Merge pull request #15597 from Security-Onion-Solutions/2.4.211

2.4.211

.github/DISCUSSION_TEMPLATE/2-4.yml

@@ -2,11 +2,13 @@ body:
   - type: markdown
     attributes:
       value: |
+        ⚠️ This category is solely for conversations related to Security Onion 2.4 ⚠️
+
         If your organization needs more immediate, enterprise grade professional support, with one-on-one virtual meetings and screensharing, contact us via our website: https://securityonion.com/support
   - type: dropdown
     attributes:
       label: Version
-      description: Which version of Security Onion are you asking about?
+      description: Which version of Security Onion 2.4.x are you asking about?
       options:
         -
         - 2.4.10

.github/DISCUSSION_TEMPLATE/3-0.yml

@@ -1,177 +0,0 @@
-body:
-  - type: markdown
-    attributes:
-      value: |
-        If your organization needs more immediate, enterprise grade professional support, with one-on-one virtual meetings and screensharing, contact us via our website: https://securityonion.com/support
-  - type: dropdown
-    attributes:
-      label: Version
-      description: Which version of Security Onion are you asking about?
-      options:
-        -
-        - 3.0.0
-        - Other (please provide detail below)
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Installation Method
-      description: How did you install Security Onion?
-      options:
-        -
-        - Security Onion ISO image
-        - Cloud image (Amazon, Azure, Google)
-        - Network installation on Oracle 9 (unsupported)
-        - Other (please provide detail below)
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Description
-      description: >
-        Is this discussion about installation, configuration, upgrading, or other?
-      options:
-        -
-        - installation
-        - configuration
-        - upgrading
-        - other (please provide detail below)
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Installation Type
-      description: >
-        When you installed, did you choose Import, Eval, Standalone, Distributed, or something else?
-      options:
-        -
-        - Import
-        - Eval
-        - Standalone
-        - Distributed
-        - other (please provide detail below)
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Location
-      description: >
-        Is this deployment in the cloud, on-prem with Internet access, or airgap?
-      options:
-        -
-        - cloud
-        - on-prem with Internet access
-        - airgap
-        - other (please provide detail below)
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Hardware Specs
-      description: >
-        Does your hardware meet or exceed the minimum requirements for your installation type as shown at https://securityonion.net/docs/hardware?
-      options:
-        -
-        - Meets minimum requirements
-        - Exceeds minimum requirements
-        - Does not meet minimum requirements
-        - other (please provide detail below)
-    validations:
-      required: true
-  - type: input
-    attributes:
-      label: CPU
-      description: How many CPU cores do you have?
-    validations:
-      required: true
-  - type: input
-    attributes:
-      label: RAM
-      description: How much RAM do you have?
-    validations:
-      required: true
-  - type: input
-    attributes:
-      label: Storage for /
-      description: How much storage do you have for the / partition?
-    validations:
-      required: true
-  - type: input
-    attributes:
-      label: Storage for /nsm
-      description: How much storage do you have for the /nsm partition?
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Network Traffic Collection
-      description: >
-        Are you collecting network traffic from a tap or span port?
-      options:
-        -
-        - tap
-        - span port
-        - other (please provide detail below)
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Network Traffic Speeds
-      description: >
-        How much network traffic are you monitoring?
-      options:
-        -
-        - Less than 1Gbps
-        - 1Gbps to 10Gbps
-        - more than 10Gbps
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Status
-      description: >
-        Does SOC Grid show all services on all nodes as running OK?
-      options:
-        -
-        - Yes, all services on all nodes are running OK
-        - No, one or more services are failed (please provide detail below)
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Salt Status
-      description: >
-        Do you get any failures when you run "sudo salt-call state.highstate"?
-      options:
-        -
-        - Yes, there are salt failures (please provide detail below)
-        - No, there are no failures
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Logs
-      description: >
-        Are there any additional clues in /opt/so/log/?
-      options:
-        -
-        - Yes, there are additional clues in /opt/so/log/ (please provide detail below)
-        - No, there are no additional clues
-    validations:
-      required: true
-  - type: textarea
-    attributes:
-      label: Detail
-      description: Please read our discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and then provide detailed information to help us help you.
-      placeholder: |-
-        STOP! Before typing, please read our discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 in their entirety!
-
-        If your organization needs more immediate, enterprise grade professional support, with one-on-one virtual meetings and screensharing, contact us via our website: https://securityonion.com/support
-    validations:
-      required: true
-  - type: checkboxes
-    attributes:
-      label: Guidelines
-      options:
-        - label: I have read the discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and assert that I have followed the guidelines.
-          required: true

DOWNLOAD_AND_VERIFY_ISO.md

@@ -1,17 +1,17 @@
-### 2.4.210-20260302 ISO image released on 2026/03/02
+### 2.4.211-20260312 ISO image released on 2026/03/12
 
 
 ### Download and Verify
 
-2.4.210-20260302 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.210-20260302.iso
+2.4.211-20260312 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.4.211-20260312.iso
  
-MD5: 575F316981891EBED2EE4E1F42A1F016  
-SHA1: 600945E8823221CBC5F1C056084A71355308227E  
-SHA256: A6AA6471125F07FA6E2796430E94BEAFDEF728E833E9728FDFA7106351EBC47E  
+MD5: 7082210AE9FF4D2634D71EAD4DC8F7A3  
+SHA1: F76E08C47FD786624B2385B4235A3D61A4C3E9DC  
+SHA256: CE6E61788DFC492E4897EEDC139D698B2EDBEB6B631DE0043F66E94AF8A0FF4E  
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.210-20260302.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.211-20260312.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.210-20260302.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.211-20260312.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.210-20260302.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.211-20260312.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.210-20260302.iso.sig securityonion-2.4.210-20260302.iso
+gpg --verify securityonion-2.4.211-20260312.iso.sig securityonion-2.4.211-20260312.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Mon 02 Mar 2026 11:55:24 AM EST using RSA key ID FE507013
+gpg: Signature made Wed 11 Mar 2026 03:05:09 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

HOTFIX

@@ -0,0 +1 @@
+

README.md

@@ -1,58 +1,50 @@
-<p align="center">
-  <img src="https://securityonionsolutions.com/logo/logo-so-onion-dark.svg" width="400" alt="Security Onion Logo">
-</p>
+## Security Onion 2.4
 
-# Security Onion
+Security Onion 2.4 is here!
 
-Security Onion is a free and open Linux distribution for threat hunting, enterprise security monitoring, and log management. It includes a comprehensive suite of tools designed to work together to provide visibility into your network and host activity.
+## Screenshots
 
-## ✨ Features
+Alerts
+![Alerts](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/50_alerts.png)
 
-Security Onion includes everything you need to monitor your network and host systems:
+Dashboards
+![Dashboards](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/53_dashboards.png)
 
-*   **Security Onion Console (SOC)**: A unified web interface for analyzing security events and managing your grid.
-*   **Elastic Stack**: Powerful search backed by Elasticsearch.
-*   **Intrusion Detection**: Network-based IDS with Suricata and host-based monitoring with Elastic Fleet.
-*   **Network Metadata**: Detailed network metadata generated by Zeek or Suricata.
-*   **Full Packet Capture**: Retain and analyze raw network traffic with Suricata PCAP.
+Hunt
+![Hunt](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/56_hunt.png)
 
-## ⭐ Security Onion Pro
+Detections
+![Detections](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/57_detections.png)
 
-For organizations and enterprises requiring advanced capabilities, **Security Onion Pro** offers additional features designed for scale and efficiency:
+PCAP
+![PCAP](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/62_pcap.png)
 
-*   **Onion AI**: Leverage powerful AI-driven insights to accelerate your analysis and investigations.
-*   **Enterprise Features**: Enhanced tools and integrations tailored for enterprise-grade security operations.
+Grid
+![Grid](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/75_grid.png)
 
-For more information, visit the [Security Onion Pro](https://securityonionsolutions.com/pro) page.
+Config
+![Config](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/87_config.png)
 
-## ☁️ Cloud Deployment
+### Release Notes
 
-Security Onion is available and ready to deploy in the **AWS**, **Azure**, and **Google Cloud (GCP)** marketplaces.
+https://securityonion.net/docs/release-notes
 
-## 🚀 Getting Started
+### Requirements
 
-| Goal | Resource |
-| :--- | :--- |
-| **Download** | [Security Onion ISO](https://securityonion.net/docs/download) |
-| **Requirements** | [Hardware Guide](https://securityonion.net/docs/hardware) |
-| **Install** | [Installation Instructions](https://securityonion.net/docs/installation) |
-| **What's New** | [Release Notes](https://securityonion.net/docs/release-notes) |
+https://securityonion.net/docs/hardware
 
-## 📖 Documentation & Support
+### Download
 
-For more detailed information, please visit our [Documentation](https://docs.securityonion.net).
+https://securityonion.net/docs/download
 
-*   **FAQ**: [Frequently Asked Questions](https://securityonion.net/docs/faq)
-*   **Community**: [Discussions & Support](https://securityonion.net/docs/community-support)
-*   **Training**: [Official Training](https://securityonion.net/training)
+### Installation
 
-## 🤝 Contributing
+https://securityonion.net/docs/installation
 
-We welcome contributions! Please see our [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines on how to get involved.
+### FAQ
 
-## 🛡️ License
+https://securityonion.net/docs/faq
 
-Security Onion is licensed under the terms of the license found in the [LICENSE](LICENSE) file.
+### Feedback
 
----
-*Built with 🧅 by Security Onion Solutions.*
+https://securityonion.net/docs/community-support

SECURITY.md

@@ -4,7 +4,6 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 3.x     | :white_check_mark: |
 | 2.4.x   | :white_check_mark: |
 | 2.3.x   | :x:                |
 | 16.04.x | :x:                |

VERSION

@@ -1 +1 @@
-3.0.0
+2.4.211

pillar/top.sls

@@ -87,6 +87,8 @@ base:
     - zeek.adv_zeek
     - bpf.soc_bpf
     - bpf.adv_bpf
+    - pcap.soc_pcap
+    - pcap.adv_pcap
     - suricata.soc_suricata
     - suricata.adv_suricata
     - minions.{{ grains.id }}
@@ -132,6 +134,8 @@ base:
     - zeek.adv_zeek
     - bpf.soc_bpf
     - bpf.adv_bpf
+    - pcap.soc_pcap
+    - pcap.adv_pcap
     - suricata.soc_suricata
     - suricata.adv_suricata
     - minions.{{ grains.id }}
@@ -181,6 +185,8 @@ base:
     - zeek.adv_zeek
     - bpf.soc_bpf
     - bpf.adv_bpf
+    - pcap.soc_pcap
+    - pcap.adv_pcap
     - suricata.soc_suricata
     - suricata.adv_suricata
     - minions.{{ grains.id }}
@@ -203,6 +209,8 @@ base:
     - zeek.adv_zeek
     - bpf.soc_bpf
     - bpf.adv_bpf
+    - pcap.soc_pcap
+    - pcap.adv_pcap
     - suricata.soc_suricata
     - suricata.adv_suricata
     - strelka.soc_strelka
@@ -289,6 +297,8 @@ base:
     - zeek.adv_zeek
     - bpf.soc_bpf
     - bpf.adv_bpf
+    - pcap.soc_pcap
+    - pcap.adv_pcap
     - suricata.soc_suricata
     - suricata.adv_suricata
     - strelka.soc_strelka

salt/_modules/needs_restarting.py

@@ -1,14 +1,24 @@
+from os import path
 import subprocess
 
 def check():
 
