- set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
 # Add socore Group
 socoregroup:
   group.present:
@@ -15,7 +14,6 @@ socore:
     - shell: /bin/bash
 
 # Create a state directory
-
 statedir:
   file.directory:
     - name: /opt/so/state
@@ -31,17 +29,13 @@ salttmp:
     - makedirs: True
 
 # Install packages needed for the sensor
-
 sensorpkgs:
   pkg.installed:
     - skip_suggestions: False
     - pkgs:
-      - docker-ce
       - wget
       - jq
       {% if grains['os'] != 'CentOS' %}
-      - python-docker
-      - python-m2crypto
       - apache2-utils
       {% else %}
       - net-tools
@@ -60,7 +54,6 @@ alwaysupdated:
     - skip_suggestions: True
 
 # Set time to UTC
-
 Etc/UTC:
   timezone.system
 
@@ -72,355 +65,4 @@ utilsyncscripts:
     - group: 0
     - file_mode: 755
     - template: jinja
-    - source: salt://common/tools/sbin
-
-# Make sure Docker is running!
-docker:
-  service.running:
-    - enable: True
-
-salt-minion:
-  service.running:
-    - enable: True
-
-# Drop the correct nginx config based on role
-
-nginxconfdir:
-  file.directory:
-    - name: /opt/so/conf/nginx
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-nginxconf:
-  file.managed:
-    - name: /opt/so/conf/nginx/nginx.conf
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/nginx/nginx.conf.{{ grains.role }}
-
-nginxlogdir:
-  file.directory:
-    - name: /opt/so/log/nginx/
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-nginxtmp:
-  file.directory:
-    - name: /opt/so/tmp/nginx/tmp
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-# Start the core docker
-so-coreimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-core:HH1.1.3
-
-so-core:
-  docker_container.running:
-    - require:
-      - so-coreimage
-    - image: docker.io/soshybridhunter/so-core:HH1.1.3
-    - hostname: so-core
-    - user: socore
-    - binds:
-      - /opt/so:/opt/so:rw
-      - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
-      - /opt/so/log/nginx/:/var/log/nginx:rw
-      - /opt/so/tmp/nginx/:/var/lib/nginx:rw
-      - /opt/so/tmp/nginx/:/run:rw
-      - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro
-      - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro
-      - /opt/so/conf/fleet/packages:/opt/socore/html/packages
-    - cap_add: NET_BIND_SERVICE
-    - port_bindings:
-      - 80:80
-      - 443:443
-    - watch:
-      - file: /opt/so/conf/nginx/nginx.conf
-
-# Add Telegraf to monitor all the things.
-tgraflogdir:
-  file.directory:
-    - name: /opt/so/log/telegraf
-    - makedirs: True
-
-tgrafetcdir:
-  file.directory:
-    - name: /opt/so/conf/telegraf/etc
-    - makedirs: True
-
-tgrafetsdir:
-  file.directory:
-    - name: /opt/so/conf/telegraf/scripts
-    - makedirs: True
-
-tgrafsyncscripts:
-  file.recurse:
-    - name: /opt/so/conf/telegraf/scripts
-    - user: 939
-    - group: 939
-    - file_mode: 755
-    - template: jinja
-    - source: salt://common/telegraf/scripts
-
-tgrafconf:
-  file.managed:
-    - name: /opt/so/conf/telegraf/etc/telegraf.conf
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/telegraf/etc/telegraf.conf
-
-so-telegrafimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-telegraf:HH1.1.0
-
-so-telegraf:
-  docker_container.running:
-    - require:
-      - so-telegrafimage
-    - image: docker.io/soshybridhunter/so-telegraf:HH1.1.0
-    - environment:
-      - HOST_PROC=/host/proc
-      - HOST_ETC=/host/etc
-      - HOST_SYS=/host/sys
-      - HOST_MOUNT_PREFIX=/host
-    - network_mode: host
-    - binds:
-      - /opt/so/log/telegraf:/var/log/telegraf:rw
-      - /opt/so/conf/telegraf/etc/telegraf.conf:/etc/telegraf/telegraf.conf:ro
-      - /var/run/utmp:/var/run/utmp:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - /:/host/root:ro
-      - /sys:/host/sys:ro
-      - /proc:/host/proc:ro
-      - /nsm:/host/nsm:ro
-      - /etc:/host/etc:ro
-      {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
-      - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro
-      {% else %}
-      - /etc/ssl/certs/intca.crt:/etc/telegraf/ca.crt:ro
-      {% endif %}
-      - /etc/pki/influxdb.crt:/etc/telegraf/telegraf.crt:ro
-      - /etc/pki/influxdb.key:/etc/telegraf/telegraf.key:ro
-      - /opt/so/conf/telegraf/scripts:/scripts:ro
-      - /opt/so/log/stenographer:/var/log/stenographer:ro
-      - /opt/so/log/suricata:/var/log/suricata:ro
-    - watch:
-      - /opt/so/conf/telegraf/etc/telegraf.conf
-      - /opt/so/conf/telegraf/scripts
-
-# If its a master or eval lets install the back end for now		
-{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' and GRAFANA == 1 %}
-
-# Influx DB
-influxconfdir:
-  file.directory:
-    - name: /opt/so/conf/influxdb/etc
-    - makedirs: True
-
-influxdbdir:
-  file.directory:
-    - name: /nsm/influxdb
-    - makedirs: True
-
-influxdbconf:
-  file.managed:
-    - name: /opt/so/conf/influxdb/etc/influxdb.conf
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/influxdb/etc/influxdb.conf
-
