Update Validation

2025-12-19 23:43:07 +01:00 · 2025-12-15 09:57:42 -05:00 · 2025-12-15 09:47:57 -05:00 · 2025-12-15 09:42:38 -05:00 · 2025-12-14 15:35:24 -05:00 · 2025-12-14 12:03:44 -05:00
32 changed files with 1222 additions and 190 deletions
--- a/salt/common/tools/sbin_jinja/so-import-pcap
+++ b/salt/common/tools/sbin_jinja/so-import-pcap
@@ -85,7 +85,7 @@ function suricata() {
  docker run --rm \
    -v /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro \
    -v /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro \
-    -v /opt/so/conf/suricata/rules:/etc/suricata/rules:ro \
+    -v /opt/so/rules/suricata/:/etc/suricata/rules:ro \
    -v ${LOG_PATH}:/var/log/suricata/:rw \
    -v ${NSM_PATH}/:/nsm/:rw \
    -v "$PCAP:/input.pcap:ro" \
--- a/salt/elasticfleet/config.map.jinja
+++ b/salt/elasticfleet/config.map.jinja
@@ -0,0 +1,34 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
+{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
+
+{# advanced config_yaml options for elasticfleet logstash output #}
+{% set ADV_OUTPUT_LOGSTASH_RAW = ELASTICFLEETMERGED.config.outputs.logstash %}
+{% set ADV_OUTPUT_LOGSTASH = {} %}
+{% for k, v in ADV_OUTPUT_LOGSTASH_RAW.items() %}
+{%   if v != "" and v is not none %}
+{%     if k == 'queue_mem_events' %}
+{#       rename queue_mem_events queue.mem.events #}
+{%       do ADV_OUTPUT_LOGSTASH.update({'queue.mem.events':v}) %}
+{%     elif k == 'loadbalance' %}
+{%       if v %}
+{#         only include loadbalance config when its True #}
+{%         do ADV_OUTPUT_LOGSTASH.update({k:v}) %}
+{%       endif %}
+{%     else %}
+{%       do ADV_OUTPUT_LOGSTASH.update({k:v}) %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+
+{% set LOGSTASH_CONFIG_YAML_RAW = [] %}
+{% if ADV_OUTPUT_LOGSTASH %}
+{%   for k, v in ADV_OUTPUT_LOGSTASH.items() %}
+{%     do LOGSTASH_CONFIG_YAML_RAW.append(k ~ ': ' ~ v) %}
+{%   endfor %}
+{% endif %}
+
+{% set LOGSTASH_CONFIG_YAML = LOGSTASH_CONFIG_YAML_RAW | join('\\n') if LOGSTASH_CONFIG_YAML_RAW else '' %}
--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
@@ -10,6 +10,14 @@ elasticfleet:
      grid_enrollment: ''
    defend_filters:
      enable_auto_configuration: False
+    outputs:
+      logstash:
+        bulk_max_size: ''
+        worker: ''
+        queue_mem_events: ''
+        timeout: ''
+        loadbalance: False
+        compression_level: ''
    subscription_integrations: False
    auto_upgrade_integrations: False
  logging:
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
@@ -32,6 +32,17 @@ so-elastic-fleet-auto-configure-logstash-outputs:
    - retry:
        attempts: 4
        interval: 30
+
+{# Separate from above in order to catch elasticfleet-logstash.crt changes and force update to fleet output policy #}
+so-elastic-fleet-auto-configure-logstash-outputs-force:
+  cmd.run:
+    - name: /usr/sbin/so-elastic-fleet-outputs-update --certs
+    - retry:
+        attempts: 4
+        interval: 30
+    - onchanges:
+        - x509: etc_elasticfleet_logstash_crt
+        - x509: elasticfleet_kafka_crt
 {% endif %}

 # If enabled, automatically update Fleet Server URLs & ES Connection
--- a/salt/elasticfleet/integration-defaults.map.jinja
+++ b/salt/elasticfleet/integration-defaults.map.jinja
@@ -121,6 +121,9 @@
                 "phases": {
                   "cold": {
                     "actions": {
+                        "allocate":{
+                          "number_of_replicas": ""
+                        },
                       "set_priority": {"priority": 0}
                     },
                     "min_age": "60d"
@@ -137,12 +140,31 @@
                         "max_age": "30d",
                         "max_primary_shard_size": "50gb"
                       },
+                       "forcemerge":{
+                         "max_num_segments": ""
+                       },
+                       "shrink":{
+                         "max_primary_shard_size": "",
+                         "method": "COUNT",
+                         "number_of_shards": ""
+                       },
                       "set_priority": {"priority": 100}
                      },
                      "min_age": "0ms"
                   },
                   "warm": {
                     "actions": {
+                        "allocate": {
+                          "number_of_replicas": ""
+                        },
+                        "forcemerge": {
+                          "max_num_segments": ""
+                        },
+                        "shrink":{
+                          "max_primary_shard_size": "",
+                          "method": "COUNT",
+                          "number_of_shards": ""
+                        },
                       "set_priority": {"priority": 50}
                     },
                     "min_age": "30d"
--- a/salt/elasticfleet/soc_elasticfleet.yaml
+++ b/salt/elasticfleet/soc_elasticfleet.yaml
@@ -50,6 +50,46 @@ elasticfleet:
      global: True
      forcedType: bool
      helpLink: elastic-fleet.html
+    outputs:
+      logstash:
+        bulk_max_size:
+          description: The maximum number of events to bulk in a single Logstash request.
+          global: True
+          forcedType: int
+          advanced: True
+          helpLink: elastic-fleet.html
+        worker:
+          description: The number of workers per configured host publishing events.
+          global: True
+          forcedType: int
+          advanced: true
+          helpLink: elastic-fleet.html
+        queue_mem_events:
+          title: queued events
+          description: The number of events the queue can store. This value should be evenly divisible by the smaller of 'bulk_max_size' to avoid sending partial batches to the output.
+          global: True
+          forcedType: int
+          advanced: True
+          helpLink: elastic-fleet.html
+        timeout:
+          description: The number of seconds to wait for responses from the Logstash server before timing out. Eg 30s
+          regex: ^[0-9]+s$
+          advanced: True
+          global: True
+          helpLink: elastic-fleet.html
+        loadbalance:
+          description: If true and multiple Logstash hosts are configured, the output plugin load balances published events onto all Logstash hosts. If false, the output plugin sends all events to one host (determined at random) and switches to another host if the selected one becomes unresponsive.
+          forcedType: bool
+          advanced: True
+          global: True
+          helpLink: elastic-fleet.html
+        compression_level:
+          description: The gzip compression level. The compression level must be in the range of 1 (best speed) to 9 (best compression).
+          regex: ^[1-9]$
+          forcedType: int
+          advanced: True
+          global: True
+          helpLink: elastic-fleet.html
    server:
      custom_fqdn:
        description: Custom FQDN for Agents to connect to. One per line.
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
@@ -3,11 +3,36 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
 # this file except in compliance with the Elastic License 2.0.
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
+{%- from 'vars/globals.map.jinja' import GLOBALS %}
+{%- from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
+{%- from 'elasticfleet/config.map.jinja' import LOGSTASH_CONFIG_YAML %}

 . /usr/sbin/so-common

+FORCE_UPDATE=false
+UPDATE_CERTS=false
+LOGSTASH_PILLAR_CONFIG_YAML="{{ LOGSTASH_CONFIG_YAML }}"
+LOGSTASH_PILLAR_STATE_FILE="/opt/so/state/esfleet_logstash_config_pillar"
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -f|--force)
+      FORCE_UPDATE=true
+      shift
+      ;;
+    -c| --certs)
+      UPDATE_CERTS=true
+      FORCE_UPDATE=true
+      shift
+      ;;
+    *)
+      echo "Unknown option $1"
+      echo "Usage: $0 [-f|--force] [-c|--certs]"
+      exit 1
+      ;;
+  esac
+done
+
 # Only run on Managers
 if ! is_manager_node; then
    printf "Not a Manager Node... Exiting"
@@ -17,17 +42,49 @@ fi
 function update_logstash_outputs() {
    if logstash_policy=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/outputs/so-manager_logstash" --retry 3 --retry-delay 10 --fail 2>/dev/null); then
        SSL_CONFIG=$(echo "$logstash_policy" | jq -r '.item.ssl')
+        LOGSTASHKEY=$(openssl rsa -in  /etc/pki/elasticfleet-logstash.key)
+        LOGSTASHCRT=$(openssl x509 -in /etc/pki/elasticfleet-logstash.crt)
+        LOGSTASHCA=$(openssl x509 -in  /etc/pki/tls/certs/intca.crt)
+        # Revert escaped \\n to \n for jq
+        LOGSTASH_PILLAR_CONFIG_YAML=$(printf '%b' "$LOGSTASH_PILLAR_CONFIG_YAML")
+
        if SECRETS=$(echo "$logstash_policy" | jq -er '.item.secrets' 2>/dev/null); then
-            JSON_STRING=$(jq -n \
-                --arg UPDATEDLIST "$NEW_LIST_JSON" \
-                --argjson SECRETS "$SECRETS" \
-                --argjson SSL_CONFIG "$SSL_CONFIG" \
-                '{"name":"grid-logstash","type":"logstash","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl": $SSL_CONFIG,"secrets": $SECRETS}')
+            if [[ "$UPDATE_CERTS" != "true"  ]]; then
+                # Reuse existing secret
+                JSON_STRING=$(jq -n \
+                    --arg UPDATEDLIST "$NEW_LIST_JSON" \
+                    --arg CONFIG_YAML "$LOGSTASH_PILLAR_CONFIG_YAML" \
+                    --argjson SECRETS "$SECRETS" \
+                    --argjson SSL_CONFIG "$SSL_CONFIG" \
+                    '{"name":"grid-logstash","type":"logstash","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":$CONFIG_YAML,"ssl": $SSL_CONFIG,"secrets": $SECRETS}')
+            else
+                # Update certs, creating new secret
+                JSON_STRING=$(jq -n \
+                    --arg UPDATEDLIST "$NEW_LIST_JSON" \
+                    --arg CONFIG_YAML "$LOGSTASH_PILLAR_CONFIG_YAML" \
+                    --arg LOGSTASHKEY "$LOGSTASHKEY" \
+                    --arg LOGSTASHCRT "$LOGSTASHCRT" \
+                    --arg LOGSTASHCA "$LOGSTASHCA" \
+                    '{"name":"grid-logstash","type":"logstash","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":$CONFIG_YAML,"ssl": {"certificate": $LOGSTASHCRT,"certificate_authorities":[ $LOGSTASHCA ]},"secrets": {"ssl":{"key": $LOGSTASHKEY }}}')
+            fi
        else
-            JSON_STRING=$(jq -n \
-                --arg UPDATEDLIST "$NEW_LIST_JSON" \
-                --argjson SSL_CONFIG "$SSL_CONFIG" \
-                '{"name":"grid-logstash","type":"logstash","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl": $SSL_CONFIG}')
+            if [[ "$UPDATE_CERTS" != "true" ]]; then
+                # Reuse existing ssl config
+                JSON_STRING=$(jq -n \
+                    --arg UPDATEDLIST "$NEW_LIST_JSON" \
+                    --arg CONFIG_YAML "$LOGSTASH_PILLAR_CONFIG_YAML" \
+                    --argjson SSL_CONFIG "$SSL_CONFIG" \
+                    '{"name":"grid-logstash","type":"logstash","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":$CONFIG_YAML,"ssl": $SSL_CONFIG}')
+            else
+                # Update ssl config
+                JSON_STRING=$(jq -n \
+                    --arg UPDATEDLIST "$NEW_LIST_JSON" \
+                    --arg CONFIG_YAML "$LOGSTASH_PILLAR_CONFIG_YAML" \
+                    --arg LOGSTASHKEY "$LOGSTASHKEY" \
+                    --arg LOGSTASHCRT "$LOGSTASHCRT" \
+                    --arg LOGSTASHCA "$LOGSTASHCA" \
+                    '{"name":"grid-logstash","type":"logstash","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":$CONFIG_YAML,"ssl": {"certificate": $LOGSTASHCRT,"key": $LOGSTASHKEY,"certificate_authorities":[ $LOGSTASHCA ]}}')
+            fi
        fi
    fi