+  osfam = __grains__['os_family']
   retval = 'False'
 
-  cmd = 'needs-restarting -r > /dev/null 2>&1'
+  if osfam == 'Debian':
+    if path.exists('/var/run/reboot-required'):
+      retval = 'True'
 
-  try:
-    needs_restarting = subprocess.check_call(cmd, shell=True)
-  except subprocess.CalledProcessError:
-    retval = 'True'
+  elif osfam == 'RedHat':
+    cmd = 'needs-restarting -r > /dev/null 2>&1'
+    
+    try:
+      needs_restarting = subprocess.check_call(cmd, shell=True)
+    except subprocess.CalledProcessError:
+      retval = 'True'
+
+  else:
+    retval = 'Unsupported OS: %s' % os
 
   return retval

salt/allowed_states.map.jinja

@@ -38,6 +38,7 @@
 ] %}
 
 {% set sensor_states = [
+    'pcap',
     'suricata',
     'healthcheck',
     'tcpreplay',

salt/bpf/pcap.map.jinja

@@ -1,15 +1,21 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% set PCAP_BPF_STATUS = 0  %}
+{% set STENO_BPF_COMPILED = "" %}
 
+{% if GLOBALS.pcap_engine == "TRANSITION" %}
+{%   set PCAPBPF = ["ip and host 255.255.255.1 and port 1"] %}
+{% else %}
 {%   import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
 {%   set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
 {%   import 'bpf/macros.jinja' as MACROS %}
 {{   MACROS.remove_comments(BPFMERGED, 'pcap') }}
 {%   set PCAPBPF = BPFMERGED.pcap %}
+{% endif %}
 
 {% if PCAPBPF %}
    {% set PCAP_BPF_CALC = salt['cmd.script']('salt://common/tools/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + PCAPBPF|join(" "),cwd='/root') %}
    {% if PCAP_BPF_CALC['retcode'] == 0 %}
       {% set PCAP_BPF_STATUS = 1 %}
+      {% set STENO_BPF_COMPILED =  ",\\\"--filter=" + PCAP_BPF_CALC['stdout'] + "\\\""  %}
    {% endif %}
 {% endif %}

salt/ca/trustca.sls

@@ -3,6 +3,8 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
 include:
   - docker
 
@@ -16,3 +18,9 @@ trusttheca:
     - show_changes: False
     - makedirs: True
 
+{% if GLOBALS.os_family == 'Debian' %}
+symlinkca:
+  file.symlink:
+    - target: /etc/pki/tls/certs/intca.crt
+    - name: /etc/ssl/certs/intca.crt
+{% endif %}

salt/common/init.sls

@@ -20,6 +20,11 @@ kernel.printk:
   sysctl.present:
     - value: "3 4 1 3"
 
+# Remove variables.txt from /tmp - This is temp
+rmvariablesfile:
+  file.absent:
+    - name: /tmp/variables.txt
+
 # Add socore Group
 socoregroup:
   group.present:
@@ -144,6 +149,28 @@ common_sbin_jinja:
       - so-import-pcap
 {% endif %}
 
+{% if GLOBALS.role == 'so-heavynode' %}
+remove_so-pcap-import_heavynode:
+  file.absent:
+    - name: /usr/sbin/so-pcap-import
+
+remove_so-import-pcap_heavynode:
+  file.absent:
+    - name: /usr/sbin/so-import-pcap
+{% endif %}
+
+{% if not GLOBALS.is_manager%}
+# prior to 2.4.50 these scripts were in common/tools/sbin on the manager because of soup and distributed to non managers
+# these two states remove the scripts from non manager nodes
+remove_soup:
+  file.absent:
+    - name: /usr/sbin/soup
+
+remove_so-firewall:
+  file.absent:
+    - name: /usr/sbin/so-firewall
+{% endif %}
+
 so-status_script:
   file.managed:
     - name: /usr/sbin/so-status

salt/common/packages.sls

@@ -1,5 +1,52 @@
 # we cannot import GLOBALS from vars/globals.map.jinja in this state since it is called in setup.virt.init
 # since it is early in setup of a new VM, the pillars imported in GLOBALS are not yet defined
+{% if grains.os_family == 'Debian' %}
+commonpkgs:
+  pkg.installed:
+    - skip_suggestions: True
+    - pkgs:
+      - apache2-utils
+      - wget
+      - ntpdate
+      - jq
+      - curl
+      - ca-certificates
+      - software-properties-common
+      - apt-transport-https
+      - openssl
+      - netcat-openbsd
+      - sqlite3
+      - libssl-dev
+      - procps
+      - python3-dateutil
+      - python3-docker
+      - python3-packaging
+      - python3-lxml
+      - git
+      - rsync
+      - vim
+      - tar
+      - unzip
+      - bc
+      {% if grains.oscodename != 'focal' %}
+      - python3-rich
+      {% endif %}
+
+{%     if grains.oscodename == 'focal' %}
+# since Ubuntu requires and internet connection we can use pip to install modules
+python3-pip:
+  pkg.installed
+
+python-rich:
+  pip.installed:
+    - name: rich
+    - target: /usr/local/lib/python3.8/dist-packages/
+    - require:
+      - pkg: python3-pip
+{%     endif %}
+{% endif %}
+
+{% if grains.os_family == 'RedHat' %}
 
 remove_mariadb:
   pkg.removed:
@@ -37,3 +84,5 @@ commonpkgs:
       - unzip
       - wget
       - yum-utils
+
+{% endif %}

salt/common/soup_scripts.sls

@@ -3,6 +3,8 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
+{% if '2.4' in salt['cp.get_file_str']('/etc/soversion') %}
+
 {%   import_yaml '/opt/so/saltstack/local/pillar/global/soc_global.sls' as SOC_GLOBAL %}
 {%   if SOC_GLOBAL.global.airgap %}
 {%     set UPDATE_DIR='/tmp/soagupdate/SecurityOnion' %}
@@ -11,6 +13,14 @@
 {%   endif %}
 {%   set SOVERSION = salt['file.read']('/etc/soversion').strip() %}
 
+remove_common_soup:
+  file.absent:
+    - name: /opt/so/saltstack/default/salt/common/tools/sbin/soup
+
+remove_common_so-firewall:
+  file.absent:
+    - name: /opt/so/saltstack/default/salt/common/tools/sbin/so-firewall
+
 # This section is used to put the scripts in place in the Salt file system
 # in case a state run tries to overwrite what we do in the next section.
 copy_so-common_common_tools_sbin:
@@ -110,3 +120,23 @@ copy_bootstrap-salt_sbin:
     - source: {{UPDATE_DIR}}/salt/salt/scripts/bootstrap-salt.sh
     - force: True
     - preserve: True
+
+{# this is added in 2.4.120 to remove salt repo files pointing to saltproject.io to accomodate the move to broadcom and new bootstrap-salt script #}
+{%   if salt['pkg.version_cmp'](SOVERSION, '2.4.120') == -1 %}
+{%     set saltrepofile = '/etc/yum.repos.d/salt.repo' %}
+{%     if grains.os_family == 'Debian' %}
+{%       set saltrepofile = '/etc/apt/sources.list.d/salt.list' %}
+{%     endif %}
+remove_saltproject_io_repo_manager:
+  file.absent:
+    - name: {{ saltrepofile }}
+{%   endif %}
+
+{% else %}
+fix_23_soup_sbin:
+  cmd.run:
+    - name: curl -s -f -o /usr/sbin/soup https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.3/main/salt/common/tools/sbin/soup
+fix_23_soup_salt:
+  cmd.run:
+    - name: curl -s -f -o /opt/so/saltstack/defalt/salt/common/tools/sbin/soup https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.3/main/salt/common/tools/sbin/soup
+{% endif %}

salt/common/tools/sbin/so-bpf-compile

@@ -16,7 +16,7 @@
 
 if [ "$#" -lt 2 ]; then
   cat 1>&2 <<EOF
-$0 compiles a BPF expression to be passed to PCAP to apply a socket filter.
+$0 compiles a BPF expression to be passed to stenotype to apply a socket filter.
 Its first argument is the interface (link type is required) and all other arguments
 are passed to TCPDump.
 

salt/common/tools/sbin/so-common

@@ -333,8 +333,8 @@ get_elastic_agent_vars() {
 
 	if [ -f "$defaultsfile" ]; then
 		ELASTIC_AGENT_TARBALL_VERSION=$(egrep " +version: " $defaultsfile | awk -F: '{print $2}' | tr -d '[:space:]')
-		ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/3/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
-		ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/3/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5"
+		ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
+		ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5"
 		ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
 		ELASTIC_AGENT_MD5="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5"
 		ELASTIC_AGENT_EXPANSION_DIR=/nsm/elastic-fleet/artifacts/beats/elastic-agent

salt/common/tools/sbin/so-image-common

@@ -32,6 +32,7 @@ container_list() {
       "so-nginx"
       "so-pcaptools"
       "so-soc"
+      "so-steno"
       "so-suricata"
       "so-telegraf"
       "so-zeek"
@@ -57,6 +58,7 @@ container_list() {
       "so-pcaptools"
       "so-redis"
       "so-soc"
+      "so-steno"
       "so-strelka-backend"
       "so-strelka-manager"
       "so-suricata"
@@ -69,6 +71,7 @@ container_list() {
       "so-logstash"
       "so-nginx"
       "so-redis"
+      "so-steno"
       "so-suricata"
       "so-soc"
       "so-telegraf"

salt/common/tools/sbin/so-log-check

@@ -179,6 +179,7 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|salt-minion-check"            # bug in early 2.4 place Jinja script in non-jinja salt dir causing cron output errors
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|monitoring.metrics"           # known issue with elastic agent casting the field incorrectly if an integer value shows up before a float
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|repodownload.conf"            # known issue with reposync on pre-2.4.20 
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing versions record"      # stenographer corrupt index
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|soc.field."                   # known ingest type collisions issue with earlier versions of SO
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error parsing signature"      # Malformed Suricata rule, from upstream provider
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|sticky buffer has no matches" # Non-critical Suricata error

salt/common/tools/sbin/so-nsm-clear

@@ -55,22 +55,19 @@ if [ $SKIP -ne 1 ]; then
 fi
 
 delete_pcap() {
-  PCAP_DATA="/nsm/suripcap/"
-  [ -d $PCAP_DATA ] && rm -rf $PCAP_DATA/*
+  PCAP_DATA="/nsm/pcap/"
+  [ -d $PCAP_DATA ] && so-pcap-stop && rm -rf $PCAP_DATA/* && so-pcap-start
 }
 delete_suricata() {
   SURI_LOG="/nsm/suricata/"
-  [ -d $SURI_LOG ] && rm -rf $SURI_LOG/*
+  [ -d $SURI_LOG ] && so-suricata-stop && rm -rf $SURI_LOG/* && so-suricata-start
 }
 delete_zeek() {
   ZEEK_LOG="/nsm/zeek/logs/"
   [ -d $ZEEK_LOG ] && so-zeek-stop && rm -rf $ZEEK_LOG/* && so-zeek-start
 }
 