-so-influximage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-influxdb:HH1.1.0
-
-so-influxdb:
-  docker_container.running:
-    - require:
-      - so-influximage
-    - image: docker.io/soshybridhunter/so-influxdb:HH1.1.0
-    - hostname: influxdb
-    - environment:
-      - INFLUXDB_HTTP_LOG_ENABLED=false
-    - binds:
-      - /opt/so/conf/influxdb/etc/influxdb.conf:/etc/influxdb/influxdb.conf:ro
-      - /nsm/influxdb:/var/lib/influxdb:rw
-      - /etc/pki/influxdb.crt:/etc/ssl/influxdb.crt:ro
-      - /etc/pki/influxdb.key:/etc/ssl/influxdb.key:ro
-    - port_bindings:
-      - 0.0.0.0:8086:8086
-    - watch:
-      - file: /opt/so/conf/influxdb/etc/influxdb.conf
-
-# Grafana all the things
-grafanadir:
-  file.directory:
-    - name: /nsm/grafana
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanaconfdir:
-  file.directory:
-    - name: /opt/so/conf/grafana/etc
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanadashdir:
-  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanadashmdir:
-  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards/master
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanadashevaldir:
-  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards/eval
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanadashfndir:
-  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards/forward_nodes
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanadashsndir:
-  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards/storage_nodes
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanaconf:
-  file.recurse:
-    - name: /opt/so/conf/grafana/etc
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/grafana/etc
-
-{% if salt['pillar.get']('mastertab', False) %}
-{%- for SN, SNDATA in salt['pillar.get']('mastertab', {}).items() %}
-dashboard-master:
-  file.managed:
-    - name: /opt/so/conf/grafana/grafana_dashboards/master/{{ SN }}-Master.json
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/grafana/grafana_dashboards/master/master.json
-    - defaults:
-      SERVERNAME: {{ SN }}
-      MANINT: {{ SNDATA.manint }}
-      MONINT: {{ SNDATA.manint }}
-      CPUS: {{ SNDATA.totalcpus }}
-      UID: {{ SNDATA.guid }}
-      ROOTFS: {{ SNDATA.rootfs }}
-      NSMFS: {{ SNDATA.nsmfs }}
-
-{%- endfor %}
-{% endif %}
-
-{% if salt['pillar.get']('sensorstab', False) %}
-{%- for SN, SNDATA in salt['pillar.get']('sensorstab', {}).items() %}
-dashboard-{{ SN }}:
-  file.managed:
-    - name: /opt/so/conf/grafana/grafana_dashboards/forward_nodes/{{ SN }}-Sensor.json
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/grafana/grafana_dashboards/forward_nodes/sensor.json
-    - defaults:
-      SERVERNAME: {{ SN }}
-      MONINT: {{ SNDATA.monint }}
-      MANINT: {{ SNDATA.manint }}
-      CPUS: {{ SNDATA.totalcpus }}
-      UID: {{ SNDATA.guid }}
-      ROOTFS: {{ SNDATA.rootfs }}
-      NSMFS: {{ SNDATA.nsmfs }}
-
-{% endfor %}
-{% endif %}
-
-{% if salt['pillar.get']('nodestab', False) %}
-{%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
-dashboard-{{ SN }}:
-  file.managed:
-    - name: /opt/so/conf/grafana/grafana_dashboards/storage_nodes/{{ SN }}-Node.json
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/grafana/grafana_dashboards/storage_nodes/storage.json
-    - defaults:
-      SERVERNAME: {{ SN }}
-      MANINT: {{ SNDATA.manint }}
-      MONINT: {{ SNDATA.manint }}
-      CPUS: {{ SNDATA.totalcpus }}
-      UID: {{ SNDATA.guid }}
-      ROOTFS: {{ SNDATA.rootfs }}
-      NSMFS: {{ SNDATA.nsmfs }}
-
-{% endfor %}
-{% endif %}
-
-{% if salt['pillar.get']('evaltab', False) %}
-{%- for SN, SNDATA in salt['pillar.get']('evaltab', {}).items() %}
-dashboard-{{ SN }}:
-  file.managed:
-    - name: /opt/so/conf/grafana/grafana_dashboards/eval/{{ SN }}-Node.json
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/grafana/grafana_dashboards/eval/eval.json
-    - defaults:
-      SERVERNAME: {{ SN }}
-      MANINT: {{ SNDATA.manint }}
-      MONINT: {{ SNDATA.monint }}
-      CPUS: {{ SNDATA.totalcpus }}
-      UID: {{ SNDATA.guid }}
-      ROOTFS: {{ SNDATA.rootfs }}
-      NSMFS: {{ SNDATA.nsmfs }}
-
-{% endfor %}
-{% endif %}
-
-# Install the docker. This needs to be behind nginx at some point
-so-grafanaimage:
- cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-grafana:HH1.1.0
-
-so-grafana:
-  docker_container.running:
-    - image: docker.io/soshybridhunter/so-grafana:HH1.1.0
-    - hostname: grafana
-    - user: socore
-    - binds:
-      - /nsm/grafana:/var/lib/grafana:rw
-      - /opt/so/conf/grafana/etc/grafana.ini:/etc/grafana/grafana.ini:ro
-      - /opt/so/conf/grafana/etc/datasources:/etc/grafana/provisioning/datasources:rw
-      - /opt/so/conf/grafana/etc/dashboards:/etc/grafana/provisioning/dashboards:rw
-      - /opt/so/conf/grafana/grafana_dashboards:/etc/grafana/grafana_dashboards:rw
-    - environment:
-      - GF_SECURITY_ADMIN_PASSWORD=augusta
-    - port_bindings:
-      - 0.0.0.0:3000:3000
-    - watch:
-      - file: /opt/so/conf/grafana/*
-
-{% endif %}
+    - source: salt://common/tools/sbin

