Merge pull request #15289 from Security-Onion-Solutions/TOoSmOotH-patch-3

Update Assistant Models
Merge branch '2.4/dev' into TOoSmOotH-patch-3
2025-12-11 11:42:50 +01:00 · 2025-12-10 17:22:13 -05:00 · 2025-12-10 17:19:32 -05:00 · 2025-12-10 17:18:59 -05:00 · 2025-12-10 17:16:35 -05:00 · 2025-12-10 15:23:12 -05:00
5 changed files with 43 additions and 18 deletions
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -1113,7 +1113,7 @@ suricata_idstools_removal_pre() {
 install -d -o 939 -g 939 -m 755 /opt/so/conf/soc/fingerprints
 install -o 939 -g 939 -m 644 /dev/null /opt/so/conf/soc/fingerprints/suricataengine.syncBlock
 cat > /opt/so/conf/soc/fingerprints/suricataengine.syncBlock << EOF
-Suricata ruleset sync is blocked until this file is removed. Make sure that you have manually added any custom Suricata rulesets via SOC config - review the documentation for more details: securityonion.net/docs
+Suricata ruleset sync is blocked until this file is removed. **CRITICAL** Make sure that you have manually added any custom Suricata rulesets via SOC config before removing this file - review the documentation for more details: https://docs.securityonion.net/en/2.4/nids.html#sync-block
 EOF

 # Remove possible symlink & create salt local rules dir
@@ -1131,6 +1131,7 @@ if [[ -f /opt/so/conf/soc/so-detections-backup.py ]]; then
    # Verify backup by comparing counts
    echo "Verifying detection overrides backup..."
    es_override_count=$(/sbin/so-elasticsearch-query 'so-detection/_count' \
+       --retry 5 --retry-delay 10 --retry-all-errors \
       -d '{"query": {"bool": {"must": [{"exists": {"field": "so_detection.overrides"}}]}}}' | jq -r '.count') || {
        echo "  Error: Failed to query Elasticsearch for override count"
        exit 1
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -2653,19 +2653,15 @@ soc:
          thresholdColorRatioMax: 1
          availableModels:
            - id: sonnet-4.5
-              displayName: Claude Sonnet 4.5
+              displayName: Claude Sonnet 4.5 ($$$)
+              origin: USA
              contextLimitSmall: 200000
              contextLimitLarge: 1000000
              lowBalanceColorAlert: 500000
              enabled: true
-            - id: gptoss-120b
-              displayName: GPT-OSS 120B
-              contextLimitSmall: 128000
-              contextLimitLarge: 128000
-              lowBalanceColorAlert: 500000
-              enabled: true
            - id: qwen-235b
-              displayName: QWEN 235B
+              displayName: QWEN 235B ($)
+              origin: China
              contextLimitSmall: 256000
              contextLimitLarge: 256000
              lowBalanceColorAlert: 500000
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -608,6 +608,18 @@ soc:
                label: Delete Unreferenced (Deletes rules that are no longer referenced by ruleset source)
                forcedType: bool
                required: False
+              - field: proxyURL
+                label: HTTP/HTTPS proxy URL for downloading the ruleset.
+                required: False
+              - field: proxyUsername
+                label: Proxy authentication username.
+                required: False
+              - field: proxyPassword
+                label: Proxy authentication password.
+                required: False
+              - field: proxyCACert
+                label: Path to CA certificate file for MITM proxy verification.
+                required: False
            airgap: *serulesetSources
        navigator:
          intervalMinutes:
@@ -696,6 +708,9 @@ soc:
            - field: displayName
              label: Display Name
              required: True
+            - field: origin
+              label: Country of Origin for the Model Training
+              required: false
            - field: contextLimitSmall
              label: Context Limit (Small)
              forcedType: int
--- a/salt/suricata/cron/so-suricata-rulestats
+++ b/salt/suricata/cron/so-suricata-rulestats
@@ -17,14 +17,23 @@ query() {

 STATS=$(query "ruleset-stats")
 RELOAD=$(query "ruleset-reload-time")
+[ -z "$RELOAD" ] && RELOAD='{}'