-so-suricata-stop
 delete_pcap
 delete_suricata
 delete_zeek
-so-suricata-start
-
 

salt/common/tools/sbin/so-restart

@@ -23,6 +23,7 @@ if [ $# -ge 1 ]; then
         fi
 
         case $1 in
+                "steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;;
                 "elastic-fleet") docker stop so-elastic-fleet && docker rm so-elastic-fleet && salt-call state.apply elasticfleet queue=True;;
                 *)  docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
         esac

salt/common/tools/sbin/so-sensor-clean

@@ -72,7 +72,7 @@ clean() {
 		done
 	fi
 
-	## Clean up extracted pcaps
+	## Clean up extracted pcaps from Steno
 	PCAPS='/nsm/pcapout'
 	OLDEST_PCAP=$(find $PCAPS -type f -printf '%T+ %p\n' | sort -n | head -n 1)
 	if [ -z "$OLDEST_PCAP" -o "$OLDEST_PCAP" == ".." -o "$OLDEST_PCAP" == "." ]; then

salt/common/tools/sbin/so-start

@@ -23,6 +23,7 @@ if [ $# -ge 1 ]; then
 
 	case $1 in
    		"all") salt-call state.highstate queue=True;;
+   		"steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;; 
    		"elastic-fleet") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply elasticfleet queue=True; fi ;; 
    		*) if docker ps | grep -E -q '^so-$1$'; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; 
 	esac

salt/curator/disabled.sls

@@ -0,0 +1,34 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+so-curator:
+  docker_container.absent:
+    - force: True
+
+so-curator_so-status.disabled:
+  file.line:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - match: ^so-curator$
+    - mode: delete
+
+so-curator-cluster-close:
+  cron.absent:
+    - identifier: so-curator-cluster-close
+
+so-curator-cluster-delete:
+  cron.absent:
+    - identifier: so-curator-cluster-delete
+
+delete_curator_configuration:
+  file.absent:
+    - name: /opt/so/conf/curator
+    - recurse: True
+
+{% set files = salt.file.find(path='/usr/sbin', name='so-curator*') %}
+{% if files|length > 0 %}
+delete_curator_scripts:
+  file.absent:
+    - names: {{files|yaml}}
+{% endif %}

salt/docker/defaults.yaml

@@ -174,6 +174,11 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
+    'so-steno':
+      final_octet: 99
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
     'so-suricata':
       final_octet: 99
       custom_bind_mounts: []

salt/docker/init.sls

@@ -15,6 +15,39 @@ dockergroup:
     - name: docker
     - gid: 920
 
+{% if GLOBALS.os_family == 'Debian' %}
+{%    if grains.oscodename == 'bookworm' %}
+dockerheldpackages:
+  pkg.installed:
+    - pkgs:
+      - containerd.io: 2.2.1-1~debian.12~bookworm
+      - docker-ce: 5:29.2.1-1~debian.12~bookworm
+      - docker-ce-cli: 5:29.2.1-1~debian.12~bookworm
+      - docker-ce-rootless-extras: 5:29.2.1-1~debian.12~bookworm
+    - hold: True
+    - update_holds: True
+{%    elif grains.oscodename == 'jammy' %}
+dockerheldpackages:
+  pkg.installed:
+    - pkgs:
+      - containerd.io: 2.2.1-1~ubuntu.22.04~jammy
+      - docker-ce: 5:29.2.1-1~ubuntu.22.04~jammy
+      - docker-ce-cli: 5:29.2.1-1~ubuntu.22.04~jammy
+      - docker-ce-rootless-extras: 5:29.2.1-1~ubuntu.22.04~jammy
+    - hold: True
+    - update_holds: True
+{%    else %}
+dockerheldpackages:
+  pkg.installed:
+    - pkgs:
+      - containerd.io: 1.7.21-1
+      - docker-ce: 5:27.2.0-1~ubuntu.20.04~focal
+      - docker-ce-cli: 5:27.2.0-1~ubuntu.20.04~focal
+      - docker-ce-rootless-extras: 5:27.2.0-1~ubuntu.20.04~focal
+    - hold: True
+    - update_holds: True
+{%   endif %}
+{% else %}
 dockerheldpackages:
   pkg.installed:
     - pkgs:
@@ -24,6 +57,7 @@ dockerheldpackages:
       - docker-ce-rootless-extras: 29.2.1-1.el9
     - hold: True
     - update_holds: True
+{% endif %}
 
 #disable docker from managing iptables
 iptables_disabled:

salt/docker/soc_docker.yaml

@@ -62,6 +62,7 @@ docker:
     so-idh: *dockerOptions
     so-elastic-agent: *dockerOptions
     so-telegraf: *dockerOptions
+    so-steno: *dockerOptions
     so-suricata:
       final_octet:
         description: Last octet of the container IP address.

salt/elasticsearch/config.map.jinja

@@ -6,6 +6,8 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %}
 
+{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
+
 {# this is a list of dicts containing hostname:ip for elasticsearch nodes that need to know about each other for cluster #}
 {% set ELASTICSEARCH_SEED_HOSTS = [] %}
 {% set node_data = salt['pillar.get']('elasticsearch:nodes', {GLOBALS.role.split('-')[1]: {GLOBALS.hostname: {'ip': GLOBALS.node_ip}}}) %}
@@ -34,8 +36,14 @@
       {% endfor %}
     {% endif %}
 {% elif grains.id.split('_') | last == 'searchnode' %}
+  {% if HIGHLANDER %}
+        {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %}
+  {% endif %}
   {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %}
 {% endif %}
+{% if HIGHLANDER %}
+      {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.xpack.ml.update({'enabled': true}) %}
+{% endif %}
 
 {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'name': GLOBALS.hostname}) %}
 {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.cluster.update({'name': GLOBALS.hostname}) %}

salt/elasticsearch/config.sls

@@ -98,6 +98,10 @@ esrolesdir:
     - group: 939
     - makedirs: True
 
+eslibdir:
+  file.absent:
+    - name: /opt/so/conf/elasticsearch/lib
+
 esingestdynamicconf:
   file.recurse:
     - name: /opt/so/conf/elasticsearch/ingest
@@ -115,6 +119,11 @@ esingestconf:
     - group: 939
     - show_changes: False
 
+# Remove .fleet_final_pipeline-1 because we are using global@custom now
+so-fleet-final-pipeline-remove:
+  file.absent:
+    - name: /opt/so/conf/elasticsearch/ingest/.fleet_final_pipeline-1
+
 # Auto-generate Elasticsearch ingest node pipelines from pillar
 {% for pipeline, config in ELASTICSEARCHMERGED.pipelines.items() %}
 es_ingest_conf_{{pipeline}}:

salt/elasticsearch/files/ingest-dynamic/common

@@ -1,3 +1,5 @@
+{%- set HIGHLANDER = salt['pillar.get']('global:highlander', False) -%}
+{%- raw -%}
 {
   "description" : "common",
   "processors" : [
@@ -65,7 +67,19 @@
     { "append":          { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}"  } },
     { "grok":            { "if": "ctx.http?.response?.status_code != null", "field": "http.response.status_code", "patterns": ["%{NUMBER:http.response.status_code:long} %{GREEDYDATA}"]} },
     { "set":             { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } },
-    { "remove":          { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } },
+    { "remove":          { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } }
+{%- endraw %}
+{%- if HIGHLANDER %}
+    ,
+    {
+      "pipeline": {
+        "name": "ecs"
+      }
+    }
+{%- endif %}
+{%- raw %}
+    ,
     { "pipeline": { "name": "global@custom", "ignore_missing_pipeline": true, "description": "[Fleet] Global pipeline for all data streams" } }
   ]
 }
+{% endraw %}

salt/firewall/init.sls

@@ -27,12 +27,14 @@ iptables_config:
     - source: salt://firewall/iptables.jinja
     - template: jinja
 
+{%   if grains.os_family == 'RedHat' %}
 disable_firewalld:
   service.dead:
     - name: firewalld
     - enable: False
     - require:
       - file: iptables_config
+{%   endif %}
 
 iptables_restore:
   cmd.run:
@@ -42,6 +44,7 @@ iptables_restore:
     - onlyif:
       - iptables-restore --test {{ iptmap.configfile }}
 
+{%   if grains.os_family == 'RedHat' %}
 enable_firewalld:
   service.running:
     - name: firewalld
@@ -49,6 +52,7 @@ enable_firewalld:
     - onfail:
       - file: iptables_config
       - cmd: iptables_restore
+{%   endif %}
 
 {% else %}
 

salt/firewall/ipt.map.jinja

@@ -1,6 +1,14 @@
-{% set iptmap = {
-    'service': 'iptables',
-    'iptpkg': 'iptables-nft',
-    'persistpkg': 'iptables-nft-services',
-    'configfile': '/etc/sysconfig/iptables'
-} %}
+{% set iptmap = salt['grains.filter_by']({
+    'Debian': {
+        'service': 'netfilter-persistent',
+        'iptpkg': 'iptables',
+        'persistpkg': 'iptables-persistent',
+        'configfile': '/etc/iptables/rules.v4'
+    },
+    'RedHat': {
+        'service': 'iptables',
+        'iptpkg': 'iptables-nft',
+        'persistpkg': 'iptables-nft-services',
+        'configfile': '/etc/sysconfig/iptables'
+    },
+}) %}

salt/global/defaults.yaml

@@ -1,3 +1,3 @@
 global:
-  pcapengine: SURICATA
+  pcapengine: STENO
   pipeline: REDIS

salt/global/soc_global.yaml

@@ -18,11 +18,13 @@ global:
     regexFailureMessage: You must enter either ZEEK or SURICATA.
     global: True
   pcapengine:
-    description: Which engine to use for generating pcap. Currently only SURICATA is supported.
-    regex: ^(SURICATA)$
+    description: Which engine to use for generating pcap. Options are STENO, SURICATA or TRANSITION.
+    regex: ^(STENO|SURICATA|TRANSITION)$
     options:
+      - STENO
       - SURICATA
-    regexFailureMessage: You must enter either SURICATA.
+      - TRANSITION
+    regexFailureMessage: You must enter either STENO, SURICATA or TRANSITION.
     global: True
   ids:
     description: Which IDS engine to use. Currently only Suricata is supported.

salt/idh/openssh/config.sls

@@ -3,6 +3,7 @@
 include:
   - idh.openssh
 
+{% if grains.os_family == 'RedHat' %}
 idh_sshd_selinux:
   selinux.port_policy_present:
     - port: {{ openssh_map.config.port }}
@@ -12,6 +13,7 @@ idh_sshd_selinux:
       - file: openssh_config
     - require:
       - pkg: python_selinux_mgmt_tools
+{% endif %}
 
 openssh_config:
   file.replace:

salt/idh/openssh/init.sls

@@ -16,6 +16,8 @@ openssh:
     - name: {{ openssh_map.service }}
   {% endif %}
 
+{% if grains.os_family == 'RedHat' %}
 python_selinux_mgmt_tools:
   pkg.installed:
     - name: policycoreutils-python-utils
+{% endif %}

salt/influxdb/templates/alarm_steno_packet_loss.json

@@ -0,0 +1,27 @@
+[{
+	"apiVersion": "influxdata.com/v2alpha1",
+	"kind": "CheckThreshold",
+	"metadata": {
+		"name": "steno-packet-loss"
+	},
+	"spec": {
+		"description": "Triggers when the average percent of packet loss is above the defined threshold. To tune this alert, modify the value for the appropriate alert level.",
+		"every": "1m",
+		"name": "Stenographer Packet Loss",
+		"query": "from(bucket: \"telegraf/so_short_term\")\n  |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"stenodrop\")\n  |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"drop\")\n  |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n  |\u003e yield(name: \"mean\")",
+		"status": "active",
+		"statusMessageTemplate": "Stenographer Packet Loss on node ${r.host} has reached the ${ r._level } threshold. The current packet loss is ${ r.drop }%.",
+		"thresholds": [
+			{
+				"level": "CRIT",
+				"type": "greater", 
+				"value": 5
+			},
+			{
+				"level": "WARN",
+				"type": "greater",
+				"value": 3
+			}
+		]
+	}
+}]

salt/kibana/map.jinja

@@ -5,6 +5,7 @@
 
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'kibana/defaults.yaml' as KIBANADEFAULTS with context %}
+{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 
 {% do KIBANADEFAULTS.kibana.config.server.update({'publicBaseUrl': 'https://' ~ GLOBALS.url_base ~ '/kibana'}) %}
 {% do KIBANADEFAULTS.kibana.config.elasticsearch.update({'hosts': ['https://' ~ GLOBALS.manager ~ ':9200']}) %}

salt/kibana/so_dashboard_load.sls

@@ -3,6 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
+{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 include:
   - kibana.enabled
 