salt/common/maps/broversion.map.jinja

@@ -0,0 +1,5 @@
+{% set docker = {
+  'containers': [
+    'so-zeek'
+  ]
+} %}

salt/common/maps/domainstats.map.jinja

@@ -0,0 +1,5 @@
+{% set docker = {
+  'containers': [
+    'so-domainstats'
+  ]
+} %}

salt/common/maps/eval.map.jinja

@@ -0,0 +1,18 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-dockerregistry',
+    'so-soc',
+    'so-kratos',
+    'so-idstools',
+    'so-elasticsearch',
+    'so-kibana',
+    'so-steno',
+    'so-suricata',
+    'so-zeek',
+    'so-curator',
+    'so-elastalert',
+    'so-soctopus'
+  ]
+} %}

salt/common/maps/fleet.map.jinja

@@ -0,0 +1,10 @@
+{% set docker = {
+  'containers': [
+    'so-mysql',
+    'so-fleet',
+    'so-redis',
+    'so-filebeat',
+    'so-nginx',
+    'so-telegraf'
+  ]
+} %}

salt/common/maps/fleet_master.map.jinja

@@ -0,0 +1,7 @@
+{% set docker = {
+  'containers': [
+    'so-mysql',
+    'so-fleet',
+    'so-redis'
+  ]
+} %}

salt/common/maps/freq.map.jinja

@@ -0,0 +1,5 @@
+{% set docker = {
+  'containers': [
+    'so-freqserver'
+  ]
+} %}

salt/common/maps/grafana.map.jinja

@@ -0,0 +1,6 @@
+{% set docker = {
+  'containers': [
+    'so-influxdb',
+    'so-grafana'
+  ]
+} %}

salt/common/maps/heavynode.map.jinja

@@ -0,0 +1,14 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-redis',
+    'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+    'so-steno',
+    'so-suricata',
+    'so-wazuh',
+    'so-filebeat
+  ]
+} %}

salt/common/maps/helixsensor.map.jinja

@@ -0,0 +1,12 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-idstools',
+    'so-steno',
+    'so-zeek',
+    'so-redis',
+    'so-logstash',
+    'so-filebeat
+  ]
+} %}

salt/common/maps/hotnode.map.jinja

@@ -0,0 +1,9 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+     'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+   ]
+} %}

salt/common/maps/master.map.jinja

@@ -0,0 +1,18 @@
+{% set docker = {
+  'containers': [
+    'so-dockerregistry',
+    'so-nginx',
+    'so-telegraf',
+    'so-soc',
+    'so-kratos',
+    'so-aptcacherng',
+    'so-idstools',
+    'so-redis',
+    'so-elasticsearch',
+    'so-logstash',
+    'so-kibana',
+    'so-elastalert',
+    'so-filebeat',
+    'so-soctopus'
+  ]
+} %}

salt/common/maps/mastersearch.map.jinja

@@ -0,0 +1,18 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-soc',
+    'so-kratos',
+    'so-aptcacherng',
+    'so-idstools',
+    'so-redis',
+    'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+    'so-kibana',
+    'so-elastalert',
+    'so-filebeat',
+    'so-soctopus'
+  ]
+} %}

