Merge pull request #909 from Security-Onion-Solutions/fix/1.4.1

Update to 1.4.1

.gitignore

@@ -1,2 +1,59 @@
+
+# Created by https://www.gitignore.io/api/macos,windows
+# Edit at https://www.gitignore.io/?templates=macos,windows
+
+### macOS ###
+# General
 .DS_Store
-.idea
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### Windows ###
+# Windows thumbnail cache files
+Thumbs.db
+Thumbs.db:encryptable
+ehthumbs.db
+ehthumbs_vista.db
+
+# Dump file
+*.stackdump
+
+# Folder config file
+[Dd]esktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
+
+# End of https://www.gitignore.io/api/macos,windows

README.md

@@ -1,32 +1,73 @@
-## Hybrid Hunter Beta 1.2.1 - Beta 1
+## Hybrid Hunter Beta 1.4.1 - Beta 3
+
+- Fix install script to handle hostnames properly.
+
+
+## Hybrid Hunter Beta 1.4.0 - Beta 3
+
+- Complete overhaul of the way we handle custom and default settings and data. You will now see a default and local directory under the saltstack directory. All customizations are stored in local.
+- The way firewall rules are handled has been completely revamped. This will allow the user to customize firewall rules much easier. 
+- Users can now change their own password in SOC.
+- Hunt now allows users to enable auto-hunt. This is a toggle which, when enabled, automatically submits a new hunt when filtering, grouping, etc.
+- Title bar now reflects current Hunt query. This will assist users in locating a previous query from their browser history.
+- Zeek 3.0.7
+- Elastic 7.7.1
+- Suricata can now be used for meta data generation.
+- Suricata eve.json has been moved to `/nsm` to align with storage of other data.
+- Suricata will now properly rotate its logs.
+- Grafana dashboards now work properly in standalone mode.
+- Kibana Dashboard updates including osquery, community_id.  
+- New Elasticsearch Ingest processor to generate community_id from any log that includes the required fields.  
+- Community_id generated for additional logs: Zeek HTTP/SMTP/ , Sysmon shipped with Osquery or Winlogbeat.  
+- Major streamlining of Fleet setup & configuration - no need to run a secondary setup script anymore. 
+- Fleet Standalone node now includes the ability to set a FQDN to point osquery endpoints to. 
+- Distributed installs now support ingesting Windows Eventlogs via Winlogbeat - includes full parsing support for Sysmon.
+- SOC Downloads section now includes a link to the supported version of Winlogbeat.     
+- Basic syslog ingestion capability now included.
+- Elasticsearch index name transition fixes for various components.
+- Updated URLs for pivot fields in Kibana.
+- Instances of `hive` renamed to `thehive`. 
+ 
+### Known Issues:
+
+- The Hunt feature is currently considered "Preview" and although very useful in its current state, not everything works. We wanted to get this out as soon as possible to get the feedback from you! Let us know what you want to see! Let us know what you think we should call it!
+- You cannot pivot to PCAP from Suricata alerts in Kibana or Hunt.
+- Navigator is currently not working when using hostname to access SOC. IP mode works correctly.
+- Due to the move to ECS, the current Playbook plays may not alert correctly at this time.
+- The osquery MacOS package does not install correctly.
+
+
+## Hybrid Hunter Beta 1.3.0 - Beta 2
 
 ### Changes:
 
-- Full support for Ubuntu 18.04. 16.04 is no longer supported for Hybrid Hunter.
-- Introduction of the Security Onion Console. Once logged in you are directly taken to the SOC.
-- New authentication using Kratos.
-- During install you must specify how you would like to access the SOC ui. This is for strict cookie security.
-- Ability to list and delete web users from the SOC ui.
-- The soremote account is now used to add nodes to the grid vs using socore. 
-- Community ID support for Zeek, osquery, and Suricata. You can now tie host events to connection logs!
-- Elastic 7.6.1 with ECS support.
-- New set of Kibana dashboards that align with ECS.
-- Eval mode no longer uses Logstash for parsing (Filebeat -> ES Ingest)
-- Ingest node parsing for osquery-shipped logs (osquery, WEL, Sysmon).
-- Fleet standalone mode with improved Web UI & API access control.
-- Improved Fleet integration support.
-- Playbook now has full Windows Sigma community ruleset builtin.
-- Automatic Sigma community rule updates.
-- Playbook stability enhancements.
-- Zeek health check. Zeek will now auto restart if a worker crashes.
-- zeekctl is now managed by salt.
-- Grafana dashboard improvements and cleanup.
-- Moved logstash configs to pillars.
-- Salt logs moved to /opt/so/log/salt.
-- Strelka integrated for file-oriented detection/analysis at scale
-
-### Known issues:
+- New Feature: Codename: "Onion Hunt". Select Hunt from the menu and start hunting down your adversaries! 
+- Improved ECS support.
+- Complete refactor of the setup to make it easier to follow.
+- Improved setup script logging to better assist on any issues.
+- Setup now checks for minimal requirements during install.
+- Updated Cyberchef to version 9.20.3.
+- Updated Elastalert to version 0.2.4 and switched to alpine to reduce container size.
+- Updated Redis to 5.0.9 and switched to alpine to reduce container size.
+- Updated Salt to 2019.2.5
+- Updated Grafana to 6.7.3.
+- Zeek 3.0.6
+- Suricata 4.1.8
+- Fixes so-status to now display correct containers and status.
+- local.zeek is now controlled by a pillar instead of modifying the file directly.
+- Renamed so-core to so-nginx and switched to alpine to reduce container size.
+- Playbook now uses MySQL instead of SQLite.
+- Sigma rules have all been updated.
+- Kibana dashboard improvements for ECS.
+- Fixed an issue where geoip was not properly parsed.
+- ATT&CK Navigator is now it's own state.
+- Standlone mode is now supported.
+- Mastersearch previously used the same Grafana dashboard as a Search node. It now has its own dashboard that incorporates panels from the Master node and Search node dashboards.
+ 
+### Known Issues:
 
+- The Hunt feature is currently considered "Preview" and although very useful in its current state, not everything works. We wanted to get this out as soon as possible to get the feedback from you! Let us know what you want to see! Let us know what you think we should call it!
+- You cannot pivot to PCAP from Suricata alerts in Kibana or Hunt.
 - Updating users via the SOC ui is known to fail. To change a user, delete the user and re-add them. 
 - Due to the move to ECS, the current Playbook plays may not alert correctly at this time.
 - The osquery MacOS package does not install correctly.

VERSION

@@ -1 +1 @@
-1.2.1
+1.4.1

files/firewall/assigned_hostgroups.local.map.yaml

@@ -0,0 +1,20 @@
+{% import_yaml 'firewall/portgroups.yaml' as default_portgroups %}
+{% set default_portgroups = default_portgroups.firewall.aliases.ports %}
+{% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %}
+{% if local_portgroups.firewall.aliases.ports %}
+  {% set local_portgroups = local_portgroups.firewall.aliases.ports %}
+{% else %}
+  {% set local_portgroups = {} %}
+{% endif %}
+{% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %}
+
+role:
+  eval:
+  fleet:
+  heavynode:
+  helixsensor:
+  master:
+  mastersearch:
+  standalone:
+  searchnode:
+  sensor:

files/firewall/hostgroups.local.yaml

@@ -0,0 +1,62 @@
+firewall:
+  hostgroups:
+    analyst:
+      ips:
+        delete:
+        insert:
+    beats_endpoint:
+      ips:
+        delete:
+        insert:
+    beats_endpoint_ssl:
+      ips:
+        delete:
+        insert:
+    fleet:
+      ips:
+        delete:
+        insert:
+    heavy_node:
+      ips:
+        delete:
+        insert:
+    master:
+      ips:
+        delete:
+        insert:
+    minion:
+      ips:
+        delete:
+        insert:
+    node:
+      ips:
+        delete:
+        insert:
+    osquery_endpoint:
+      ips:
+        delete:
+        insert:
+    search_node:
+      ips:
+        delete:
+        insert:
+    sensor:
+      ips:
+        delete:
+        insert:
+    syslog:
+      ips:
+        delete:
+        insert:
+    wazuh_agent:
+      ips:
+        delete:
+        insert:
+    wazuh_api:
+      ips:
+        delete:
+        insert:
+    wazuh_authd:
+      ips:
+        delete:
+        insert:

files/firewall/portgroups.local.yaml

@@ -0,0 +1,3 @@
+firewall:
+  aliases:
+    ports:

files/master

@@ -37,7 +37,9 @@ log_file: /opt/so/log/salt/master
 #
 file_roots:
   base:
-    - /opt/so/saltstack/salt
+    - /opt/so/saltstack/local/salt
+    - /opt/so/saltstack/default/salt
+
 
 # The master_roots setting configures a master-only copy of the file_roots dictionary,
 # used by the state compiler.
@@ -53,7 +55,8 @@ file_roots:
 
 pillar_roots:
   base:
-    - /opt/so/saltstack/pillar
+    - /opt/so/saltstack/local/pillar
+    - /opt/so/saltstack/default/pillar
 
 peer:
   .*:

pillar/data/addtotab.sh

@@ -1,7 +1,8 @@
 #!/usr/bin/env bash
 
 # This script adds sensors/nodes/etc to the nodes tab
-
+default_salt_dir=/opt/so/saltstack/default
+local_salt_dir=/opt/so/saltstack/local
 TYPE=$1
 NAME=$2
 IPADDRESS=$3
@@ -15,7 +16,7 @@ MONINT=$9
 #HOTNAME=$11
 
 echo "Seeing if this host is already in here. If so delete it"
-if grep -q $NAME "/opt/so/saltstack/pillar/data/$TYPE.sls"; then
+if grep -q $NAME "$local_salt_dir/pillar/data/$TYPE.sls"; then
   echo "Node Already Present - Let's re-add it"
   awk -v blah="  $NAME:" 'BEGIN{ print_flag=1 }
 {
@@ -31,27 +32,29 @@ if grep -q $NAME "/opt/so/saltstack/pillar/data/$TYPE.sls"; then
     if ( print_flag == 1 )
         print $0
 
-} ' /opt/so/saltstack/pillar/data/$TYPE.sls > /opt/so/saltstack/pillar/data/tmp.$TYPE.sls
-mv /opt/so/saltstack/pillar/data/tmp.$TYPE.sls /opt/so/saltstack/pillar/data/$TYPE.sls
+} ' $local_salt_dir/pillar/data/$TYPE.sls > $local_salt_dir/pillar/data/tmp.$TYPE.sls
+mv $local_salt_dir/pillar/data/tmp.$TYPE.sls $local_salt_dir/pillar/data/$TYPE.sls
 echo "Deleted $NAME from the tab. Now adding it in again with updated info"
 fi
-echo "  $NAME:" >> /opt/so/saltstack/pillar/data/$TYPE.sls
-echo "    ip: $IPADDRESS" >> /opt/so/saltstack/pillar/data/$TYPE.sls
-echo "    manint: $MANINT" >> /opt/so/saltstack/pillar/data/$TYPE.sls
-echo "    totalcpus: $CPUS" >> /opt/so/saltstack/pillar/data/$TYPE.sls
-echo "    guid: $GUID" >> /opt/so/saltstack/pillar/data/$TYPE.sls
-echo "    rootfs: $ROOTFS" >> /opt/so/saltstack/pillar/data/$TYPE.sls
-echo "    nsmfs: $NSM" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "  $NAME:" >> $local_salt_dir/pillar/data/$TYPE.sls
+echo "    ip: $IPADDRESS" >> $local_salt_dir/pillar/data/$TYPE.sls
+echo "    manint: $MANINT" >> $local_salt_dir/pillar/data/$TYPE.sls
+echo "    totalcpus: $CPUS" >> $local_salt_dir/pillar/data/$TYPE.sls
+echo "    guid: $GUID" >> $local_salt_dir/pillar/data/$TYPE.sls
+echo "    rootfs: $ROOTFS" >> $local_salt_dir/pillar/data/$TYPE.sls
+echo "    nsmfs: $NSM" >> $local_salt_dir/pillar/data/$TYPE.sls
 if [ $TYPE == 'sensorstab' ]; then
-  echo "    monint: $MONINT" >> /opt/so/saltstack/pillar/data/$TYPE.sls
-  salt-call state.apply common queue=True
+  echo "    monint: $MONINT" >> $local_salt_dir/pillar/data/$TYPE.sls
+  salt-call state.apply grafana queue=True
 fi
-if [ $TYPE == 'evaltab' ]; then
-  echo "    monint: $MONINT" >> /opt/so/saltstack/pillar/data/$TYPE.sls
-  salt-call state.apply common queue=True
-  salt-call state.apply utility queue=True
+if [ $TYPE == 'evaltab' ] || [ $TYPE == 'standalonetab' ]; then
+  echo "    monint: $MONINT" >> $local_salt_dir/pillar/data/$TYPE.sls
+  if [ ! $10 ]; then
+    salt-call state.apply grafana queue=True
+    salt-call state.apply utility queue=True
+  fi
 fi
 #if [ $TYPE == 'nodestab' ]; then
-#  echo "    nodetype: $NODETYPE" >> /opt/so/saltstack/pillar/data/$TYPE.sls
-#  echo "    hotname: $HOTNAME" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+#  echo "    nodetype: $NODETYPE" >> $local_salt_dir/pillar/data/$TYPE.sls
+#  echo "    hotname: $HOTNAME" >> $local_salt_dir/pillar/data/$TYPE.sls
 #fi

