


Josh Patterson
a268657ea0 upgrade salt3006.23 2026-04-13 09:41:32 -04:00
Matthew Wright
81afbd32d4 Merge pull request #15742 from Security-Onion-Solutions/mwright/ai-query-length
Assistant: charsPerTokenEstimate
2026-04-09 11:28:37 -04:00
Josh Patterson
e9c4f40735 Merge pull request #15745 from Security-Onion-Solutions/delta
define options in annotation files
2026-04-09 10:39:13 -04:00
Josh Patterson
9ec4a26f97 define options in annotation files 2026-04-09 10:18:36 -04:00
Josh Patterson
ef3cfc8722 Merge pull request #15741 from Security-Onion-Solutions/fix/suricata-pcap-log-max-files
ensure max-files is 1 at minimum
2026-04-08 16:00:26 -04:00
Matthew Wright
28d31f4840 add charsPerTokenEstimate 2026-04-08 15:25:51 -04:00
Josh Patterson
2166bb749a ensure max-files is 1 at minimum 2026-04-08 14:59:05 -04:00
Mike Reeves
88de246ce3 Merge pull request #15725 from Security-Onion-Solutions/3/main
License Link to dev
2026-04-06 10:59:22 -04:00
Mike Reeves
3643b57167 Merge pull request #15724 from Security-Onion-Solutions/TOoSmOotH-patch-2
Fix JA4+ license link in soc_zeek.yaml
2026-04-06 10:24:04 -04:00
Mike Reeves
5b3ca98b80 Fix JA4+ license link in soc_zeek.yaml
Updated the license link in the JA4+ fingerprinting description.
2026-04-06 10:12:37 -04:00
Jason Ertel
76f4ccf8c8 Merge pull request #15705 from Security-Onion-Solutions/3/main
Merge pr/workflow changes back to dev
2026-04-01 10:57:34 -04:00
Mike Reeves
3dec6986b6 Merge pull request #15702 from Security-Onion-Solutions/3/main
soup fix
2026-03-31 15:12:01 -04:00
Mike Reeves
ff45e5ebc6 Merge pull request #15699 from Security-Onion-Solutions/TOoSmOotH-patch-4
Version Bump
2026-03-31 13:55:55 -04:00
Mike Reeves
1e2b51eae6 Add version 3.1.0 to discussion template options 2026-03-31 13:53:00 -04:00
Mike Reeves
58d332ea94 Bump version from 3.0.0 to 3.1.0 2026-03-31 13:52:07 -04:00
13 changed files with 52 additions and 26 deletions


@@ -10,6 +10,7 @@ body:
options:
-
- 3.0.0
- 3.1.0
- Other (please provide detail below)
validations:
required: true


@@ -1 +1 @@
3.0.0
3.1.0


@@ -11,18 +11,14 @@ global:
regexFailureMessage: You must enter a valid IP address or CIDR.
mdengine:
description: Which engine to use for meta data generation. Options are ZEEK and SURICATA.
regex: ^(ZEEK|SURICATA)$
options:
- ZEEK
- SURICATA
regexFailureMessage: You must enter either ZEEK or SURICATA.
global: True
pcapengine:
description: Which engine to use for generating pcap. Currently only SURICATA is supported.
regex: ^(SURICATA)$
options:
- SURICATA
regexFailureMessage: You must enter either SURICATA.
global: True
ids:
description: Which IDS engine to use. Currently only Suricata is supported.
@@ -42,11 +38,9 @@ global:
advanced: True
pipeline:
description: Sets which pipeline technology for events to use. The use of Kafka requires a Security Onion Pro license.
regex: ^(REDIS|KAFKA)$
options:
- REDIS
- KAFKA
regexFailureMessage: You must enter either REDIS or KAFKA.
global: True
advanced: True
repo_host:
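Review bot: Dropping `regex` and `regexFailureMessage` for mdengine, pcapengine and pipeline while keeping only `options` removes the only value-pattern check visible in this annotation; if `options` is enforced solely by the SOC UI select widget and not by the backend, a value written through the API or directly into the pillar is no longer rejected. The same pattern appears in the influxdb, kafka, kratos and suricata annotation hunks of this compare, so this note covers those too. If the backend does validate against `options`, a one-line comment above the first such entry, e.g. `# options: enumerated values are validated server-side; no regex needed`, would record that and keep later edits from re-adding both; otherwise keep an anchored `regex` next to `options`. Note that two of the removed patterns, `^(SASL_SSL|PLAINTEXT|SSL|SASL_PLAINTEXT)` in kafka and `me|userinfo` in kratos, were unanchored and matched substrings, so whatever replaces them should be anchored or exact-match. The `global:` mapping continues outside both hunks.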


@@ -85,7 +85,10 @@ influxdb:
description: The log level to use for outputting log statements. Allowed values are debug, info, or error.
global: True
advanced: false
regex: ^(info|debug|error)$
options:
- info
- debug
- error
helpLink: influxdb
metrics-disabled:
description: If true, the HTTP endpoint that exposes internal InfluxDB metrics will be inaccessible.
@@ -140,7 +143,9 @@ influxdb:
description: Determines the type of storage used for secrets. Allowed values are bolt or vault.
global: True
advanced: True
regex: ^(bolt|vault)$
options:
- bolt
- vault
helpLink: influxdb
session-length:
description: Number of minutes that a user login session can remain authenticated.
@@ -260,7 +265,9 @@ influxdb:
description: The type of data store to use for HTTP resources. Allowed values are disk or memory. Memory should not be used for production Security Onion installations.
global: True
advanced: True
regex: ^(disk|memory)$
options:
- disk
- memory
helpLink: influxdb
tls-cert:
description: The container path to the certificate to use for TLS encryption of the HTTP requests and responses.


@@ -128,10 +128,13 @@ kafka:
title: ssl.keystore.password
sensitive: True
helpLink: kafka
ssl_x_keystore_x_type:
ssl_x_keystore_x_type:
description: The key store file format.
title: ssl.keystore.type
regex: ^(JKS|PKCS12|PEM)$
options:
- JKS
- PKCS12
- PEM
helpLink: kafka
ssl_x_truststore_x_location:
description: The trust store file location within the Docker container.
@@ -160,7 +163,11 @@ kafka:
security_x_protocol:
description: 'Broker communication protocol. Options are: SASL_SSL, PLAINTEXT, SSL, SASL_PLAINTEXT'
title: security.protocol
regex: ^(SASL_SSL|PLAINTEXT|SSL|SASL_PLAINTEXT)
options:
- SASL_SSL
- PLAINTEXT
- SSL
- SASL_PLAINTEXT
helpLink: kafka
ssl_x_keystore_x_location:
description: The key store file location within the Docker container.
@@ -174,7 +181,10 @@ kafka:
ssl_x_keystore_x_type:
description: The key store file format.
title: ssl.keystore.type
regex: ^(JKS|PKCS12|PEM)$
options:
- JKS
- PKCS12
- PEM
helpLink: kafka
ssl_x_truststore_x_location:
description: The trust store file location within the Docker container.


@@ -21,8 +21,12 @@ kratos:
description: "Specify the provider type. Required. Valid values are: auth0, generic, github, google, microsoft"
global: True
forcedType: string
regex: "auth0|generic|github|google|microsoft"
regexFailureMessage: "Valid values are: auth0, generic, github, google, microsoft"
options:
- auth0
- generic
- github
- google
- microsoft
helpLink: oidc
client_id:
description: Specify the client ID, also referenced as the application ID. Required.
@@ -43,8 +47,9 @@ kratos:
description: The source of the subject identifier. Typically 'userinfo'. Only used when provider is 'microsoft'.
global: True
forcedType: string
regex: me|userinfo
regexFailureMessage: "Valid values are: me, userinfo"
options:
- me
- userinfo
helpLink: oidc
auth_url:
description: Provider's auth URL. Required when provider is 'generic'.


@@ -1,4 +1,4 @@
# version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
salt:
master:
version: '3006.19'
version: '3006.23'


@@ -1,5 +1,5 @@
# version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
salt:
minion:
version: '3006.19'
version: '3006.23'
check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default


@@ -2687,4 +2687,5 @@ soc:
lowBalanceColorAlert: 500000
enabled: true
adapter: SOAI
charsPerTokenEstimate: 4


@@ -761,7 +761,7 @@ soc:
required: True
- field: origin
label: Country of Origin for the Model Training
required: false
required: False
- field: contextLimitSmall
label: Context Limit (Small)
forcedType: int
@@ -779,6 +779,10 @@ soc:
- field: enabled
label: Enabled
forcedType: bool
- field: charsPerTokenEstimate
label: Characters per Token Estimate
forcedType: float
required: False
apiTimeoutMs:
description: Duration (in milliseconds) to wait for a response from the SOC server API before giving up and showing an error on the SOC UI.
global: True
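Review bot: The new `charsPerTokenEstimate` form field carries only a label and `forcedType: float`, with no range check or explanation of what the number means; if the Assistant divides a character count by this value to estimate tokens, a 0 or negative entry would break that estimate at runtime, so a lower bound should be enforced where the field schema allows it, or at least stated in the label, e.g. `label: Characters per Token Estimate (must be greater than 0)`. The default in the soc defaults hunk, `charsPerTokenEstimate: 4`, is an integer literal for a float-typed field; write `4.0` if the loader distinguishes the two. The `required: false` to `required: False` edit in the first hunk only aligns casing with the rest of the file. The `soc:` mapping continues outside both hunks.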


@@ -33,7 +33,7 @@
{% do SURICATAMERGED.config.outputs['pcap-log'].update({'conditional': SURICATAMERGED.pcap.conditional}) %}
{% do SURICATAMERGED.config.outputs['pcap-log'].update({'dir': SURICATAMERGED.pcap.dir}) %}
{# multiply maxsize by 1000 since it is saved in GB, i.e. 52 = 52000MB. filesize is also saved in MB and we strip the MB and convert to int #}
{% set maxfiles = (SURICATAMERGED.pcap.maxsize * 1000 / (SURICATAMERGED.pcap.filesize[:-2] | int) / SURICATAMERGED.config['af-packet'].threads | int) | round | int %}
{% set maxfiles = ([1, (SURICATAMERGED.pcap.maxsize * 1000 / (SURICATAMERGED.pcap.filesize[:-2] | int) / SURICATAMERGED.config['af-packet'].threads | int) | round(0, 'ceil') | int] | max) %}
{% do SURICATAMERGED.config.outputs['pcap-log'].update({'max-files': maxfiles}) %}
{% endif %}
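Review bot: The rewritten `maxfiles` expression still divides by `SURICATAMERGED.pcap.filesize[:-2] | int` and `SURICATAMERGED.config['af-packet'].threads | int`; Jinja's `int` filter yields 0 for a value it cannot parse (for example a `threads` of `auto`, or a `filesize` without the `MB` suffix), which turns a config typo into a ZeroDivisionError during rendering rather than the floor of 1 this change is after. Consider resolving both to checked positive integers on their own lines before the `set`, e.g. `{% set threads = SURICATAMERGED.config['af-packet'].threads | int %}` followed by an `{% if threads > 0 %}` guard, or at least extending the comment above to state that `filesize` is expected as `<n>MB` and `threads` as a numeric count. Splitting the expression into named intermediates would also make the `[1, ...] | max` clamp readable. The enclosing `{% if %}` block starts outside the hunk.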


@@ -64,8 +64,10 @@ suricata:
helpLink: suricata
conditional:
description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules.
regex: ^(all|alerts|tag)$
regexFailureMessage: You must enter either all, alert or tag.
options:
- all
- alerts
- tag
helpLink: suricata
dir:
description: Parent directory to store PCAP.
@@ -83,7 +85,9 @@ suricata:
advanced: True
cluster-type:
advanced: True
regex: ^(cluster_flow|cluster_qm)$
options:
- cluster_flow
- cluster_qm
defrag:
description: Enable defragmentation of IP packets before processing.
forcedType: bool


@@ -5,7 +5,7 @@ zeek:
helpLink: zeek
ja4plus:
enabled:
description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license [https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4](https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)."
description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license [https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE](https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE)."
forcedType: bool
helpLink: zeek
advanced: False