salt/common/maps/playbook.map.jinja

@@ -0,0 +1,6 @@
+{% set docker = {
+  'containers': [
+    'so-playbook',
+    'so-navigator'
+  ]
+} %}

salt/common/maps/searchnode.map.jinja

@@ -0,0 +1,10 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+    'so-filebeat'
+  ]
+} %}

salt/common/maps/sensor.map.jinja

@@ -0,0 +1,8 @@
+{% set docker = {
+  'containers': [
+    'so-telegraf',
+    'so-steno',
+    'so-suricata',
+    'so-filebeat'
+  ]
+} %}

salt/common/maps/so-status.map.jinja

@@ -0,0 +1,45 @@
+{% set role = grains.id.split('_') | last %}
+{% from 'common/maps/'~ role ~'.map.jinja' import docker with context %}
+
+# Check if the service is enabled and append it's required containers
+# to the list predefined by the role / minion id affix
+{% macro append_containers(pillar_name, k, compare )%}
+  {% if salt['pillar.get'](pillar_name~':'~k, {}) != compare %}
+    {% from 'common/maps/'~k~'.map.jinja' import docker as d with context %}
+    {% for li in d['containers'] %}
+      {{ docker['containers'].append(li) }}
+    {% endfor %}
+  {% endif %}
+{% endmacro %}
+
+{% set docker = salt['grains.filter_by']({
+  '*_'~role: {
+    'containers': docker['containers']
+  } 
+},grain='id', merge=salt['pillar.get']('docker')) %}
+
+{% if role in ['eval', 'mastersearch', 'master', 'standalone'] %}
+  {{ append_containers('master', 'grafana', 0) }}
+  {{ append_containers('static', 'fleet_master', 0) }}
+  {{ append_containers('master', 'wazuh', 0) }}
+  {{ append_containers('master', 'thehive', 0) }}
+  {{ append_containers('master', 'playbook', 0) }}
+  {{ append_containers('master', 'freq', 0) }}
+  {{ append_containers('master', 'domainstats', 0) }}
+{% endif %}
+
+{% if role in ['eval', 'heavynode', 'sensor', 'standalone'] %}
+  {{ append_containers('static', 'strelka', 0) }}
+{% endif %}
+
+{% if role in ['heavynode', 'standalone'] %}
+  {{ append_containers('static', 'broversion', 'SURICATA') }}
+{% endif %}
+
+{% if role == 'searchnode' %}
+  {{ append_containers('master', 'wazuh', 0) }}
+{% endif %}
+
+{% if role == 'sensor' %}
+  {{ append_containers('static', 'broversion', 'SURICATA') }}
+{% endif %}

salt/common/maps/standalone.map.jinja

@@ -0,0 +1,21 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-soc',
+    'so-kratos',
+    'so-aptcacherng',
+    'so-idstools',
+    'so-redis',
+    'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+    'so-kibana',
+    'so-elastalert',
+    'so-filebeat',
+    'so-suricata',
+    'so-steno',
+    'so-dockerregistry',
+    'so-soctopus'
+  ]
+} %}

salt/common/maps/strelka.map.jinja

@@ -0,0 +1,9 @@
+{% set docker = {
+  'containers': [
+    'so-strelka-coordinator',
+    'so-strelka-gatekeeper',
+    'so-strelka-manager',
+    'so-strelka-frontend',
+    'so-strelka-filestream'
+  ]
+} %}

salt/common/maps/thehive.map.jinja

@@ -0,0 +1,7 @@
+{% set docker = {
+  'containers': [
+    'so-thehive',
+    'so-thehive-es',
+    'so-cortex'
+  ]
+} %}

salt/common/maps/warmnode.map.jinja

@@ -0,0 +1,7 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-elasticsearch'
+  ]
+} %}

salt/common/maps/wazuh.map.jinja

@@ -0,0 +1,5 @@
+{% set docker = {
+  'containers': [
+    'so-wazuh'
+  ]
+} %}

salt/common/telegraf/scripts/influxdbsize.sh

@@ -1,5 +0,0 @@
-#!/bin/bash
-
-INFLUXSIZE=$(du -s -B1 /host/nsm/influxdb | awk {'print $1'}
-
-echo "influxsize bytes=$INFLUXSIZE"

salt/common/tools/sbin/so-allow

@@ -1,42 +1,101 @@
 #!/bin/bash
-got_root() {
 
-  # Make sure you are root
-  if [ "$(id -u)" -ne 0 ]; then
-          echo "This script must be run using sudo!"
-          exit 1
-  fi
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-}
+. /usr/sbin/so-common
 