@@ -28,3 +29,27 @@ so-kibana-dashboard-load:
     - require:
       - sls: kibana.enabled
       - file: dashboard_saved_objects_template
+{%- if HIGHLANDER %}
+dashboard_saved_objects_template_hl:
+  file.managed:
+    - name: /opt/so/conf/kibana/hl.ndjson.template
+    - source: salt://kibana/files/hl.ndjson
+    - user: 932
+    - group: 939
+    - show_changes: False
+
+dashboard_saved_objects_hl_changes:
+  file.absent:
+    - names:
+      - /opt/so/state/kibana_hl.txt
+    - onchanges:
+      - file: dashboard_saved_objects_template_hl
+
+so-kibana-dashboard-load_hl:
+  cmd.run:
+    - name: /usr/sbin/so-kibana-config-load -i /opt/so/conf/kibana/hl.ndjson.template
+    - cwd: /opt/so
+    - require:
+      - sls: kibana.enabled
+      - file: dashboard_saved_objects_template_hl
+{%- endif %}

salt/kibana/tools/sbin_jinja/so-kibana-space-defaults

@@ -1,5 +1,6 @@
 #!/bin/bash
 . /usr/sbin/so-common
+{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 wait_for_web_response "http://localhost:5601/api/spaces/space/default" "default" 300 "curl -K /opt/so/conf/elasticsearch/curl.config"
 ## This hackery will be removed if using Elastic Auth ##
 
@@ -8,6 +9,10 @@ SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http:
 
 # Disable certain Features from showing up in the Kibana UI
 echo
-echo "Setting up default Kibana Space:"
+echo "Setting up default Space:"
+{% if HIGHLANDER %}
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log
+{% else %}
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCasesV3","inventory","dataQuality","searchSynonyms","enterpriseSearchApplications","enterpriseSearchAnalytics","securitySolutionTimeline","securitySolutionNotes","entityManager"]} ' >> /opt/so/log/kibana/misc.log
+{% endif %}
 echo

salt/logrotate/defaults.yaml

@@ -180,6 +180,16 @@ logrotate:
       - extension .log
       - dateext
       - dateyesterday
+    /opt/so/log/stenographer/*_x_log:
+      - daily
+      - rotate 14
+      - missingok
+      - copytruncate
+      - compress
+      - create
+      - extension .log
+      - dateext
+      - dateyesterday
     /opt/so/log/salt/so-salt-minion-check:
       - daily
       - rotate 14

salt/logrotate/soc_logrotate.yaml

@@ -112,6 +112,13 @@ logrotate:
       multiline: True
       global: True
       forcedType: "[]string"
+    "/opt/so/log/stenographer/*_x_log":
+      description: List of logrotate options for this file.
+      title: /opt/so/log/stenographer/*.log
+      advanced: True
+      multiline: True
+      global: True
+      forcedType: "[]string"
     "/opt/so/log/salt/so-salt-minion-check":
       description: List of logrotate options for this file.
       title: /opt/so/log/salt/so-salt-minion-check

salt/logstash/config.sls

@@ -36,6 +36,10 @@ logstash:
     - gid: 931
     - home: /opt/so/conf/logstash
 
+lslibdir:
+  file.absent:
+    - name: /opt/so/conf/logstash/lib
+
 logstash_sbin:
   file.recurse:
     - name: /usr/sbin

salt/manager/files/mirror.txt

@@ -1,2 +1,2 @@
-https://repo.securityonion.net/file/so-repo/prod/3/oracle/9
-https://repo-alt.securityonion.net/prod/3/oracle/9
+https://repo.securityonion.net/file/so-repo/prod/2.4/oracle/9
+https://repo-alt.securityonion.net/prod/2.4/oracle/9

salt/manager/init.sls

@@ -63,9 +63,11 @@ yara_log_dir:
       - user
       - group
 
+{% if GLOBALS.os_family == 'RedHat' %}
 install_createrepo:
   pkg.installed:
     - name: createrepo_c
+{% endif %}
 
 repo_conf_dir:
   file.directory:

salt/manager/tools/sbin/so-minion

@@ -462,14 +462,19 @@ function add_sensor_to_minion() {
         echo "      lb_procs: '$CORECOUNT'"
         echo "suricata:"
         echo "  enabled: True "
-        echo "  pcap:"
-        echo "    enabled: True"
         if [[ $is_pcaplimit ]]; then
+            echo "  pcap:"
             echo "    maxsize: $MAX_PCAP_SPACE"
         fi
         echo "  config:"
         echo "    af-packet:"
         echo "      threads: '$CORECOUNT'"
+        echo "pcap:"
+        echo "  enabled: True"
+        if [[ $is_pcaplimit ]]; then
+            echo "  config:"
+            echo "    diskfreepercentage: $DFREEPERCENT"
+        fi
         echo "  "
     } >> $PILLARFILE
     if [ $? -ne 0 ]; then

salt/manager/tools/sbin/so-saltstack-update

@@ -143,7 +143,7 @@ show_usage() {
     echo "  -v       Show verbose output (files changed/added/deleted)"
     echo "  -vv      Show very verbose output (includes file diffs)"
     echo "  --test   Test mode - show what would change without making changes"
-    echo "  branch   Git branch to checkout (default: 3/main)"
+    echo "  branch   Git branch to checkout (default: 2.4/main)"
     echo ""
     echo "Examples:"
     echo "  $0                    # Normal operation"
@@ -193,7 +193,7 @@ done
 
 # Set default branch if not provided
 if [ -z "$BRANCH" ]; then
-  BRANCH=3/main
+  BRANCH=2.4/main
 fi
 
 got_root

salt/manager/tools/sbin/so-yaml.py

@@ -256,7 +256,7 @@ def replacelistobject(args):
 def addKey(content, key, value):
     pieces = key.split(".", 1)
     if len(pieces) > 1:
-        if pieces[0] not in content or content[pieces[0]] is None:
+        if not pieces[0] in content:
             content[pieces[0]] = {}
         addKey(content[pieces[0]], pieces[1], value)
     elif key in content:
@@ -346,12 +346,7 @@ def get(args):
         print(f"Key '{key}' not found by so-yaml.py", file=sys.stderr)
         return 2
 
-    if isinstance(output, bool):
-        print(str(output).lower())
-    elif isinstance(output, (dict, list)):
-        print(yaml.safe_dump(output).strip())
-    else:
-        print(output)
+    print(yaml.safe_dump(output))
     return 0
 
 

salt/manager/tools/sbin/so-yaml_test.py

@@ -393,7 +393,7 @@ class TestRemove(unittest.TestCase):
 
             result = soyaml.get([filename, "key1.child2.deep1"])
             self.assertEqual(result, 0)
-            self.assertEqual("45\n", mock_stdout.getvalue())
+            self.assertIn("45\n...", mock_stdout.getvalue())
 
     def test_get_str(self):
         with patch('sys.stdout', new=StringIO()) as mock_stdout:
@@ -404,18 +404,7 @@ class TestRemove(unittest.TestCase):
 
             result = soyaml.get([filename, "key1.child2.deep1"])
             self.assertEqual(result, 0)
-            self.assertEqual("hello\n", mock_stdout.getvalue())
-
-    def test_get_bool(self):
-        with patch('sys.stdout', new=StringIO()) as mock_stdout:
-            filename = "/tmp/so-yaml_test-get.yaml"
-            file = open(filename, "w")
-            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
-            file.close()
-
-            result = soyaml.get([filename, "key2"])
-            self.assertEqual(result, 0)
-            self.assertEqual("false\n", mock_stdout.getvalue())
+            self.assertIn("hello\n...", mock_stdout.getvalue())
 
     def test_get_list(self):
         with patch('sys.stdout', new=StringIO()) as mock_stdout:

salt/manager/tools/sbin/soupto3

@@ -0,0 +1,184 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+. /usr/sbin/so-common
+
+UPDATE_URL=https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/refs/heads/3/main/VERSION
+
+# Check if already running version 3
+CURRENT_VERSION=$(cat /etc/soversion 2>/dev/null)
+if [[ "$CURRENT_VERSION" =~ ^3\. ]]; then
+    echo ""
+    echo "========================================================================="
+    echo " Already Running Security Onion 3"
+    echo "========================================================================="
+    echo ""
+    echo " This system is already running Security Onion $CURRENT_VERSION."
+    echo " Use 'soup' to update within the 3.x release line."
+    echo ""
+    exit 0
+fi
+
+echo ""
+echo "Checking PCAP settings."
+echo ""
+
+# Check pcapengine setting - must be SURICATA before upgrading to version 3
+PCAP_ENGINE=$(lookup_pillar "pcapengine")
+
+PCAP_DELETED=false
+
+prompt_delete_pcap() {
+    read -rp " Would you like to delete all remaining Stenographer PCAP data? (y/N): " DELETE_PCAP
+    if [[ "$DELETE_PCAP" =~ ^[Yy]$ ]]; then
+        echo ""
+        echo " WARNING: This will permanently delete all Stenographer PCAP data"
+        echo " on all nodes. This action cannot be undone."
+        echo ""
+        read -rp " Are you sure? (y/N): " CONFIRM_DELETE
+        if [[ "$CONFIRM_DELETE" =~ ^[Yy]$ ]]; then
+            echo ""
+            echo " Deleting Stenographer PCAP data on all nodes..."
+            salt '*' cmd.run "rm -rf /nsm/pcap/* && rm -rf /nsm/pcapindex/*"
+            echo " Done."
+            PCAP_DELETED=true
+        else
+            echo ""
+            echo " Delete cancelled."
+        fi
+    fi
+}
+
+pcapengine_not_changed() {
+    echo ""
+    echo " PCAP engine must be set to SURICATA before upgrading to Security Onion 3."
+    echo " You can change this in SOC by navigating to:"
+    echo "   Configuration -> global -> pcapengine"
+}
+
+prompt_change_engine() {
+    local current_engine=$1
+    echo ""
+    read -rp " Would you like to change the PCAP engine to SURICATA now? (y/N): " CHANGE_ENGINE
+    if [[ "$CHANGE_ENGINE" =~ ^[Yy]$ ]]; then
+        if [[ "$PCAP_DELETED" != "true" ]]; then
+            echo ""
+            echo " WARNING: Stenographer PCAP data was not deleted. If you proceed,"
+            echo " this data will no longer be accessible through SOC and will never"
+            echo " be automatically deleted. You will need to manually remove it later."
+            echo ""
+            read -rp " Continue with changing pcapengine to SURICATA? (y/N): " CONFIRM_CHANGE
+            if [[ ! "$CONFIRM_CHANGE" =~ ^[Yy]$ ]]; then
+                pcapengine_not_changed
+                return 1
+            fi
+        fi
+        echo ""
+        echo " Updating PCAP engine to SURICATA..."
+        so-yaml.py replace /opt/so/saltstack/local/pillar/global/soc_global.sls global.pcapengine SURICATA
+        echo " Done."
+        return 0
+    else
+        pcapengine_not_changed
+        return 1
+    fi
+}
+
+case "$PCAP_ENGINE" in
+    SURICATA)
+        echo "PCAP engine settings OK."
+        ;;
+    TRANSITION|STENO)
+        echo ""
+        echo "========================================================================="
+        echo " PCAP Engine Check Failed"
+        echo "========================================================================="
+        echo ""
+        echo " Your PCAP engine is currently set to $PCAP_ENGINE."
+        echo ""
+        echo " Before upgrading to Security Onion 3, Stenographer PCAP data must be"
+        echo " removed and the PCAP engine must be set to SURICATA."
+        echo ""
+        echo " To check remaining Stenographer PCAP usage, run:"
+        echo "   salt '*' cmd.run 'du -sh /nsm/pcap'"
+        echo ""
+
+        prompt_delete_pcap
+        if ! prompt_change_engine "$PCAP_ENGINE"; then
+            echo ""
+            exit 1
+        fi
+        ;;
+    *)
+        echo ""
+        echo "========================================================================="
+        echo " PCAP Engine Check Failed"
+        echo "========================================================================="
+        echo ""
+        echo " Unable to determine the PCAP engine setting (got: '$PCAP_ENGINE')."
+        echo " Please ensure the PCAP engine is set to SURICATA."
+        echo " In SOC, navigate to Configuration -> global -> pcapengine"
+        echo " and change the value to SURICATA."
+        echo ""
+        exit 1
+        ;;
+esac
+
+echo ""
+echo "Checking Versions."
+echo ""
+
+# Check if Security Onion 3 has been released
+VERSION=$(curl -sSf "$UPDATE_URL" 2>/dev/null)
+
+if [[ -z "$VERSION" ]]; then
+    echo ""
+    echo "========================================================================="
+    echo " Unable to Check Version"
+    echo "========================================================================="
+    echo ""
+    echo " Could not retrieve version information from:"
+    echo "   $UPDATE_URL"
+    echo ""
+    echo " Please check your network connection and try again."
+    echo ""
+    exit 1
+fi
+
+if [[ "$VERSION" == "UNRELEASED" ]]; then
+    echo ""
+    echo "========================================================================="
+    echo " Security Onion 3 Not Available"
+    echo "========================================================================="
+    echo ""
+    echo " Security Onion 3 has not been released yet."
+    echo ""
+    echo " Please check back later or visit https://securityonion.net for updates."
+    echo ""
+    exit 1
+fi
+
+# Validate version format (e.g., 3.0.2)
+if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+    echo ""
+    echo "========================================================================="
+    echo " Invalid Version"
+    echo "========================================================================="
+    echo ""
+    echo " Received unexpected version format: '$VERSION'"
+    echo ""
+    echo " Please check back later or visit https://securityonion.net for updates."
+    echo ""
+    exit 1
+fi
+
+echo "Security Onion 3 ($VERSION) is available. Upgrading..."
+echo ""
+
+# All checks passed - proceed with upgrade
+BRANCH=3/main soup

salt/nginx/defaults.yaml

@@ -3,7 +3,6 @@ nginx:
   external_suricata: False
   ssl:
     replace_cert: False
-    alt_names: []
   config:
     throttle_login_burst: 12
     throttle_login_rate: 20

salt/nginx/etc/nginx.conf

@@ -60,8 +60,6 @@ http {
     {%- endif %}
 
 	{%- if GLOBALS.is_manager %}
-	{%- set all_names = [GLOBALS.hostname, GLOBALS.url_base] + NGINXMERGED.ssl.alt_names %}
-	{%- set full_server_name = all_names | unique | join(' ') %}
 
 	server {
 		listen 80 default_server;
@@ -71,7 +69,7 @@ http {
 
 	server {
 		listen 8443;
-		server_name {{ full_server_name }};
+		server_name {{ GLOBALS.url_base }};
 		root /opt/socore/html;
 		location /artifacts/ {
 			try_files $uri =206;
@@ -114,7 +112,7 @@ http {
 
 	server {
 		listen 7788;
-		server_name {{ full_server_name }};
+		server_name {{ GLOBALS.url_base }};
 		root /nsm/rules;
 		location / {
 			allow all;
@@ -130,7 +128,7 @@ http {
     server {
         listen 7789 ssl;
 		http2 on;
-        server_name {{ full_server_name }};
+        server_name {{ GLOBALS.url_base }};
         root /surirules;
 
 		add_header 	Content-Security-Policy     "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob: wss:; frame-ancestors 'self'";
@@ -163,7 +161,7 @@ http {
 	server {
 		listen       443 ssl;
 		http2 on;
-		server_name  {{ full_server_name }};
+		server_name  {{ GLOBALS.url_base }};
 		root         /opt/socore/html;
 		index        index.html;
 
@@ -387,13 +385,15 @@ http {
 		error_page 429 = @error429;
 
 		location @error401 {
-			if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*)) {
+			if ($request_uri ~* (^/connect/.*|^/oauth2/.*)) {
 				return    401;
 			}
 
-			add_header    Strict-Transport-Security   "max-age=31536000; includeSubDomains";
+			if ($request_uri ~* ^/(?!(^/api/.*))) {
+				add_header    Strict-Transport-Security   "max-age=31536000; includeSubDomains";
+			}
 
-			if ($request_uri ~* ^/(?!(login|auth|oauth2|$))) {
+			if ($request_uri ~* ^/(?!(api/|login|auth|oauth2|$))) {
 				add_header    Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
 			}
 			return        302 /auth/self-service/login/browser;

salt/nginx/soc_nginx.yaml

@@ -30,12 +30,6 @@ nginx:
       advanced: True
       global: True
       helpLink: nginx.html
-    alt_names:
-      description: Provide a list of alternate names to allow remote systems the ability to refer to the SOC API as another hostname.
-      global: True
-      forcedType: '[]string'
-      multiline: True
-      helpLink: nginx.html
   config:
     throttle_login_burst:
       description: Number of login requests that can burst without triggering request throttling. Higher values allow more repeated login attempts. Values greater than zero are required in order to provide a usable login flow.

salt/nginx/ssl.sls

@@ -49,17 +49,6 @@ managerssl_key:
       - docker_container: so-nginx
 
 # Create a cert for the reverse proxy
-{% set san_list = [GLOBALS.hostname, GLOBALS.node_ip, GLOBALS.url_base] + NGINXMERGED.ssl.alt_names %}
-{% set unique_san_list = san_list | unique %}
-{% set managerssl_san_list = [] %}
-{% for item in unique_san_list %}
-{%   if item | ipaddr %}
-{%     do managerssl_san_list.append("IP:" + item) %}
-{%   else %}
-{%     do managerssl_san_list.append("DNS:" + item) %}
-{%   endif %}
-{% endfor %}
-{% set managerssl_san = managerssl_san_list | join(', ') %}
 managerssl_crt:
   x509.certificate_managed:
     - name: /etc/pki/managerssl.crt
@@ -67,7 +56,7 @@ managerssl_crt:
     - signing_policy: managerssl
     - private_key: /etc/pki/managerssl.key
     - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: {{ managerssl_san }}
+    - subjectAltName: "DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}, DNS:{{ GLOBALS.url_base }}" 
     - days_remaining: 7
     - days_valid: 820
     - backup: True

salt/ntp/init.sls

@@ -2,6 +2,7 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
+{% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'ntp/config.map.jinja' import NTPCONFIG %}
 
 chrony_pkg:
@@ -16,7 +17,11 @@ chronyconf:
     - defaults:
         NTPCONFIG: {{ NTPCONFIG }}
 
+{% if GLOBALS.os_family == 'RedHat' %}
 chronyd:
+{% else %}
+chrony:
+{% endif %}
   service.running:
     - enable: True
     - watch: 

salt/pcap/ca.sls

@@ -0,0 +1,22 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states or sls in allowed_states%}
+
+stenoca:
+  file.directory:
+    - name: /opt/so/conf/steno/certs
+    - user: 941
+    - group: 939
+    - makedirs: True
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/pcap/cleanup.sls

@@ -1,59 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
-{% if GLOBALS.is_sensor %}
-
-delete_so-steno_so-status.conf:
-  file.line:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - mode: delete
-    - match: so-steno
-
-remove_stenographer_user:
-  user.absent:
-    - name: stenographer
-    - force: True
-
-remove_stenographer_log_dir:
-  file.absent:
-    - name: /opt/so/log/stenographer
-
-remove_stenoloss_script:
-  file.absent:
-    - name: /opt/so/conf/telegraf/scripts/stenoloss.sh
-
-remove_steno_conf_dir:
-  file.absent:
-    - name: /opt/so/conf/steno
-
-remove_so_pcap_export:
-  file.absent:
-    - name: /usr/sbin/so-pcap-export
-
-remove_so_pcap_restart:
-  file.absent:
-    - name: /usr/sbin/so-pcap-restart
-
-remove_so_pcap_start:
-  file.absent:
-    - name: /usr/sbin/so-pcap-start
-
-remove_so_pcap_stop:
-  file.absent:
-    - name: /usr/sbin/so-pcap-stop
-
-so-steno:
-  docker_container.absent:
-    - force: True
-
-{% else %}
-
-{{sls}}.non_sensor_node:
-  test.show_notification:
-    - text: "Stenographer cleanup not applicable on non-sensor nodes."
-
-{% endif %}

salt/pcap/config.map.jinja

@@ -0,0 +1,13 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% import_yaml 'pcap/defaults.yaml' as PCAPDEFAULTS %}
+{% set PCAPMERGED = salt['pillar.get']('pcap', PCAPDEFAULTS.pcap, merge=True) %}
+
+{# disable stenographer if the pcap engine is set to SURICATA #}
+{% if GLOBALS.pcap_engine == "SURICATA" %}
+{%   do PCAPMERGED.update({'enabled': False}) %}
+{% endif %}

salt/pcap/config.sls

@@ -0,0 +1,87 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from "pcap/config.map.jinja" import PCAPMERGED %}
+{% from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS, PCAP_BPF_CALC, STENO_BPF_COMPILED %}
+
+# PCAP Section
+stenographergroup:
+  group.present:
+    - name: stenographer
+    - gid: 941
+
+stenographer:
+  user.present:
+    - uid: 941
+    - gid: 941
+    - home: /opt/so/conf/steno
+
+stenoconfdir:
+  file.directory:
+    - name: /opt/so/conf/steno
+    - user: 941
+    - group: 939
+    - makedirs: True
+
+pcap_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://pcap/tools/sbin
+    - user: 939
+    - group: 939
+    - file_mode: 755
+
+{% if PCAPBPF and not PCAP_BPF_STATUS %}
+stenoPCAPbpfcompilationfailure:
+  test.configurable_test_state:
+   - changes: False
+   - result: False
+  - comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ PCAP_BPF_CALC['stderr'] }}"
+{% endif %}
+
+stenoconf:
+  file.managed:
+    - name: /opt/so/conf/steno/config
+    - source: salt://pcap/files/config.jinja
+    - user: stenographer
+    - group: stenographer
+    - mode: 644
+    - template: jinja
+    - defaults:
+        PCAPMERGED: {{ PCAPMERGED }}
+        STENO_BPF_COMPILED: "{{ STENO_BPF_COMPILED }}"
+
+pcaptmpdir:
+  file.directory:
+    - name: /nsm/pcaptmp
+    - user: 941
+    - group: 941
+    - makedirs: True
+
+pcapindexdir:
+  file.directory:
+    - name: /nsm/pcapindex
+    - user: 941
+    - group: 941
+    - makedirs: True
+
+stenolog:
+  file.directory:
+    - name: /opt/so/log/stenographer
+    - user: 941
+    - group: 941
+    - makedirs: True
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/pcap/defaults.yaml