pillar/data/evaltab.sls

@@ -1 +0,0 @@
-evaltab:

pillar/data/mastertab.sls

@@ -1 +0,0 @@
-mastertab:

pillar/data/nodestab.sls

@@ -1 +0,0 @@
-nodestab:

pillar/data/sensorstab.sls

@@ -1 +0,0 @@
-sensorstab:

pillar/docker/config.sls

@@ -10,7 +10,7 @@
 
 eval:
   containers:
-    - so-core
+    - so-nginx
     - so-telegraf
     {% if  GRAFANA == '1' %}
     - so-influxdb
@@ -54,7 +54,7 @@ eval:
     {% endif %}
 heavy_node:
   containers:
-    - so-core
+    - so-nginx
     - so-telegraf
     - so-redis
     - so-logstash
@@ -69,7 +69,7 @@ heavy_node:
     {% endif %}
 helix:
   containers:
-    - so-core
+    - so-nginx
     - so-telegraf
     - so-idstools
     - so-steno
@@ -79,14 +79,14 @@ helix:
     - so-filebeat
 hot_node:
   containers:
-    - so-core
+    - so-nginx
     - so-telegraf
     - so-logstash
     - so-elasticsearch
     - so-curator
 master_search:
   containers:
-    - so-core
+    - so-nginx
     - so-telegraf
     - so-soc
     - so-kratos
@@ -127,7 +127,7 @@ master_search:
 master:
   containers:
     - so-dockerregistry
-    - so-core
+    - so-nginx
     - so-telegraf
     {% if  GRAFANA == '1' %}
     - so-influxdb
@@ -169,12 +169,12 @@ master:
     {% endif %}
 parser_node:
   containers:
-    - so-core
+    - so-nginx
     - so-telegraf
     - so-logstash
 search_node:
   containers:
-    - so-core
+    - so-nginx
     - so-telegraf
     - so-logstash
     - so-elasticsearch
@@ -185,7 +185,7 @@ search_node:
     {% endif %}
 sensor:
   containers:
-    - so-core
+    - so-nginx
     - so-telegraf
     - so-steno
     - so-suricata
@@ -196,7 +196,7 @@ sensor:
     - so-filebeat
 warm_node:
   containers:
-    - so-core
+    - so-nginx
     - so-telegraf
     - so-elasticsearch
 fleet:
@@ -206,6 +206,6 @@ fleet:
     - so-fleet
     - so-redis
     - so-filebeat
-    - so-core
+    - so-nginx
     - so-telegraf
     {% endif %}

pillar/firewall/addfirewall.sh

@@ -1,13 +1,13 @@
 #!/usr/bin/env bash
 
 # This script adds ip addresses to specific rule sets defined by the user
-
+local_salt_dir=/opt/so/saltstack/local
 POLICY=$1
 IPADDRESS=$2
 
-if grep -q $2 "/opt/so/saltstack/pillar/firewall/$1.sls"; then
+if grep -q $2 "$local_salt_dir/pillar/firewall/$1.sls"; then
   echo "Firewall Rule Already There"
 else
-  echo "  - $2" >> /opt/so/saltstack/pillar/firewall/$1.sls
+  echo "  - $2" >> $local_salt_dir/pillar/firewall/$1.sls
   salt-call state.apply firewall queue=True
-fi
+fi

pillar/firewall/analyst.sls

@@ -1,3 +0,0 @@
-analyst:
-  - 127.0.0.1
-  

pillar/firewall/beats_endpoint.sls

@@ -1,3 +0,0 @@
-beats_endpoint:
-  - 127.0.0.1
-  

pillar/firewall/forward_nodes.sls

@@ -1,3 +0,0 @@
-forward_nodes:
-  - 127.0.0.1
-  

pillar/firewall/masterfw.sls

@@ -1,2 +0,0 @@
-masterfw:
-  - 127.0.0.1

pillar/firewall/minions.sls

@@ -1,3 +0,0 @@
-minions:
-  - 127.0.0.1
-  

pillar/firewall/osquery_endpoint.sls

@@ -1,3 +0,0 @@
-osquery_endpoint:
-  - 127.0.0.1
-  

pillar/firewall/ports.sls

@@ -0,0 +1,62 @@
+firewall:
+  analyst:
+    ports:
+      tcp:
+        - 80
+        - 443
+      udp:
+  beats_endpoint:
+    ports:
+      tcp:
+        - 5044
+  forward_nodes:
+    ports:
+      tcp:
+        - 443
+        - 5044
+        - 5644
+        - 9822
+      udp:
+  master:
+    ports:
+      tcp:
+        - 1514
+        - 3200
+        - 3306
+        - 4200
+        - 5601
+        - 6379
+        - 8086
+        - 8090
+        - 9001
+        - 9200
+        - 9300
+        - 9400  
+        - 9500
+      udp:
+        - 1514
+  minions:
+    ports:
+      tcp:
+        - 3142
+        - 4505
+        - 4506
+        - 5000
+        - 8080
+        - 8086
+        - 55000      
+  osquery_endpoint:
+    ports:
+      tcp:
+        - 8090
+  search_nodes:
+    ports:
+      tcp:
+        - 6379
+        - 9300
+  wazuh_endpoint:
+    ports:
+      tcp:
+        - 1514
+      udp: 
+        -1514

pillar/firewall/search_nodes.sls

@@ -1,2 +0,0 @@
-search_nodes:
-  - 127.0.0.1

pillar/firewall/wazuh_endpoint.sls

@@ -1,2 +0,0 @@
-wazuh_endpoint:
-  - 127.0.0.1

pillar/healthcheck/standalone.sls

@@ -0,0 +1,5 @@
+healthcheck:
+  enabled: False
+  schedule: 300
+  checks:
+    - zeek

pillar/logstash/master.sls

@@ -2,5 +2,6 @@ logstash:
   pipelines:
     master:
       config:
+        - so/0009_input_beats.conf      
         - so/0010_input_hhbeats.conf
         - so/9999_output_redis.conf.jinja

pillar/logstash/search.sls

@@ -5,12 +5,12 @@ logstash:
         - so/0900_input_redis.conf.jinja
         - so/9000_output_zeek.conf.jinja
         - so/9002_output_import.conf.jinja
+        - so/9034_output_syslog.conf.jinja
         - so/9100_output_osquery.conf.jinja
         - so/9400_output_suricata.conf.jinja
         - so/9500_output_beats.conf.jinja
         - so/9600_output_ossec.conf.jinja
         - so/9700_output_strelka.conf.jinja
   templates:
-    - so/so-beats-template.json
     - so/so-common-template.json
     - so/so-zeek-template.json

pillar/top.sls

@@ -1,7 +1,10 @@
 base:
   '*':
     - patch.needs_restarting
-    - docker.config
+
+  '*_eval or *_helix or *_heavynode or *_sensor or *_standalone':
+    - match: compound
+    - zeek
 
   '*_mastersearch or *_heavynode':
     - match: compound
@@ -11,7 +14,6 @@ base:
 
   '*_sensor':
     - static
-    - firewall.*
     - brologs
     - healthcheck.sensor
     - minions.{{ grains.id }}
@@ -19,7 +21,6 @@ base:
   '*_master or *_mastersearch':
     - match: compound
     - static
-    - firewall.*
     - data.*
     - secrets
     - minions.{{ grains.id }}
@@ -30,27 +31,34 @@ base:
 
   '*_eval':
     - static
-    - firewall.*
     - data.*
     - brologs
     - secrets
     - healthcheck.eval
     - minions.{{ grains.id }}
 
+  '*_standalone':
+    - logstash
+    - logstash.master
+    - logstash.search
+    - data.*
+    - brologs
+    - secrets
+    - healthcheck.standalone
+    - static
+    - minions.{{ grains.id }}
+
   '*_node':
     - static
-    - firewall.*
     - minions.{{ grains.id }}
 
   '*_heavynode':
     - static
-    - firewall.*
     - brologs
     - minions.{{ grains.id }}
 
   '*_helix':
     - static
-    - firewall.*
     - fireeye
     - brologs
     - logstash
@@ -59,14 +67,12 @@ base:
 
   '*_fleet':
     - static
-    - firewall.*
     - data.*
     - secrets
     - minions.{{ grains.id }}
 
   '*_searchnode':
     - static
-    - firewall.*
     - logstash
     - logstash.search
     - minions.{{ grains.id }}

pillar/zeek/init.sls

@@ -0,0 +1,55 @@
+zeek:
+  zeekctl:
+    MailTo: root@localhost
+    MailConnectionSummary: 1
+    MinDiskSpace: 5
+    MailHostUpDown: 1
+    LogRotationInterval: 3600
+    LogExpireInterval: 0
+    StatsLogEnable: 1
+    StatsLogExpireInterval: 0
+    StatusCmdShowAll: 0
+    CrashExpireInterval: 0
+    SitePolicyScripts: local.zeek
+    LogDir: /nsm/zeek/logs
+    SpoolDir: /nsm/zeek/spool
+    CfgDir: /opt/zeek/etc
+    CompressLogs: 1
+  local:
+    '@load':
+      - misc/loaded-scripts
+      - tuning/defaults
+      - misc/capture-loss
+      - misc/stats
+      - frameworks/software/vulnerable
+      - frameworks/software/version-changes
+      - protocols/ftp/software
+      - protocols/smtp/software
+      - protocols/ssh/software
+      - protocols/http/software
+      - protocols/dns/detect-external-names
+      - protocols/ftp/detect
+      - protocols/conn/known-hosts
+      - protocols/conn/known-services
+      - protocols/ssl/known-certs
+      - protocols/ssl/validate-certs
+      - protocols/ssl/log-hostcerts-only
+      - protocols/ssh/geo-data
+      - protocols/ssh/detect-bruteforcing
+      - protocols/ssh/interesting-hostnames
+      - protocols/http/detect-sqli
+      - frameworks/files/hash-all-files
+      - frameworks/files/detect-MHR
+      - policy/frameworks/notice/extend-email/hostnames
+      - ja3
+      - hassh
+      - intel
+      - cve-2020-0601
+      - securityonion/bpfconf
+      - securityonion/communityid
+      - securityonion/file-extraction
+    '@load-sigs':
+      - frameworks/signatures/detect-windows-shells
+    redef:
+      - LogAscii::use_json = T;
+      - LogAscii::json_timestamps = JSON::TS_ISO8601;

salt/ca/init.sls

@@ -44,5 +44,3 @@ send_x509_pem_entries_to_mine:
     - mine.send:
       - func: x509.get_pem_entries
       - glob_path: /etc/pki/ca.crt
-    - onchanges:
-      - x509: /etc/pki/ca.crt

salt/common/init.sls

@@ -1,8 +1,3 @@
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
-{% set MASTER = salt['grains.get']('master') %}
-{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
-{% set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) %}
-{% set FLEETNODE = salt['pillar.get']('static:fleet_node', False) %}
 # Add socore Group
 socoregroup:
   group.present:
@@ -19,7 +14,6 @@ socore:
     - shell: /bin/bash
 
 # Create a state directory
-
 statedir:
   file.directory:
     - name: /opt/so/state
@@ -34,24 +28,85 @@ salttmp:
     - group: 939
     - makedirs: True
 
-# Install packages needed for the sensor
-
-sensorpkgs:
+# Install epel
+{% if grains['os'] == 'CentOS' %}
+epel:
   pkg.installed:
-    - skip_suggestions: False
+    - skip_suggestions: True
+    - pkgs:
+      - epel-release
+{% endif %}
+
+# Install common packages
+{% if grains['os'] != 'CentOS' %}     
+commonpkgs:
+  pkg.installed:
+    - skip_suggestions: True
     - pkgs:
-      - docker-ce
-      - wget
-      - jq
-      {% if grains['os'] != 'CentOS' %}
-      - python-docker
-      - python-m2crypto
       - apache2-utils
-      {% else %}
-      - net-tools
+      - wget
+      - ntpdate
+      - jq
+      - python3-docker
+      - docker-ce
+      - curl
+      - ca-certificates
+      - software-properties-common
+      - apt-transport-https
+      - openssl
+      - netcat
+      - python3-mysqldb
+      - sqlite3
+      - argon2
+      - libssl-dev
+      - python3-dateutil
+      - python3-m2crypto
+      - python3-mysqldb
+      - git
+heldpackages:
+  pkg.installed:
+    - pkgs:
+      - containerd.io: 1.2.13-2
+      - docker-ce: 5:19.03.9~3-0~ubuntu-bionic
+    - hold: True
+    - update_holds: True
+
+{% else %}
+commonpkgs:
+  pkg.installed:
+    - skip_suggestions: True
+    - pkgs:
+      - wget
+      - ntpdate
+      - bind-utils
+      - jq
       - tcpdump
       - httpd-tools
-      {% endif %}
+      - net-tools
+      - curl
+      - sqlite
+      - argon2
+      - mariadb-devel
+      - nmap-ncat
+      - python3
+      - python36-docker
+      - python36-dateutil
+      - python36-m2crypto
+      - python36-mysql
+      - yum-utils
+      - device-mapper-persistent-data
+      - lvm2
+      - openssl
+      - git
+
+heldpackages:
+  pkg.installed:
+    - pkgs:
+      - containerd.io: 1.2.13-3.2.el7
+      - docker-ce: 3:19.03.11-3.el7
+    - hold: True
+    - update_holds: True
+{% endif %}
 