-got_root
+SKIP=0
 
-echo "This program allows you to add a firewall rule to allow connections from a new IP address."
-echo ""
-echo "Choose the role for the IP or Range you would like to add"
-echo ""
-echo "[a] - Analyst - ports 80/tcp and 443/tcp"
-echo "[b] - Logstash Beat - port 5044/tcp"
-echo "[o] - Osquery endpoint - port 8080/tcp"
-echo "[w] - Wazuh endpoint - port 1514"
-echo ""
-echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
-read ROLE
-echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
-read IP
+while getopts "abowi:" OPTION
+do
+    case $OPTION in
+
+        h)
+            usage
+            exit 0
+            ;;
+        a)
+            FULLROLE="analyst"
+            SKIP=1
+            ;;
+        b)
+            FULLROLE="beats_endpoint"
+            SKIP=1
+            ;;
+        i)  IP=$OPTARG
+            ;;
+        o)
+            FULLROLE="osquery_endpoint"
+            SKIP=1
+            ;;
+        w)
+            FULLROLE="wazuh_endpoint"
+            SKIP=1
+            ;;
+    esac
+done
+
+if [ "$SKIP" -eq 0 ]; then
+
+    echo "This program allows you to add a firewall rule to allow connections from a new IP address."
+    echo ""
+    echo "Choose the role for the IP or Range you would like to add"
+    echo ""
+    echo "[a] - Analyst - ports 80/tcp and 443/tcp"
+    echo "[b] - Logstash Beat - port 5044/tcp"
+    echo "[o] - Osquery endpoint - port 8090/tcp"
+    echo "[w] - Wazuh endpoint - port 1514"
+    echo ""
+    echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
+    read ROLE
+    echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
+    read IP
+
+    if [ "$ROLE" == "a" ]; then
+        FULLROLE=analyst
+    elif [ "$ROLE" == "b" ]; then
+        FULLROLE=beats_endpoint
+    elif [ "$ROLE" == "o" ]; then
+        FULLROLE=osquery_endpoint
+    elif [ "$ROLE" == "w" ]; then
+        FULLROLE=wazuh_endpoint
+    else
+        echo "I don't recognize that role"
+        exit 1
+    fi
 
-if [ "$ROLE" == "a" ]; then
-  FULLROLE=analyst
-elif [ "$ROLE" == "b" ]; then
-  FULLROLE=beats_endpoint
-elif [ "$ROLE" == "o" ]; then
-  FULLROLE=osquery_endpoint
-elif [ "$ROLE" == "w" ]; then
-  FULLROLE=wazuh_endpoint
-else
-  echo "I don't recognize that role"
-  exit 1
 fi
 
 echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
 /opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
+
+# Check if Wazuh enabled
+if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
+    # If analyst, add to Wazuh AR whitelist
+    if [ "$FULLROLE" == "analyst" ]; then
+          WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
+          if ! grep -q "<white_list>$IP</white_list>" $WAZUH_MGR_CFG ; then
+                  DATE=`date`
+                  sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
+                  sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
+                  echo -e "<!--Address $IP added by /usr/sbin/so-allow on "$DATE"-->\n  <global>\n    <white_list>$IP</white_list>\n  </global>\n</ossec_config>" >> $WAZUH_MGR_CFG
+                  echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG."
+		  echo
+                  echo "Restarting OSSEC Server..."
+                  /usr/sbin/so-wazuh-restart
+          fi
+     fi
+fi

salt/common/tools/sbin/so-bpf-compile

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Copyright 2014 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ "$#" -lt 2 ]; then
+  cat 1>&2 <<EOF
+$0 compiles a BPF expression to be passed to stenotype to apply a socket filter.
+Its first argument is the interface (link type is required) and all other arguments
+are passed to TCPDump.
+
+Examples:
+ $0 eth0 dst port 80
+ $0 eth0 udp port 53
+EOF
+  exit 1
+fi
+
+interface="$1"
+shift
+sudo tcpdump -i $interface -ddd $@ | tail -n+2 |
+while read line; do
+  cols=( $line )
+  printf "%04x%02x%02x%08x" ${cols[0]} ${cols[1]} ${cols[2]} ${cols[3]}
+done
+echo ""

salt/common/tools/sbin/so-checkin

@@ -1 +1,20 @@
-sudo salt-call state.highstate
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+salt-call state.highstate

salt/common/tools/sbin/so-common

@@ -0,0 +1,30 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Check for prerequisites
+if [ "$(id -u)" -ne 0 ]; then
+        echo "This script must be run using sudo!"
+        exit 1
+fi
+
+# Define a banner to separate sections
+banner="========================================================================="
+
+header() {
+        echo
+        printf '%s\n' "$banner" "$*" "$banner"
+}

salt/common/tools/sbin/so-cortex-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart cortex $1

salt/common/tools/sbin/so-cortex-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start cortex $1

salt/common/tools/sbin/so-cortex-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop cortex $1