@@ -38,19 +95,42 @@ function update_kafka_outputs() {
  # Make sure SSL configuration is included in policy updates for Kafka output. SSL is configured in so-elastic-fleet-setup
  if kafka_policy=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/outputs/so-manager_kafka" --fail 2>/dev/null); then
    SSL_CONFIG=$(echo "$kafka_policy" | jq -r '.item.ssl')
+    KAFKAKEY=$(openssl rsa -in  /etc/pki/elasticfleet-kafka.key)
+    KAFKACRT=$(openssl x509 -in /etc/pki/elasticfleet-kafka.crt)
+    KAFKACA=$(openssl x509 -in  /etc/pki/tls/certs/intca.crt)
    if SECRETS=$(echo "$kafka_policy" | jq -er '.item.secrets' 2>/dev/null); then
-      # Update policy when fleet has secrets enabled
-      JSON_STRING=$(jq -n \
-        --arg UPDATEDLIST "$NEW_LIST_JSON" \
-        --argjson SSL_CONFIG "$SSL_CONFIG" \
-        --argjson SECRETS "$SECRETS" \
-        '{"name": "grid-kafka","type": "kafka","hosts": $UPDATEDLIST,"is_default": true,"is_default_monitoring": true,"config_yaml": "","ssl": $SSL_CONFIG,"secrets": $SECRETS}')
+        if [[ "$UPDATE_CERTS" != "true" ]]; then
+            # Update policy when fleet has secrets enabled
+            JSON_STRING=$(jq -n \
+              --arg UPDATEDLIST "$NEW_LIST_JSON" \
+              --argjson SSL_CONFIG "$SSL_CONFIG" \
+              --argjson SECRETS "$SECRETS" \
+              '{"name": "grid-kafka","type": "kafka","hosts": $UPDATEDLIST,"is_default": true,"is_default_monitoring": true,"config_yaml": "","ssl": $SSL_CONFIG,"secrets": $SECRETS}')
+        else
+            # Update certs, creating new secret
+            JSON_STRING=$(jq -n \
+              --arg UPDATEDLIST "$NEW_LIST_JSON" \
+              --arg KAFKAKEY "$KAFKAKEY" \
+              --arg KAFKACRT "$KAFKACRT" \
+              --arg KAFKACA "$KAFKACA" \
+              '{"name": "grid-kafka","type": "kafka","hosts": $UPDATEDLIST,"is_default": true,"is_default_monitoring": true,"config_yaml": "","ssl": {"certificate_authorities":[ $KAFKACA ],"certificate": $KAFKACRT ,"key":"","verification_mode":"full"},"secrets": {"ssl":{"key": $KAFKAKEY }}}')
+        fi
    else
-      # Update policy when fleet has secrets disabled or policy hasn't been force updated
-      JSON_STRING=$(jq -n \
-        --arg UPDATEDLIST "$NEW_LIST_JSON" \
-        --argjson SSL_CONFIG "$SSL_CONFIG" \
-        '{"name": "grid-kafka","type": "kafka","hosts": $UPDATEDLIST,"is_default": true,"is_default_monitoring": true,"config_yaml": "","ssl": $SSL_CONFIG}')
+        if [[ "$UPDATE_CERTS" != "true" ]]; then
+            # Update policy when fleet has secrets disabled or policy hasn't been force updated
+            JSON_STRING=$(jq -n \
+              --arg UPDATEDLIST "$NEW_LIST_JSON" \
+              --argjson SSL_CONFIG "$SSL_CONFIG" \
+              '{"name": "grid-kafka","type": "kafka","hosts": $UPDATEDLIST,"is_default": true,"is_default_monitoring": true,"config_yaml": "","ssl": $SSL_CONFIG}')
+        else
+            # Update ssl config
+            JSON_STRING=$(jq -n \
+              --arg UPDATEDLIST "$NEW_LIST_JSON" \
+              --arg KAFKAKEY "$KAFKAKEY" \
+              --arg KAFKACRT "$KAFKACRT" \
+              --arg KAFKACA "$KAFKACA" \
+              '{"name": "grid-kafka","type": "kafka","hosts": $UPDATEDLIST,"is_default": true,"is_default_monitoring": true,"config_yaml": "","ssl": { "certificate_authorities": [ $KAFKACA ], "certificate": $KAFKACRT, "key": $KAFKAKEY, "verification_mode": "full" }}')
+        fi
    fi
    # Update Kafka outputs
    curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_kafka" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" | jq
@@ -73,7 +153,7 @@ function update_kafka_outputs() {

  # Get the current list of kafka outputs & hash them
  CURRENT_LIST=$(jq -c -r '.item.hosts' <<<  "$RAW_JSON")
-  CURRENT_HASH=$(sha1sum <<< "$CURRENT_LIST" | awk '{print $1}')
+  CURRENT_HASH=$(sha256sum <<< "$CURRENT_LIST" | awk '{print $1}')

  declare -a NEW_LIST=()

@@ -96,10 +176,19 @@ function update_kafka_outputs() {
   printf "Failed to query for current Logstash Outputs..."
   exit 1
  fi
+  # logstash adv config - compare pillar to last state file value
+  if [[ -f "$LOGSTASH_PILLAR_STATE_FILE" ]]; then
+    PREVIOUS_LOGSTASH_PILLAR_CONFIG_YAML=$(cat "$LOGSTASH_PILLAR_STATE_FILE")
+    if [[ "$LOGSTASH_PILLAR_CONFIG_YAML" != "$PREVIOUS_LOGSTASH_PILLAR_CONFIG_YAML" ]]; then
+      echo "Logstash pillar config has changed - forcing update"
+      FORCE_UPDATE=true
+    fi
+    echo "$LOGSTASH_PILLAR_CONFIG_YAML" > "$LOGSTASH_PILLAR_STATE_FILE"
+  fi

  # Get the current list of Logstash outputs & hash them
  CURRENT_LIST=$(jq -c -r '.item.hosts' <<<  "$RAW_JSON")
-  CURRENT_HASH=$(sha1sum <<< "$CURRENT_LIST" | awk '{print $1}')
+  CURRENT_HASH=$(sha256sum <<< "$CURRENT_LIST" | awk '{print $1}')

  declare -a NEW_LIST=()

@@ -148,10 +237,10 @@ function update_kafka_outputs() {

 # Sort & hash the new list of Logstash Outputs
 NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${NEW_LIST[@]}")
-NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}')
+NEW_HASH=$(sha256sum <<< "$NEW_LIST_JSON" | awk '{print $1}')

 # Compare the current & new list of outputs - if different, update the Logstash outputs
-if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then
+if [[ "$NEW_HASH" = "$CURRENT_HASH" ]] && [[ "$FORCE_UPDATE" != "true" ]]; then
    printf "\nHashes match - no update needed.\n"
    printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"

--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -72,6 +72,8 @@ elasticsearch:
            actions:
              set_priority:
                priority: 0
+              allocate:
+                number_of_replicas: ""
            min_age: 60d
          delete:
            actions:
@@ -84,11 +86,25 @@ elasticsearch:
                max_primary_shard_size: 50gb
              set_priority:
                priority: 100
+              forcemerge:
+                max_num_segments: ""
+              shrink:
+                max_primary_shard_size: ""
+                method: COUNT
+                number_of_shards: ""
            min_age: 0ms
          warm:
            actions:
              set_priority:
                priority: 50
+              forcemerge:
+                max_num_segments: ""
+              shrink:
+                max_primary_shard_size: ""
+                method: COUNT
+                number_of_shards: ""
+              allocate:
+                number_of_replicas: ""
            min_age: 30d
    so-case:
      index_sorting: false
@@ -245,7 +261,6 @@ elasticsearch:
              set_priority:
                priority: 50
            min_age: 30d
-      warm: 7
    so-detection:
      index_sorting: false
      index_template:
@@ -284,6 +299,19 @@ elasticsearch:
          hot:
            actions: {}
            min_age: 0ms
+    sos-backup:
+      index_sorting: false
+      index_template:
+        composed_of: []
+        ignore_missing_component_templates: []
+        index_patterns:
+        - sos-backup-*
+        priority: 501
+        template:
+          settings:
+            index:
+              number_of_replicas: 0
+              number_of_shards: 1
    so-assistant-chat:
      index_sorting: false
      index_template:
@@ -584,7 +612,6 @@ elasticsearch:
              set_priority:
                priority: 50
            min_age: 30d
-      warm: 7
    so-import:
      index_sorting: false
      index_template:
@@ -932,7 +959,6 @@ elasticsearch:
              set_priority:
                priority: 50
            min_age: 30d
-      warm: 7
    so-hydra:
      close: 30
      delete: 365
@@ -1043,7 +1069,6 @@ elasticsearch:
              set_priority:
                priority: 50
            min_age: 30d
-      warm: 7
    so-lists:
      index_sorting: false
      index_template:
@@ -1127,6 +1152,8 @@ elasticsearch:
            actions:
              set_priority:
                priority: 0
+              allocate:
+                number_of_replicas: ""
            min_age: 60d
          delete:
            actions:
@@ -1139,11 +1166,25 @@ elasticsearch:
                max_primary_shard_size: 50gb
              set_priority:
                priority: 100
+              forcemerge:
+                max_num_segments: ""
+              shrink:
+                max_primary_shard_size: ""
+                method: COUNT
+                number_of_shards: ""
            min_age: 0ms
          warm:
            actions:
              set_priority:
                priority: 50
+              allocate:
+                number_of_replicas: ""
+              forcemerge:
+                max_num_segments: ""
+              shrink:
+                max_primary_shard_size: ""
+                method: COUNT
+                number_of_shards: ""
            min_age: 30d
    so-logs-detections_x_alerts:
      index_sorting: false
@@ -3123,7 +3164,6 @@ elasticsearch:
              set_priority:
                priority: 50
            min_age: 30d
-      warm: 7
    so-logs-system_x_application:
      index_sorting: false
      index_template:
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -131,6 +131,47 @@ elasticsearch:
                  description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
                  global: True
                  helpLink: elasticsearch.html
+              shrink:
+                method:
+                  description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
+                  options:
+                  - COUNT
+                  - SIZE
+                  global: True
+                  advanced: True
+                  forcedType: string
+                number_of_shards:
+                  title: shard count
+                  description: Desired shard count. Note that this value is only used when the shrink method selected is 'COUNT'.
+                  global: True
+                  forcedType: int
+                  advanced: True
+                max_primary_shard_size:
+                  title: max shard size
+                  description: Desired shard size in gb/tb/pb eg. 100gb. Note that this value is only used when the shrink method selected is 'SIZE'.
+                  regex: ^[0-9]+(?:gb|tb|pb)$
+                  global: True
+                  forcedType: string
+                  advanced: True
+                allow_write_after_shrink:
+                  description: Allow writes after shrink.
+                  global: True
+                  forcedType: bool
+                  default: False
+                  advanced: True
+              forcemerge:
+                max_num_segments:
+                  description: Reduce the number of segments in each index shard and clean up deleted documents.
+                  global: True
+                  forcedType: int
+                  advanced: True
+                index_codec:
+                  title: compression
+                  description: Use higher compression for stored fields at the cost of slower performance.
+                  forcedType: bool
+                  global: True
+                  default: False
+                  advanced: True
          cold:
            min_age:
              description: Minimum age of index. ex. 60d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and cold min_age set to 60 then there will be 30 days from index creation to rollover and then an additional 60 days before moving to cold tier.
@@ -144,6 +185,12 @@ elasticsearch:
                  description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
                  global: True
                  helpLink: elasticsearch.html
+              allocate:
+                number_of_replicas:
+                  description: Set the number of replicas. Remains the same as the previous phase by default.
+                  forcedType: int
+                  global: True
+                  advanced: True
          warm:
            min_age: 
              description: Minimum age of index. ex. 30d - This determines when the index should be moved to the warm tier. Nodes in the warm tier generally don’t need to be as fast as those in the hot tier. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and warm min_age set to 30 then there will be 30 days from index creation to rollover and then an additional 30 days before moving to warm tier.
@@ -158,6 +205,52 @@ elasticsearch:
                  forcedType: int
                  global: True
                  helpLink: elasticsearch.html
+              shrink:
+                method:
+                  description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
+                  options:
+                  - COUNT
+                  - SIZE
+                  global: True
+                  advanced: True
+                number_of_shards:
+                  title: shard count
+                  description: Desired shard count. Note that this value is only used when the shrink method selected is 'COUNT'.
+                  global: True
+                  forcedType: int
+                  advanced: True
+                max_primary_shard_size:
+                  title: max shard size
+                  description: Desired shard size in gb/tb/pb eg. 100gb. Note that this value is only used when the shrink method selected is 'SIZE'.
+                  regex: ^[0-9]+(?:gb|tb|pb)$
+                  global: True
+                  forcedType: string
+                  advanced: True
+                allow_write_after_shrink:
+                  description: Allow writes after shrink.
+                  global: True
+                  forcedType: bool
+                  default: False
+                  advanced: True
+              forcemerge:
+                max_num_segments:
+                  description: Reduce the number of segments in each index shard and clean up deleted documents.
+                  global: True
+                  forcedType: int
+                  advanced: True
+                index_codec:
+                  title: compression
+                  description: Use higher compression for stored fields at the cost of slower performance.
+                  forcedType: bool
+                  global: True
+                  default: False
+                  advanced: True
+              allocate:
+                number_of_replicas:
+                  description: Set the number of replicas. Remains the same as the previous phase by default.
+                  forcedType: int
+                  global: True
+                  advanced: True
          delete:
            min_age:
              description: Minimum age of index. ex. 90d - This determines when the index should be deleted. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and delete min_age set to 90 then there will be 30 days from index creation to rollover and then an additional 90 days before deletion.
@@ -287,6 +380,47 @@ elasticsearch:
                  global: True
                  advanced: True
                  helpLink: elasticsearch.html
+              shrink:
+                method:
+                  description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
+                  options:
+                  - COUNT
+                  - SIZE
+                  global: True
+                  advanced: True
+                  forcedType: string
+                number_of_shards:
+                  title: shard count
+                  description: Desired shard count. Note that this value is only used when the shrink method selected is 'COUNT'.
+                  global: True
+                  forcedType: int
+                  advanced: True
+                max_primary_shard_size:
+                  title: max shard size
+                  description: Desired shard size in gb/tb/pb eg. 100gb. Note that this value is only used when the shrink method selected is 'SIZE'.
+                  regex: ^[0-9]+(?:gb|tb|pb)$
+                  global: True
+                  forcedType: string
+                  advanced: True
+                allow_write_after_shrink:
+                  description: Allow writes after shrink.
+                  global: True
+                  forcedType: bool
+                  default: False
+                  advanced: True
+              forcemerge:
+                max_num_segments:
+                  description: Reduce the number of segments in each index shard and clean up deleted documents.
+                  global: True
+                  forcedType: int
+                  advanced: True
+                index_codec:
+                  title: compression
+                  description: Use higher compression for stored fields at the cost of slower performance.
+                  forcedType: bool
+                  global: True
+                  default: False
+                  advanced: True
          warm:
            min_age:
              description: Minimum age of index. ex. 30d - This determines when the index should be moved to the warm tier. Nodes in the warm tier generally don’t need to be as fast as those in the hot tier. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and warm min_age set to 30 then there will be 30 days from index creation to rollover and then an additional 30 days before moving to warm tier.
@@ -314,6 +448,52 @@ elasticsearch:
                  global: True
                  advanced: True
                  helpLink: elasticsearch.html
+              shrink:
+                method:
+                  description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
+                  options:
+                  - COUNT
+                  - SIZE
+                  global: True
+                  advanced: True
+                number_of_shards:
+                  title: shard count
+                  description: Desired shard count. Note that this value is only used when the shrink method selected is 'COUNT'.
+                  global: True
+                  forcedType: int
+                  advanced: True
+                max_primary_shard_size:
+                  title: max shard size
+                  description: Desired shard size in gb/tb/pb eg. 100gb. Note that this value is only used when the shrink method selected is 'SIZE'.
+                  regex: ^[0-9]+(?:gb|tb|pb)$
+                  global: True
+                  forcedType: string
+                  advanced: True
+                allow_write_after_shrink:
+                  description: Allow writes after shrink.
+                  global: True
+                  forcedType: bool
+                  default: False
+                  advanced: True
+              forcemerge:
+                max_num_segments:
+                  description: Reduce the number of segments in each index shard and clean up deleted documents.
+                  global: True
+                  forcedType: int
+                  advanced: True
+                index_codec:
+                  title: compression
+                  description: Use higher compression for stored fields at the cost of slower performance.
+                  forcedType: bool
+                  global: True
+                  default: False
+                  advanced: True
+              allocate:
+                number_of_replicas:
+                  description: Set the number of replicas. Remains the same as the previous phase by default.
+                  forcedType: int
+                  global: True
+                  advanced: True
          cold:
            min_age:
              description: Minimum age of index. ex. 60d - This determines when the index should be moved to the cold tier.  While still searchable, this tier is typically optimized for lower storage costs rather than search speed. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and cold min_age set to 60 then there will be 30 days from index creation to rollover and then an additional 60 days before moving to cold tier.
@@ -330,6 +510,12 @@ elasticsearch:
                  global: True
                  advanced: True
                  helpLink: elasticsearch.html
+              allocate:
+                number_of_replicas:
+                  description: Set the number of replicas. Remains the same as the previous phase by default.
+                  forcedType: int
+                  global: True
+                  advanced: True
          delete:
            min_age:
              description: Minimum age of index. ex. 90d - This determines when the index should be deleted. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and delete min_age set to 90 then there will be 30 days from index creation to rollover and then an additional 90 days before deletion.
--- a/salt/elasticsearch/template.map.jinja
+++ b/salt/elasticsearch/template.map.jinja
@@ -61,5 +61,55 @@
 {%       do settings.index_template.template.settings.index.pop('sort') %}
 {%     endif %}
 {%   endif %}
+
+{# advanced ilm actions #}
+{%   if settings.policy is defined and settings.policy.phases is defined %}
+{%     set PHASE_NAMES = ["hot", "warm", "cold"] %}
+{%     for P in PHASE_NAMES %}
+{%       if settings.policy.phases[P] is defined and settings.policy.phases[P].actions is defined %}
+{%         set PHASE = settings.policy.phases[P].actions %}
+{#         remove allocate action if number_of_replicas isn't configured #}
+{%         if PHASE.allocate is defined %}
+{%           if PHASE.allocate.number_of_replicas is not defined or PHASE.allocate.number_of_replicas == "" %}
+{%             do PHASE.pop('allocate', none) %}
+{%           endif %}
+{%         endif %}
+{#         start shrink action #}
+{%         if PHASE.shrink is defined %}
+{%           if PHASE.shrink.method is defined %}
+{%             if PHASE.shrink.method == 'COUNT' and PHASE.shrink.number_of_shards is defined and PHASE.shrink.number_of_shards %}
+{#               remove max_primary_shard_size value when doing shrink operation by count vs size #}
+{%               do PHASE.shrink.pop('max_primary_shard_size', none) %}
+{%             elif PHASE.shrink.method == 'SIZE' and PHASE.shrink.max_primary_shard_size is defined and PHASE.shrink.max_primary_shard_size %}
+{#               remove number_of_shards value when doing shrink operation by size vs count #}
+{%               do PHASE.shrink.pop('number_of_shards', none) %}
+{%             else %}
+{#               method isn't defined or missing a required config number_of_shards/max_primary_shard_size #}
+{%               do PHASE.pop('shrink', none) %}
+{%             endif %}
+{%           endif %}
+{%         endif %}
+{#         always remove shrink method since its only used for SOC config, not in the actual ilm policy #}
+{%         if PHASE.shrink is defined %}
+{%            do PHASE.shrink.pop('method', none) %}
+{%         endif %}
+{#         end shrink action #}
+{#         start force merge #}
+{%         if PHASE.forcemerge is defined %}
+{%           if PHASE.forcemerge.index_codec is defined and PHASE.forcemerge.index_codec %}
+{%             do PHASE.forcemerge.update({'index_codec': 'best_compression'}) %}
+{%           else %}
+{%             do PHASE.forcemerge.pop('index_codec', none) %}
+{%           endif %}
+{%           if PHASE.forcemerge.max_num_segments is not defined or not PHASE.forcemerge.max_num_segments %}
+{#             max_num_segments is empty, drop it #}
+{%             do PHASE.pop('forcemerge', none) %}
+{%           endif %}
+{%         endif %}
+{#         end force merge #}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+
 {%   do ES_INDEX_SETTINGS.update({index | replace("_x_", "."): ES_INDEX_SETTINGS_GLOBAL_OVERRIDES[index]}) %}
 {% endfor %}
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -214,7 +214,7 @@ git_config_set_safe_dirs:

 surinsmrulesdir:
  file.directory:
-    - name: /nsm/rules/suricata
+    - name: /nsm/rules/suricata/etopen
    - user: 939
    - group: 939
    - makedirs: True
--- a/salt/manager/managed_soc_annotations.sls
+++ b/salt/manager/managed_soc_annotations.sls
@@ -25,13 +25,11 @@
           {% set index_settings = es.get('index_settings', {}) %}
           {% set input = index_settings.get('so-logs', {}) %}
           {% for k in matched_integration_names %}
-           {%   if k not in index_settings %}
-           {%     set _ = index_settings.update({k: input}) %}
-           {%   endif %}
+           {%   do index_settings.update({k: input}) %}
           {% endfor %}
           {% for k in addon_integration_keys %}
           {%   if k not in matched_integration_names and k in index_settings %}
-           {%     set _ = index_settings.pop(k) %}
+           {%     do index_settings.pop(k) %}
           {%   endif %}
           {% endfor %}
           {{ data }}
@@ -45,14 +43,12 @@
           {% set es = data.get('elasticsearch', {}) %}
           {% set index_settings = es.get('index_settings', {}) %}
           {% for k in matched_integration_names %}
-           {%   if k not in index_settings %}
-           {%     set input = ADDON_INTEGRATION_DEFAULTS[k] %}
-           {%     set _ = index_settings.update({k: input})%}
-           {%   endif %}
+           {%   set input = ADDON_INTEGRATION_DEFAULTS[k] %}
+           {%     do index_settings.update({k: input})%}
           {% endfor %}
           {% for k in addon_integration_keys %}
           {%   if k not in matched_integration_names and k in index_settings %}
-           {%     set _ = index_settings.pop(k) %}
+           {%     do index_settings.pop(k) %}
           {%   endif %}
           {% endfor %}
           {{ data }}
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -126,16 +126,130 @@ ADVPILLARFILE=/opt/so/saltstack/local/pillar/minions/adv_$MINION_ID.sls

 function getinstallinfo() {
 	log "INFO" "Getting install info for minion $MINION_ID"
-	# Pull from file
-	INSTALLVARS=$(sudo salt "$MINION_ID" cp.get_file_str /opt/so/install.txt --out=newline_values_only)
-	if [ $? -ne 0 ]; then
+
+	local install_json
+	local install_text
+
+	# Reset any prior values so we fail closed if the file is missing keys
+	MAINIP=""
+	MNIC=""
+	NODE_DESCRIPTION=""
+	ES_HEAP_SIZE=""
+	PATCHSCHEDULENAME=""
+	INTERFACE=""
+	NODETYPE=""
+	CORECOUNT=""
+	LSHOSTNAME=""
+	LSHEAP=""
+	CPUCORES=""
+	IDH_MGTRESTRICT=""
+	IDH_SERVICES=""
+
+	# Pull from file (treat it as data, not code)
+	install_json=$(sudo salt "$MINION_ID" cp.get_file_str /opt/so/install.txt --out=json 2>/dev/null)
+	if [ $? -ne 0 ] || [ -z "$install_json" ]; then
 		log "ERROR" "Failed to get install info from $MINION_ID"
 		return 1
 	fi

-	source <(echo $INSTALLVARS)
-	if [ $? -ne 0 ]; then
-		log "ERROR" "Failed to source install variables"
+	install_text=$(jq -r --arg id "$MINION_ID" '.[$id] // empty' <<<"$install_json" 2>/dev/null)
+	if [ $? -ne 0 ] || [ -z "$install_text" ] || [ "$install_text" == "null" ]; then
+		log "ERROR" "Failed to parse install info response for $MINION_ID"
+		return 1
+	fi
+
+	while IFS= read -r line; do
+		# Trim trailing CR (in case of CRLF files)
+		line=${line%$'\r'}
+
+		# Skip empty/comment lines
+		[[ -z "$line" || "$line" =~ ^[[:space:]]*# ]] && continue
+
+		if [[ "$line" =~ ^[[:space:]]*([A-Z0-9_]+)[[:space:]]*=(.*)$ ]]; then
+			local key="${BASH_REMATCH[1]}"
+			local value="${BASH_REMATCH[2]}"
+
+			# Trim leading whitespace from value (writers shouldn't include it, but tolerate it)
+			value="${value#"${value%%[![:space:]]*}"}"
+
+			# Strip a single layer of surrounding quotes
+			if [[ "$value" =~ ^\".*\"$ ]]; then
+				value="${value:1:${#value}-2}"
+			elif [[ "$value" =~ ^\'.*\'$ ]]; then
+				value="${value:1:${#value}-2}"
+			fi
+
+			case "$key" in
+				MAINIP)
+					[[ "$value" =~ ^[A-Za-z0-9.:-]+$ ]] || { log "ERROR" "Invalid MAINIP in install info"; return 1; }
+					MAINIP="$value"
+					;;
+				MNIC)
+					[[ "$value" =~ ^[A-Za-z0-9_.:-]+$ ]] || { log "ERROR" "Invalid MNIC in install info"; return 1; }
+					MNIC="$value"
+					;;
+				NODE_DESCRIPTION)
+					# Allow spaces and common punctuation, but reject control chars
+					[[ "$value" =~ ^[[:print:]]{0,256}$ ]] || { log "ERROR" "Invalid NODE_DESCRIPTION in install info"; return 1; }
+					NODE_DESCRIPTION="$value"
+					;;
+				ES_HEAP_SIZE)
+					[[ "$value" =~ ^[0-9]+[kKmMgGtTpPeE]?$ ]] || { log "ERROR" "Invalid ES_HEAP_SIZE in install info"; return 1; }
+					ES_HEAP_SIZE="$value"
+					;;
+				PATCHSCHEDULENAME)
+					[[ "$value" =~ ^[A-Za-z0-9._-]*$ ]] || { log "ERROR" "Invalid PATCHSCHEDULENAME in install info"; return 1; }
+					PATCHSCHEDULENAME="$value"
+					;;
+				INTERFACE)
+					[[ "$value" =~ ^[A-Za-z0-9._:,-]+$ ]] || { log "ERROR" "Invalid INTERFACE in install info"; return 1; }
+					INTERFACE="$value"
+					;;
+				NODETYPE)
+					[[ "$value" =~ ^[A-Z0-9_]+$ ]] || { log "ERROR" "Invalid NODETYPE in install info"; return 1; }
+					if ! declare -F "create${value}" >/dev/null; then
+						log "ERROR" "Unknown NODETYPE '$value' in install info"
+						return 1
+					fi
+					NODETYPE="$value"
+					;;
+				CORECOUNT)
+					[[ "$value" =~ ^[0-9]+$ ]] || { log "ERROR" "Invalid CORECOUNT in install info"; return 1; }
+					CORECOUNT="$value"
+					;;
+				LSHOSTNAME)
+					[[ "$value" =~ ^[A-Za-z0-9.-]+$ ]] || { log "ERROR" "Invalid LSHOSTNAME in install info"; return 1; }
+					LSHOSTNAME="$value"
+					;;
+				LSHEAP)
+					[[ "$value" =~ ^[0-9]+[kKmMgGtTpPeE]?$ ]] || { log "ERROR" "Invalid LSHEAP in install info"; return 1; }
+					LSHEAP="$value"
+					;;
+				CPUCORES)
+					[[ "$value" =~ ^[0-9]+$ ]] || { log "ERROR" "Invalid CPUCORES in install info"; return 1; }
+					CPUCORES="$value"
+					;;
+				IDH_MGTRESTRICT)
+					[[ "$value" == "True" || "$value" == "False" ]] || { log "ERROR" "Invalid IDH_MGTRESTRICT in install info"; return 1; }
+					IDH_MGTRESTRICT="$value"
+					;;
+				IDH_SERVICES)
+					[[ "$value" =~ ^[[:print:]]{0,512}$ ]] || { log "ERROR" "Invalid IDH_SERVICES in install info"; return 1; }
+					IDH_SERVICES="$value"
+					;;
+				*)
+					# Ignore unknown keys for forward compatibility
+					:
+					;;
+			esac
+		else
+			log "ERROR" "Invalid install info line from $MINION_ID"
+			return 1
+		fi
+	done <<<"$install_text"
+
+	if [[ -z "$NODETYPE" || -z "$MAINIP" || -z "$MNIC" ]]; then
+		log "ERROR" "Missing required install variables from $MINION_ID"
 		return 1
 	fi
 }
@@ -996,7 +1110,7 @@ function setupMinionFiles() {
 	log "INFO" "Setting up minion files for $MINION_ID"
 	