 # Always keep these packages up to date
 
@@ -64,7 +119,6 @@ alwaysupdated:
     - skip_suggestions: True
 
 # Set time to UTC
-
 Etc/UTC:
   timezone.system
 
@@ -77,339 +131,3 @@ utilsyncscripts:
     - file_mode: 755
     - template: jinja
     - source: salt://common/tools/sbin
-
-# Make sure Docker is running!
-docker:
-  service.running:
-    - enable: True
-
-# Drop the correct nginx config based on role
-
-nginxconfdir:
-  file.directory:
-    - name: /opt/so/conf/nginx
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-nginxconf:
-  file.managed:
-    - name: /opt/so/conf/nginx/nginx.conf
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/nginx/nginx.conf.{{ grains.role }}
-
-nginxlogdir:
-  file.directory:
-    - name: /opt/so/log/nginx/
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-nginxtmp:
-  file.directory:
-    - name: /opt/so/tmp/nginx/tmp
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-so-core:
-  docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-core:{{ VERSION }}
-    - hostname: so-core
-    - user: socore
-    - binds:
-      - /opt/so:/opt/so:rw
-      - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
-      - /opt/so/log/nginx/:/var/log/nginx:rw
-      - /opt/so/tmp/nginx/:/var/lib/nginx:rw
-      - /opt/so/tmp/nginx/:/run:rw
-      - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro
-      - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro
-      - /opt/so/conf/fleet/packages:/opt/socore/html/packages
-    - cap_add: NET_BIND_SERVICE
-    - port_bindings:
-      - 80:80
-      - 443:443
-    {%- if FLEETMASTER or FLEETNODE %}
-      - 8090:8090
-    {%- endif %}
-    - watch:
-      - file: /opt/so/conf/nginx/nginx.conf
-
-# Add Telegraf to monitor all the things.
-tgraflogdir:
-  file.directory:
-    - name: /opt/so/log/telegraf
-    - makedirs: True
-
-tgrafetcdir:
-  file.directory:
-    - name: /opt/so/conf/telegraf/etc
-    - makedirs: True
-
-tgrafetsdir:
-  file.directory:
-    - name: /opt/so/conf/telegraf/scripts
-    - makedirs: True
-
-tgrafsyncscripts:
-  file.recurse:
-    - name: /opt/so/conf/telegraf/scripts
-    - user: 939
-    - group: 939
-    - file_mode: 755
-    - template: jinja
-    - source: salt://common/telegraf/scripts
-
-tgrafconf:
-  file.managed:
-    - name: /opt/so/conf/telegraf/etc/telegraf.conf
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/telegraf/etc/telegraf.conf
-
-so-telegraf:
-  docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:{{ VERSION }}
-    - environment:
-      - HOST_PROC=/host/proc
-      - HOST_ETC=/host/etc
-      - HOST_SYS=/host/sys
-      - HOST_MOUNT_PREFIX=/host
-    - network_mode: host
-    - port_bindings:
-      - 127.0.0.1:8094:8094
-    - binds:
-      - /opt/so/log/telegraf:/var/log/telegraf:rw
-      - /opt/so/conf/telegraf/etc/telegraf.conf:/etc/telegraf/telegraf.conf:ro
-      - /var/run/utmp:/var/run/utmp:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - /:/host/root:ro
-      - /sys:/host/sys:ro
-      - /proc:/host/proc:ro
-      - /nsm:/host/nsm:ro
-      - /etc:/host/etc:ro
-      {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %}
-      - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro
-      {% else %}
-      - /etc/ssl/certs/intca.crt:/etc/telegraf/ca.crt:ro
-      {% endif %}
-      - /etc/pki/influxdb.crt:/etc/telegraf/telegraf.crt:ro
-      - /etc/pki/influxdb.key:/etc/telegraf/telegraf.key:ro
-      - /opt/so/conf/telegraf/scripts:/scripts:ro
-      - /opt/so/log/stenographer:/var/log/stenographer:ro
-      - /opt/so/log/suricata:/var/log/suricata:ro
-    - watch:
-      - /opt/so/conf/telegraf/etc/telegraf.conf
-      - /opt/so/conf/telegraf/scripts
-
-# If its a master or eval lets install the back end for now
-{% if grains['role'] in ['so-master', 'so-mastersearch', 'so-eval'] and GRAFANA == 1 %}
-
-# Influx DB
-influxconfdir:
-  file.directory:
-    - name: /opt/so/conf/influxdb/etc
-    - makedirs: True
-
-influxdbdir:
-  file.directory:
-    - name: /nsm/influxdb
-    - makedirs: True
-
-influxdbconf:
-  file.managed:
-    - name: /opt/so/conf/influxdb/etc/influxdb.conf
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/influxdb/etc/influxdb.conf
-
-so-influxdb:
-  docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:{{ VERSION }}
-    - hostname: influxdb
-    - environment:
-      - INFLUXDB_HTTP_LOG_ENABLED=false
-    - binds:
-      - /opt/so/conf/influxdb/etc/influxdb.conf:/etc/influxdb/influxdb.conf:ro
-      - /nsm/influxdb:/var/lib/influxdb:rw
-      - /etc/pki/influxdb.crt:/etc/ssl/influxdb.crt:ro
-      - /etc/pki/influxdb.key:/etc/ssl/influxdb.key:ro
-    - port_bindings:
-      - 0.0.0.0:8086:8086
-    - watch:
-      - file: /opt/so/conf/influxdb/etc/influxdb.conf
-
-# Grafana all the things
-grafanadir:
-  file.directory:
-    - name: /nsm/grafana
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanaconfdir:
-  file.directory:
-    - name: /opt/so/conf/grafana/etc
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanadashdir:
-  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanadashmdir:
-  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards/master
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanadashevaldir:
-  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards/eval
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanadashfndir:
-  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards/sensor_nodes
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanadashsndir:
-  file.directory:
-    - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-grafanaconf:
-  file.recurse:
-    - name: /opt/so/conf/grafana/etc
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/grafana/etc
-
-{% if salt['pillar.get']('mastertab', False) %}
-{% for SN, SNDATA in salt['pillar.get']('mastertab', {}).items() %}
-{% set NODETYPE = SN.split('_')|last %}
-{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
-dashboard-master:
-  file.managed:
-    - name: /opt/so/conf/grafana/grafana_dashboards/master/{{ SN }}-Master.json
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/grafana/grafana_dashboards/master/master.json
-    - defaults:
-      SERVERNAME: {{ SN }}
-      MANINT: {{ SNDATA.manint }}
-      MONINT: {{ SNDATA.manint }}
-      CPUS: {{ SNDATA.totalcpus }}
-      UID: {{ SNDATA.guid }}
-      ROOTFS: {{ SNDATA.rootfs }}
-      NSMFS: {{ SNDATA.nsmfs }}
-
-{% endfor %}
-{% endif %}
-
-{% if salt['pillar.get']('sensorstab', False) %}
-{% for SN, SNDATA in salt['pillar.get']('sensorstab', {}).items() %}
-{% set NODETYPE = SN.split('_')|last %}
-{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
-dashboard-{{ SN }}:
-  file.managed:
-    - name: /opt/so/conf/grafana/grafana_dashboards/sensor_nodes/{{ SN }}-Sensor.json
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/grafana/grafana_dashboards/sensor_nodes/sensor.json
-    - defaults:
-      SERVERNAME: {{ SN }}
-      MONINT: {{ SNDATA.monint }}
-      MANINT: {{ SNDATA.manint }}
-      CPUS: {{ SNDATA.totalcpus }}
-      UID: {{ SNDATA.guid }}
-      ROOTFS: {{ SNDATA.rootfs }}
-      NSMFS: {{ SNDATA.nsmfs }}
-
-{% endfor %}
-{% endif %}
-
-{% if salt['pillar.get']('nodestab', False) %}
-{% for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
-{% set NODETYPE = SN.split('_')|last %}
-{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
-dashboardsearch-{{ SN }}:
-  file.managed:
-    - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes/{{ SN }}-Node.json
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/grafana/grafana_dashboards/search_nodes/searchnode.json
-    - defaults:
-      SERVERNAME: {{ SN }}
-      MANINT: {{ SNDATA.manint }}
-      MONINT: {{ SNDATA.manint }}
-      CPUS: {{ SNDATA.totalcpus }}
-      UID: {{ SNDATA.guid }}
-      ROOTFS: {{ SNDATA.rootfs }}
-      NSMFS: {{ SNDATA.nsmfs }}
-
-{% endfor %}
-{% endif %}
-
-{% if salt['pillar.get']('evaltab', False) %}
-{% for SN, SNDATA in salt['pillar.get']('evaltab', {}).items() %}
-{% set NODETYPE = SN.split('_')|last %}
-{% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
-dashboard-{{ SN }}:
-  file.managed:
-    - name: /opt/so/conf/grafana/grafana_dashboards/eval/{{ SN }}-Node.json
-    - user: 939
-    - group: 939
-    - template: jinja
-    - source: salt://common/grafana/grafana_dashboards/eval/eval.json
-    - defaults:
-      SERVERNAME: {{ SN }}
-      MANINT: {{ SNDATA.manint }}
-      MONINT: {{ SNDATA.monint }}
-      CPUS: {{ SNDATA.totalcpus }}
-      UID: {{ SNDATA.guid }}
-      ROOTFS: {{ SNDATA.rootfs }}
-      NSMFS: {{ SNDATA.nsmfs }}
-
-{% endfor %}
-{% endif %}
-
-so-grafana:
-  docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:{{ VERSION }}
-    - hostname: grafana
-    - user: socore
-    - binds:
-      - /nsm/grafana:/var/lib/grafana:rw
-      - /opt/so/conf/grafana/etc/grafana.ini:/etc/grafana/grafana.ini:ro
-      - /opt/so/conf/grafana/etc/datasources:/etc/grafana/provisioning/datasources:rw
-      - /opt/so/conf/grafana/etc/dashboards:/etc/grafana/provisioning/dashboards:rw
-      - /opt/so/conf/grafana/grafana_dashboards:/etc/grafana/grafana_dashboards:rw
-    - environment:
-      - GF_SECURITY_ADMIN_PASSWORD=augusta
-    - port_bindings:
-      - 0.0.0.0:3000:3000
-    - watch:
-      - file: /opt/so/conf/grafana/*
-
-{% endif %}

salt/common/maps/broversion.map.jinja

@@ -0,0 +1,5 @@
+{% set docker = {
+  'containers': [
+    'so-zeek'
+  ]
+} %}

salt/common/maps/domainstats.map.jinja

@@ -0,0 +1,5 @@
+{% set docker = {
+  'containers': [
+    'so-domainstats'
+  ]
+} %}

salt/common/maps/eval.map.jinja

@@ -0,0 +1,19 @@
+{% set docker = {
+  'containers': [
+    'so-filebeat',
+    'so-nginx',
+    'so-telegraf',
+    'so-dockerregistry',
+    'so-soc',
+    'so-kratos',
+    'so-idstools',
+    'so-elasticsearch',
+    'so-kibana',
+    'so-steno',
+    'so-suricata',
+    'so-zeek',
+    'so-curator',
+    'so-elastalert',
+    'so-soctopus'
+  ]
+} %}

salt/common/maps/fleet.map.jinja

@@ -0,0 +1,10 @@
+{% set docker = {
+  'containers': [
+    'so-mysql',
+    'so-fleet',
+    'so-redis',
+    'so-filebeat',
+    'so-nginx',
+    'so-telegraf'
+  ]
+} %}

salt/common/maps/fleet_master.map.jinja

@@ -0,0 +1,7 @@
+{% set docker = {
+  'containers': [
+    'so-mysql',
+    'so-fleet',
+    'so-redis'
+  ]
+} %}

salt/common/maps/freq.map.jinja

@@ -0,0 +1,5 @@
+{% set docker = {
+  'containers': [
+    'so-freqserver'
+  ]
+} %}

salt/common/maps/grafana.map.jinja

@@ -0,0 +1,6 @@
+{% set docker = {
+  'containers': [
+    'so-influxdb',
+    'so-grafana'
+  ]
+} %}

salt/common/maps/heavynode.map.jinja

@@ -0,0 +1,14 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-redis',
+    'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+    'so-steno',
+    'so-suricata',
+    'so-wazuh',
+    'so-filebeat
+  ]
+} %}

salt/common/maps/helixsensor.map.jinja

@@ -0,0 +1,12 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-idstools',
+    'so-steno',
+    'so-zeek',
+    'so-redis',
+    'so-logstash',
+    'so-filebeat
+  ]
+} %}

salt/common/maps/hotnode.map.jinja

@@ -0,0 +1,9 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+     'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+   ]
+} %}