salt/common/tools/sbin/so-curator-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart curator $1

salt/common/tools/sbin/so-curator-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start curator $1

salt/common/tools/sbin/so-curator-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop curator $1

salt/common/tools/sbin/so-elastalert-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart elastalert $1

salt/common/tools/sbin/so-elastalert-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start elastalert $1

salt/common/tools/sbin/so-elastalert-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop elastalert $1

salt/common/tools/sbin/so-elastalert-test

@@ -0,0 +1,142 @@
+#!/bin/bash
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+# Originally written by Bryant Treacle
+# https://raw.githubusercontent.com/bryant-treacle/so-elastalert-test-rule/master/so-elastalert-test
+# Modified by Doug Burks and Wes Lambert
+#
+# Purpose:  This script will allow you to test your elastalert rule without entering the Docker container.
+
+. /usr/sbin/so-elastic-common
+
+OPTIONS=""
+SKIP=0
+RESULTS_TO_LOG="n"
+RULE_NAME=""
+FILE_SAVE_LOCATION=""
+
+usage()
+{
+cat <<EOF
+
+Test Elastalert Rule
+  Options:
+  -h         		This message
+  -a         		Trigger real alerts instead of the debug alert
+  -l <path_to_file>     Write results to specified log file
+  -o '<options>'	Specify Elastalert options ( Ex. --schema-only , --count-only, --days N ) 
+  -r <rule_name>        Specify path/name of rule to test
+
+EOF
+}
+
+while getopts "hal:o:r:" OPTION
+do
+        case $OPTION in
+                h)
+                        usage
+                        exit 0
+                        ;;
+                a)
+                        OPTIONS="--alert"
+                        ;;
+                l)
+                        RESULTS_TO_LOG="y"
+                        FILE_SAVE_LOCATION=$OPTARG
+                        ;;
+                
+                o)
+			OPTIONS=$OPTARG
+                        ;;  
+                
+                r)
+                        RULE_NAME=$OPTARG
+                        SKIP=1
+                        ;;
+                *)
+                        usage
+                        exit 0
+                        ;;
+        esac
+done
+
+docker_exec(){
+	if [ ${RESULTS_TO_LOG,,} = "y" ] ; then
+        	docker exec -it so-elastalert bash -c "elastalert-test-rule $RULE_NAME $OPTIONS" > $FILE_SAVE_LOCATION
+	else
+        	docker exec -it so-elastalert bash -c "elastalert-test-rule $RULE_NAME $OPTIONS"
+	fi	
+}
+
+rule_prompt(){
+	CURRENT_RULES=$(find /opt/so/rules/elastalert -name "*.yaml")
+        echo
+        echo "This script will allow you to test an Elastalert rule."
+        echo
+        echo "Below is a list of active Elastalert rules:"
+        echo
+	echo "-----------------------------------"
+        echo
+        echo "$CURRENT_RULES"
+        echo
+	echo "-----------------------------------"
+	echo 
+        echo "Note: To test a rule it must be accessible by the Elastalert Docker container."
+        echo
+        echo "Make sure to swap the local path (/opt/so/rules/elastalert/) for the docker path (/etc/elastalert/rules/)"
+        echo "Example: /opt/so/rules/elastalert/nids2hive.yaml would be /etc/elastalert/rules/nids2hive.yaml"
+        echo
+        while [ -z $RULE_NAME ]; do
+		echo "Please enter the file path and rule name you want to test."
+		read -e RULE_NAME
+	done
+}
+
+log_save_prompt(){
+	RESULTS_TO_LOG=""
+        while [ -z $RESULTS_TO_LOG ]; do
+		echo "The results can be rather long.  Would you like to write the results to a file? (Y/N)"
+		read RESULTS_TO_LOG
+	done
+}
+
+log_path_prompt(){
+        while [ -z $FILE_SAVE_LOCATION ]; do
+		echo "Please enter the file path and file name."
+		read -e FILE_SAVE_LOCATION
+        done
+		echo "Depending on the rule this may take a while."
+}
+
+if [ $SKIP -eq 0 ]; then
+	rule_prompt
+	log_save_prompt
+        if [ ${RESULTS_TO_LOG,,} = "y" ] ; then
+        	log_path_prompt
+        fi
+fi
+
+docker_exec
+
+if [ $? -eq 0 ]; then
+	echo "Test completed successfully!"
+else
+	echo "Something went wrong..."
+fi
+
+echo
+
+
+