@@ -0,0 +1,11 @@
+pcap:
+  enabled: False
+  config:
+    maxdirectoryfiles: 30000
+    diskfreepercentage: 10
+    blocks: 2048
+    preallocate_file_mb: 4096
+    aiops: 128
+    pin_to_cpu: False
+    cpus_to_pin_to: []
+    disks: []

salt/pcap/disabled.sls

@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - pcap.sostatus
+  
+so-steno:
+  docker_container.absent:
+    - force: True
+
+so-steno_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-steno$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/pcap/enabled.sls

@@ -0,0 +1,63 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
+
+
+include:
+  - pcap.ca
+  - pcap.config
+  - pcap.sostatus
+
+so-steno:
+  docker_container.running:
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-steno:{{ GLOBALS.so_version }}
+    - start: True
+    - network_mode: host
+    - privileged: True
+    - binds:
+      - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
+      - /opt/so/conf/steno/config:/etc/stenographer/config:rw
+      - /nsm/pcap:/nsm/pcap:rw
+      - /nsm/pcapindex:/nsm/pcapindex:rw
+      - /nsm/pcaptmp:/tmp:rw
+      - /opt/so/log/stenographer:/var/log/stenographer:rw
+    {% if DOCKER.containers['so-steno'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-steno'].custom_bind_mounts %}
+      - {{ BIND }}
+        {% endfor %}
+      {% endif %}
+    {% if DOCKER.containers['so-steno'].extra_hosts %}
+    - extra_hosts:
+      {% for XTRAHOST in DOCKER.containers['so-steno'].extra_hosts %}
+      - {{ XTRAHOST }}
+      {% endfor %}
+    {% endif %}
+    {% if DOCKER.containers['so-steno'].extra_env %}
+    - environment:
+      {% for XTRAENV in DOCKER.containers['so-steno'].extra_env %}
+      - {{ XTRAENV }}
+      {% endfor %}
+    {% endif %}
+    - watch:
+      - file: stenoconf
+    - require:
+      - file: stenoconf
+
+delete_so-steno_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-steno$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/pcap/files/config.jinja

@@ -0,0 +1,11 @@
+{
+  "Threads": [
+    { "PacketsDirectory": "/nsm/pcap", "IndexDirectory": "/nsm/pcapindex", "MaxDirectoryFiles": {{ PCAPMERGED.config.maxdirectoryfiles }}, "DiskFreePercentage": {{ PCAPMERGED.config.diskfreepercentage }} }
+  ]
+  , "StenotypePath": "/usr/bin/stenotype"
+  , "Interface": "{{ pillar.sensor.interface }}"
+  , "Port": 1234
+  , "Host": "127.0.0.1"
+  , "Flags": ["-v", "--blocks={{ PCAPMERGED.config.blocks }}", "--preallocate_file_mb={{ PCAPMERGED.config.preallocate_file_mb }}", "--aiops={{ PCAPMERGED.config.aiops }}", "--uid=stenographer", "--gid=stenographer"{{ STENO_BPF_COMPILED }}]
+  , "CertPath": "/etc/stenographer/certs"
+}

salt/pcap/init.sls

@@ -0,0 +1,41 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'pcap/config.map.jinja' import PCAPMERGED %}
+
+include:
+{% if PCAPMERGED.enabled and GLOBALS.role != 'so-import'%}
+  - pcap.enabled
+{% elif GLOBALS.role == 'so-import' %}
+  - pcap.config
+  - pcap.disabled
+{% else %}
+  - pcap.disabled
+{% endif %}
+
+# This directory needs to exist regardless of whether STENO is enabled or not, in order for
+# Sensoroni to be able to look at old steno PCAP data
+
+# if stenographer has never run as the pcap engine no 941 user is created, so we use socore as a placeholder.
+# /nsm/pcap is empty until stenographer is used as pcap engine
+{% set pcap_id = 941 %}
+{% set user_list = salt['user.list_users']() %}
+{% if GLOBALS.pcap_engine == "SURICATA" and 'stenographer' not in user_list %}
+{%   set pcap_id = 939 %}
+{% endif %}
+pcapdir:
+  file.directory:
+    - name: /nsm/pcap
+    - user: {{ pcap_id }}
+    - group: {{ pcap_id }}
+    - makedirs: True
+
+pcapoutdir:
+  file.directory:
+    - name: /nsm/pcapout
+    - user: 939
+    - group: 939
+    - makedirs: True

salt/pcap/soc_pcap.yaml

@@ -0,0 +1,35 @@
+pcap:
+  enabled: 
+    description: Enables or disables the Stenographer packet recording process. This process may already be disabled if Suricata is being used as the packet capture process.
+    helpLink: stenographer.html
+  config:
+    maxdirectoryfiles:
+      description: By default, Stenographer limits the number of files in the pcap directory to 30000 to avoid limitations with the ext3 filesystem. However, if you're using the ext4 or xfs filesystems, then it is safe to increase this value. So if you have a large amount of storage and find that you only have 3 weeks worth of PCAP on disk while still having plenty of free space, then you may want to increase this default setting.
+      helpLink: stenographer.html
+    diskfreepercentage:
+      description: Stenographer will purge old PCAP on a regular basis to keep the disk free percentage at this level. If you have a distributed deployment with dedicated Sensor nodes, then the default value of 10 should be reasonable since Stenographer should be the main consumer of disk space in the /nsm partition. However, if you have systems that run both Stenographer and Elasticsearch at the same time (like eval and standalone installations), then you’ll want to make sure that this value is no lower than 21 so that you avoid Elasticsearch hitting its watermark setting at 80% disk usage. If you have an older standalone installation, then you may need to manually change this value to 21.
+      helpLink: stenographer.html
+    blocks:
+      description: The number of 1MB packet blocks used by Stenographer and AF_PACKET to store packets in memory, per thread. You shouldn't need to change this. 
+      advanced: True
+      helpLink: stenographer.html
+    preallocate_file_mb:
+      description: File size to pre-allocate for individual Stenographer PCAP files. You shouldn't need to change this. 
+      advanced: True
+      helpLink: stenographer.html
+    aiops:
+      description: The max number of async writes to allow for Stenographer at once.
+      advanced: True
+      helpLink: stenographer.html
+    pin_to_cpu:
+      description: Enable CPU pinning for Stenographer PCAP.
+      advanced: True
+      helpLink: stenographer.html
+    cpus_to_pin_to:
+      description: CPU to pin Stenographer PCAP to. Currently only a single CPU is supported.
+      advanced: True
+      helpLink: stenographer.html
+    disks:
+      description: List of disks to use for Stenographer PCAP. This is currently not used.
+      advanced: True
+      helpLink: stenographer.html

salt/pcap/sostatus.sls

@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-steno_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-steno
+    - unless: grep -q so-steno /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/pcap/tools/sbin/so-pcap-export

@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+if [ $# -lt 2 ]; then
+  echo "Usage: $0 <steno-query> Output-Filename"
+  exit 1
+fi
+
+docker exec -t so-sensoroni scripts/stenoquery.sh "$1" -w /nsm/pcapout/$2.pcap
+
+echo ""
+echo "If successful, the output was written to: /nsm/pcapout/$2.pcap"

salt/pcap/tools/sbin/so-pcap-restart

@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart steno $1

salt/pcap/tools/sbin/so-pcap-start

@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start steno $1

salt/pcap/tools/sbin/so-pcap-stop

@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop steno $1

salt/repo/client/map.jinja

@@ -1,29 +1,43 @@
-{% set REPOPATH = '/etc/yum.repos.d/' %}
-{% set ABSENTFILES = [
-       'centos-addons.repo',
-       'centos-devel.repo',
-       'centos-extras.repo',
-       'centos.repo',
-       'docker-ce.repo',
-       'epel.repo',
-       'epel-testing.repo',
-       'saltstack.repo',
-       'salt-latest.repo',
-       'wazuh.repo'
-       'Rocky-Base.repo',
-       'Rocky-CR.repo',
-       'Rocky-Debuginfo.repo',
-       'Rocky-fasttrack.repo',
-       'Rocky-Media.repo',
-       'Rocky-Sources.repo',
-       'Rocky-Vault.repo',
-       'Rocky-x86_64-kernel.repo',
-       'rocky-addons.repo',
-       'rocky-devel.repo',
-       'rocky-extras.repo',
-       'rocky.repo',
-       'oracle-linux-ol9.repo',
-       'uek-ol9.repo',
-       'virt-ol9.repo'
-     ]
-%}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+{% if GLOBALS.os_family == 'RedHat' %}
+  {% set REPOPATH = '/etc/yum.repos.d/' %}
+{%     if GLOBALS.os == 'OEL' %}
+  {% set ABSENTFILES = [
+         'centos-addons.repo',
+         'centos-devel.repo',
+         'centos-extras.repo',
+         'centos.repo',
+         'docker-ce.repo',
+         'epel.repo',
+         'epel-testing.repo',
+         'saltstack.repo',
+         'salt-latest.repo',
+         'wazuh.repo'
+         'Rocky-Base.repo',
+         'Rocky-CR.repo',
+         'Rocky-Debuginfo.repo',
+         'Rocky-fasttrack.repo',
+         'Rocky-Media.repo',
+         'Rocky-Sources.repo',
+         'Rocky-Vault.repo',
+         'Rocky-x86_64-kernel.repo',
+         'rocky-addons.repo',
+         'rocky-devel.repo',
+         'rocky-extras.repo',
+         'rocky.repo',
+         'oracle-linux-ol9.repo',
+         'uek-ol9.repo',
+         'virt-ol9.repo'
+       ]
+  %}
+{%     else %}
+  {% set ABSENTFILES = [] %}
+{%    endif %}
+
+{% else %}
+
+  {% set REPOPATH = '/etc/apt/sources.list.d/' %}
+  {% set ABSENTFILES = [] %}
+
+{% endif %}

salt/salt/init.sls

@@ -1,3 +1,10 @@
+{% if grains.oscodename == 'focal' %}
+saltpymodules:
+  pkg.installed:
+    - pkgs:
+      - python3-docker
+{% endif %}
+
 # distribute to minions for salt upgrades
 salt_bootstrap:
   file.managed:

salt/salt/map.jinja

@@ -17,12 +17,22 @@
 {% set SALTVERSION = saltminion.salt.minion.version | string %}
 {% set INSTALLEDSALTVERSION = grains.saltversion | string %}
 