salt/common/maps/master.map.jinja

@@ -0,0 +1,18 @@
+{% set docker = {
+  'containers': [
+    'so-dockerregistry',
+    'so-nginx',
+    'so-telegraf',
+    'so-soc',
+    'so-kratos',
+    'so-aptcacherng',
+    'so-idstools',
+    'so-redis',
+    'so-elasticsearch',
+    'so-logstash',
+    'so-kibana',
+    'so-elastalert',
+    'so-filebeat',
+    'so-soctopus'
+  ]
+} %}

salt/common/maps/mastersearch.map.jinja

@@ -0,0 +1,18 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-soc',
+    'so-kratos',
+    'so-aptcacherng',
+    'so-idstools',
+    'so-redis',
+    'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+    'so-kibana',
+    'so-elastalert',
+    'so-filebeat',
+    'so-soctopus'
+  ]
+} %}

salt/common/maps/playbook.map.jinja

@@ -0,0 +1,6 @@
+{% set docker = {
+  'containers': [
+    'so-playbook',
+    'so-navigator'
+  ]
+} %}

salt/common/maps/searchnode.map.jinja

@@ -0,0 +1,10 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+    'so-filebeat'
+  ]
+} %}

salt/common/maps/sensor.map.jinja

@@ -0,0 +1,8 @@
+{% set docker = {
+  'containers': [
+    'so-telegraf',
+    'so-steno',
+    'so-suricata',
+    'so-filebeat'
+  ]
+} %}

salt/common/maps/so-status.map.jinja

@@ -0,0 +1,45 @@
+{% set role = grains.id.split('_') | last %}
+{% from 'common/maps/'~ role ~'.map.jinja' import docker with context %}
+
+# Check if the service is enabled and append it's required containers
+# to the list predefined by the role / minion id affix
+{% macro append_containers(pillar_name, k, compare )%}
+  {% if salt['pillar.get'](pillar_name~':'~k, {}) != compare %}
+    {% from 'common/maps/'~k~'.map.jinja' import docker as d with context %}
+    {% for li in d['containers'] %}
+      {{ docker['containers'].append(li) }}
+    {% endfor %}
+  {% endif %}
+{% endmacro %}
+
+{% set docker = salt['grains.filter_by']({
+  '*_'~role: {
+    'containers': docker['containers']
+  } 
+},grain='id', merge=salt['pillar.get']('docker')) %}
+
+{% if role in ['eval', 'mastersearch', 'master', 'standalone'] %}
+  {{ append_containers('master', 'grafana', 0) }}
+  {{ append_containers('static', 'fleet_master', 0) }}
+  {{ append_containers('master', 'wazuh', 0) }}
+  {{ append_containers('master', 'thehive', 0) }}
+  {{ append_containers('master', 'playbook', 0) }}
+  {{ append_containers('master', 'freq', 0) }}
+  {{ append_containers('master', 'domainstats', 0) }}
+{% endif %}
+
+{% if role in ['eval', 'heavynode', 'sensor', 'standalone'] %}
+  {{ append_containers('static', 'strelka', 0) }}
+{% endif %}
+
+{% if role in ['heavynode', 'standalone'] %}
+  {{ append_containers('static', 'broversion', 'SURICATA') }}
+{% endif %}
+
+{% if role == 'searchnode' %}
+  {{ append_containers('master', 'wazuh', 0) }}
+{% endif %}
+
+{% if role == 'sensor' %}
+  {{ append_containers('static', 'broversion', 'SURICATA') }}
+{% endif %}

salt/common/maps/standalone.map.jinja

@@ -0,0 +1,21 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-soc',
+    'so-kratos',
+    'so-aptcacherng',
+    'so-idstools',
+    'so-redis',
+    'so-logstash',
+    'so-elasticsearch',
+    'so-curator',
+    'so-kibana',
+    'so-elastalert',
+    'so-filebeat',
+    'so-suricata',
+    'so-steno',
+    'so-dockerregistry',
+    'so-soctopus'
+  ]
+} %}

salt/common/maps/strelka.map.jinja

@@ -0,0 +1,9 @@
+{% set docker = {
+  'containers': [
+    'so-strelka-coordinator',
+    'so-strelka-gatekeeper',
+    'so-strelka-manager',
+    'so-strelka-frontend',
+    'so-strelka-filestream'
+  ]
+} %}

salt/common/maps/thehive.map.jinja

@@ -0,0 +1,7 @@
+{% set docker = {
+  'containers': [
+    'so-thehive',
+    'so-thehive-es',
+    'so-cortex'
+  ]
+} %}

salt/common/maps/warmnode.map.jinja

@@ -0,0 +1,7 @@
+{% set docker = {
+  'containers': [
+    'so-nginx',
+    'so-telegraf',
+    'so-elasticsearch'
+  ]
+} %}

salt/common/maps/wazuh.map.jinja

@@ -0,0 +1,5 @@
+{% set docker = {
+  'containers': [
+    'so-wazuh'
+  ]
+} %}

salt/common/tools/sbin/so-allow

@@ -17,6 +17,9 @@
 
 . /usr/sbin/so-common
 
+default_salt_dir=/opt/so/saltstack/default
+local_salt_dir=/opt/so/saltstack/local
+
 SKIP=0
 
 while getopts "abowi:" OPTION
@@ -42,9 +45,22 @@ do
             SKIP=1
             ;;
         w)
-            FULLROLE="wazuh_endpoint"
+            FULLROLE="wazuh_agent"
             SKIP=1
             ;;
+        s)
+            FULLROLE="syslog"
+            SKIP=1
+            ;;
+        p)
+            FULLROLE="wazuh_api"
+            SKIP=1
+            ;;
+        r)
+            FULLROLE="wazuh_authd"
+            SKIP=1
+            ;;
+
     esac
 done
 
@@ -57,8 +73,10 @@ if [ "$SKIP" -eq 0 ]; then
     echo "[a] - Analyst - ports 80/tcp and 443/tcp"
     echo "[b] - Logstash Beat - port 5044/tcp"
     echo "[o] - Osquery endpoint - port 8090/tcp"
-    echo "[w] - Wazuh endpoint - port 1514"
-    echo ""
+    echo "[s] - Syslog device - 514/tcp/udp"
+    echo "[w] - Wazuh agent - port 1514/tcp/udp"
+    echo "[p] - Wazuh API - port 55000/tcp"
+    echo "[r] - Wazuh registration service - 1515/tcp"
     echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
     read ROLE
     echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
@@ -71,7 +89,13 @@ if [ "$SKIP" -eq 0 ]; then
     elif [ "$ROLE" == "o" ]; then
         FULLROLE=osquery_endpoint
     elif [ "$ROLE" == "w" ]; then
-        FULLROLE=wazuh_endpoint
+        FULLROLE=wazuh_agent
+    elif [ "$ROLE" == "s" ]; then
+        FULLROLE=syslog
+    elif [ "$ROLE" == "p" ]; then
+        FULLROLE=wazuh_api
+    elif [ "$ROLE" == "r" ]; then
+        FULLROLE=wazuh_authd
     else
         echo "I don't recognize that role"
         exit 1
@@ -80,10 +104,11 @@ if [ "$SKIP" -eq 0 ]; then
 fi
 
 echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
-/opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
+/usr/sbin/so-firewall includehost $FULLROLE $IP
+salt-call state.apply firewall queue=True
 
 # Check if Wazuh enabled
-if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
+if grep -q -R "wazuh: 1" $local_salt_dir/pillar/*; then
     # If analyst, add to Wazuh AR whitelist
     if [ "$FULLROLE" == "analyst" ]; then
           WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"

salt/common/tools/sbin/so-bro-logs

@@ -1,11 +1,12 @@
 #!/bin/bash
+local_salt_dir=/opt/so/saltstack/local
 
 bro_logs_enabled() {
 
-  echo "brologs:" > /opt/so/saltstack/pillar/brologs.sls
-  echo "  enabled:" >> /opt/so/saltstack/pillar/brologs.sls
+  echo "brologs:" > $local_salt_dir/pillar/brologs.sls
+  echo "  enabled:" >> $local_salt_dir/pillar/brologs.sls
   for BLOG in ${BLOGS[@]}; do
-    echo "    - $BLOG" | tr -d '"' >> /opt/so/saltstack/pillar/brologs.sls
+    echo "    - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/brologs.sls
   done
 
 }

salt/common/tools/sbin/so-cortex-restart

@@ -1,5 +1,5 @@
 #!/bin/bash
-
+#
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
@@ -17,4 +17,5 @@
 
 . /usr/sbin/so-common
 
-/usr/sbin/so-restart cortex $1
+/usr/sbin/so-stop cortex $1
+/usr/sbin/so-start thehive $1

salt/common/tools/sbin/so-cortex-start

@@ -17,4 +17,4 @@
 
 . /usr/sbin/so-common
 
-/usr/sbin/so-start cortex $1
+/usr/sbin/so-start thehive $1

salt/common/tools/sbin/so-cortex-stop

@@ -1,5 +1,5 @@
 #!/bin/bash
-
+#
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify

salt/common/tools/sbin/so-docker-refresh

@@ -0,0 +1,112 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+got_root(){
+    if [ "$(id -u)" -ne 0 ]; then
+        echo "This script must be run using sudo!"
+        exit 1
+    fi
+}
+
+master_check() {
+  # Check to see if this is a master
+  MASTERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
+  if [ $MASTERCHECK == 'so-eval' ] || [ $MASTERCHECK == 'so-master' ] || [ $MASTERCHECK == 'so-mastersearch' ] || [ $MASTERCHECK == 'so-standalone' ] || [ $MASTERCHECK == 'so-helix' ]; then
+    echo "This is a master. We can proceed"
+  else
+    echo "Please run soup on the master. The master controls all updates."
+    exit 1
+  fi
+}
+
+update_docker_containers() {
+  
+  # Download the containers from the interwebs
+  for i in "${TRUSTED_CONTAINERS[@]}"
+  do
+    # Pull down the trusted docker image
+    echo "Downloading $i"
+    docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+    # Tag it with the new registry destination
+    docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
+    docker push $HOSTNAME:5000/soshybridhunter/$i
+  done
+  
+}
+
+version_check() {
+  if [ -f /etc/soversion ]; then
+    VERSION=$(cat /etc/soversion)
+  else
+    echo "Unable to detect version. I will now terminate."
+    exit 1
+  fi
+}
+got_root
+master_check
+version_check
+
+# Use the hostname
+HOSTNAME=$(hostname)
+BUILD=HH
+# List all the containers
+if [ $MASTERCHECK != 'so-helix' ]; then
+    TRUSTED_CONTAINERS=( \
+    "so-acng:$BUILD$VERSION" \
+    "so-thehive-cortex:$BUILD$VERSION" \
+    "so-curator:$BUILD$VERSION" \
+    "so-domainstats:$BUILD$VERSION" \
+    "so-elastalert:$BUILD$VERSION" \
+    "so-elasticsearch:$BUILD$VERSION" \
+    "so-filebeat:$BUILD$VERSION" \
+    "so-fleet:$BUILD$VERSION" \
+    "so-fleet-launcher:$BUILD$VERSION" \
+    "so-freqserver:$BUILD$VERSION" \
+    "so-grafana:$BUILD$VERSION" \
+    "so-idstools:$BUILD$VERSION" \
+    "so-influxdb:$BUILD$VERSION" \
+    "so-kibana:$BUILD$VERSION" \
+    "so-kratos:$BUILD$VERSION" \
+    "so-logstash:$BUILD$VERSION" \
+    "so-mysql:$BUILD$VERSION" \
+    "so-navigator:$BUILD$VERSION" \
+    "so-nginx:$BUILD$VERSION" \
+    "so-playbook:$BUILD$VERSION" \
+    "so-redis:$BUILD$VERSION" \
+    "so-soc:$BUILD$VERSION" \
+    "so-soctopus:$BUILD$VERSION" \
+    "so-steno:$BUILD$VERSION" \
+    "so-strelka:$BUILD$VERSION" \
+    "so-suricata:$BUILD$VERSION" \
+    "so-telegraf:$BUILD$VERSION" \
+    "so-thehive:$BUILD$VERSION" \
+    "so-thehive-es:$BUILD$VERSION" \
+    "so-wazuh:$BUILD$VERSION" \
+    "so-zeek:$BUILD$VERSION" )
+  else
+    TRUSTED_CONTAINERS=( \
+    "so-filebeat:$BUILD$VERSION" \
+    "so-idstools:$BUILD$VERSION" \
+    "so-logstash:$BUILD$VERSION" \
+    "so-nginx:$BUILD$VERSION" \
+    "so-redis:$BUILD$VERSION" \
+    "so-steno:$BUILD$VERSION" \
+    "so-suricata:$BUILD$VERSION" \
+    "so-telegraf:$BUILD$VERSION" \
+    "so-zeek:$BUILD$VERSION" )
+  fi
+
+update_docker_containers

salt/common/tools/sbin/so-elastalert-create

@@ -166,8 +166,7 @@ cat << EOF
 What elasticsearch index do you want to use?
 Below are the default Index Patterns used in Security Onion:
 