salt/common/tools/sbin/so-elastic-clear

@@ -0,0 +1,80 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%}
+. /usr/sbin/so-common
+
+SKIP=0
+#########################################
+# Options
+#########################################
+usage()
+{
+cat <<EOF
+Security Onion Elastic Clear
+  Options:
+  -h         This message
+  -y         Skip interactive mode
+EOF
+}
+while getopts "h:y" OPTION
+do
+        case $OPTION in
+                h)
+                        usage
+                        exit 0
+                        ;;
+                
+                y)
+                        SKIP=1
+                        ;;
+                *)
+                        usage
+                        exit 0
+                        ;;
+        esac
+done
+if [ $SKIP -ne 1 ]; then
+        # List indices
+        echo 
+        curl {{ MASTERIP }}:9200/_cat/indices?v&pretty
+        echo
+        # Inform user we are about to delete all data
+        echo
+        echo "This script will delete all data (documents, indices, etc.) in the Elasticsearch database."
+        echo
+        echo "If you would like to proceed, please type "AGREE" and hit ENTER."
+        echo
+        # Read user input
+        read INPUT
+        if [ "$INPUT" != "AGREE" ] ; then exit 0; fi
+fi
+
+/usr/sbin/so-filebeat-stop
+/usr/sbin/so-logstash-stop
+
+# Delete data
+echo "Deleting data..."
+
+INDXS=$(curl -s -XGET {{ MASTERIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert' | awk '{ print $3 }')
+for INDX in ${INDXS}
+do
+    curl -XDELETE "{{ MASTERIP }}:9200/${INDX}" > /dev/null 2>&1
+done
+
+/usr/sbin/so-logstash-start
+/usr/sbin/so-filebeat-start
+

salt/common/tools/sbin/so-elastic-diagnose

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Source common settings
+. /usr/sbin/so-common
+
+# Check for log files
+for FILE in /opt/so/log/elasticsearch/*.log /opt/so/log/logstash/*.log /opt/so/log/kibana/*.log /opt/so/log/elastalert/*.log /opt/so/log/curator/*.log /opt/so/log/freqserver/*.log /opt/so/log/nginx/*.log; do
+
+# If file exists, then look for errors or warnings 
+if [ -f $FILE ]; then
+	MESSAGE=`grep -i 'ERROR\|FAIL\|WARN' $FILE` 
+	if [ ! -z "$MESSAGE" ]; then
+		header $FILE
+		echo $MESSAGE | sed 's/WARN/\nWARN/g' | sed 's/WARNING/\nWARNING/g' | sed 's/ERROR/\nERROR/g' | sort | uniq -c | sort -nr
+		echo
+	fi
+fi
+done

salt/common/tools/sbin/so-elastic-download

@@ -0,0 +1,44 @@
+#!/bin/bash
+MASTER=MASTER
+VERSION="HH1.1.4"
+TRUSTED_CONTAINERS=( \
+"so-nginx:$VERSION" \
+"so-thehive-cortex:$VERSION" \
+"so-curator:$VERSION" \
+"so-domainstats:$VERSION" \
+"so-elastalert:$VERSION" \
+"so-elasticsearch:$VERSION" \
+"so-filebeat:$VERSION" \
+"so-fleet:$VERSION" \
+"so-fleet-launcher:$VERSION" \
+"so-freqserver:$VERSION" \
+"so-grafana:$VERSION" \
+"so-idstools:$VERSION" \
+"so-influxdb:$VERSION" \
+"so-kibana:$VERSION" \
+"so-logstash:$VERSION" \
+"so-mysql:$VERSION" \
+"so-navigator:$VERSION" \
+"so-playbook:$VERSION" \
+"so-redis:$VERSION" \
+"so-sensoroni:$VERSION" \
+"so-soctopus:$VERSION" \
+"so-steno:$VERSION" \
+#"so-strelka:$VERSION" \
+"so-suricata:$VERSION" \
+"so-telegraf:$VERSION" \
+"so-thehive:$VERSION" \
+"so-thehive-es:$VERSION" \
+"so-wazuh:$VERSION" \
+"so-zeek:$VERSION" )
+
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+  # Pull down the trusted docker image
+  echo "Downloading $i"
+  docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+  # Tag it with the new registry destination
+  docker tag soshybridhunter/$i $MASTER:5000/soshybridhunter/$i
+  docker push $MASTER:5000/soshybridhunter/$i
+  docker rmi soshybridhunter/$i
+done

salt/common/tools/sbin/so-elasticsearch-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart elasticsearch $1

salt/common/tools/sbin/so-elasticsearch-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start elasticsearch $1

salt/common/tools/sbin/so-elasticsearch-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop elasticsearch $1