-if echo "$STATS" | jq -e '.return == "OK"' > /dev/null 2>&1; then
-    LOADED=$(echo "$STATS" | jq -r '.message[0].rules_loaded')
-    FAILED=$(echo "$STATS" | jq -r '.message[0].rules_failed')
-    LAST_RELOAD=$(echo "$RELOAD" | jq -r '.message[0].last_reload')
+# Outputs valid JSON on success, empty on failure
+OUTPUT=$(jq -n \
+    --argjson stats "$STATS" \
+    --argjson reload "$RELOAD" \
+    'if $stats.return == "OK" and ($stats.message[0].rules_loaded | type) == "number" and ($stats.message[0].rules_failed | type) == "number" then
+        {
+            rules_loaded: $stats.message[0].rules_loaded,
+            rules_failed: $stats.message[0].rules_failed,
+            last_reload: ($reload.message[0].last_reload // ""),
+            return: "OK"
+        }
+    else empty end' 2>/dev/null)

-    jq -n --argjson loaded "$LOADED" --argjson failed "$FAILED" --arg reload "$LAST_RELOAD" \
-        '{rules_loaded: $loaded, rules_failed: $failed, last_reload: $reload, return: "OK"}' > "$OUTFILE"
+if [ -n "$OUTPUT" ]; then
+    echo "$OUTPUT" > "$OUTFILE"
 else
    echo '{"return":"FAIL"}' > "$OUTFILE"
 fi
--- a/salt/telegraf/scripts/surirules.sh
+++ b/salt/telegraf/scripts/surirules.sh
@@ -18,11 +18,15 @@ if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
    if [ -f "$STATSFILE" ] && [ $(($(date +%s) - $(stat -c %Y "$STATSFILE"))) -lt 90 ] && jq -e '.return == "OK" and .rules_loaded != null and .rules_failed != null' "$STATSFILE" > /dev/null 2>&1; then
        LOADED=$(jq -r '.rules_loaded' "$STATSFILE")
        FAILED=$(jq -r '.rules_failed' "$STATSFILE")
-        RELOAD_TIME=$(jq -r '.last_reload // ""' "$STATSFILE")
+        RELOAD_TIME=$(jq -r 'if .last_reload then .last_reload else "" end' "$STATSFILE")

-        echo "surirules loaded=${LOADED}i,failed=${FAILED}i,reload_time=\"${RELOAD_TIME}\",status=\"ok\""
+        if [ -n "$RELOAD_TIME" ]; then
+            echo "surirules loaded=${LOADED}i,failed=${FAILED}i,reload_time=\"${RELOAD_TIME}\",status=\"ok\""
+        else
+            echo "surirules loaded=${LOADED}i,failed=${FAILED}i,status=\"ok\""
+        fi
    else
-        echo "surirules loaded=0i,failed=0i,reload_time=\"\",status=\"unknown\""
+        echo "surirules loaded=0i,failed=0i,status=\"unknown\""
    fi

 fi
Author	SHA1	Message	Date
Mike Reeves	c6646e3821	Merge pull request #15289 from Security-Onion-Solutions/TOoSmOotH-patch-3 Update Assistant Models	2025-12-10 17:22:13 -05:00
Mike Reeves	99dc72cece	Merge branch '2.4/dev' into TOoSmOotH-patch-3	2025-12-10 17:19:32 -05:00
Josh Brower	04d6cca204	Merge pull request #15298 from Security-Onion-Solutions/idstools-refactor Fixup logic	2025-12-10 17:18:59 -05:00
DefensiveDepth	5ab6bda639	Fixup logic	2025-12-10 17:16:35 -05:00
Josh Brower	f433de7e12	Merge pull request #15297 from Security-Onion-Solutions/idstools-refactor small fixes	2025-12-10 15:23:12 -05:00
DefensiveDepth	8ef6c2f91d	small fixes	2025-12-10 15:19:44 -05:00
Mike Reeves	7575218697	Merge pull request #15293 from Security-Onion-Solutions/TOoSmOotH-patch-4 Remove Claude Sonnet 4 model configuration	2025-12-09 11:04:38 -05:00
Mike Reeves	94694d394e	Add origin field to model training configuration	2025-12-08 16:36:09 -05:00
Mike Reeves	03dd746601	Add origin field to model configurations	2025-12-08 16:34:19 -05:00
Mike Reeves	eec3373ae7	Update display name for Claude Sonnet 4	2025-12-08 16:30:50 -05:00
Mike Reeves	db45ce07ed	Modify model display names and remove GPT-OSS 120B Updated display names for models and removed GPT-OSS 120B.	2025-12-08 16:26:45 -05:00