-*:logstash-*
-*:logstash-beats-*
+*:so-ids-*
 *:elastalert_status*
 
 EOF

salt/common/tools/sbin/so-elastic-download

@@ -2,7 +2,7 @@
 MASTER=MASTER
 VERSION="HH1.1.4"
 TRUSTED_CONTAINERS=( \
-"so-core:$VERSION" \
+"so-nginx:$VERSION" \
 "so-thehive-cortex:$VERSION" \
 "so-curator:$VERSION" \
 "so-domainstats:$VERSION" \

salt/common/tools/sbin/so-elasticsearch-templates

@@ -15,12 +15,13 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+default_salt_dir=/opt/so/saltstack/default
 ELASTICSEARCH_HOST="{{ MASTERIP}}"
 ELASTICSEARCH_PORT=9200
 #ELASTICSEARCH_AUTH=""
 
 # Define a default directory to load pipelines from
-ELASTICSEARCH_TEMPLATES="/opt/so/saltstack/salt/logstash/pipelines/templates/so/"
+ELASTICSEARCH_TEMPLATES="$default_salt_dir/salt/logstash/pipelines/templates/so/"
 
 # Wait for ElasticSearch to initialize
 echo -n "Waiting for ElasticSearch..."

salt/common/tools/sbin/so-features-enable

@@ -15,10 +15,11 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 . /usr/sbin/so-common
+local_salt_dir=/opt/so/saltstack/local
 
-VERSION=$(grep soversion /opt/so/saltstack/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
+VERSION=$(grep soversion $local_salt_dir/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
 # Modify static.sls to enable Features
-sed -i 's/features: False/features: True/' /opt/so/saltstack/pillar/static.sls
+sed -i 's/features: False/features: True/' $local_salt_dir/pillar/static.sls
 SUFFIX="-features"
 TRUSTED_CONTAINERS=( \
   "so-elasticsearch:$VERSION$SUFFIX" \

salt/common/tools/sbin/so-firewall

@@ -0,0 +1,305 @@
+#!/usr/bin/env python3
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import subprocess
+import sys
+import yaml
+
+hostgroupsFilename = "/opt/so/saltstack/local/salt/firewall/hostgroups.local.yaml"
+portgroupsFilename = "/opt/so/saltstack/local/salt/firewall/portgroups.local.yaml"
+supportedProtocols = ['tcp', 'udp']
+
+def showUsage(args):
+  print('Usage: {} [OPTIONS] <COMMAND> [ARGS...]'.format(sys.argv[0]))
+  print('  Options:')
+  print('   --apply       - After updating the firewall configuration files, apply the new firewall state')
+  print('')
+  print('  Available commands:')
+  print('   help          - Prints this usage information.')
+  print('   includedhosts - Lists the IPs included in the given group. Args: <GROUP_NAME>')
+  print('   excludedhosts - Lists the IPs excluded from the given group. Args: <GROUP_NAME>')
+  print('   includehost   - Includes the given IP in the given group. Args: <GROUP_NAME> <IP>')
+  print('   excludehost   - Excludes the given IP from the given group. Args: <GROUP_NAME> <IP>')
+  print('   removehost    - Removes an excluded IP from the given group. Args: <GROUP_NAME> <IP>')
+  print('   addhostgroup  - Adds a new, custom host group. Args: <GROUP_NAME>')
+  print('   listports     - Lists ports in the given group and protocol. Args: <GROUP_NAME> <PORT_PROTOCOL>')
+  print('   addport       - Adds a PORT to the given group. Args: <GROUP_NAME> <PORT_PROTOCOL> <PORT>')
+  print('   removeport    - Removes a PORT from the given group. Args: <GROUP_NAME> <PORT_PROTOCOL> <PORT>')
+  print('   addportgroup  - Adds a new, custom port group. Args: <GROUP_NAME>')
+  print('')
+  print('  Where:')
+  print('   GROUP_NAME    - The name of an alias group (Ex: analyst)')
+  print('   IP            - Either a single IP address (Ex: 8.8.8.8) or a CIDR block (Ex: 10.23.0.0/16).')
+  print('   PORT_PROTOCOL - Must be one of the following: ' + str(supportedProtocols))
+  print('   PORT          - Either a single numeric port (Ex: 443), or a port range (Ex: 8000:8002).')
+  sys.exit(1)
+
+def loadYaml(filename):
+  file = open(filename, "r")
+  return yaml.load(file.read())
+
+def writeYaml(filename, content):
+  file = open(filename, "w")
+  return yaml.dump(content, file)
+
+def listIps(name, mode):
+  content = loadYaml(hostgroupsFilename)
+  if name not in content['firewall']['hostgroups']:
+    print('Host group does not exist', file=sys.stderr)
+    return 4
+  hostgroup = content['firewall']['hostgroups'][name]
+  ips = hostgroup['ips'][mode]
+  if ips is not None:
+    for ip in ips:
+      print(ip)
+  return 0
+
+def addIp(name, ip, mode):
+  content = loadYaml(hostgroupsFilename)
+  if name not in content['firewall']['hostgroups']:
+    print('Host group does not exist', file=sys.stderr)
+    return 4
+  hostgroup = content['firewall']['hostgroups'][name]
+  ips = hostgroup['ips'][mode]
+  if ips is None:
+    ips = []
+    hostgroup['ips'][mode] = ips
+  if ip not in ips:
+    ips.append(ip)
+  else:
+    print('Already exists', file=sys.stderr)
+    return 3
+  writeYaml(hostgroupsFilename, content)
+  return 0
+
+def removeIp(name, ip, mode, silence = False):
+  content = loadYaml(hostgroupsFilename)
+  if name not in content['firewall']['hostgroups']:
+    print('Host group does not exist', file=sys.stderr)
+    return 4
+  hostgroup = content['firewall']['hostgroups'][name]
+  ips = hostgroup['ips'][mode]
+  if ips is None:
+    ips = []
+    hostgroup['ips'][mode] = ips
+  if ip in ips:
+    ips.remove(ip)
+  else:
+    if not silence:
+      print('IP does not exist', file=sys.stderr)
+      return 3
+  writeYaml(hostgroupsFilename, content)
+  return 0
+
+def createProtocolMap():
+  map = {}
+  for protocol in supportedProtocols:
+    map[protocol] = []
+  return map
+
+def addhostgroup(args):
+  if len(args) != 1:
+    print('Missing host group name argument', file=sys.stderr)
+    showUsage(args)
+
+  name = args[1]
+  content = loadYaml(hostgroupsFilename)
+  if name in content['firewall']['hostgroups']:
+    print('Already exists', file=sys.stderr)
+    return 3
+  content['firewall']['hostgroups'][name] = { 'ips': { 'insert': [], 'delete': [] }}
+  writeYaml(hostgroupsFilename, content)
+  return 0
+
+def addportgroup(args):
+  if len(args) != 1:
+    print('Missing port group name argument', file=sys.stderr)
+    showUsage(args)
+
+  name = args[0]
+  content = loadYaml(portgroupsFilename)
+  ports = content['firewall']['aliases']['ports']
+  if ports is None:
+    ports = {}
+    content['firewall']['aliases']['ports'] = ports
+  if name in ports:
+    print('Already exists', file=sys.stderr)
+    return 3
+  ports[name] = createProtocolMap()
+  writeYaml(portgroupsFilename, content)
+  return 0
+
+def listports(args):
+  if len(args) != 2:
+    print('Missing port group name or port protocol', file=sys.stderr)
+    showUsage(args)
+
+  name = args[0]
+  protocol = args[1]
+  if protocol not in supportedProtocols:
+    print('Port protocol is not supported', file=sys.stderr)
+    return 5
+
+  content = loadYaml(portgroupsFilename)
+  ports = content['firewall']['aliases']['ports']
+  if ports is None:
+    ports = {}
+    content['firewall']['aliases']['ports'] = ports
+  if name not in ports:
+    print('Port group does not exist', file=sys.stderr)
+    return 3
+  ports = ports[name][protocol]
+  if ports is not None:
+    for port in ports:
+      print(port)
+  return 0
+
+def addport(args):
+  if len(args) != 3:
+    print('Missing port group name or port protocol, or port argument', file=sys.stderr)
+    showUsage(args)
+
+  name = args[0]
+  protocol = args[1]
+  port = args[2]
+  if protocol not in supportedProtocols:
+    print('Port protocol is not supported', file=sys.stderr)
+    return 5
+
+  content = loadYaml(portgroupsFilename)
+  ports = content['firewall']['aliases']['ports']
+  if ports is None:
+    ports = {}
+    content['firewall']['aliases']['ports'] = ports
+  if name not in ports:
+    print('Port group does not exist', file=sys.stderr)
+    return 3
+  ports = ports[name][protocol]
+  if ports is None:
+    ports = []
+    content['firewall']['aliases']['ports'][name][protocol] = ports
+  if port in ports:
+    print('Already exists', file=sys.stderr)
+    return 3
+  ports.append(port)
+  writeYaml(portgroupsFilename, content)
+  return 0
+
+def removeport(args):
+  if len(args) != 3:
+    print('Missing port group name or port protocol, or port argument', file=sys.stderr)
+    showUsage(args)
+
+  name = args[0]
+  protocol = args[1]
+  port = args[2]
+  if protocol not in supportedProtocols:
+    print('Port protocol is not supported', file=sys.stderr)
+    return 5
+
+  content = loadYaml(portgroupsFilename)
+  ports = content['firewall']['aliases']['ports']
+  if ports is None:
+    ports = {}
+    content['firewall']['aliases']['ports'] = ports
+  if name not in ports:
+    print('Port group does not exist', file=sys.stderr)
+    return 3
+  ports = ports[name][protocol]
+  if ports is None or port not in ports:
+    print('Port does not exist', file=sys.stderr)
+    return 3
+  ports.remove(port)
+  writeYaml(portgroupsFilename, content)
+  return 0
+
+def includedhosts(args):
+  if len(args) != 1:
+    print('Missing host group name argument', file=sys.stderr)
+    showUsage(args)
+  return listIps(args[0], 'insert')
+
+def excludedhosts(args):
+  if len(args) != 1:
+    print('Missing host group name argument', file=sys.stderr)
+    showUsage(args)
+  return listIps(args[0], 'delete')
+
+def includehost(args):
+  if len(args) != 2:
+    print('Missing host group name or ip argument', file=sys.stderr)
+    showUsage(args)
+  result = addIp(args[0], args[1], 'insert')
+  if result == 0:
+    removeIp(args[0], args[1], 'delete', True)
+  return result
+
+def excludehost(args):
+  if len(args) != 2:
+    print('Missing host group name or ip argument', file=sys.stderr)
+    showUsage(args)
+  result = addIp(args[0], args[1], 'delete')
+  if result == 0:
+    removeIp(args[0], args[1], 'insert', True)
+  return result
+
+def removehost(args):
+  if len(args) != 2:
+    print('Missing host group name or ip argument', file=sys.stderr)
+    showUsage(args)
+  return removeIp(args[0], args[1], 'delete')
+
+def apply():
+  proc = subprocess.run(['salt-call', 'state.apply', 'firewall', 'queue=True'])
+  return proc.returncode
+
+def main():
+  options = []
+  args = sys.argv[1:]
+  for option in args:
+    if option.startswith("--"):
+      options.append(option)
+      args.remove(option)
+
+  if len(args) == 0:
+    showUsage(None)
+
+  commands = {
+    "help": showUsage,
+    "includedhosts": includedhosts,
+    "excludedhosts": excludedhosts,
+    "includehost": includehost,
+    "excludehost": excludehost,
+    "removehost": removehost,
+    "listports": listports,
+    "addport": addport,
+    "removeport": removeport,
+    "addhostgroup": addhostgroup,
+    "addportgroup": addportgroup
+  }
+  
+  cmd = commands.get(args[0], showUsage)
+  code = cmd(args[1:])
+
+
+  if code == 0 and "--apply" in options:
+    code = apply()
+
+  sys.exit(code)
+
+if __name__ == "__main__":
+  main()

salt/common/tools/sbin/so-fleet-setup

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+#so-fleet-setup $FleetEmail $FleetPassword 
+
+if [[ $# -ne 2 ]] ; then
+      echo "Username or Password was not set - exiting now."
+      exit 1
+fi
+
+# Checking to see if required containers are started...
+if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
+        echo "Starting Docker Containers..."
+        salt-call state.apply mysql queue=True >> /root/fleet-setup.log
+        salt-call state.apply fleet queue=True >> /root/fleet-setup.log
+        salt-call state.apply redis queue=True >> /root/fleet-setup.log
+fi
+
+docker exec so-fleet fleetctl config set --address https://localhost:8080 --tls-skip-verify --url-prefix /fleet
+docker exec so-fleet fleetctl setup --email $1 --password $2
+
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
+docker exec so-fleet fleetctl apply -f /packs/so/so-default.yml
+docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done'
+docker exec so-fleet fleetctl apply -f /packs/osquery-config.conf
+
+
+# Enable Fleet
+echo "Enabling Fleet..."
+salt-call state.apply fleet.event_enable-fleet queue=True >> /root/fleet-setup.log
+salt-call state.apply nginx queue=True >> /root/fleet-setup.log
+
+# Generate osquery install packages
+echo "Generating osquery install packages - this will take some time..."
+salt-call state.apply fleet.event_gen-packages queue=True >> /root/fleet-setup.log
+sleep 120
+
+echo "Installing launcher via salt..."
+salt-call state.apply fleet.install_package queue=True >> /root/fleet-setup.log
+salt-call state.apply filebeat queue=True >> /root/fleet-setup.log
+docker stop so-nginx
+salt-call state.apply nginx queue=True >> /root/fleet-setup.log
+
+echo "Fleet Setup Complete - Login with the username and password you ran the script with."