 	# Check to see if nodetype is set
-	if [ -z $NODETYPE ]; then
+	if [ -z "$NODETYPE" ]; then
 		error_msg="No node type specified"
 		log "ERROR" "$error_msg"
 		echo "$error_msg"
@@ -1018,7 +1132,12 @@ function setupMinionFiles() {
 	fi

 	# Create node-specific configuration
-	create$NODETYPE || return 1
+	local create_func="create${NODETYPE}"
+	if ! declare -F "$create_func" >/dev/null; then
+		log "ERROR" "Unknown node type '$NODETYPE'"
+		return 1
+	fi
+	"$create_func" || return 1
 	
 	# Ensure proper ownership after all content is written
 	ensure_socore_ownership || return 1
--- a/salt/manager/tools/sbin/so-yaml.py
+++ b/salt/manager/tools/sbin/so-yaml.py
@@ -17,6 +17,7 @@ def showUsage(args):
    print('Usage: {} <COMMAND> <YAML_FILE> [ARGS...]'.format(sys.argv[0]), file=sys.stderr)
    print('  General commands:', file=sys.stderr)
    print('    append         - Append a list item to a yaml key, if it exists and is a list. Requires KEY and LISTITEM args.', file=sys.stderr)
+    print('    removelistitem - Remove a list item from a yaml key, if it exists and is a list. Requires KEY and LISTITEM args.', file=sys.stderr)
    print('    add            - Add a new key and set its value. Fails if key already exists. Requires KEY and VALUE args.', file=sys.stderr)
    print('    get            - Displays (to stdout) the value stored in the given key. Requires KEY arg.', file=sys.stderr)
    print('    remove         - Removes a yaml key, if it exists. Requires KEY arg.', file=sys.stderr)
@@ -57,6 +58,24 @@ def appendItem(content, key, listItem):
            return 1


+def removeListItem(content, key, listItem):
+    pieces = key.split(".", 1)
+    if len(pieces) > 1:
+        removeListItem(content[pieces[0]], pieces[1], listItem)
+    else:
+        try:
+            if not isinstance(content[key], list):
+                raise AttributeError("Value is not a list")
+            if listItem in content[key]:
+                content[key].remove(listItem)
+        except (AttributeError, TypeError):
+            print("The existing value for the given key is not a list. No action was taken on the file.", file=sys.stderr)
+            return 1
+        except KeyError:
+            print("The key provided does not exist. No action was taken on the file.", file=sys.stderr)
+            return 1
+
+
 def convertType(value):
    if isinstance(value, str) and value.startswith("file:"):
        path = value[5:]  # Remove "file:" prefix
@@ -103,6 +122,23 @@ def append(args):
    return 0


+def removelistitem(args):
+    if len(args) != 3:
+        print('Missing filename, key arg, or list item to remove', file=sys.stderr)
+        showUsage(None)
+        return 1
+
+    filename = args[0]
+    key = args[1]
+    listItem = args[2]
+
+    content = loadYaml(filename)
+    removeListItem(content, key, convertType(listItem))
+    writeYaml(filename, content)
+
+    return 0
+
+
 def addKey(content, key, value):
    pieces = key.split(".", 1)
    if len(pieces) > 1:
@@ -211,6 +247,7 @@ def main():
        "help": showUsage,
        "add": add,
        "append": append,
+        "removelistitem": removelistitem,
        "get": get,
        "remove": remove,
        "replace": replace,
--- a/salt/manager/tools/sbin/so-yaml_test.py
+++ b/salt/manager/tools/sbin/so-yaml_test.py
@@ -457,3 +457,126 @@ class TestRemove(unittest.TestCase):
                self.assertEqual(result, 1)
                self.assertIn("Missing filename or key arg", mock_stderr.getvalue())
                sysmock.assert_called_once_with(1)
+
+
+class TestRemoveListItem(unittest.TestCase):
+
+    def test_removelistitem_missing_arg(self):
+        with patch('sys.exit', new=MagicMock()) as sysmock:
+            with patch('sys.stderr', new=StringIO()) as mock_stderr:
+                sys.argv = ["cmd", "help"]
+                soyaml.removelistitem(["file", "key"])
+                sysmock.assert_called()
+                self.assertIn("Missing filename, key arg, or list item to remove", mock_stderr.getvalue())
+
+    def test_removelistitem(self):
+        filename = "/tmp/so-yaml_test-removelistitem.yaml"
+        file = open(filename, "w")
+        file.write("{key1: { child1: 123, child2: abc }, key2: false, key3: [a,b,c]}")
+        file.close()
+
+        soyaml.removelistitem([filename, "key3", "b"])
+
+        file = open(filename, "r")
+        actual = file.read()
+        file.close()
+
+        expected = "key1:\n  child1: 123\n  child2: abc\nkey2: false\nkey3:\n- a\n- c\n"
+        self.assertEqual(actual, expected)
+
+    def test_removelistitem_nested(self):
+        filename = "/tmp/so-yaml_test-removelistitem.yaml"
+        file = open(filename, "w")
+        file.write("{key1: { child1: 123, child2: [a,b,c] }, key2: false, key3: [e,f,g]}")
+        file.close()
+
+        soyaml.removelistitem([filename, "key1.child2", "b"])
+
+        file = open(filename, "r")
+        actual = file.read()
+        file.close()
+
+        expected = "key1:\n  child1: 123\n  child2:\n  - a\n  - c\nkey2: false\nkey3:\n- e\n- f\n- g\n"
+        self.assertEqual(actual, expected)
+
+    def test_removelistitem_nested_deep(self):
+        filename = "/tmp/so-yaml_test-removelistitem.yaml"
+        file = open(filename, "w")
+        file.write("{key1: { child1: 123, child2: { deep1: 45, deep2: [a,b,c] } }, key2: false, key3: [e,f,g]}")
+        file.close()
+
+        soyaml.removelistitem([filename, "key1.child2.deep2", "b"])
+
+        file = open(filename, "r")
+        actual = file.read()
+        file.close()
+
+        expected = "key1:\n  child1: 123\n  child2:\n    deep1: 45\n    deep2:\n    - a\n    - c\nkey2: false\nkey3:\n- e\n- f\n- g\n"
+        self.assertEqual(actual, expected)
+
+    def test_removelistitem_item_not_in_list(self):
+        filename = "/tmp/so-yaml_test-removelistitem.yaml"
+        file = open(filename, "w")
+        file.write("{key1: [a,b,c]}")
+        file.close()
+
+        soyaml.removelistitem([filename, "key1", "d"])
+
+        file = open(filename, "r")
+        actual = file.read()
+        file.close()
+
+        expected = "key1:\n- a\n- b\n- c\n"
+        self.assertEqual(actual, expected)
+
+    def test_removelistitem_key_noexist(self):
+        filename = "/tmp/so-yaml_test-removelistitem.yaml"
+        file = open(filename, "w")
+        file.write("{key1: { child1: 123, child2: { deep1: 45, deep2: [a,b,c] } }, key2: false, key3: [e,f,g]}")
+        file.close()
+
+        with patch('sys.exit', new=MagicMock()) as sysmock:
+            with patch('sys.stderr', new=StringIO()) as mock_stderr:
+                sys.argv = ["cmd", "removelistitem", filename, "key4", "h"]
+                soyaml.main()
+                sysmock.assert_called()
+                self.assertEqual("The key provided does not exist. No action was taken on the file.\n", mock_stderr.getvalue())
+
+    def test_removelistitem_key_noexist_deep(self):
+        filename = "/tmp/so-yaml_test-removelistitem.yaml"
+        file = open(filename, "w")
+        file.write("{key1: { child1: 123, child2: { deep1: 45, deep2: [a,b,c] } }, key2: false, key3: [e,f,g]}")
+        file.close()
+
+        with patch('sys.exit', new=MagicMock()) as sysmock:
+            with patch('sys.stderr', new=StringIO()) as mock_stderr:
+                sys.argv = ["cmd", "removelistitem", filename, "key1.child2.deep3", "h"]
+                soyaml.main()
+                sysmock.assert_called()
+                self.assertEqual("The key provided does not exist. No action was taken on the file.\n", mock_stderr.getvalue())
+
+    def test_removelistitem_key_nonlist(self):
+        filename = "/tmp/so-yaml_test-removelistitem.yaml"
+        file = open(filename, "w")
+        file.write("{key1: { child1: 123, child2: { deep1: 45, deep2: [a,b,c] } }, key2: false, key3: [e,f,g]}")
+        file.close()
+
+        with patch('sys.exit', new=MagicMock()) as sysmock:
+            with patch('sys.stderr', new=StringIO()) as mock_stderr:
+                sys.argv = ["cmd", "removelistitem", filename, "key1", "h"]
+                soyaml.main()
+                sysmock.assert_called()
+                self.assertEqual("The existing value for the given key is not a list. No action was taken on the file.\n", mock_stderr.getvalue())
+
+    def test_removelistitem_key_nonlist_deep(self):
+        filename = "/tmp/so-yaml_test-removelistitem.yaml"
+        file = open(filename, "w")
+        file.write("{key1: { child1: 123, child2: { deep1: 45, deep2: [a,b,c] } }, key2: false, key3: [e,f,g]}")
+        file.close()
+
+        with patch('sys.exit', new=MagicMock()) as sysmock:
+            with patch('sys.stderr', new=StringIO()) as mock_stderr:
+                sys.argv = ["cmd", "removelistitem", filename, "key1.child2.deep1", "h"]
+                soyaml.main()
+                sysmock.assert_called()
+                self.assertEqual("The existing value for the given key is not a list. No action was taken on the file.\n", mock_stderr.getvalue())
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -916,6 +916,8 @@ up_to_2.4.200() {
  echo "Backing up idstools config..."
  suricata_idstools_removal_pre

+  touch /opt/so/state/esfleet_logstash_config_pillar
+
  INSTALLEDVERSION=2.4.200
 }

@@ -1111,47 +1113,47 @@ suricata_idstools_removal_pre() {
 install -d -o 939 -g 939 -m 755 /opt/so/conf/soc/fingerprints
 install -o 939 -g 939 -m 644 /dev/null /opt/so/conf/soc/fingerprints/suricataengine.syncBlock
 cat > /opt/so/conf/soc/fingerprints/suricataengine.syncBlock << EOF
-Suricata ruleset sync is blocked until this file is removed. Make sure that you have manually added any custom Suricata rulesets via SOC config - review the documentation for more details: securityonion.net/docs
+Suricata ruleset sync is blocked until this file is removed. **CRITICAL** Make sure that you have manually added any custom Suricata rulesets via SOC config before removing this file - review the documentation for more details: https://docs.securityonion.net/en/2.4/nids.html#sync-block
 EOF

+# Remove possible symlink & create salt local rules dir
+[ -L /opt/so/saltstack/local/salt/suricata/rules ] && rm -f /opt/so/saltstack/local/salt/suricata/rules
+install -d -o 939 -g 939 /opt/so/saltstack/local/salt/suricata/rules/ || echo "Failed to create Suricata local rules directory"
+
 # Backup custom rules & overrides
 mkdir -p /nsm/backup/detections-migration/2-4-200
 cp /usr/sbin/so-rule-update /nsm/backup/detections-migration/2-4-200
 cp /opt/so/conf/idstools/etc/rulecat.conf /nsm/backup/detections-migration/2-4-200

-if [[ -f /opt/so/conf/soc/so-detections-backup.py ]]; then
-    python3 /opt/so/conf/soc/so-detections-backup.py
+# Backup so-detection index via reindex
+echo "Creating sos-backup index template..."
+template_result=$(/sbin/so-elasticsearch-query '_index_template/sos-backup' -X PUT \
+    --retry 5 --retry-delay 15 --retry-all-errors \
+    -d '{"index_patterns":["sos-backup-*"],"priority":501,"template":{"settings":{"index":{"number_of_replicas":0,"number_of_shards":1}}}}')

-    # Verify backup by comparing counts
-    echo "Verifying detection overrides backup..."
-    es_override_count=$(/sbin/so-elasticsearch-query 'so-detection/_count' \
-       -d '{"query": {"bool": {"must": [{"exists": {"field": "so_detection.overrides"}}]}}}' | jq -r '.count') || {
-        echo "  Error: Failed to query Elasticsearch for override count"
-        exit 1
-    }
+if [[ -z "$template_result" ]] || ! echo "$template_result" | jq -e '.acknowledged == true' > /dev/null 2>&1; then
+    echo "Error: Failed to create sos-backup index template"
+    echo "$template_result"
+    exit 1
+fi

-    if [[ ! "$es_override_count" =~ ^[0-9]+$ ]]; then
-        echo "  Error: Invalid override count from Elasticsearch: '$es_override_count'"
-        exit 1
-    fi
+BACKUP_INDEX="sos-backup-detection-$(date +%Y%m%d-%H%M%S)"
+echo "Backing up so-detection index to $BACKUP_INDEX..."
+reindex_result=$(/sbin/so-elasticsearch-query '_reindex?wait_for_completion=true' \
+    --retry 5 --retry-delay 15 --retry-all-errors \
+    -X POST -d "{\"source\": {\"index\": \"so-detection\"}, \"dest\": {\"index\": \"$BACKUP_INDEX\"}}")

-    backup_override_count=$(find /nsm/backup/detections/repo/*/overrides -type f 2>/dev/null | wc -l)
-
-    echo "  Elasticsearch overrides: $es_override_count"
-    echo "  Backed up overrides: $backup_override_count"
-
-    if [[ "$es_override_count" -gt 0 ]]; then
-        if [[ "$backup_override_count" -gt 0 ]]; then
-            echo "  Override backup verified successfully"
-        else
-            echo "  Error: Elasticsearch has $es_override_count overrides but backup has 0 files"
-            exit 1
-        fi
-    else
-        echo "  No overrides to backup"
-    fi
+if [[ -z "$reindex_result" ]]; then
+    echo "Error: Backup of detections failed - no response from Elasticsearch"
+    exit 1
+elif echo "$reindex_result" | jq -e '.created >= 0' > /dev/null 2>&1; then
+    echo "Backup complete: $(echo "$reindex_result" | jq -r '.created') documents copied"
+elif echo "$reindex_result" | grep -q "index_not_found_exception"; then
+    echo "so-detection index does not exist, skipping backup"
 else
-    echo "SOC Detections backup script not found, skipping detection backup"
+    echo "Error: Backup of detections failed"
+    echo "$reindex_result"
+    exit 1
 fi