-{% set SPLITCHAR = '-' %}
-{% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
-{% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
+{% if grains.os_family == 'Debian' %}
+  {% set SPLITCHAR = '+' %}
+  {% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion', 'salt-cloud'] %}
+  {% set SYSTEMD_UNIT_FILE = '/lib/systemd/system/salt-minion.service' %}
+{% else %}
+  {% set SPLITCHAR = '-' %}
+  {% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
+  {% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
+{% endif %}
 
 {% if INSTALLEDSALTVERSION != SALTVERSION %}
-  {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %}
+  {% if grains.os_family|lower == 'redhat' %}
+      {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %}
+  {% elif grains.os_family|lower == 'debian' %}
+    {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -F stable ' ~ SALTVERSION %}
+  {% endif %}
 {% else %}
   {% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %}
 {% endif %}

salt/salt/master.sls

@@ -23,6 +23,15 @@ sync_runners:
     - name: saltutil.sync_runners
 {% endif %}
 
+# prior to 2.4.30 this engine ran on the manager with salt-minion
+# this has changed to running with the salt-master in 2.4.30
+remove_engines_config:
+  file.absent:
+    - name: /etc/salt/minion.d/engines.conf
+    - source: salt://salt/files/engines.conf
+    - watch_in:
+      - service: salt_minion_service
+
 checkmine_engine:
   file.managed:
     - name: /etc/salt/engines/checkmine.py

salt/salt/minion/init.sls

@@ -22,6 +22,18 @@ include:
 {% endif %}
 
 {% if INSTALLEDSALTVERSION|string != SALTVERSION|string %}
+
+{# this is added in 2.4.120 to remove salt repo files pointing to saltproject.io to accomodate the move to broadcom and new bootstrap-salt script #}
+{%   if salt['pkg.version_cmp'](GLOBALS.so_version, '2.4.120') == -1 %}
+{%     set saltrepofile = '/etc/yum.repos.d/salt.repo' %}
+{%     if grains.os_family == 'Debian' %}
+{%       set saltrepofile = '/etc/apt/sources.list.d/salt.list' %}
+{%     endif %}
+remove_saltproject_io_repo_minion:
+  file.absent:
+    - name: {{ saltrepofile }}
+{%   endif %}
+
 unhold_salt_packages:
   pkg.unheld:
     - pkgs:

salt/sensoroni/enabled.sls

@@ -8,6 +8,9 @@
 
 
 include:
+{% if GLOBALS.is_sensor or GLOBALS.role == 'so-import' %}
+  - pcap.ca
+{% endif %}
   - sensoroni.config
   - sensoroni.sostatus
 
@@ -16,6 +19,10 @@ so-sensoroni:
     - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }}
     - network_mode: host
     - binds:
+      {% if GLOBALS.is_sensor or GLOBALS.role == 'so-import' %}
+      - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
+      {% endif %}
+      - /nsm/pcap:/nsm/pcap:rw
       - /nsm/import:/nsm/import:rw
       - /nsm/pcapout:/nsm/pcapout:rw
       - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro

salt/sensoroni/files/analyzers/elasticsearch/README.md

@@ -14,7 +14,7 @@ An API key or User Credentials is necessary for utilizing Elasticsearch.
 
 In SOC, navigate to `Administration`, toggle `Show all configurable settings, including advanced settings.`, and navigate to `sensoroni` -> `analyzers` -> `elasticsearch`.
 
-![image](https://github.com/Security-Onion-Solutions/securityonion/blob/3/dev/assets/images/screenshots/analyzers/elasticsearch.png?raw=true)
+![image](https://github.com/Security-Onion-Solutions/securityonion/blob/2.4/dev/assets/images/screenshots/analyzers/elasticsearch.png?raw=true)
 
 
 The following configuration options are available for:

salt/sensoroni/files/analyzers/sublime/README.md

@@ -6,7 +6,7 @@ Submit a base64-encoded EML file to Sublime Platform for analysis.
 ## Configuration Requirements
 In SOC, navigate to `Administration`, toggle `Show all configurable settings, including advanced settings.`, and navigate to `sensoroni` -> `analyzers` -> `sublime_platform`.
 
-![image](https://github.com/Security-Onion-Solutions/securityonion/blob/3/dev/assets/images/screenshots/analyzers/sublime.png?raw=true)
+![image](https://github.com/Security-Onion-Solutions/securityonion/blob/2.4/dev/assets/images/screenshots/analyzers/sublime.png?raw=true)
 
 
 The following configuration options are available for:

salt/sensoroni/files/sensoroni.json

@@ -32,6 +32,11 @@
         "apiKey": "{{ GLOBALS.sensoroni_key }}"
 {%  if GLOBALS.is_sensor %}
       },     
+      "stenoquery": {
+        "executablePath": "/opt/sensoroni/scripts/stenoquery.sh",
+        "pcapInputPath": "/nsm/pcap",
+        "pcapOutputPath": "/nsm/pcapout"
+      },     
       "suriquery": {
         "pcapInputPath": "/nsm/suripcap",
         "pcapOutputPath": "/nsm/pcapout",

salt/strelka/filestream/config.sls

@@ -47,6 +47,12 @@ filestream_config:
         FILESTREAMCONFIG: {{ STRELKAMERGED.filestream.config }}
 
 # Filecheck Section
+{% if GLOBALS.os_family == 'Debian' %}
+install_watchdog:
+  pkg.installed:
+    - name: python3-watchdog
+
+{% elif GLOBALS.os_family == 'RedHat' %}
 remove_old_watchdog:
   pkg.removed:
     - name: python3-watchdog
@@ -54,6 +60,7 @@ remove_old_watchdog:
 install_watchdog:
   pkg.installed:
     - name: securityonion-python39-watchdog
+{% endif %}
 
 filecheck_logdir:
   file.directory:

salt/suricata/config.sls

@@ -10,7 +10,7 @@
 {%   from 'suricata/map.jinja' import SURICATAMERGED %}
 {%   from 'bpf/suricata.map.jinja' import SURICATABPF, SURICATA_BPF_STATUS, SURICATA_BPF_CALC %}
 
-{%   if GLOBALS.pcap_engine in ["SURICATA"] %}
+{%   if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
 {%     from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS, PCAP_BPF_CALC %}
 # BPF compilation and configuration
 {%     if PCAPBPF and not PCAP_BPF_STATUS %}

salt/suricata/defaults.yaml

@@ -1,7 +1,6 @@
 suricata:
   enabled: False
   pcap:
-    enabled: "no"
     filesize: 1000mb
     maxsize: 25
     compression: "none"
@@ -142,6 +141,8 @@ suricata:
         enabled: "no"
       tls-store:
         enabled: "no"
+      pcap-log:
+        enabled: "no"
       alert-debug:
         enabled: "no"
       alert-prelude:

salt/suricata/map.jinja

@@ -9,20 +9,21 @@
 {% set surimeta_filestore_index = [] %}
 
 {# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #}
-{% if GLOBALS.pcap_engine in ["SURICATA"] %}
-
-{# initialize pcap-log in config.outputs since we dont put it in defaults #}
-{%   if 'pcap-log' not in SURICATAMERGED.config.outputs %}
-{%     do SURICATAMERGED.config.outputs.update({'pcap-log': {}}) %}
-{%   endif %}
+{% if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
 
 {%   from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS %}
 {%   if PCAPBPF and PCAP_BPF_STATUS %}
 {%     do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': PCAPBPF|join(" ")}) %}
 {%   endif %}
 
+{%   set PCAP = salt['pillar.get']('pcap', {'enabled': false}) %}
+{%   if PCAP.enabled and GLOBALS.role != 'so-import'%}
+{%     do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
+{%   else %}
+{%     do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'no'}) %}
+{%   endif %}
+
 {#   move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #}
-{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': SURICATAMERGED.pcap.enabled}) %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-checksum': SURICATAMERGED.pcap['lz4-checksum']}) %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-level': SURICATAMERGED.pcap['lz4-level']}) %}

salt/suricata/pcap.sls

@@ -2,7 +2,7 @@
 {% from 'suricata/map.jinja' import SURICATAMERGED %}
 
 # This directory needs to exist regardless of whether SURIPCAP is enabled or not, in order for
-# Sensoroni to mount it
+# Sensoroni to be able to look at old Suricata PCAP data
 suripcapdir:
   file.directory:
     - name: /nsm/suripcap
@@ -11,14 +11,7 @@ suripcapdir:
     - mode: 775
     - makedirs: True
 
-pcapoutdir:
-  file.directory:
-    - name: /nsm/pcapout
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-{%   if GLOBALS.pcap_engine in ["SURICATA"] %}
+{%   if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
 
 {# there should only be 1 interface in af-packet so we can just reference the first list item #}
 {% for i in range(1, SURICATAMERGED.config['af-packet'][0].threads + 1) %}

salt/suricata/soc_suricata.yaml

@@ -22,10 +22,6 @@ suricata:
       title: Classifications
       helpLink: suricata.html
   pcap:
-    enabled:
-      description: Enables or disables the Suricata packet recording process.
-      forcedType: bool
-      helpLink: suricata.html
     filesize: 
       description: Maximum file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval time.
       advanced: True
@@ -213,6 +209,12 @@ suricata:
               header:
                 description: Header name where the actual IP address will be reported.
                 helpLink: suricata.html
+      pcap-log:
+        enabled:
+          description: This value is ignored by SO. pcapengine in globals takes precedence.
+          readonly: True
+          helpLink: suricata.html
+          advanced: True        
     asn1-max-frames:
       description: Maximum nuber of asn1 frames to decode.
       helpLink: suricata.html

salt/suricata/tools/sbin_jinja/so-suricata-testrule

@@ -31,9 +31,8 @@ mkdir -p /tmp/nids-testing/output
 chown suricata:socore /tmp/nids-testing/output
 mkdir -p /tmp/nids-testing/rules
 
-cp /opt/so/rules/suricata/all-rulesets.rules /tmp/nids-testing/rules/all-rulesets.rules
-cat $TESTRULE >> /tmp/nids-testing/rules/all-rulesets.rules
-
+cp /opt/so/conf/suricata/rules/all.rules /tmp/nids-testing/rules/all.rules
+cat $TESTRULE >> /tmp/nids-testing/rules/all.rules
 
 echo "==== Begin Suricata Output ==="
 

salt/telegraf/defaults.yaml

@@ -19,6 +19,7 @@ telegraf:
       - os.sh
       - raid.sh
       - sostatus.sh
+      - stenoloss.sh
       - suriloss.sh
       - surirules.sh
       - zeekcaptureloss.sh
@@ -34,6 +35,7 @@ telegraf:
       - raid.sh
       - redis.sh
       - sostatus.sh
+      - stenoloss.sh
       - suriloss.sh
       - surirules.sh
       - zeekcaptureloss.sh
@@ -79,6 +81,7 @@ telegraf:
       - os.sh
       - raid.sh
       - sostatus.sh
+      - stenoloss.sh
       - suriloss.sh
       - surirules.sh
       - zeekcaptureloss.sh
@@ -93,6 +96,7 @@ telegraf:
       - raid.sh
       - redis.sh
       - sostatus.sh
+      - stenoloss.sh
       - suriloss.sh
       - surirules.sh
       - zeekcaptureloss.sh

salt/telegraf/enabled.sls

@@ -47,6 +47,7 @@ so-telegraf:
       - /etc/pki/telegraf.crt:/etc/telegraf/telegraf.crt:ro
       - /etc/pki/telegraf.key:/etc/telegraf/telegraf.key:ro
       - /opt/so/conf/telegraf/scripts:/scripts:ro
+      - /opt/so/log/stenographer:/var/log/stenographer:ro
       - /opt/so/log/suricata:/var/log/suricata:ro
       - /opt/so/log/raid:/var/log/raid:ro
       - /opt/so/log/sostatus:/var/log/sostatus:ro

salt/telegraf/map.jinja

@@ -14,6 +14,13 @@
 {%     do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekloss.sh') %}
 {%     do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekcaptureloss.sh') %}
 {%   endif %}
+
+{%   from 'pcap/config.map.jinja' import PCAPMERGED %}
+{#   PCAPMERGED.enabled is set false in soc ui or if suricata is the pcap engine #}
+{%   if not PCAPMERGED.enabled %}
+{%     do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('stenoloss.sh') %}
+{%   endif %}
+
 {% endif %}
 