salt/common/tools/sbin/so-helix-apikey

@@ -1,4 +1,7 @@
 #!/bin/bash
+
+local_salt_dir=/opt/so/saltstack/local
+
 got_root() {
 
   # Make sure you are root
@@ -10,13 +13,13 @@ got_root() {
 }
 
 got_root
-if [ ! -f /opt/so/saltstack/pillar/fireeye/init.sls ]; then
+if [ ! -f $local_salt_dir/pillar/fireeye/init.sls ]; then
   echo "This is nto configured for Helix Mode. Please re-install."
   exit
 else
   echo "Enter your Helix API Key: "
   read APIKEY
-  sed -i "s/^    api_key.*/    api_key: $APIKEY/g" /opt/so/saltstack/pillar/fireeye/init.sls
+  sed -i "s/^    api_key.*/    api_key: $APIKEY/g" $local_salt_dir/pillar/fireeye/init.sls
   docker stop so-logstash
   docker rm so-logstash
   echo "Restarting Logstash for updated key"

salt/common/tools/sbin/so-kibana-config-export

@@ -1,6 +1,35 @@
-
 #!/bin/bash
-KIBANA_HOST=10.66.166.141
+#
+# {%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master', False) -%}
+# {%- set FLEET_NODE = salt['pillar.get']('static:fleet_node', False) -%}
+# {%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', '') %}
+# {%- set MASTER = salt['pillar.get']('master:url_base', '') %}
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+KIBANA_HOST={{ MASTER }}
 KSO_PORT=5601
-OUTFILE="saved_objects.json"
-curl -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": "index-pattern", "type": "config", "type": "dashboard", "type": "query", "type": "search", "type": "url", "type": "visualization" }' -o $OUTFILE
+OUTFILE="saved_objects.ndjson"
+curl -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": [ "index-pattern", "config", "visualization", "dashboard", "search" ], "excludeExportDetails": false }' > $OUTFILE
+
+# Clean up using PLACEHOLDER
+sed -i "s/$KIBANA_HOST/PLACEHOLDER/g" $OUTFILE
+
+# Clean up for Fleet, if applicable
+# {% if FLEET_NODE or FLEET_MASTER %}
+# Fleet IP
+sed -i "s/{{ MASTER }}/FLEETPLACEHOLDER/g" $OUTFILE
+# {% endif %}

salt/common/tools/sbin/so-saltstack-update

@@ -0,0 +1,57 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+default_salt_dir=/opt/so/saltstack/default
+clone_to_tmp() {
+
+  # TODO Need to add a air gap option
+  # Make a temp location for the files
+  mkdir /tmp/sogh
+  cd /tmp/sogh
+  #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+  git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+  cd /tmp
+
+}
+
+copy_new_files() {
+
+  # Copy new files over to the salt dir
+  cd /tmp/sogh/securityonion-saltstack
+  git checkout $BRANCH
+  rsync -a --exclude-from 'exclude-list.txt' salt $default_salt_dir/
+  rsync -a --exclude-from 'exclude-list.txt' pillar $default_salt_dir/
+  chown -R socore:socore $default_salt_dir/salt
+  chown -R socore:socore $default_salt_dir/pillar
+  chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh
+  rm -rf /tmp/sogh
+}
+
+got_root(){
+    if [ "$(id -u)" -ne 0 ]; then
+        echo "This script must be run using sudo!"
+        exit 1
+    fi
+}
+
+got_root
+if [ $# -ne 1 ] ; then
+  BRANCH=master
+else
+  BRANCH=$1
+fi
+clone_to_tmp
+copy_new_files

salt/common/tools/sbin/so-start

@@ -32,5 +32,5 @@ fi
 case $1 in
    "all") salt-call state.highstate queue=True;;
    "steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;; 
-   *) if docker ps | grep -q so-$1; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; 
+   *) if docker ps | grep -E -q '^so-$1$'; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; 
 esac

salt/common/tools/sbin/so-status

@@ -14,35 +14,8 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-{%- set pillar_suffix = ':containers' -%}
-{%- if (salt['grains.get']('role') == 'so-mastersearch') -%}
-    {%- set pillar_val = 'master_search' -%}
-{%- elif (salt['grains.get']('role') == 'so-master') -%}
-    {%- set pillar_val = 'master' -%}
-{%- elif (salt['grains.get']('role') == 'so-heavynode') -%}
-    {%- set pillar_val = 'heavy_node' -%}
-{%- elif (salt['grains.get']('role') == 'so-sensor') -%}
-    {%- set pillar_val = 'sensor' -%}
-{%- elif (salt['grains.get']('role') == 'so-eval') -%}
-    {%- set pillar_val = 'eval' -%}
-{%- elif (salt['grains.get']('role') == 'so-fleet') -%}
-    {%- set pillar_val = 'fleet' -%}
-{%- elif (salt['grains.get']('role') == 'so-helix') -%}
-    {%- set pillar_val = 'helix' -%}
-{%- elif (salt['grains.get']('role') == 'so-node') -%}
-    {%- if (salt['pillar.get']('node:node_type') == 'parser') -%}
-        {%- set pillar_val = 'parser_node' -%}
-    {%- elif (salt['pillar.get']('node:node_type') == 'hot') -%}
-        {%- set pillar_val = 'hot_node' -%}
-    {%- elif (salt['pillar.get']('node:node_type') == 'warm') -%}
-        {%- set pillar_val = 'warm_node' -%}
-    {%- elif (salt['pillar.get']('node:node_type') == 'search') -%}
-        {%- set pillar_val = 'search_node' -%}
-    {%- endif -%}
-{%- endif -%}
-{%- set pillar_name = pillar_val ~ pillar_suffix -%}
-{%- set container_list = salt['pillar.get'](pillar_name) %}
+{%- from 'common/maps/so-status.map.jinja' import docker with context %}
+{%- set container_list = docker['containers'] | sort %}
 
 if ! [ "$(id -u)" = 0 ]; then
    echo "This command must be run as root"

salt/common/tools/sbin/so-thehive-es-restart

@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop thehive-es $1
+/usr/sbin/so-start thehive $1

salt/common/tools/sbin/so-thehive-es-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start thehive $1

salt/common/tools/sbin/so-thehive-es-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop thehive-es $1

salt/common/tools/sbin/so-thehive-restart

@@ -1,5 +1,5 @@
 #!/bin/bash
-
+#
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify

salt/common/tools/sbin/so-thehive-stop

@@ -1,5 +1,5 @@
 #!/bin/bash
-
+#
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify

salt/common/tools/sbin/so-zeek-stats

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Show Zeek stats (capstats, netstats)
+
+show_stats() {
+  echo '##############'
+  echo '# Zeek Stats #'
+  echo '##############'
+  echo
+  echo "Average throughput:"
+  echo
+  docker exec -it so-zeek /opt/zeek/bin/zeekctl capstats
+  echo
+  echo "Average packet loss:"
+  echo
+  docker exec -it so-zeek /opt/zeek/bin/zeekctl netstats
+  echo
+}
+
+if docker ps | grep -q zeek; then
+  show_stats
+else
+  echo "Zeek is not running! Try starting it with 'so-zeek-start'." && exit 1;
+fi

salt/curator/files/action/close.yml

@@ -1,12 +1,8 @@
-{% if grains['role'] == 'so-node' %}
-
-{%- set cur_close_days = salt['pillar.get']('node:cur_close_days', '') -%}
-
-{% elif grains['role'] == 'so-eval' %}
-
-{%- set cur_close_days = salt['pillar.get']('master:cur_close_days', '') -%}
-
-{%- endif %}
+{%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %}
+  {%- set cur_close_days = salt['pillar.get']('node:cur_close_days', '') -%}
+{%- elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %}
+  {%- set cur_close_days = salt['pillar.get']('master:cur_close_days', '') -%}
+{%- endif -%}
 
 ---
 # Remember, leave a key empty if there is no value.  None will be a string,
@@ -28,9 +24,8 @@ actions:
       disable_action: False
     filters:
     - filtertype: pattern
-      kind: prefix
-      value: logstash-
-      exclude:
+      kind: regex 
+      value: '^(logstash-.*|so-.*)$'
     - filtertype: age
       source: name
       direction: older

salt/curator/files/action/delete.yml

@@ -1,11 +1,7 @@
-{% if grains['role'] == 'so-node' %}
-
-{%- set log_size_limit = salt['pillar.get']('node:log_size_limit', '') -%}
-
-{% elif grains['role'] == 'so-eval' %}
-
-{%- set log_size_limit = salt['pillar.get']('master:log_size_limit', '') -%}
-
+{%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %}
+  {%- set log_size_limit = salt['pillar.get']('node:log_size_limit', '') -%}
+{%- elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %}
+  {%- set log_size_limit = salt['pillar.get']('master:log_size_limit', '') -%}
 {%- endif %}
 ---
 # Remember, leave a key empty if there is no value.  None will be a string,
@@ -24,8 +20,8 @@ actions:
       disable_action: False
     filters:
     - filtertype: pattern
-      kind: prefix
-      value: logstash-
+      kind: regex
+      value: '^(logstash-.*|so-.*)$'
     - filtertype: space
       source: creation_date
       use_age: True

salt/curator/files/bin/so-curator-closed-delete-delete

@@ -1,17 +1,13 @@
 
-{% if grains['role'] == 'so-node' %}
-
-{%- set ELASTICSEARCH_HOST = salt['pillar.get']('node:mainip', '') -%}
-{%- set ELASTICSEARCH_PORT = salt['pillar.get']('node:es_port', '') -%}
-{%- set LOG_SIZE_LIMIT = salt['pillar.get']('node:log_size_limit', '') -%}
-
-{% elif grains['role'] == 'so-eval' %}
-
-{%- set ELASTICSEARCH_HOST = salt['pillar.get']('master:mainip', '') -%}
-{%- set ELASTICSEARCH_PORT = salt['pillar.get']('master:es_port', '') -%}
-{%- set LOG_SIZE_LIMIT = salt['pillar.get']('master:log_size_limit', '') -%}
-
-{%- endif %}
+{%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %}
+  {%- set ELASTICSEARCH_HOST = salt['pillar.get']('node:mainip', '') -%}  
+  {%- set ELASTICSEARCH_PORT = salt['pillar.get']('node:es_port', '') -%}
+  {%- set LOG_SIZE_LIMIT = salt['pillar.get']('node:log_size_limit', '') -%}
+{%- elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %}
+  {%- set ELASTICSEARCH_HOST = salt['pillar.get']('master:mainip', '') -%}
+  {%- set ELASTICSEARCH_PORT = salt['pillar.get']('master:es_port', '') -%}
+  {%- set LOG_SIZE_LIMIT = salt['pillar.get']('master:log_size_limit', '') -%}
+{%- endif -%}
 
 #!/bin/bash
 #
@@ -37,17 +33,17 @@ LOG="/opt/so/log/curator/so-curator-closed-delete.log"
 
 # Check for 2 conditions:
 # 1. Are Elasticsearch indices using more disk space than LOG_SIZE_LIMIT?
-# 2. Are there any closed logstash- indices that we can delete?
+# 2. Are there any closed logstash-, or so- indices that we can delete?
 # If both conditions are true, keep on looping until one of the conditions is false.
 while [[ $(du -hs --block-size=1GB /nsm/elasticsearch/nodes | awk '{print $1}' ) -gt "{{LOG_SIZE_LIMIT}}" ]] &&
-curl -s {{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices | grep "^      close logstash-" > /dev/null; do
+curl -s {{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices | grep -E "^      close (logstash-|so-)" > /dev/null; do
 
 	# We need to determine OLDEST_INDEX.
-	# First, get the list of closed indices that are prefixed with "logstash-".
+	# First, get the list of closed indices that are prefixed with "logstash-" or "so-".
 	# For example: logstash-ids-YYYY.MM.DD
 	# Then, sort by date by telling sort to use hyphen as delimiter and then sort on the third field.
 	# Finally, select the first entry in that sorted list.
-	OLDEST_INDEX=$(curl -s {{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices | grep "^      close logstash-" | awk '{print $2}' | sort -t- -k3 | head -1)
+	OLDEST_INDEX=$(curl -s {{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices | grep -E "^      close (logstash-|so-)" | awk '{print $2}' | sort -t- -k3 | head -1)
 
 	# Now that we've determined OLDEST_INDEX, ask Elasticsearch to delete it.
 	curl -XDELETE {{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX}

salt/curator/files/curator.yml

@@ -1,11 +1,7 @@
-{% if grains['role'] == 'so-node' %}
-
-{%- set elasticsearch = salt['pillar.get']('node:mainip', '') -%}
-
-{% elif grains['role'] == 'so-eval' %}
-
-{%- set elasticsearch = salt['pillar.get']('master:mainip', '') -%}
-
+{% if grains['role'] in ['so-node', 'so-heavynode'] %}
+  {%- set elasticsearch = salt['pillar.get']('node:mainip', '') -%}
+{% elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %}
+  {%- set elasticsearch = salt['pillar.get']('master:mainip', '') -%}
 {%- endif %}
 