 }
@@ -1172,21 +1174,47 @@ hash_normalized_file() {
        return 1
    fi

-    sed -E \
+    # Ensure trailing newline for consistent hashing regardless of source file
+    { sed -E \
        -e 's/^[[:space:]]+//; s/[[:space:]]+$//' \
        -e '/^$/d' \
        -e 's|--url=http://[^:]+:7788|--url=http://MANAGER:7788|' \
-        "$file" | sha256sum | awk '{print $1}'
+        "$file"; echo; } | sed '/^$/d' | sha256sum | awk '{print $1}'
 }

-# Known-default hashes
+# Known-default hashes for so-rule-update (ETOPEN ruleset)
 KNOWN_SO_RULE_UPDATE_HASHES=(
-    "8f1fe1cb65c08aab78830315b952785c7ccdcc108c5c0474f427e29d4e39ee5f"  # non-Airgap
-    "d23ac5a962c709dcb888103effb71444df72b46009b6c426e280dbfbc7d74d40"  # Airgap
+    # 2.4.100+ (suricata 7.0.3, non-airgap)
+    "5fbd067ced86c8ec72ffb7e1798aa624123b536fb9d78f4b3ad8d3b45db1eae7"  # 2.4.100-2.4.190 non-Airgap
+    # 2.4.90+ airgap (same for 2.4.90 and 2.4.100+)
+    "61f632c55791338c438c071040f1490066769bcce808b595b5cc7974a90e653a"  # 2.4.90+ Airgap
+    # 2.4.90 (suricata 6.0, non-airgap, comment inside proxy block)
+    "0380ec52a05933244ab0f0bc506576e1d838483647b40612d5fe4b378e47aedd"  # 2.4.90 non-Airgap
+    # 2.4.10-2.4.80 (suricata 6.0, non-airgap, comment outside proxy block)
+    "b6e4d1b5a78d57880ad038a9cd2cc6978aeb2dd27d48ea1a44dd866a2aee7ff4"  # 2.4.10-2.4.80 non-Airgap
+    # 2.4.10-2.4.80 airgap
+    "b20146526ace2b142fde4664f1386a9a1defa319b3a1d113600ad33a1b037dad"  # 2.4.10-2.4.80 Airgap
+    # 2.4.5 and earlier (no pidof check, non-airgap)
+    "d04f5e4015c348133d28a7840839e82d60009781eaaa1c66f7f67747703590dc"  # 2.4.5 non-Airgap
 )

+# Known-default hashes for rulecat.conf
 KNOWN_RULECAT_CONF_HASHES=(
-    "17fc663a83b30d4ba43ac6643666b0c96343c5ea6ea833fe6a8362fe415b666b"  # default
+    # 2.4.100+ (suricata 7.0.3)
+    "302e75dca9110807f09ade2eec3be1fcfc8b2bf6cf2252b0269bb72efeefe67e"  # 2.4.100-2.4.190 without SURICATA md_engine
+    "8029b7718c324a9afa06a5cf180afde703da1277af4bdd30310a6cfa3d6398cb"  # 2.4.100-2.4.190 with SURICATA md_engine
+    # 2.4.80-2.4.90 (suricata 6.0, with --suricata-version and --output)
+    "4d8b318e6950a6f60b02f307cf27c929efd39652990c1bd0c8820aa8a307e1e7"  # 2.4.80-2.4.90 without SURICATA md_engine
+    "a1ddf264c86c4e91c81c5a317f745a19466d4311e4533ec3a3c91fed04c11678"  # 2.4.80-2.4.90 with SURICATA md_engine
+    # 2.4.50-2.4.70 (/suri/ path, no --suricata-version)
+    "86e3afb8d0f00c62337195602636864c98580a13ca9cc85029661a539deae6ae"  # 2.4.50-2.4.70 without SURICATA md_engine
+    "5a97604ca5b820a10273a2d6546bb5e00c5122ca5a7dfe0ba0bfbce5fc026f4b"  # 2.4.50-2.4.70 with SURICATA md_engine
+    # 2.4.20-2.4.40 (/nids/ path without /suri/)
+    "d098ea9ecd94b5cca35bf33543f8ea8f48066a0785221fabda7fef43d2462c29"  # 2.4.20-2.4.40 without SURICATA md_engine
+    "9dbc60df22ae20d65738ba42e620392577857038ba92278e23ec182081d191cd"  # 2.4.20-2.4.40 with SURICATA md_engine
+    # 2.4.5-2.4.10 (/sorules/ path for extraction/filters)
+    "490f6843d9fca759ee74db3ada9c702e2440b8393f2cfaf07bbe41aaa6d955c3"  # 2.4.5-2.4.10 with SURICATA md_engine
+    # Note: 2.4.5-2.4.10 without SURICATA md_engine has same hash as 2.4.20-2.4.40 without SURICATA md_engine
 )

 # Check a config file against known hashes
@@ -1247,6 +1275,13 @@ custom_found=0
 check_config_file "$SO_RULE_UPDATE" "KNOWN_SO_RULE_UPDATE_HASHES" || custom_found=1
 check_config_file "$RULECAT_CONF" "KNOWN_RULECAT_CONF_HASHES" || custom_found=1

+# Check for ETPRO rules on airgap systems
+if [[ $is_airgap -eq 0 ]] && grep -q 'ETPRO ' /nsm/rules/suricata/emerging-all.rules 2>/dev/null; then
+    echo "ETPRO rules detected on airgap system - custom configuration"
+    echo "ETPRO rules detected on Airgap in /nsm/rules/suricata/emerging-all.rules" >> /opt/so/conf/soc/fingerprints/suricataengine.syncBlock
+    custom_found=1
+fi
+
 # If no custom configs found, remove syncBlock
 if [[ $custom_found -eq 0 ]]; then
    echo "idstools migration completed successfully - removing Suricata engine syncBlock"
@@ -1255,6 +1290,31 @@ else
    echo "Custom idstools configuration detected - syncBlock remains in place"
    echo "Review /opt/so/conf/soc/fingerprints/suricataengine.syncBlock for details"
 fi
+
+echo "Cleaning up idstools"
+echo "Stopping and removing the idstools container..."
+if [ -n "$(docker ps -q -f name=^so-idstools$)" ]; then
+    image_name=$(docker ps -a --filter name=^so-idstools$ --format '{{.Image}}' 2>/dev/null || true)
+    docker stop so-idstools || echo "Warning: failed to stop so-idstools container"
+    docker rm so-idstools || echo "Warning: failed to remove so-idstools container"
+
+    if [[ -n "$image_name" ]]; then
+        echo "Removing idstools image: $image_name"
+        docker rmi "$image_name" || echo "Warning: failed to remove image $image_name"
+    fi
+fi
+
+echo "Removing idstools symlink and scripts..."
+rm -rf /usr/sbin/so-idstools*
+sed -i '/^#\?so-idstools$/d' /opt/so/conf/so-status/so-status.conf
+crontab -l | grep -v 'so-rule-update' | crontab -
+
+# Backup the salt master config & manager pillar before editing it
+cp /opt/so/saltstack/local/pillar/minions/$MINIONID.sls /nsm/backup/detections-migration/2-4-200/
+cp /etc/salt/master  /nsm/backup/detections-migration/2-4-200/
+so-yaml.py remove /opt/so/saltstack/local/pillar/minions/$MINIONID.sls idstools
+so-yaml.py removelistitem /etc/salt/master file_roots.base /opt/so/rules/nids
+
 }

 determine_elastic_agent_upgrade() {
@@ -1303,7 +1363,7 @@ unmount_update() {

 update_airgap_rules() {
  # Copy the rules over to update them for airgap.
-  rsync -a $UPDATE_DIR/agrules/suricata/* /nsm/rules/suricata/
+  rsync -a --delete $UPDATE_DIR/agrules/suricata/ /nsm/rules/suricata/etopen/
  rsync -a $UPDATE_DIR/agrules/detect-sigma/* /nsm/rules/detect-sigma/
  rsync -a $UPDATE_DIR/agrules/detect-yara/* /nsm/rules/detect-yara/
  # Copy the securityonion-resorces repo over for SOC Detection Summaries and checkout the published summaries branch
@@ -1813,7 +1873,7 @@ main() {
      if [[ $is_airgap -eq 0 ]]; then
        echo ""
        echo "Cleaning repos on remote Security Onion nodes."
-        salt -C 'not *_eval and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' cmd.run "yum clean all"
+        salt -C 'not *_eval and not *_manager* and not *_standalone and G@os:OEL' cmd.run "dnf clean all"
        echo ""
      fi
    fi
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1622,12 +1622,11 @@ soc:
                sourceType: directory
            airgap:
              - name: Emerging-Threats
-                description: "Emerging Threats ruleset - To enable ET Pro, enter your license key below. Leave empty for ET Open (free) rules."
+                description: "Emerging Threats ruleset - To enable ET Pro on Airgap, review the documentation at https://docs.securityonion.net/suricata"
                licenseKey: ""
                enabled: true
-                sourceType: url
-                sourcePath: 'https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz'
-                urlHash: "https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz.md5"
+                sourceType: directory
+                sourcePath: /nsm/rules/suricata/etopen/
                license: "BSD"
                excludeFiles:
                  - "*deleted*"
@@ -2653,26 +2652,16 @@ soc:
          thresholdColorRatioMed: 0.75
          thresholdColorRatioMax: 1
          availableModels:
-            - id: sonnet-4
-              displayName: Claude Sonnet 4
-              contextLimitSmall: 200000
-              contextLimitLarge: 1000000
-              lowBalanceColorAlert: 500000
-              enabled: true
            - id: sonnet-4.5
-              displayName: Claude Sonnet 4.5
+              displayName: Claude Sonnet 4.5 ($$$)
+              origin: USA
              contextLimitSmall: 200000
              contextLimitLarge: 1000000
              lowBalanceColorAlert: 500000
              enabled: true
-            - id: gptoss-120b
-              displayName: GPT-OSS 120B
-              contextLimitSmall: 128000
-              contextLimitLarge: 128000
-              lowBalanceColorAlert: 500000
-              enabled: true
            - id: qwen-235b
-              displayName: QWEN 235B
+              displayName: QWEN 235B ($)
+              origin: China
              contextLimitSmall: 256000
              contextLimitLarge: 256000
              lowBalanceColorAlert: 500000
--- a/salt/soc/files/soc/so-detections-backup.py
+++ b/salt/soc/files/soc/so-detections-backup.py
@@ -6,6 +6,7 @@
 # This script queries Elasticsearch for Custom Detections and all Overrides,
 # and git commits them to disk at $OUTPUT_DIR

+import argparse
 import os
 import subprocess
 import json
@@ -18,10 +19,10 @@ from datetime import datetime
 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

 # Constants
-ES_URL = "https://localhost:9200/so-detection/_search"
+DEFAULT_INDEX = "so-detection"
+DEFAULT_OUTPUT_DIR = "/nsm/backup/detections/repo"
 QUERY_DETECTIONS = '{"query": {"bool": {"must": [{"match_all": {}}, {"term": {"so_detection.ruleset": "__custom__"}}]}},"size": 10000}'
 QUERY_OVERRIDES = '{"query": {"bool": {"must": [{"exists": {"field": "so_detection.overrides"}}]}},"size": 10000}'
-OUTPUT_DIR = "/nsm/backup/detections/repo"
 AUTH_FILE = "/opt/so/conf/elasticsearch/curl.config"

 def get_auth_credentials(auth_file):
@@ -30,9 +31,10 @@ def get_auth_credentials(auth_file):
            if line.startswith('user ='):
                return line.split('=', 1)[1].strip().replace('"', '')

-def query_elasticsearch(query, auth):
+def query_elasticsearch(query, auth, index):
+    url = f"https://localhost:9200/{index}/_search"
    headers = {"Content-Type": "application/json"}
-    response = requests.get(ES_URL, headers=headers, data=query, auth=auth, verify=False)
+    response = requests.get(url, headers=headers, data=query, auth=auth, verify=False)
    response.raise_for_status()
    return response.json()

@@ -47,12 +49,12 @@ def save_content(hit, base_folder, subfolder="", extension="txt"):
        f.write(content)
    return file_path

-def save_overrides(hit):
+def save_overrides(hit, output_dir):
    so_detection = hit["_source"]["so_detection"]
    public_id = so_detection["publicId"]
    overrides = so_detection["overrides"]
    language = so_detection["language"]
-    folder = os.path.join(OUTPUT_DIR, language, "overrides")
+    folder = os.path.join(output_dir, language, "overrides")
    os.makedirs(folder, exist_ok=True)
    extension = "yaml" if language == "sigma" else "txt"
    file_path = os.path.join(folder, f"{public_id}.{extension}")
@@ -60,20 +62,20 @@ def save_overrides(hit):
        f.write('\n'.join(json.dumps(override) for override in overrides) if isinstance(overrides, list) else overrides)
    return file_path

-def ensure_git_repo():
-    if not os.path.isdir(os.path.join(OUTPUT_DIR, '.git')):
+def ensure_git_repo(output_dir):
+    if not os.path.isdir(os.path.join(output_dir, '.git')):
        subprocess.run(["git", "config", "--global", "init.defaultBranch", "main"], check=True)
-        subprocess.run(["git", "-C", OUTPUT_DIR, "init"], check=True)
-        subprocess.run(["git", "-C", OUTPUT_DIR, "remote", "add", "origin", "default"], check=True)
+        subprocess.run(["git", "-C", output_dir, "init"], check=True)
+        subprocess.run(["git", "-C", output_dir, "remote", "add", "origin", "default"], check=True)