 {% if GLOBALS.pipeline != 'REDIS' %}

salt/telegraf/scripts/oldpcap.sh

@@ -5,7 +5,11 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
+{%- if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
 PCAPLOC=/host/nsm/suripcap
+{%- else %}
+PCAPLOC=/host/nsm/pcap
+{%- endif %}
 
 # if this script isn't already running
 if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then

salt/telegraf/scripts/stenoloss.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+# if this script isn't already running
+if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
+
+    CHECKIT=$(grep "Thread 0 stats" /var/log/stenographer/stenographer.log |tac |head -2|wc -l)
+    STENOGREP=$(grep "Thread 0 stats" /var/log/stenographer/stenographer.log |tac |head -2)
+
+    declare RESULT=($STENOGREP)
+
+    CURRENT_PACKETS=$(echo ${RESULT[9]} | awk -F'=' '{print $2 }')
+    CURRENT_DROPS=$(echo ${RESULT[12]} | awk -F'=' '{print $2 }')
+    PREVIOUS_PACKETS=$(echo ${RESULT[23]} | awk -F'=' '{print $2 }')
+    PREVIOUS_DROPS=$(echo ${RESULT[26]} | awk -F'=' '{print $2 }')
+
+    DROPPED=$((CURRENT_DROPS - PREVIOUS_DROPS))
+    TOTAL_CURRENT=$((CURRENT_PACKETS + CURRENT_DROPS))
+    TOTAL_PAST=$((PREVIOUS_PACKETS + PREVIOUS_DROPS))
+    TOTAL=$((TOTAL_CURRENT - TOTAL_PAST))
+
+    if [ $CHECKIT == 2 ]; then
+      if [ $DROPPED == 0 ]; then
+        echo "stenodrop drop=$DROPPED"
+      else
+        LOSS=$(echo "4 k $DROPPED $TOTAL / 100 * p" | dc)
+        echo "stenodrop drop=$LOSS"
+      fi
+    fi
+
+fi
+
+exit 0

salt/telegraf/ssl.sls

@@ -46,6 +46,17 @@ telegraf_key_perms:
     - mode: 640
     - group: 939
 
+{%   if not GLOBALS.is_manager %}
+{# Prior to 2.4.220, minions used influxdb.crt and key for telegraf #}
+remove_influxdb.crt:
+  file.absent:
+    - name: /etc/pki/influxdb.crt
+
+remove_influxdb.key:
+  file.absent:
+    - name: /etc/pki/influxdb.key
+{%   endif %}
+
 {% else %}
 
 {{sls}}_state_not_allowed:

salt/top.sls

@@ -78,13 +78,14 @@ base:
     - elasticsearch
     - elastic-fleet-package-registry
     - kibana
+    - pcap
     - suricata
     - zeek
     - strelka
+    - curator.disabled
     - elastalert
     - utility
     - elasticfleet
-    - pcap.cleanup
 
   '*_standalone and G@saltversion:{{saltversion}} and not I@node_data:False':
     - match: compound
@@ -107,15 +108,16 @@ base:
     - redis
     - elastic-fleet-package-registry
     - kibana
+    - pcap
     - suricata
     - zeek
     - strelka
+    - curator.disabled
     - elastalert
     - utility
     - elasticfleet
     - stig
     - kafka
-    - pcap.cleanup
 
   '*_manager or *_managerhype and G@saltversion:{{saltversion}} and not I@node_data:False':
     - match: compound
@@ -137,6 +139,7 @@ base:
     - redis
     - elastic-fleet-package-registry
     - kibana
+    - curator.disabled
     - elastalert
     - utility
     - elasticfleet
@@ -165,6 +168,7 @@ base:
     - elasticsearch
     - logstash
     - redis
+    - curator.disabled
     - elastic-fleet-package-registry
     - kibana
     - elastalert
@@ -188,6 +192,7 @@ base:
     - sensoroni
     - telegraf
     - firewall
+    - pcap
     - elasticsearch
     - elastic-fleet-package-registry
     - kibana
@@ -195,7 +200,6 @@ base:
     - suricata
     - zeek
     - elasticfleet
-    - pcap.cleanup
 
   '*_searchnode and G@saltversion:{{saltversion}}':
     - match: compound
@@ -216,13 +220,13 @@ base:
     - telegraf
     - firewall
     - nginx
+    - pcap
     - suricata
     - healthcheck
     - zeek
     - strelka
     - elasticfleet.install_agent_grid
     - stig
-    - pcap.cleanup
 
   '*_heavynode and G@saltversion:{{saltversion}}':
     - match: compound
@@ -234,12 +238,13 @@ base:
     - elasticsearch
     - logstash
     - redis
+    - curator.disabled
     - strelka
+    - pcap
     - suricata
     - zeek
     - elasticfleet.install_agent_grid
     - elasticagent
-    - pcap.cleanup
 
   '*_receiver and G@saltversion:{{saltversion}}':
     - match: compound

salt/versionlock/init.sls

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{% if salt['pkg.version']('python3-dnf-plugin-versionlock') != "" %}
+{% if grains.os_family == 'Debian' or (grains.os_family == 'RedHat' and salt['pkg.version']('python3-dnf-plugin-versionlock') !=  "") %}
 {%   from 'versionlock/map.jinja' import VERSIONLOCKMERGED %}
 {%   for pkg in VERSIONLOCKMERGED.hold %}
 {{pkg}}_held:

salt/versionlock/map.jinja

@@ -6,7 +6,11 @@
 {% import_yaml 'versionlock/defaults.yaml' as VERSIONLOCKDEFAULTS %}
 {% set VERSIONLOCKMERGED = salt['pillar.get']('versionlock', VERSIONLOCKDEFAULTS.versionlock, merge=True) %}
 
-{% set HELD = salt['pkg.list_holds']() %}
+{% if grains.os_family == 'RedHat' %}
+{%   set HELD = salt['pkg.list_holds']() %}
+{% else %}
+{%   set HELD = salt['pkg.get_selections'](state='hold')['hold'] %}
+{% endif %}
 
 {# these are packages held / versionlock in other states #}
 {% set PACKAGES_HELD_IN_OTHER_STATES = [

setup/so-functions

@@ -1366,6 +1366,9 @@ create_global() {
 	echo "  mdengine: 'ZEEK'" >> $global_pillar_file
 	echo "  ids: 'Suricata'" >> $global_pillar_file
 	echo "  url_base: '$REDIRECTIT'" >> $global_pillar_file
+	if [[ $HIGHLANDER == 'True' ]]; then
+		echo "  highlander: True" >> $global_pillar_file
+	fi
 	if [[ $is_airgap ]]; then
 		echo "  airgap: True" >> $global_pillar_file
 	else 
@@ -1379,7 +1382,9 @@ create_global() {
 	echo "  registry_host: '$HOSTNAME'" >> $global_pillar_file
 	echo "  endgamehost: '$ENDGAMEHOST'" >> $global_pillar_file
 
-   	echo "  pcapengine: SURICATA" >> $global_pillar_file
+	if [[ $is_standalone || $is_eval ]]; then
+        	echo "  pcapengine: SURICATA" >> $global_pillar_file
+	fi
 }
 
 create_sensoroni_pillar() {
@@ -1441,7 +1446,7 @@ make_some_dirs() {
 	mkdir -p $local_salt_dir/salt/firewall/portgroups
 	mkdir -p $local_salt_dir/salt/firewall/ports
 
-	for THEDIR in bpf elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos hydra idh elastalert stig global kafka versionlock hypervisor vm; do
+	for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos hydra idh elastalert stig global kafka versionlock hypervisor vm; do
 	mkdir -p $local_salt_dir/pillar/$THEDIR
 	touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls
 	touch $local_salt_dir/pillar/$THEDIR/soc_$THEDIR.sls
@@ -1595,6 +1600,7 @@ reserve_group_ids() {
 	logCmd "groupadd -g 940 suricata"
 	logCmd "groupadd -g 948 elastic-agent-pr"
 	logCmd "groupadd -g 949 elastic-agent"
+	logCmd "groupadd -g 941 stenographer"
 	logCmd "groupadd -g 947 elastic-fleet"
 	logCmd "groupadd -g 960 kafka"
 }
@@ -1792,8 +1798,8 @@ securityonion_repo() {
 		if ! $is_desktop_grid; then
 			gpg_rpm_import
 			if [[ ! $is_airgap ]]; then
-				echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9" > /etc/yum/mirror.txt
-				echo "https://so-repo-east.s3.us-east-005.backblazeb2.com/prod/3/oracle/9" >> /etc/yum/mirror.txt
+				echo "https://repo.securityonion.net/file/so-repo/prod/2.4/oracle/9" > /etc/yum/mirror.txt
+				echo "https://so-repo-east.s3.us-east-005.backblazeb2.com/prod/2.4/oracle/9" >> /etc/yum/mirror.txt
 				echo "[main]" > /etc/yum.repos.d/securityonion.repo
 				echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
 				echo "installonly_limit=3" >> /etc/yum.repos.d/securityonion.repo
@@ -1851,8 +1857,8 @@ repo_sync_local() {
 		info "Adding Repo Download Configuration"
 		mkdir -p /nsm/repo
 		mkdir -p /opt/so/conf/reposync/cache
-		echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9" > /opt/so/conf/reposync/mirror.txt
-		echo "https://repo-alt.securityonion.net/prod/3/oracle/9" >> /opt/so/conf/reposync/mirror.txt
+		echo "https://repo.securityonion.net/file/so-repo/prod/2.4/oracle/9" > /opt/so/conf/reposync/mirror.txt
+		echo "https://repo-alt.securityonion.net/prod/2.4/oracle/9" >> /opt/so/conf/reposync/mirror.txt
 		echo "[main]" > /opt/so/conf/reposync/repodownload.conf
 		echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
 		echo "installonly_limit=3" >> /opt/so/conf/reposync/repodownload.conf
@@ -1889,7 +1895,7 @@ repo_sync_local() {
 				logCmd "dnf -y install epel-release"
 			fi
 			dnf install -y yum-utils device-mapper-persistent-data lvm2
-			curl -fsSL https://repo.securityonion.net/file/so-repo/prod/3/so/so.repo | tee /etc/yum.repos.d/so.repo
+			curl -fsSL https://repo.securityonion.net/file/so-repo/prod/2.4/so/so.repo | tee /etc/yum.repos.d/so.repo
 			rpm --import https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public
 			dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
 			curl -fsSL "https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo" | tee /etc/yum.repos.d/salt.repo