 ---

salt/curator/init.sls

@@ -1,6 +1,6 @@
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
-{% if grains['role'] == 'so-node' or grains['role'] == 'so-eval' %}
+{% if grains['role'] in ['so-eval', 'so-node', 'so-mastersearch', 'so-heavynode', 'so-standalone'] %}
 # Curator
 # Create the group
 curatorgroup:
@@ -89,7 +89,7 @@ curdel:
 
 so-curatorcloseddeletecron:
  cron.present:
-   - name: /usr/sbin/so-curator-closed-delete
+   - name: /usr/sbin/so-curator-closed-delete > /opt/so/log/curator/cron-closed-delete.log 2>&1
    - user: root
    - minute: '*'
    - hour: '*'
@@ -99,7 +99,7 @@ so-curatorcloseddeletecron:
 
 so-curatorclosecron:
  cron.present:
-   - name: /usr/sbin/so-curator-close
+   - name: /usr/sbin/so-curator-close > /opt/so/log/curator/cron-close.log 2>&1
    - user: root
    - minute: '*'
    - hour: '*'
@@ -109,7 +109,7 @@ so-curatorclosecron:
 
 so-curatordeletecron:
  cron.present:
-   - name: /usr/sbin/so-curator-delete
+   - name: /usr/sbin/so-curator-delete > /opt/so/log/curator/cron-delete.log 2>&1
    - user: root
    - minute: '*'
    - hour: '*'

salt/docker/init.sls

@@ -0,0 +1,8 @@
+installdocker:
+  pkg.installed:
+    - name: docker-ce
+
+# Make sure Docker is running!
+docker:
+  service.running:
+    - enable: True

salt/elastalert/files/elastalert_config.yaml

@@ -2,7 +2,7 @@
 {% set esport = salt['pillar.get']('master:es_port', '') %}
 # This is the folder that contains the rule yaml files
 # Any .yaml file will be loaded as a rule
-rules_folder: /etc/elastalert/rules/
+rules_folder: /opt/elastalert/rules/
 
 # Sets whether or not ElastAlert should recursively descend
 # the rules directory - true or false

salt/elastalert/files/modules/so/thehive.py

@@ -1,107 +0,0 @@
-# -*- coding: utf-8 -*-
-# HiveAlerter modified from original at: https://raw.githubusercontent.com/Nclose-ZA/elastalert_hive_alerter/master/elastalert_hive_alerter/hive_alerter.py
-
-import uuid
-
-from elastalert.alerts import Alerter
-from thehive4py.api import TheHiveApi
-from thehive4py.models import Alert, AlertArtifact, CustomFieldHelper
-
-
-class TheHiveAlerter(Alerter):
-    """
-    Use matched data to create alerts containing observables in an instance of TheHive
-    """
-
-    required_options = set(['hive_connection', 'hive_alert_config'])
-
-    def get_aggregation_summary_text(self, matches):
-        text = super(TheHiveAlerter, self).get_aggregation_summary_text(matches)
-        if text:
-            text = '```\n{0}```\n'.format(text)
-        return text
-
-    def create_artifacts(self, match):
-        artifacts = []
-        context = {'rule': self.rule, 'match': match}
-        for mapping in self.rule.get('hive_observable_data_mapping', []):
-            for observable_type, match_data_key in mapping.items():
-                try:
-                    artifacts.append(AlertArtifact(dataType=observable_type, data=match_data_key.format(**context)))
-                except KeyError as e:
-                    print(('format string {} fail cause no key {} in {}'.format(e, match_data_key, context)))
-        return artifacts
-
-    def create_alert_config(self, match):
-        context = {'rule': self.rule, 'match': match}
-        alert_config = {
-            'artifacts': self.create_artifacts(match),
-            'sourceRef': str(uuid.uuid4())[0:6],
-            'title': '{rule[name]}'.format(**context)
-        }
-
-        alert_config.update(self.rule.get('hive_alert_config', {}))
-
-        for alert_config_field, alert_config_value in alert_config.items():
-            if alert_config_field == 'customFields':
-                custom_fields = CustomFieldHelper()
-                for cf_key, cf_value in alert_config_value.items():
-                    try:
-                        func = getattr(custom_fields, 'add_{}'.format(cf_value['type']))
-                    except AttributeError:
-                        raise Exception('unsupported custom field type {}'.format(cf_value['type']))
-                    value = cf_value['value'].format(**context)
-                    func(cf_key, value)
-                alert_config[alert_config_field] = custom_fields.build()
-            elif isinstance(alert_config_value, str):
-                alert_config[alert_config_field] = alert_config_value.format(**context)
-            elif isinstance(alert_config_value, (list, tuple)):
-                formatted_list = []
-                for element in alert_config_value:
-                    try:
-                        formatted_list.append(element.format(**context))
-                    except (AttributeError, KeyError, IndexError):
-                        formatted_list.append(element)
-                alert_config[alert_config_field] = formatted_list
-
-        return alert_config
-
-    def send_to_thehive(self, alert_config):
-        connection_details = self.rule['hive_connection']
-        api = TheHiveApi(
-            connection_details.get('hive_host', ''),
-            connection_details.get('hive_apikey', ''),
-            proxies=connection_details.get('hive_proxies', {'http': '', 'https': ''}),
-            cert=connection_details.get('hive_verify', False))
-
-        alert = Alert(**alert_config)
-        response = api.create_alert(alert)
-
-        if response.status_code != 201:
-            raise Exception('alert not successfully created in TheHive\n{}'.format(response.text))
-
-    def alert(self, matches):
-        if self.rule.get('hive_alert_config_type', 'custom') != 'classic':
-            for match in matches:
-                alert_config = self.create_alert_config(match)
-                self.send_to_thehive(alert_config)
-        else:
-            alert_config = self.create_alert_config(matches[0])
-            artifacts = []
-            for match in matches:
-                artifacts += self.create_artifacts(match)
-                if 'related_events' in match:
-                    for related_event in match['related_events']:
-                        artifacts += self.create_artifacts(related_event)
-
-            alert_config['artifacts'] = artifacts
-            alert_config['title'] = self.create_title(matches)
-            alert_config['description'] = self.create_alert_body(matches)
-            self.send_to_thehive(alert_config)
-
-    def get_info(self):
-
-        return {
-            'type': 'hivealerter',
-            'hive_host': self.rule.get('hive_connection', {}).get('hive_host', '')
-        }

salt/elastalert/files/rules/so/nids2hive.yaml

@@ -1,6 +1,8 @@
 {% set es = salt['pillar.get']('static:masterip', '') %}
 {% set hivehost = salt['pillar.get']('static:masterip', '') %}
 {% set hivekey = salt['pillar.get']('static:hivekey', '') %}
+{% set MASTER = salt['pillar.get']('master:url_base', '') %}
+
 # hive.yaml
 # Elastalert rule to forward IDS alerts from Security Onion to a specified TheHive instance.
 #
@@ -15,7 +17,7 @@ timeframe:
 buffer_time:
     minutes: 10
 allow_buffer_time_overlap: true
-query_key: ["rule.signature_id"]
+query_key: ["rule.uuid"]
 realert:
     days: 1
 filter:
@@ -23,12 +25,13 @@ filter:
    query_string:
       query: "event.module: suricata"
 
-alert: modules.so.thehive.TheHiveAlerter
+alert: hivealerter
 
 hive_connection:
-  hive_host: https://{{hivehost}}/thehive/
+  hive_host: http://{{hivehost}}
+  hive_port: 9000/thehive
   hive_apikey: {{hivekey}}
-
+  
 hive_proxies:
   http: ''
   https: ''
@@ -37,9 +40,9 @@ hive_alert_config:
   title: '{match[rule][name]}'
   type: 'NIDS'
   source: 'SecurityOnion'
-  description: "`NIDS Dashboard:` \n\n <https://{{es}}/kibana/app/kibana#/dashboard/ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'sid:')),sort:!('@timestamp',desc))> \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}"
+  description: "`Hunting Pivot:` \n\n <https://{{MASTER}}/#/hunt?q=event.module%3A%20suricata%20AND%20rule.uuid%3A{match[rule][uuid]}%20%7C%20groupby%20source.ip%20destination.ip%20rule.name>  \n\n `Kibana Dashboard - Signature Drilldown:` \n\n <https://{{MASTER}}/kibana/app/kibana#/dashboard/ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'sid:')),sort:!('@timestamp',desc))> \n\n `Kibana Dashboard - Community_ID:` \n\n <https://{{MASTER}}/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'*:so-*',key:network.community_id,negate:!f,params:(query:'{match[network][community_id]}'),type:phrase),query:(match_phrase:(network.community_id:'{match[network][community_id]}')))),refreshInterval:(pause:!t,value:0),time:(from:now-7d,to:now))>  \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}"
   severity: 2
-  tags: ['{match[rule][signature_id]}','{match[source][ip]}','{match[destination][ip]}']
+  tags: ['{match[rule][uuid]}','{match[source][ip]}','{match[destination][ip]}']
   tlp: 3
   status: 'New'
   follow: True

salt/elastalert/init.sls

@@ -12,26 +12,15 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
-{% if grains['role'] == 'so-master' %}
-
-{% set esalert = salt['pillar.get']('master:elastalert', '1') %}
-{% set esip = salt['pillar.get']('master:mainip', '') %}
-{% set esport = salt['pillar.get']('master:es_port', '') %}
-
-
-{% elif grains['role'] in ['so-eval','so-mastersearch'] %}
-
-{% set esalert = salt['pillar.get']('master:elastalert', '1') %}
-{% set esip = salt['pillar.get']('master:mainip', '') %}
-{% set esport = salt['pillar.get']('master:es_port', '') %}
-
 
+{% if grains['role'] in ['so-eval','so-mastersearch', 'so-master', 'so-standalone'] %}
+  {% set esalert = salt['pillar.get']('master:elastalert', '1') %}
+  {% set esip = salt['pillar.get']('master:mainip', '') %}
+  {% set esport = salt['pillar.get']('master:es_port', '') %}
 {% elif grains['role'] == 'so-node' %}
-
-{% set esalert = salt['pillar.get']('node:elastalert', '0') %}
-
+  {% set esalert = salt['pillar.get']('node:elastalert', '0') %}
 {% endif %}
 
 # Elastalert
@@ -55,35 +44,35 @@ elastalogdir:
   file.directory:
     - name: /opt/so/log/elastalert
     - user: 933
-    - group: 939
+    - group: 933
     - makedirs: True
 
 elastarules:
   file.directory:
     - name: /opt/so/rules/elastalert
     - user: 933
-    - group: 939
+    - group: 933
     - makedirs: True
 
 elastaconfdir:
   file.directory:
     - name: /opt/so/conf/elastalert
     - user: 933
-    - group: 939
+    - group: 933
     - makedirs: True
 
 elastasomodulesdir:
   file.directory:
     - name: /opt/so/conf/elastalert/modules/so
     - user: 933
-    - group: 939
+    - group: 933
     - makedirs: True
 
 elastacustmodulesdir:
   file.directory:
     - name: /opt/so/conf/elastalert/modules/custom
     - user: 933
-    - group: 939
+    - group: 933
     - makedirs: True
 
 elastasomodulesync:
@@ -91,7 +80,7 @@ elastasomodulesync:
     - name: /opt/so/conf/elastalert/modules/so
     - source: salt://elastalert/files/modules/so
     - user: 933
-    - group: 939
+    - group: 933
     - makedirs: True
 
 elastarulesync:
@@ -99,7 +88,7 @@ elastarulesync:
     - name: /opt/so/rules/elastalert
     - source: salt://elastalert/files/rules/so
     - user: 933
-    - group: 939
+    - group: 933
     - template: jinja
 
 elastaconf:
@@ -107,7 +96,7 @@ elastaconf:
     - name: /opt/so/conf/elastalert/elastalert_config.yaml
     - source: salt://elastalert/files/elastalert_config.yaml
     - user: 933
-    - group: 939
+    - group: 933
     - template: jinja
 
 so-elastalert:
@@ -118,16 +107,9 @@ so-elastalert:
     - user: elastalert
     - detach: True
     - binds:
-      - /opt/so/rules/elastalert:/etc/elastalert/rules/:ro
+      - /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
       - /opt/so/log/elastalert:/var/log/elastalert:rw
       - /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro
-      - /opt/so/conf/elastalert/elastalert_config.yaml:/etc/elastalert/conf/elastalert_config.yaml:ro
-    - environment:
-      - ELASTICSEARCH_HOST: {{ esip }}
-      - ELASTICSEARCH_PORT: {{ esport }}
-      - ELASTALERT_CONFIG: /etc/elastalert/conf/elastalert_config.yaml
-      - ELASTALERT_SUPERVISOR_CONF: /etc/elastalert/conf/elastalert_supervisord.conf
-      - RULES_DIRECTORY: /etc/elastalert/rules/
-      - LOG_DIR: /var/log/elastalert
+      - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/config/elastalert_config.yaml:ro
 