-def commit_changes():
-    ensure_git_repo()
-    subprocess.run(["git", "-C", OUTPUT_DIR, "config", "user.email", "securityonion@local.invalid"], check=True)
-    subprocess.run(["git", "-C", OUTPUT_DIR, "config", "user.name", "securityonion"], check=True)
-    subprocess.run(["git", "-C", OUTPUT_DIR, "add", "."], check=True)
-    status_result = subprocess.run(["git", "-C", OUTPUT_DIR, "status"], capture_output=True, text=True)
+def commit_changes(output_dir):
+    ensure_git_repo(output_dir)
+    subprocess.run(["git", "-C", output_dir, "config", "user.email", "securityonion@local.invalid"], check=True)
+    subprocess.run(["git", "-C", output_dir, "config", "user.name", "securityonion"], check=True)
+    subprocess.run(["git", "-C", output_dir, "add", "."], check=True)
+    status_result = subprocess.run(["git", "-C", output_dir, "status"], capture_output=True, text=True)
    print(status_result.stdout)
-    commit_result = subprocess.run(["git", "-C", OUTPUT_DIR, "commit", "-m", "Update detections and overrides"], check=False, capture_output=True)
+    commit_result = subprocess.run(["git", "-C", output_dir, "commit", "-m", "Update detections and overrides"], check=False, capture_output=True)
    if commit_result.returncode == 1:
        print("No changes to commit.")
    elif commit_result.returncode == 0:
@@ -81,28 +83,40 @@ def commit_changes():
    else:
        commit_result.check_returncode()

+def parse_args():
+    parser = argparse.ArgumentParser(description="Backup custom detections and overrides from Elasticsearch")
+    parser.add_argument("--output", "-o", default=DEFAULT_OUTPUT_DIR,
+                        help=f"Output directory for backups (default: {DEFAULT_OUTPUT_DIR})")
+    parser.add_argument("--index", "-i", default=DEFAULT_INDEX,
+                        help=f"Elasticsearch index to query (default: {DEFAULT_INDEX})")
+    return parser.parse_args()
+
 def main():
+    args = parse_args()
+    output_dir = args.output
+    index = args.index
+
    try:
        timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
-        print(f"Backing up Custom Detections and all Overrides to {OUTPUT_DIR} - {timestamp}\n")
+        print(f"Backing up Custom Detections and all Overrides to {output_dir} - {timestamp}\n")

-        os.makedirs(OUTPUT_DIR, exist_ok=True)
+        os.makedirs(output_dir, exist_ok=True)

        auth_credentials = get_auth_credentials(AUTH_FILE)
        username, password = auth_credentials.split(':', 1)
        auth = HTTPBasicAuth(username, password)

        # Query and save custom detections
-        detections = query_elasticsearch(QUERY_DETECTIONS, auth)["hits"]["hits"]
+        detections = query_elasticsearch(QUERY_DETECTIONS, auth, index)["hits"]["hits"]
        for hit in detections:
-            save_content(hit, OUTPUT_DIR, hit["_source"]["so_detection"]["language"], "yaml" if hit["_source"]["so_detection"]["language"] == "sigma" else "txt")
+            save_content(hit, output_dir, hit["_source"]["so_detection"]["language"], "yaml" if hit["_source"]["so_detection"]["language"] == "sigma" else "txt")

        # Query and save overrides
-        overrides = query_elasticsearch(QUERY_OVERRIDES, auth)["hits"]["hits"]
+        overrides = query_elasticsearch(QUERY_OVERRIDES, auth, index)["hits"]["hits"]
        for hit in overrides:
-            save_overrides(hit)
+            save_overrides(hit, output_dir)

-        commit_changes()
+        commit_changes(output_dir)

        timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
        print(f"Backup Completed - {timestamp}")
--- a/salt/soc/files/soc/so-detections-backup_test.py
+++ b/salt/soc/files/soc/so-detections-backup_test.py
@@ -58,11 +58,11 @@ class TestBackupScript(unittest.TestCase):
        mock_response.raise_for_status = MagicMock()
        mock_get.return_value = mock_response

-        response = ds.query_elasticsearch(ds.QUERY_DETECTIONS, self.auth)
+        response = ds.query_elasticsearch(ds.QUERY_DETECTIONS, self.auth, ds.DEFAULT_INDEX)

        self.assertEqual(response, {'hits': {'hits': []}})
        mock_get.assert_called_once_with(
-            ds.ES_URL,
+            f"https://localhost:9200/{ds.DEFAULT_INDEX}/_search",
            headers={"Content-Type": "application/json"},
            data=ds.QUERY_DETECTIONS,
            auth=self.auth,
@@ -81,7 +81,7 @@ class TestBackupScript(unittest.TestCase):
    @patch('os.makedirs')
    @patch('builtins.open', new_callable=mock_open)
    def test_save_overrides(self, mock_file, mock_makedirs):
-        file_path = ds.save_overrides(self.mock_override_hit)
+        file_path = ds.save_overrides(self.mock_override_hit, self.output_dir)
        expected_path = f'{self.output_dir}/sigma/overrides/test_id.yaml'
        self.assertEqual(file_path, expected_path)
        mock_makedirs.assert_called_once_with(f'{self.output_dir}/sigma/overrides', exist_ok=True)
@@ -91,7 +91,7 @@ class TestBackupScript(unittest.TestCase):
    def test_ensure_git_repo(self, mock_run):
        mock_run.return_value = MagicMock(returncode=0)

-        ds.ensure_git_repo()
+        ds.ensure_git_repo(self.output_dir)

        mock_run.assert_has_calls([
            call(["git", "config", "--global", "init.defaultBranch", "main"], check=True),
@@ -108,7 +108,7 @@ class TestBackupScript(unittest.TestCase):
        mock_run.side_effect = [mock_status_result, mock_commit_result, MagicMock(returncode=0), MagicMock(returncode=0), MagicMock(returncode=0), MagicMock(returncode=0), MagicMock(returncode=0), MagicMock(returncode=0)]

        print("Running test_commit_changes...")
-        ds.commit_changes()
+        ds.commit_changes(self.output_dir)
        print("Finished test_commit_changes.")

        mock_run.assert_has_calls([
@@ -120,13 +120,18 @@ class TestBackupScript(unittest.TestCase):
        ])

    @patch('builtins.print')
-    @patch('so-detections-backup.commit_changes')
-    @patch('so-detections-backup.save_overrides')
-    @patch('so-detections-backup.save_content')
-    @patch('so-detections-backup.query_elasticsearch')
-    @patch('so-detections-backup.get_auth_credentials')
+    @patch.object(ds, 'commit_changes')
+    @patch.object(ds, 'save_overrides')
+    @patch.object(ds, 'save_content')
+    @patch.object(ds, 'query_elasticsearch')
+    @patch.object(ds, 'get_auth_credentials')
    @patch('os.makedirs')
-    def test_main(self, mock_makedirs, mock_get_auth, mock_query, mock_save_content, mock_save_overrides, mock_commit, mock_print):
+    @patch.object(ds, 'parse_args')
+    def test_main(self, mock_parse_args, mock_makedirs, mock_get_auth, mock_query, mock_save_content, mock_save_overrides, mock_commit, mock_print):
+        mock_args = MagicMock()
+        mock_args.output = self.output_dir
+        mock_args.index = ds.DEFAULT_INDEX
+        mock_parse_args.return_value = mock_args
        mock_get_auth.return_value = self.auth_credentials
        mock_query.side_effect = [
            {'hits': {'hits': [{"_source": {"so_detection": {"publicId": "1", "content": "content1", "language": "sigma"}}}]}},
@@ -140,8 +145,8 @@ class TestBackupScript(unittest.TestCase):
        mock_makedirs.assert_called_once_with(self.output_dir, exist_ok=True)
        mock_get_auth.assert_called_once_with(ds.AUTH_FILE)
        mock_query.assert_has_calls([
-            call(ds.QUERY_DETECTIONS, self.auth),
-            call(ds.QUERY_OVERRIDES, self.auth)
+            call(ds.QUERY_DETECTIONS, self.auth, ds.DEFAULT_INDEX),
+            call(ds.QUERY_OVERRIDES, self.auth, ds.DEFAULT_INDEX)
        ])
        mock_save_content.assert_called_once_with(
            {"_source": {"so_detection": {"publicId": "1", "content": "content1", "language": "sigma"}}},
@@ -150,9 +155,10 @@ class TestBackupScript(unittest.TestCase):
            "yaml"
        )
        mock_save_overrides.assert_called_once_with(
-            {"_source": {"so_detection": {"publicId": "2", "overrides": [{"key": "value"}], "language": "suricata"}}}
+            {"_source": {"so_detection": {"publicId": "2", "overrides": [{"key": "value"}], "language": "suricata"}}},
+            self.output_dir
        )
-        mock_commit.assert_called_once()
+        mock_commit.assert_called_once_with(self.output_dir)
        mock_print.assert_called()

 if __name__ == '__main__':
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
@@ -70,7 +70,7 @@

 {# Define the Detections custom ruleset that should always be present #}
 {% set CUSTOM_RULESET = {
-  'name': 'custom',
+  'name': '__custom__',
  'description': 'User-created custom rules created via the Detections module in the SOC UI',
  'sourceType': 'elasticsearch',
  'sourcePath': 'so_detection.ruleset:__custom__',
@@ -83,7 +83,7 @@
 {# Always append the custom ruleset to suricataengine.rulesetSources if not already present #}
 {% if SOCMERGED.config.server.modules.suricataengine is defined and SOCMERGED.config.server.modules.suricataengine.rulesetSources is defined %}
 {%   if SOCMERGED.config.server.modules.suricataengine.rulesetSources is not mapping %}
-{%     set custom_names = SOCMERGED.config.server.modules.suricataengine.rulesetSources | selectattr('name', 'equalto', 'custom') | list %}
+{%     set custom_names = SOCMERGED.config.server.modules.suricataengine.rulesetSources | selectattr('name', 'equalto', '__custom__') | list %}
 {%     if custom_names | length == 0 %}
 {%       do SOCMERGED.config.server.modules.suricataengine.rulesetSources.append(CUSTOM_RULESET) %}
 {%     endif %}
@@ -108,21 +108,39 @@
 {%     if ruleset.name == 'Emerging-Threats' %}
 {%       if ruleset.licenseKey and ruleset.licenseKey != '' %}
 {#         License key is defined - transform to ETPRO #}
-{#         Engine Version is hardcoded in the URL - this does not change often: https://community.emergingthreats.net/t/supported-engines/71 #}
-{%         do ruleset.update({
-             'name': 'ETPRO',
-             'sourcePath': 'https://rules.emergingthreatspro.com/' ~ ruleset.licenseKey ~ '/suricata-7.0.3/etpro.rules.tar.gz',
-             'urlHash': 'https://rules.emergingthreatspro.com/' ~ ruleset.licenseKey ~ '/suricata-7.0.3/etpro.rules.tar.gz.md5',
-             'license': 'Commercial'
-           }) %}
+{%         if ruleset.sourceType == 'directory' %}
+{#           Airgap mode - update directory path #}
+{%           do ruleset.update({
+               'name': 'ETPRO',
+               'sourcePath': '/nsm/rules/custom-local-repos/local-etpro-suricata/etpro.rules.tar.gz',
+               'license': 'Commercial'
+             }) %}
+{%         else %}
+{#           Engine Version is hardcoded in the URL - this does not change often: https://community.emergingthreats.net/t/supported-engines/71 #}
+{%           do ruleset.update({
+               'name': 'ETPRO',
+               'sourcePath': 'https://rules.emergingthreatspro.com/' ~ ruleset.licenseKey ~ '/suricata-7.0.3/etpro.rules.tar.gz',
+               'urlHash': 'https://rules.emergingthreatspro.com/' ~ ruleset.licenseKey ~ '/suricata-7.0.3/etpro.rules.tar.gz.md5',
+               'license': 'Commercial'
+             }) %}
+{%         endif %}
 {%       else %}
 {#         No license key - explicitly set to ETOPEN #}
-{%         do ruleset.update({
-             'name': 'ETOPEN',
-             'sourcePath': 'https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.tar.gz',
-             'urlHash': 'https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.tar.gz.md5',
-             'license': 'BSD'
-           }) %}
+{%         if ruleset.sourceType == 'directory' %}
+{#           Airgap mode - update directory path #}
+{%           do ruleset.update({
+               'name': 'ETOPEN',
+               'sourcePath': '/nsm/rules/suricata/etopen/',
+               'license': 'BSD'
+             }) %}
+{%         else %}
+{%           do ruleset.update({
+               'name': 'ETOPEN',
+               'sourcePath': 'https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.tar.gz',
+               'urlHash': 'https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.tar.gz.md5',
+               'license': 'BSD'
+             }) %}
+{%         endif %}
 {%       endif %}
 {%     endif %}
 {%     endfor %}
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -608,6 +608,18 @@ soc:
                label: Delete Unreferenced (Deletes rules that are no longer referenced by ruleset source)
                forcedType: bool
                required: False
+              - field: proxyURL
+                label: HTTP/HTTPS proxy URL for downloading the ruleset.
+                required: False
+              - field: proxyUsername
+                label: Proxy authentication username.
+                required: False
+              - field: proxyPassword
+                label: Proxy authentication password.
+                required: False
+              - field: proxyCACert
+                label: Path to CA certificate file for MITM proxy verification.
+                required: False
            airgap: *serulesetSources
        navigator:
          intervalMinutes:
@@ -696,6 +708,9 @@ soc:
            - field: displayName
              label: Display Name
              required: True
+            - field: origin
+              label: Country of Origin for the Model Training
+              required: false
            - field: contextLimitSmall
              label: Context Limit (Small)
              forcedType: int
--- a/salt/suricata/config.sls
+++ b/salt/suricata/config.sls
@@ -22,6 +22,14 @@ suriPCAPbpfcompilationfailure:
 {%     endif %}
 {%   endif %}