salt/common/tools/sbin/so-elasticsearch-templates

@@ -0,0 +1,54 @@
+{% set MASTERIP = salt['pillar.get']('master:mainip', '') %}
+#!/bin/bash
+# Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+ELASTICSEARCH_HOST="{{ MASTERIP}}"
+ELASTICSEARCH_PORT=9200
+#ELASTICSEARCH_AUTH=""
+
+# Define a default directory to load pipelines from
+ELASTICSEARCH_TEMPLATES="/opt/so/saltstack/salt/logstash/pipelines/templates/so/"
+
+# Wait for ElasticSearch to initialize
+echo -n "Waiting for ElasticSearch..."
+COUNT=0
+ELASTICSEARCH_CONNECTED="no"
+while [[ "$COUNT" -le 240 ]]; do
+	curl --output /dev/null --silent --head --fail http://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
+	if [ $? -eq 0 ]; then
+		ELASTICSEARCH_CONNECTED="yes"
+		echo "connected!"
+		break
+	else
+		((COUNT+=1))
+		sleep 1
+		echo -n "."
+	fi
+done
+if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
+	echo
+	echo -e "Connection attempt timed out.  Unable to connect to ElasticSearch.  \nPlease try: \n  -checking log(s) in /var/log/elasticsearch/\n  -running 'sudo docker ps' \n  -running 'sudo so-elastic-restart'"
+	echo
+fi
+
+cd ${ELASTICSEARCH_TEMPLATES}
+
+
+echo "Loading templates..."
+for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; curl ${ELASTICSEARCH_AUTH} -s -XPUT http://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done
+echo
+
+cd - >/dev/null

salt/common/tools/sbin/so-features-enable

@@ -0,0 +1,42 @@
+#!/bin/bash
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+VERSION=$(grep soversion /opt/so/saltstack/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
+# Modify static.sls to enable Features
+sed -i 's/features: False/features: True/' /opt/so/saltstack/pillar/static.sls
+SUFFIX="-features"
+TRUSTED_CONTAINERS=( \
+  "so-elasticsearch:$VERSION$SUFFIX" \
+  "so-filebeat:$VERSION$SUFFIX" \
+  "so-kibana:$VERSION$SUFFIX" \
+  "so-logstash:$VERSION$SUFFIX" )
+
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+    # Pull down the trusted docker image
+    echo "Downloading $i"
+    docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+    # Tag it with the new registry destination
+    docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
+    docker push $HOSTNAME:5000/soshybridhunter/$i
+done
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+    echo "Removing $i locally"
+    docker rmi soshybridhunter/$i
+done

salt/common/tools/sbin/so-filebeat-restart

@@ -1,17 +1,20 @@
 #!/bin/bash
 
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-filebeat && sudo docker rm so-filebeat && salt-call state.apply filebeat
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart filebeat $1

salt/common/tools/sbin/so-filebeat-start

@@ -1,17 +1,20 @@
 #!/bin/bash
 
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker rm so-filebeat && salt-call state.apply filebeat
+. /usr/sbin/so-common
+
+/usr/sbin/so-start filebeat $1

salt/common/tools/sbin/so-filebeat-stop

@@ -1,17 +1,20 @@
 #!/bin/bash
 
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-filebeat
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop filebeat $1

salt/common/tools/sbin/so-fleet-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart fleet $1

salt/common/tools/sbin/so-fleet-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start fleet $1

salt/common/tools/sbin/so-fleet-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop fleet $1

salt/common/tools/sbin/so-get-parsed

@@ -1 +0,0 @@
-sudo docker exec -it so-redis redis-cli llen logstash:unparsed

salt/common/tools/sbin/so-get-unparsed

@@ -1 +0,0 @@
-sudo docker exec -it so-redis redis-cli llen logstash:unparsed

salt/common/tools/sbin/so-grafana-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart grafana $1

salt/common/tools/sbin/so-grafana-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start grafana $1

salt/common/tools/sbin/so-grafana-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop grafana $1

salt/common/tools/sbin/so-index-list

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+curl -X GET "localhost:9200/_cat/indices?v"

salt/common/tools/sbin/so-kibana-config-export

@@ -0,0 +1,35 @@
+#!/bin/bash
+#
+# {%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master', False) -%}
+# {%- set FLEET_NODE = salt['pillar.get']('static:fleet_node', False) -%}
+# {%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', '') %}
+# {%- set MASTER = salt['pillar.get']('master:url_base', '') %}
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+KIBANA_HOST={{ MASTER }}
+KSO_PORT=5601
+OUTFILE="saved_objects.ndjson"
+curl -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": [ "index-pattern", "config", "visualization", "dashboard", "search" ], "excludeExportDetails": false }' > $OUTFILE
+
+# Clean up using PLACEHOLDER
+sed -i "s/$KIBANA_HOST/PLACEHOLDER/g" $OUTFILE
+
+# Clean up for Fleet, if applicable
+# {% if FLEET_NODE or FLEET_MASTER %}
+# Fleet IP
+sed -i "s/{{ FLEET_IP }}/FLEETPLACEHOLDER/g" $OUTFILE
+# {% endif %}

salt/common/tools/sbin/so-kibana-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart kibana $1

salt/common/tools/sbin/so-kibana-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start kibana $1

salt/common/tools/sbin/so-kibana-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop kibana $1