 {% endif %}

salt/elasticsearch/files/elasticsearch.yml

@@ -22,3 +22,7 @@ transport.bind_host: 0.0.0.0
 transport.publish_host: {{ nodeip }}
 transport.publish_port: 9300
 {%- endif %}
+cluster.routing.allocation.disk.threshold_enabled: true
+cluster.routing.allocation.disk.watermark.low: 95%
+cluster.routing.allocation.disk.watermark.high: 98%
+cluster.routing.allocation.disk.watermark.flood_stage: 98%

salt/elasticsearch/files/ingest/beats.common

@@ -0,0 +1,35 @@
+{
+  "description" : "beats.common",
+  "processors" : [
+    {"community_id":   {"if": "ctx.winlog.event_data?.Protocol != null", "field":["winlog.event_data.SourceIp","winlog.event_data.SourcePort","winlog.event_data.DestinationIp","winlog.event_data.DestinationPort","winlog.event_data.Protocol"],"target_field":"network.community_id"}},    
+    { "set":           { "if": "ctx.winlog?.channel != null",   "field": "dataset", "value": "wel-{{winlog.channel}}", "override": true }  },
+    { "set":           { "if": "ctx.agent?.type != null",   "field": "module", "value": "{{agent.type}}", "override": true }  },   
+    { "set":           { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3",   "field": "event.category", "value": "host,process,network", "override": true }  },
+    { "set":           { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1",   "field": "event.category", "value": "host,process", "override": true }  },
+    { "rename": 	   { "field": "agent.hostname", 			            "target_field": "agent.name",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.SubjectUserName", 			  "target_field": "user.name",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.DestinationHostname", 	  "target_field": "destination.hostname",	"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.DestinationIp", 		      "target_field": "destination.ip",	"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.DestinationPort", 	      "target_field": "destination.port",	"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.Image", 			            "target_field": "process.executable",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.ProcessID", 			        "target_field": "process.pid",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.ProcessGuid", 			      "target_field": "process.entity_id",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.CommandLine", 			      "target_field": "process.command_line",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.CurrentDirectory", 			"target_field": "process.working_directory",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.Description", 			      "target_field": "process.pe.description",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.Product", 			          "target_field": "process.pe.product",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.OriginalFileName", 			"target_field": "process.pe.original_file_name",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.FileVersion", 			      "target_field": "process.pe.file_version",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.ParentCommandLine", 			"target_field": "process.parent.command_line",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.ParentImage", 			      "target_field": "process.parent.executable",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.ParentProcessGuid", 			"target_field": "process.parent.entity_id",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.ParentProcessId", 			  "target_field": "process.ppid",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.Protocol", 	              "target_field": "network.transport",	"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.User", 			            "target_field": "user.name",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.SourceHostname", 	      "target_field": "source.hostname",	"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.SourceIp", 		          "target_field": "source.ip",		"ignore_missing": true 	} },
+    { "rename": 	   { "field": "winlog.event_data.SourcePort", 		        "target_field": "source.port",		"ignore_missing": true 	} },   
+    { "rename": 	   { "field": "winlog.event_data.targetFilename",		      "target_field": "file.target",	"ignore_missing": true 	} },
+    { "pipeline":    { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/common

@@ -4,7 +4,7 @@
     { 	
 	"geoip":  { 
 		"field": "destination.ip",
-		"target_field": "geo",
+		"target_field": "destination.geo",
 		"database_file": "GeoLite2-City.mmdb",
 		"ignore_missing": true, 
 		"properties": ["ip", "country_iso_code", "country_name", "continent_name", "region_iso_code", "region_name", "city_name", "timezone", "location"]
@@ -13,7 +13,7 @@
     { 
 	"geoip":  {
 		"field": "source.ip",
-		"target_field": "geo",
+		"target_field": "source.geo",
 		"database_file": "GeoLite2-City.mmdb",
 		"ignore_missing": true,
 		"properties": ["ip", "country_iso_code", "country_name", "continent_name", "region_iso_code", "region_name", "city_name", "timezone", "location"]
@@ -38,12 +38,15 @@
     { "rename":         { "field": "module",              "target_field": "event.module",                  "ignore_missing": true  } },
     { "rename":         { "field": "dataset",              "target_field": "event.dataset",                  "ignore_missing": true  } },
     { "rename":         { "field": "category",              "target_field": "event.category",                  "ignore_missing": true  } },
-    { "rename":         { "field": "message2.community_id",              "target_field": "network.community_id",                  "ignore_missing": true  } },
+    { "rename":         { "field": "message2.community_id", "target_field": "network.community_id",  "ignore_failure": true,  "ignore_missing": true  } },
+    { "convert":         { "field": "destination.port", "type": "integer",  "ignore_failure": true,  "ignore_missing": true  } },
+    { "convert":         { "field": "source.port", "type": "integer",  "ignore_failure": true,  "ignore_missing": true  } },
+    { "convert":         { "field": "log.id.uid", "type": "string",  "ignore_failure": true,  "ignore_missing": true  } },
     { 
-	"remove": {
-		"field": [ "index_name_prefix", "message2"],
-		"ignore_failure": false
-	}
+        "remove": {
+                "field": [ "index_name_prefix", "message2", "type" ],
+                "ignore_failure": true
+        }
     }
   ]
 }

salt/elasticsearch/files/ingest/osquery.query_result

@@ -24,8 +24,14 @@
     { "rename":      { "field": "message3.columns.pid",                                     "target_field": "process.pid",              "ignore_missing": true  } },
     { "rename":      { "field": "message3.columns.parent",                                  "target_field": "process.ppid",              "ignore_missing": true  } },
     { "rename":      { "field": "message3.columns.cwd",                                     "target_field": "process.working_directory",              "ignore_missing": true  } },
+    { "rename":      { "field": "message3.columns.community_id",                            "target_field": "network.community_id",   "ignore_missing": true  } },
+    { "rename":      { "field": "message3.columns.local_address",                           "target_field": "local.ip",              "ignore_missing": true  } },
+    { "rename":      { "field": "message3.columns.local_port",                              "target_field": "local.port",              "ignore_missing": true  } },
+    { "rename":      { "field": "message3.columns.remote_address",                          "target_field": "remote.ip",              "ignore_missing": true  } },
+    { "rename":      { "field": "message3.columns.remote_port",                             "target_field": "remote.port",              "ignore_missing": true  } },
+    { "rename":      { "field": "message3.columns.process_name",                            "target_field": "process.name",              "ignore_missing": true  } },
     { "rename": 	   { "field": "message3.columns.eventid", 			                          "target_field": "event.code",		"ignore_missing": true 	} },
-    { "set":         { "if": "ctx.message3.columns.data != null",   "field": "dataset", "value": "wel-{{message3.columns.source}}", "override": true }  },
+    { "set":         { "if": "ctx.message3.columns?.data != null",   "field": "dataset", "value": "wel-{{message3.columns.source}}", "override": true }  },
     { "rename": 	   { "field": "message3.columns.winlog.EventData.SubjectUserName", 			  "target_field": "user.name",		"ignore_missing": true 	} },
     { "rename": 	   { "field": "message3.columns.winlog.EventData.destinationHostname", 	  "target_field": "destination.hostname",	"ignore_missing": true 	} },
     { "rename": 	   { "field": "message3.columns.winlog.EventData.destinationIp", 		      "target_field": "destination.ip",	"ignore_missing": true 	} },

salt/elasticsearch/files/ingest/suricata.alert

@@ -1,11 +1,12 @@
 {
   "description" : "suricata.alert",
   "processors" : [
-    { "json":           { "field": "message",                   "target_field": "message2",             "ignore_failure": true  } },
-    { "rename":{ "field": "message2.comunity_id",       "target_field": "network.comunity_id",  "ignore_failure": true  } },
     { "rename":{ "field": "message2.alert",	"target_field": "rule",	"ignore_failure": true 	} },
     { "rename":{ "field": "rule.signature",     "target_field": "rule.name", "ignore_failure": true  } },
     { "rename":{ "field": "rule.ref",     "target_field": "rule.version", "ignore_failure": true  } },
-    { "pipeline": { "name": "suricata.common" } }
+    { "rename":{ "field": "rule.signature_id",     "target_field": "rule.uuid", "ignore_failure": true  } },
+    { "rename":{ "field": "rule.signature_id",     "target_field": "rule.signature", "ignore_failure": true  } },
+    { "rename":{ "field": "message2.payload_printable",     "target_field": "network.data.decoded", "ignore_failure": true  } },
+    { "pipeline": { "name": "common" } }
   ]
 }

salt/elasticsearch/files/ingest/suricata.common

@@ -1,15 +1,18 @@
 {
   "description" : "suricata.common",
   "processors" : [
+    { "json":           { "field": "message",                   "target_field": "message2",             "ignore_failure": true  } },
     { "rename":{ "field": "message2.proto",		"target_field": "network.transport",		"ignore_failure": true 	} },
-    { "rename":{ "field": "message2.flow_id",		"target_field": "event.id",		"ignore_failure": true 	} },
+    { "rename":{ "field": "message2.flow_id",		"target_field": "log.id.uid",		"ignore_failure": true 	} },
     { "rename":{ "field": "message2.src_ip",       "target_field": "source.ip",  "ignore_failure": true  } },
     { "rename":{ "field": "message2.src_port",       "target_field": "source.port",  "ignore_failure": true  } },
     { "rename":{ "field": "message2.dest_ip",       "target_field": "destination.ip",  "ignore_failure": true  } },
     { "rename":{ "field": "message2.dest_port",       "target_field": "destination.port",  "ignore_failure": true  } },
     { "rename":         { "field": "message2.community_id",        "target_field": "network.community_id",     "ignore_missing": true  } },
+    { "remove":{ "field": "dataset", 						"ignore_failure": true	} },
+    { "rename":{ "field": "message2.event_type",		"target_field": "dataset",		"ignore_failure": true 	} },
     { "set":         { "field": "observer.name",        "value": "{{agent.name}}"  } },
-    { "remove":         { "field": ["agent"],     "ignore_failure": true                                                                  } },
-    { "pipeline": { "name": "common" } }
+    { "remove":{ "field": "agent", 						"ignore_failure": true	} },
+    { "pipeline": { "name": "suricata.{{dataset}}" } }
   ]
 }

salt/elasticsearch/files/ingest/suricata.dhcp

@@ -0,0 +1,14 @@
+{
+  "description" : "suricata.dhcp",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dhcp.assigned_ip", 		"target_field": "dhcp.assigned_ip",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dhcp.client_mac", 		"target_field": "host.mac",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dhcp.dhcp_type", 		"target_field": "dhcp.message_types",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dhcp.assigned_ip", 		"target_field": "dhcp.assigned_ip",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dhcp.type", 		"target_field": "dhcp.type",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dhcp.id", 		"target_field": "dhcp.id",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.dnp3

@@ -0,0 +1,8 @@
+{
+  "description" : "suricata.dnp3",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.dns

@@ -0,0 +1,14 @@
+{
+  "description" : "suricata.dns",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.type", 		"target_field": "dns.type",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.tx_id",		"target_field": "dns.id",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.version", 		"target_field": "dns.version",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dns.rrname", 		"target_field": "dns.query.name",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.grouped.A", 		"target_field": "dns.answers",			"ignore_missing": true 	} },
+
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.fileinfo

@@ -0,0 +1,8 @@
+{
+  "description" : "suricata.fileinfo",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.flow

@@ -0,0 +1,14 @@
+{
+  "description" : "suricata.flow",
+  "processors" : [
+    { "set":      { "field": "dataset",        "value": "conn"  } },
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.flow.state", 		"target_field": "connection.state",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.flow.bytes_toclient", 		"target_field": "server.ip_bytes",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.flow.bytes_toserver", 		"target_field": "client.ip_bytes",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.flow.start", 		"target_field": "connection.start",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.flow.end", 		"target_field": "connection.end",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.ftp

@@ -0,0 +1,14 @@
+{
+  "description" : "suricata.ftp",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ftp.reply", 		"target_field": "server.reply_message",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ftp.completion_code", 		"target_field": "server.reply_code",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ftp.reply_received", 		"target_field": "server.reply_received",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ftp.command", 		"target_field": "ftp.command",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ftp.command_data", 		"target_field": "ftp.command_data",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ftp.dynamic_port", 		"target_field": "ftp.data_channel_destination.port",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.http

@@ -0,0 +1,17 @@
+{
+  "description" : "suricata.http",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.http.hostname", 		"target_field": "http.virtual_host",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.http.http_user_agent", 		"target_field": "http.useragent",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.http.url", 		"target_field": "http.uri",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.http.http_content_type", 		"target_field": "file.resp_mime_types",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.http.http_refer", 		"target_field": "http.referrer",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.http.http_method", 		"target_field": "http.method",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.http.protocol", 		"target_field": "http.version",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.http.status", 		"target_field": "http.status_code",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.http.length", 		"target_field": "http.request.body.length",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.ikev2

@@ -0,0 +1,8 @@
+{
+  "description" : "suricata.ikev2",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.krb5

@@ -0,0 +1,8 @@
+{
+  "description" : "suricata.krb5",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.nfs

@@ -0,0 +1,8 @@
+{
+  "description" : "suricata.nfs",
+  "processors" : [
+    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
+    { "pipeline": { "name": "common" } }
+  ]
+}