+suridir:
+  file.directory:
+    - name: /opt/so/conf/suricata
+    - user: 940
+    - group: 939
+    - mode: 775
+    - makedirs: True
+
 # BPF applied to all of Suricata - alerts/metadata/pcap
 suribpf:
  file.managed:
@@ -81,13 +89,6 @@ suricata_sbin_jinja:
    - file_mode: 755
    - template: jinja

-suridir:
-  file.directory:
-    - name: /opt/so/conf/suricata
-    - user: 940
-    - group: 939
-    - mode: 775
-
 suriruledir:
  file.directory:
    - name: /opt/so/rules/suricata
@@ -123,7 +124,7 @@ surirulesync:
    - name: /opt/so/rules/suricata/
    - source: salt://suricata/rules/
    - user: 940
-    - group: 940
+    - group: 939
    - show_changes: False

 surilogscript:
@@ -159,7 +160,6 @@ surithresholding:
    - source: salt://suricata/files/threshold.conf
    - user: 940
    - group: 940
-    - onlyif: salt://suricata/files/threshold.conf

 suriclassifications:
  file.managed:
@@ -177,6 +177,14 @@ so-suricata-eve-clean:
    - template: jinja
    - source: salt://suricata/cron/so-suricata-eve-clean

+so-suricata-rulestats:
+  file.managed:
+    - name: /usr/sbin/so-suricata-rulestats
+    - user: root
+    - group: root
+    - mode: 755
+    - source: salt://suricata/cron/so-suricata-rulestats
+
 {% else %}

 {{sls}}_state_not_allowed:
--- a/salt/suricata/cron/so-suricata-rulestats
+++ b/salt/suricata/cron/so-suricata-rulestats
@@ -0,0 +1,39 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+# Query Suricata for ruleset stats and reload time, write to JSON file for Telegraf to consume
+
+OUTFILE="/opt/so/log/suricata/rulestats.json"
+SURICATASC="docker exec so-suricata /opt/suricata/bin/suricatasc"
+SOCKET="/var/run/suricata/suricata-command.socket"
+
+query() {
+    timeout 10 $SURICATASC -c "$1" "$SOCKET" 2>/dev/null
+}
+
+STATS=$(query "ruleset-stats")
+RELOAD=$(query "ruleset-reload-time")
+[ -z "$RELOAD" ] && RELOAD='{}'
+
+# Outputs valid JSON on success, empty on failure
+OUTPUT=$(jq -n \
+    --argjson stats "$STATS" \
+    --argjson reload "$RELOAD" \
+    'if $stats.return == "OK" and ($stats.message[0].rules_loaded | type) == "number" and ($stats.message[0].rules_failed | type) == "number" then
+        {
+            rules_loaded: $stats.message[0].rules_loaded,
+            rules_failed: $stats.message[0].rules_failed,
+            last_reload: ($reload.message[0].last_reload // ""),
+            return: "OK"
+        }
+    else empty end' 2>/dev/null)
+
+if [ -n "$OUTPUT" ]; then
+    echo "$OUTPUT" > "$OUTFILE"
+else
+    echo '{"return":"FAIL"}' > "$OUTFILE"
+fi
--- a/salt/suricata/disabled.sls
+++ b/salt/suricata/disabled.sls
@@ -23,6 +23,11 @@ clean_suricata_eve_files:
  cron.absent:
    - identifier: clean_suricata_eve_files

+# Remove rulestats cron
+rulestats:
+  cron.absent:
+    - identifier: suricata_rulestats
+
 {% else %}

 {{sls}}_state_not_allowed:
--- a/salt/suricata/enabled.sls
+++ b/salt/suricata/enabled.sls
@@ -90,6 +90,18 @@ clean_suricata_eve_files:
    - month: '*'
    - dayweek: '*'

+# Add rulestats cron - runs every minute to query Suricata for rule load status
+suricata_rulestats:
+  cron.present:
+    - name: /usr/sbin/so-suricata-rulestats > /dev/null 2>&1
+    - identifier: suricata_rulestats
+    - user: root
+    - minute: '*'
+    - hour: '*'
+    - daymonth: '*'
+    - month: '*'
+    - dayweek: '*'
+
 {% else %}

 {{sls}}_state_not_allowed:
--- a/salt/suricata/files/threshold.conf
+++ b/salt/suricata/files/threshold.conf
@@ -0,0 +1,2 @@
+# Threshold configuration generated by Security Onion
+# This file is automatically generated - do not edit manually
--- a/salt/telegraf/defaults.yaml
+++ b/salt/telegraf/defaults.yaml
@@ -21,6 +21,7 @@ telegraf:
      - sostatus.sh
      - stenoloss.sh
      - suriloss.sh
+      - surirules.sh
      - zeekcaptureloss.sh
      - zeekloss.sh
    standalone:
@@ -36,6 +37,7 @@ telegraf:
      - sostatus.sh
      - stenoloss.sh
      - suriloss.sh
+      - surirules.sh
      - zeekcaptureloss.sh
      - zeekloss.sh
      - features.sh
@@ -81,6 +83,7 @@ telegraf:
      - sostatus.sh
      - stenoloss.sh
      - suriloss.sh
+      - surirules.sh
      - zeekcaptureloss.sh
      - zeekloss.sh
      - features.sh
@@ -95,6 +98,7 @@ telegraf:
      - sostatus.sh
      - stenoloss.sh
      - suriloss.sh
+      - surirules.sh
      - zeekcaptureloss.sh
      - zeekloss.sh
    idh:
--- a/salt/telegraf/scripts/surirules.sh
+++ b/salt/telegraf/scripts/surirules.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+# Read Suricata ruleset stats from JSON file written by so-suricata-rulestats cron job
+# JSON format: {"rules_loaded":45879,"rules_failed":1,"last_reload":"2025-12-04T14:10:57+0000","return":"OK"}
+# or on failure: {"return":"FAIL"}
+
+# if this script isn't already running
+if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
+
+    STATSFILE="/var/log/suricata/rulestats.json"
+
+    # Check file exists, is less than 90 seconds old, and has valid data
+    if [ -f "$STATSFILE" ] && [ $(($(date +%s) - $(stat -c %Y "$STATSFILE"))) -lt 90 ] && jq -e '.return == "OK" and .rules_loaded != null and .rules_failed != null' "$STATSFILE" > /dev/null 2>&1; then
+        LOADED=$(jq -r '.rules_loaded' "$STATSFILE")
+        FAILED=$(jq -r '.rules_failed' "$STATSFILE")
+        RELOAD_TIME=$(jq -r 'if .last_reload then .last_reload else "" end' "$STATSFILE")
+
+        if [ -n "$RELOAD_TIME" ]; then
+            echo "surirules loaded=${LOADED}i,failed=${FAILED}i,reload_time=\"${RELOAD_TIME}\",status=\"ok\""
+        else
+            echo "surirules loaded=${LOADED}i,failed=${FAILED}i,status=\"ok\""
+        fi
+    else
+        echo "surirules loaded=0i,failed=0i,status=\"unknown\""
+    fi
+
+fi
+
+exit 0
--- a/salt/zeek/files/config.zeek.ja4
+++ b/salt/zeek/files/config.zeek.ja4
@@ -11,6 +11,8 @@ export {
  option JA4S_enabled:   bool = F;
  option JA4S_raw:   bool = F;

+  option JA4D_enabled:  bool = F;
+
  option JA4H_enabled:   bool = F;
  option JA4H_raw:   bool = F;

--- a/setup/so-functions
+++ b/setup/so-functions
@@ -656,11 +656,11 @@ check_requirements() {
 	fi
 	
 	if [[ $total_mem_hr -lt $req_mem ]]; then
-		whiptail_requirements_error "memory" "${total_mem_hr} GB" "${req_mem} GB"
 		if [[ $is_standalone || $is_heavynode ]]; then
 			echo "This install type will fail with less than $req_mem GB of memory. Exiting setup."
 			exit 0
 		fi
+		whiptail_requirements_error "memory" "${total_mem_hr} GB" "${req_mem} GB"
 	fi
 	if [[ $is_standalone || $is_heavynode ]]; then
 		if [[ $total_mem_hr -gt 15 && $total_mem_hr -lt 24 ]]; then
@@ -1504,7 +1504,13 @@ networking_needful() {
 	if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then
 		collect_hostname
 	fi
-	[[ ! ( $is_eval || $is_import ) ]] && whiptail_node_description
+	if [[ ! ( $is_eval || $is_import ) ]]; then
+		whiptail_node_description
+		while [[ "$NODE_DESCRIPTION" =~ [[:cntrl:]] ]]; do
+			whiptail_error_message "Node description cannot contain control characters. Please enter a new description."
+			whiptail_node_description
+		done
+	fi
 	if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then
 		network_init_whiptail
 	else
@@ -1598,16 +1604,21 @@ proxy_validate() {

 reserve_group_ids() {
 	# This is a hack to fix OS from taking group IDs that we need
+	logCmd "groupadd -g 920 docker"
 	logCmd "groupadd -g 928 kratos"
 	logCmd "groupadd -g 930 elasticsearch"
 	logCmd "groupadd -g 931 logstash"
 	logCmd "groupadd -g 932 kibana"
 	logCmd "groupadd -g 933 elastalert"
 	logCmd "groupadd -g 937 zeek"
+	logCmd "groupadd -g 938 salt"
+	logCmd "groupadd -g 939 socore"
 	logCmd "groupadd -g 940 suricata"
+	logCmd "groupadd -g 948 elastic-agent-pr"
+	logCmd "groupadd -g 949 elastic-agent"
 	logCmd "groupadd -g 941 stenographer"
-	logCmd "groupadd -g 945 ossec"
-	logCmd "groupadd -g 946 cyberchef"
+	logCmd "groupadd -g 947 elastic-fleet"
+	logCmd "groupadd -g 960 kafka"
 }

 reserve_ports() {
@@ -1751,6 +1762,50 @@ backup_dir() {
 }

 drop_install_options() {
+	# Ensure values written to install.txt won't later fail manager-side parsing in so-minion
+	strip_control_chars() {
+		# bash: remove ASCII control characters (incl. newlines/tabs/ESC)
+		printf '%s' "$1" | tr -d '[:cntrl:]'
+	}
+
+	validate_install_txt_vars() {
+		# Sanitize first (fail closed if still invalid)
+		MAINIP="$(strip_control_chars "$MAINIP")"
+		MNIC="$(strip_control_chars "$MNIC")"
+		NODE_DESCRIPTION="$(strip_control_chars "$NODE_DESCRIPTION")"
+		ES_HEAP_SIZE="$(strip_control_chars "$ES_HEAP_SIZE")"
+		PATCHSCHEDULENAME="$(strip_control_chars "$PATCHSCHEDULENAME")"
+		INTERFACE="$(strip_control_chars "$INTERFACE")"
+		HOSTNAME="$(strip_control_chars "$HOSTNAME")"
+		LS_HEAP_SIZE="$(strip_control_chars "$LS_HEAP_SIZE")"
+		IDH_MGTRESTRICT="$(strip_control_chars "$IDH_MGTRESTRICT")"
+		IDH_SERVICES="$(strip_control_chars "$IDH_SERVICES")"
+
+		valid_ip4 "$MAINIP" || return 1
+		[[ "$MNIC" =~ ^[A-Za-z0-9_.:-]+$ ]] || return 1
+		[[ "$NODE_DESCRIPTION" =~ ^[[:print:]]{0,256}$ ]] || return 1
+		[[ "$ES_HEAP_SIZE" =~ ^[0-9]+[kKmMgGtTpPeE]?$ ]] || return 1
+		[[ "$PATCHSCHEDULENAME" =~ ^[A-Za-z0-9._-]*$ ]] || return 1
+		[[ "$INTERFACE" =~ ^[A-Za-z0-9._:,-]+$ ]] || return 1
+		valid_hostname "$HOSTNAME" || return 1
+		[[ "$LS_HEAP_SIZE" =~ ^[0-9]+[kKmMgGtTpPeE]?$ ]] || return 1
+		[[ "$lb_procs" =~ ^[0-9]+$ ]] || return 1
+		[[ "$num_cpu_cores" =~ ^[0-9]+$ ]] || return 1
+		[[ -z "$IDH_MGTRESTRICT" || "$IDH_MGTRESTRICT" == "True" || "$IDH_MGTRESTRICT" == "False" ]] || return 1
+		[[ -z "$IDH_SERVICES" || "$IDH_SERVICES" =~ ^[[:print:]]{0,512}$ ]] || return 1
+
+		return 0
+	}
+
+	if ! validate_install_txt_vars; then
+		if declare -F whiptail_error_message >/dev/null; then
+			whiptail_error_message "One or more setup values were invalid and would cause the manager to reject this node when adding it. Please re-run setup and verify hostname, management IP/interface, and node description."
+		else
+			echo "Error: invalid setup values detected; refusing to write /opt/so/install.txt"
+		fi
+		return 1
+	fi
+
 	# Drop the install Variable
 	echo "MAINIP=$MAINIP" > /opt/so/install.txt
 	echo "MNIC=$MNIC" >> /opt/so/install.txt
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -682,6 +682,8 @@ if ! [[ -f $install_opt_file ]]; then
 		fi
 		info "Reserving ports"
 		reserve_ports
+		info "Reserving group ids"
+		reserve_group_ids
 		info "Setting Paths"
 		# Set the paths
 		set_path
@@ -840,7 +842,10 @@ if ! [[ -f $install_opt_file ]]; then
 		if [[ $monints ]]; then
 			configure_network_sensor
 		fi
+		info "Reserving ports"
 		reserve_ports
+		info "Reserving group ids"
+		reserve_group_ids
 		# Set the version
 		mark_version
 		# Disable the setup from prompting at login
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -903,8 +903,9 @@ whiptail_management_nic() {
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus

