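#!/bin/bash

# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.

# Pre-flight checks before handing off to soup for the Security Onion 3 upgrade:
#   1. exit early if /etc/soversion already reports a 3.x version;
#   2. require the pcapengine pillar to be SURICATA, offering to delete
#      Stenographer PCAP data and switch the engine interactively;
#   3. fetch the published VERSION string and validate it;
#   4. run soup with BRANCH=3/main.
# Every prompt defaults to "No"; only a single y or Y is accepted as consent.

. /usr/sbin/so-common

UPDATE_URL=https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/refs/heads/3/main/VERSION

# Check if already running version 3
CURRENT_VERSION=$(cat /etc/soversion 2>/dev/null)
if [[ "$CURRENT_VERSION" =~ ^3\. ]]; then
  echo ""
  echo "========================================================================="
  echo " Already Running Security Onion 3"
  echo "========================================================================="
  echo ""
  echo " This system is already running Security Onion $CURRENT_VERSION."
  echo " Use 'soup' to update within the 3.x release line."
  echo ""
  exit 0
fi

echo ""
echo "Checking PCAP settings."
echo ""

# Check pcapengine setting - must be SURICATA before upgrading to version 3
PCAP_ENGINE=$(lookup_pillar "pcapengine")
# Set to true only after the grid-wide delete command reports success.
PCAP_DELETED=false

#######################################
# Offer to delete Stenographer PCAP data on every node (double confirmation).
# Globals:   PCAP_DELETED (written: true only when the salt command succeeds)
# Arguments: none
# Outputs:   prompts and status messages on stdout
# Returns:   0 in all cases; callers read PCAP_DELETED for the outcome
#######################################
prompt_delete_pcap() {
  local DELETE_PCAP CONFIRM_DELETE

  read -rp " Would you like to delete all remaining Stenographer PCAP data? (y/N): " DELETE_PCAP
  if [[ ! "$DELETE_PCAP" =~ ^[Yy]$ ]]; then
    return 0
  fi

  echo ""
  echo " WARNING: This will permanently delete all Stenographer PCAP data"
  echo " on all nodes. This action cannot be undone."
  echo ""
  read -rp " Are you sure? (y/N): " CONFIRM_DELETE
  if [[ ! "$CONFIRM_DELETE" =~ ^[Yy]$ ]]; then
    echo ""
    echo " Delete cancelled."
    return 0
  fi

  echo ""
  echo " Deleting Stenographer PCAP data on all nodes..."
  # The paths are fixed literals; nothing user-supplied reaches the remote shell.
  # Only record the deletion as done when salt itself reports success, so that
  # the "data was not deleted" warning in prompt_change_engine is not suppressed
  # after a failed run.
  # NOTE(review): without --retcode-passthrough, salt may still exit 0 when the
  # remote command fails on a minion, and '*' only reaches minions that respond.
  # Confirm with the 'du -sh /nsm/pcap' check after the upgrade.
  if salt '*' cmd.run "rm -rf /nsm/pcap/* && rm -rf /nsm/pcapindex/*"; then
    echo " Done."
    PCAP_DELETED=true
  else
    echo " ERROR: The delete command did not complete successfully."
    echo " Stenographer PCAP data may still be present on one or more nodes."
  fi
  return 0
}

#######################################
# Explain that the engine was left unchanged and where to change it in SOC.
# Arguments: none
# Outputs:   guidance on stdout
#######################################
pcapengine_not_changed() {
  echo ""
  echo " PCAP engine must be set to SURICATA before upgrading to Security Onion 3."
  echo " You can change this in SOC by navigating to:"
  echo " Configuration -> global -> pcapengine"
}

#######################################
# Offer to set global.pcapengine to SURICATA in the local global pillar.
# Globals:   PCAP_DELETED (read: decides whether the orphaned-data warning shows)
# Arguments: $1 - current engine value (accepted from the caller; not used below)
# Outputs:   prompts and status messages on stdout
# Returns:   0 when the pillar was updated, 1 when the user declined or the
#            update command failed
#######################################
prompt_change_engine() {
  # shellcheck disable=SC2034 -- kept so the existing call signature still works
  local current_engine=$1
  local CHANGE_ENGINE CONFIRM_CHANGE

  echo ""
  read -rp " Would you like to change the PCAP engine to SURICATA now? (y/N): " CHANGE_ENGINE
  if [[ ! "$CHANGE_ENGINE" =~ ^[Yy]$ ]]; then
    pcapengine_not_changed
    return 1
  fi

  if [[ "$PCAP_DELETED" != "true" ]]; then
    echo ""
    echo " WARNING: Stenographer PCAP data was not deleted. If you proceed,"
    echo " this data will no longer be accessible through SOC and will never"
    echo " be automatically deleted. You will need to manually remove it later."
    echo ""
    read -rp " Continue with changing pcapengine to SURICATA? (y/N): " CONFIRM_CHANGE
    if [[ ! "$CONFIRM_CHANGE" =~ ^[Yy]$ ]]; then
      pcapengine_not_changed
      return 1
    fi
  fi

  echo ""
  echo " Updating PCAP engine to SURICATA..."
  # Do not report success (and let the upgrade continue) unless the pillar
  # write actually succeeded.
  if ! so-yaml.py replace /opt/so/saltstack/local/pillar/global/soc_global.sls global.pcapengine SURICATA; then
    echo " ERROR: Failed to update the PCAP engine setting."
    pcapengine_not_changed
    return 1
  fi
  echo " Done."
  return 0
}

case "$PCAP_ENGINE" in
  SURICATA)
    echo "PCAP engine settings OK."
    ;;
  TRANSITION|STENO)
    echo ""
    echo "========================================================================="
    echo " PCAP Engine Check Failed"
    echo "========================================================================="
    echo ""
    echo " Your PCAP engine is currently set to $PCAP_ENGINE."
    echo ""
    echo " Before upgrading to Security Onion 3, Stenographer PCAP data must be"
    echo " removed and the PCAP engine must be set to SURICATA."
    echo ""
    echo " To check remaining Stenographer PCAP usage, run:"
    echo " salt '*' cmd.run 'du -sh /nsm/pcap'"
    echo ""
    prompt_delete_pcap
    if ! prompt_change_engine "$PCAP_ENGINE"; then
      echo ""
      exit 1
    fi
    ;;
  *)
    # Fail closed: an empty or unrecognised value never proceeds to the upgrade.
    echo ""
    echo "========================================================================="
    echo " PCAP Engine Check Failed"
    echo "========================================================================="
    echo ""
    echo " Unable to determine the PCAP engine setting (got: '$PCAP_ENGINE')."
    echo " Please ensure the PCAP engine is set to SURICATA."
    echo " In SOC, navigate to Configuration -> global -> pcapengine"
    echo " and change the value to SURICATA."
    echo ""
    exit 1
    ;;
esac

echo ""
echo "Checking Versions."
echo ""

# Check if Security Onion 3 has been released.
# The response is remote data: -f makes HTTP errors yield an empty result, and
# the value is matched against a strict pattern below before it is displayed.
VERSION=$(curl -sSf "$UPDATE_URL" 2>/dev/null)
if [[ -z "$VERSION" ]]; then
  echo ""
  echo "========================================================================="
  echo " Unable to Check Version"
  echo "========================================================================="
  echo ""
  echo " Could not retrieve version information from:"
  echo " $UPDATE_URL"
  echo ""
  echo " Please check your network connection and try again."
  echo ""
  exit 1
fi

if [[ "$VERSION" == "UNRELEASED" ]]; then
  echo ""
  echo "========================================================================="
  echo " Security Onion 3 Not Available"
  echo "========================================================================="
  echo ""
  echo " Security Onion 3 has not been released yet."
  echo ""
  echo " Please check back later or visit https://securityonion.net for updates."
  echo ""
  exit 1
fi

# Validate version format (e.g., 3.0.2)
if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  echo ""
  echo "========================================================================="
  echo " Invalid Version"
  echo "========================================================================="
  echo ""
  echo " Received unexpected version format: '$VERSION'"
  echo ""
  echo " Please check back later or visit https://securityonion.net for updates."
  echo ""
  exit 1
fi

echo "Security Onion 3 ($VERSION) is available. Upgrading..."
echo ""

# All checks passed - proceed with upgrade
BRANCH=3/main soup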