-	while [ -z "$MNIC" ]
+	while [ -z "$MNIC" ] || [[ "$MNIC" =~ [[:cntrl:]] ]] || [[ ! "$MNIC" =~ ^[A-Za-z0-9_.:-]+$ ]]
 	do
+		whiptail_invalid_input
 		MNIC=$(whiptail --title "$whiptail_title" --menu "Please select the NIC you would like to use for management.\n\nUse the arrow keys to move around and the Enter key to select." 22 75 12 "${nic_list_management[@]}" 3>&1 1>&2 2>&3 )	
 		local exitstatus=$?
 		whiptail_check_exitstatus $exitstatus
@@ -1098,6 +1099,14 @@ whiptail_node_description() {

 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
+
+	while [[ "$NODE_DESCRIPTION" =~ [[:cntrl:]] ]]; do
+		whiptail_error_message "Node description cannot contain control characters. Please enter a new description."
+		NODE_DESCRIPTION=$(whiptail --title "$whiptail_title" \
+			--inputbox "Enter a short description for the node or press ENTER to leave blank:" 10 75 3>&1 1>&2 2>&3)
+		local exitstatus=$?
+		whiptail_check_exitstatus $exitstatus
+	done
 }

 whiptail_ntp_ask() {
Author	SHA1	Message	Date
Mike Reeves	3910e83436	Update Validation	2025-12-15 09:57:42 -05:00
Mike Reeves	26b329a9bd	Update Validation	2025-12-15 09:47:57 -05:00
Mike Reeves	506cbc62bb	Update Validation	2025-12-15 09:42:38 -05:00
Jason Ertel	285b0e4af9	Merge pull request #15308 from Security-Onion-Solutions/idstools-refactor Add trailing nl if it doesnt already exist	2025-12-14 15:35:24 -05:00
DefensiveDepth	f9edfd6391	Add trailing nl if it doesnt already exist	2025-12-14 12:03:44 -05:00
Josh Patterson	f6301bc3e5	Merge pull request #15304 from Security-Onion-Solutions/ggjorge fix cleaning repos on remote nodes if airgap	2025-12-12 14:22:21 -05:00
Josh Patterson	6c5c176b7d	fix cleaning repos on remote nodes if airgap	2025-12-12 14:18:54 -05:00
Josh Brower	c6d52b5eb1	Merge pull request #15303 from Security-Onion-Solutions/idstools-refactor Add Airgap check	2025-12-12 09:59:19 -05:00
DefensiveDepth	7cac528389	Add Airgap check	2025-12-12 09:52:01 -05:00
Josh Brower	6fe817ca4a	Merge pull request #15301 from Security-Onion-Solutions/idstools-refactor Rework backup	2025-12-11 13:57:25 -05:00
DefensiveDepth	cb9a6fac25	Update tests for rework	2025-12-11 12:14:37 -05:00
DefensiveDepth	a945768251	Refactor backup	2025-12-11 11:15:30 -05:00
Mike Reeves	c6646e3821	Merge pull request #15289 from Security-Onion-Solutions/TOoSmOotH-patch-3 Update Assistant Models	2025-12-10 17:22:13 -05:00
Mike Reeves	99dc72cece	Merge branch '2.4/dev' into TOoSmOotH-patch-3	2025-12-10 17:19:32 -05:00
Josh Brower	04d6cca204	Merge pull request #15298 from Security-Onion-Solutions/idstools-refactor Fixup logic	2025-12-10 17:18:59 -05:00
DefensiveDepth	5ab6bda639	Fixup logic	2025-12-10 17:16:35 -05:00
Josh Brower	f433de7e12	Merge pull request #15297 from Security-Onion-Solutions/idstools-refactor small fixes	2025-12-10 15:23:12 -05:00
DefensiveDepth	8ef6c2f91d	small fixes	2025-12-10 15:19:44 -05:00
Mike Reeves	7575218697	Merge pull request #15293 from Security-Onion-Solutions/TOoSmOotH-patch-4 Remove Claude Sonnet 4 model configuration	2025-12-09 11:04:38 -05:00
Mike Reeves	dc945dad00	Remove Claude Sonnet 4 model configuration Removed configuration for Claude Sonnet 4 model.	2025-12-09 11:00:53 -05:00
Josh Brower	ddcd74ffd2	Merge pull request #15292 from Security-Onion-Solutions/idstools-refactor Fix custom name	2025-12-09 10:12:41 -05:00
DefensiveDepth	e105bd12e6	Fix custom name	2025-12-09 09:49:27 -05:00
Josh Brower	f5688175b6	Merge pull request #15290 from Security-Onion-Solutions/idstools-refactor match correct custom ruleset name	2025-12-08 18:25:46 -05:00
DefensiveDepth	72a4ba405f	match correct custom ruleset name	2025-12-08 16:45:40 -05:00
Mike Reeves	94694d394e	Add origin field to model training configuration	2025-12-08 16:36:09 -05:00
Mike Reeves	03dd746601	Add origin field to model configurations	2025-12-08 16:34:19 -05:00
Mike Reeves	eec3373ae7	Update display name for Claude Sonnet 4	2025-12-08 16:30:50 -05:00
Mike Reeves	db45ce07ed	Modify model display names and remove GPT-OSS 120B Updated display names for models and removed GPT-OSS 120B.	2025-12-08 16:26:45 -05:00
Josh Brower	ba49765312	Merge pull request #15287 from Security-Onion-Solutions/idstools-refactor Rework ordering	2025-12-08 12:42:48 -05:00
DefensiveDepth	72c8c2371e	Rework ordering	2025-12-08 12:39:30 -05:00
Josh Brower	80411ab6cf	Merge pull request #15286 from Security-Onion-Solutions/idstools-refactor be more verbose	2025-12-08 10:31:39 -05:00
DefensiveDepth	0ff8fa57e7	be more verbose	2025-12-08 10:29:24 -05:00
Josh Brower	411f28a049	Merge pull request #15284 from Security-Onion-Solutions/idstools-refactor Make sure local salt dir is created	2025-12-07 17:49:56 -05:00
DefensiveDepth	0f42233092	Make sure local salt dir is created	2025-12-07 16:13:55 -05:00
Josh Brower	2dd49f6d9b	Merge pull request #15283 from Security-Onion-Solutions/idstools-refactor Fixup Airgap	2025-12-06 16:06:57 -05:00
DefensiveDepth	271f545f4f	Fixup Airgap	2025-12-06 15:26:44 -05:00
Josh Brower	c4a70b540e	Merge pull request #15232 from Security-Onion-Solutions/idstools-refactor Idstools refactor	2025-12-05 12:58:10 -05:00
DefensiveDepth	bef85772e3	Merge branch 'idstools-refactor' of https://github.com/Security-Onion-Solutions/securityonion into idstools-refactor	2025-12-05 12:17:06 -05:00
DefensiveDepth	a6b19c4a6c	Remove idstools config from manager pillar file	2025-12-05 12:13:05 -05:00
Josh Brower	44f5e6659b	Merge branch '2.4/dev' into idstools-refactor	2025-12-05 10:30:54 -05:00
DefensiveDepth	3f9a9b7019	tweak threshold	2025-12-05 10:23:24 -05:00
DefensiveDepth	b7ad985c7a	Add cron.abset	2025-12-05 09:48:46 -05:00
Josh Brower	dba087ae25	Update version from 2.4.0-delta to 2.4.200	2025-12-05 09:43:31 -05:00
Jorge Reyes	bbc4b1b502	Merge pull request #15241 from Security-Onion-Solutions/reyesj2/advilm FEATURE: Advanced ILM actions via SOC UI	2025-12-04 14:43:12 -06:00
DefensiveDepth	9304513ce8	Add support for suricata rules load status	2025-12-04 12:26:13 -05:00
reyesj2	0b127582cb	2.4.200 soup changes	2025-12-03 20:49:25 -06:00
reyesj2	6e9b8791c8	Merge branch '2.4/dev' of github.com:Security-Onion-Solutions/securityonion into reyesj2/advilm	2025-12-03 20:27:13 -06:00
reyesj2	ef87ad77c3	Merge branch 'reyesj2/advilm' of github.com:Security-Onion-Solutions/securityonion into reyesj2/advilm	2025-12-03 20:23:03 -06:00
reyesj2	8477420911	logstash adv config state file	2025-12-03 20:10:06 -06:00
Jason Ertel	f5741e318f	Merge pull request #15281 from Security-Onion-Solutions/jertel/wip skip continue prompt if user cannot actually continue	2025-12-03 16:37:07 -05:00
Josh Patterson	e010b5680a	Merge pull request #15280 from Security-Onion-Solutions/reservegid reserve group ids	2025-12-03 16:24:12 -05:00
Josh Patterson	8620d3987e	add saltgid	2025-12-03 15:04:28 -05:00
Jason Ertel	30487a54c1	skip continue prompt if user cannot actually contine	2025-12-03 11:52:10 -05:00
DefensiveDepth	f15a39c153	Add historical hashes	2025-12-03 11:24:04 -05:00
Josh Patterson	aed27fa111	reserve group ids	2025-12-03 11:19:46 -05:00
Josh Brower	822c411e83	Update version to 2.4.0-delta	2025-12-02 21:24:24 -05:00
DefensiveDepth	41b3ac7554	Backup salt master config	2025-12-02 19:58:56 -05:00
DefensiveDepth	23575fdf6c	edit actual file	2025-12-02 19:19:57 -05:00
DefensiveDepth	52f70dc49a	Cleanup idstools	2025-12-02 17:40:30 -05:00
DefensiveDepth	79c9749ff7	Merge remote-tracking branch 'origin/2.4/dev' into idstools-refactor	2025-12-02 17:40:04 -05:00
Jorge Reyes	8d2701e143	Merge branch '2.4/dev' into reyesj2/advilm	2025-12-02 15:42:15 -06:00
reyesj2	877444ac29	cert update is a forced update	2025-12-02 15:16:59 -06:00
reyesj2	b0d9426f1b	automated cert update for kafka fleet output policy	2025-12-02 15:11:00 -06:00
reyesj2	18accae47e	annotation typo	2025-12-02 15:10:29 -06:00
Josh Patterson	55e3a2c6b6	Merge pull request #15277 from Security-Onion-Solutions/soyamllistremove need additional line bw class	2025-12-02 15:09:47 -05:00
Josh Patterson	ef092e2893	rename to removelistitem	2025-12-02 15:01:32 -05:00
Josh Patterson	89eb95c077	add removefromlist	2025-12-02 14:46:24 -05:00
Josh Patterson	e871ec358e	need additional line bw class	2025-12-02 14:43:33 -05:00
Josh Patterson	271a2f74ad	Merge pull request #15275 from Security-Onion-Solutions/soyamllistremove add new so-yaml_test for removefromlist	2025-12-02 14:34:09 -05:00
Josh Patterson	d6bd951c37	add new so-yaml_test for removefromlist	2025-12-02 14:31:57 -05:00
DefensiveDepth	8abd4c9c78	Remove idstools files	2025-12-02 12:42:15 -05:00
reyesj2	45a8c0acd1	merge 2.4/dev	2025-12-02 11:16:08 -06:00
DefensiveDepth	c372cd533d	Merge remote-tracking branch 'origin/2.4/dev' into idstools-refactor	2025-12-01 16:10:22 -05:00
DefensiveDepth	999f83ce57	Create dir earlier	2025-12-01 14:21:58 -05:00
Jorge Reyes	6fbed2dd9f	Merge pull request #15264 from Security-Onion-Solutions/reyesj2-patch-2 add force & certs flag to update fleet certs as needed	2025-12-01 11:11:25 -06:00
Mike Reeves	875de88cb4	Merge pull request #15271 from Security-Onion-Solutions/TOoSmOotH-patch-2 Add JA4D option to config.zeek.ja4	2025-12-01 10:03:12 -05:00
Mike Reeves	63bb44886e	Add JA4D option to config.zeek.ja4	2025-12-01 10:00:42 -05:00
reyesj2	edf3c9464f	add --certs flag to update certs. Used with --force, to ensure certs are updated even if hosts update isn't needed	2025-11-25 16:16:19 -06:00
reyesj2	cc8fb96047	valid config for number_of_replicas in allocate action includes 0	2025-11-24 11:12:09 -06:00
reyesj2	3339b50daf	drop forcemerge when max_num_segements doesn't exist or empty	2025-11-21 16:39:45 -06:00
reyesj2	415ea07a4f	clean up	2025-11-21 16:04:26 -06:00
reyesj2	b80ec95fa8	update regex, revert to default will allow setting value back to '' \| None	2025-11-21 14:41:03 -06:00
reyesj2	99cb51482f	unneeded 'set'	2025-11-21 14:32:58 -06:00
reyesj2	90638f7a43	Merge branch 'reyesj2/advea' into reyesj2/advilm	2025-11-21 14:25:28 -06:00
reyesj2	1fb00c8eb6	update so-elastic-fleet-outputs-update to use advanced output options when set, else empty "". Also trigger update_logstash_outputs() when hash of config_yaml has changed	2025-11-21 14:22:42 -06:00
reyesj2	4490ea7635	format EA logstash output adv config items	2025-11-21 14:21:17 -06:00
reyesj2	bce7a20d8b	soc configurable EA logstash output adv settings	2025-11-21 14:19:51 -06:00
reyesj2	b52dd53e29	advanced ilm actions	2025-11-19 13:24:55 -06:00
reyesj2	a155f45036	always update annotation / defaults for managed integrations	2025-11-19 13:24:29 -06:00
reyesj2	de4424fab0	remove typos	2025-11-14 19:15:51 -06:00