From 3b5c9510d99192f478bbfc2d15b4ae048359054e Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 30 May 2024 16:25:02 -0600
Subject: [PATCH 01/57] Detection Templates

When you select a language from the dropdown on the New Detection page, a request is made to get an unused public Id for that engine (except YARA/Strelka). The source field is then filled with the template for that language/engine with publicId inserted in the right place.
---
 config/clientparameters.go                 | 54 +++++++++++++---------
 html/index.html                            |  2 +-
 html/js/routes/detection.js                | 28 +++++++++++
 html/js/routes/detection.test.js           | 38 +++++++++++++--
 server/detectionengine.go                  |  1 +
 server/detectionhandler.go                 | 28 +++++++++++
 server/modules/elastalert/elastalert.go    |  4 +-
 server/modules/elastalert/validate_test.go |  2 +-
 server/modules/strelka/strelka.go          |  6 +++
 server/modules/suricata/suricata.go        |  4 +-
 server/modules/suricata/validate_test.go   |  2 +-
 11 files changed, 134 insertions(+), 35 deletions(-)

diff --git a/config/clientparameters.go b/config/clientparameters.go
index 7856e3ea..df6b7248 100644
--- a/config/clientparameters.go
+++ b/config/clientparameters.go
@@ -16,27 +16,27 @@ const DEFAULT_CHART_LABEL_OTHER_LIMIT = 10
 const DEFAULT_CHART_LABEL_FIELD_SEPARATOR = ", "
 
 type ClientParameters struct {
-	HuntingParams       HuntingParameters   `json:"hunt"`
-	AlertingParams      HuntingParameters   `json:"alerts"`
-	CasesParams         HuntingParameters   `json:"cases"`
-	CaseParams          CaseParameters      `json:"case"`
-	DashboardsParams    HuntingParameters   `json:"dashboards"`
-	JobParams           HuntingParameters   `json:"job"`
-	DetectionsParams    DetectionParameters `json:"detections"`
-	DetectionParams     DetectionParameters `json:"detection"`
-	DocsUrl             string              `json:"docsUrl"`
-	CheatsheetUrl       string              `json:"cheatsheetUrl"`
-	ReleaseNotesUrl     string              `json:"releaseNotesUrl"`
-	GridParams          GridParameters      `json:"grid"`
-	WebSocketTimeoutMs  int                 `json:"webSocketTimeoutMs"`
-	TipTimeoutMs        int                 `json:"tipTimeoutMs"`
-	ApiTimeoutMs        int                 `json:"apiTimeoutMs"`
-	CacheExpirationMs   int                 `json:"cacheExpirationMs"`
-	InactiveTools       []string            `json:"inactiveTools"`
-	Tools               []ClientTool        `json:"tools"`
-	CasesEnabled        bool                `json:"casesEnabled"`
-	EnableReverseLookup bool                `json:"enableReverseLookup"`
-	DetectionsEnabled   bool                `json:"detectionsEnabled"`
+	HuntingParams       HuntingParameters    `json:"hunt"`
+	AlertingParams      HuntingParameters    `json:"alerts"`
+	CasesParams         HuntingParameters    `json:"cases"`
+	CaseParams          CaseParameters       `json:"case"`
+	DashboardsParams    HuntingParameters    `json:"dashboards"`
+	JobParams           HuntingParameters    `json:"job"`
+	DetectionsParams    DetectionsParameters `json:"detections"`
+	DetectionParams     DetectionParameters  `json:"detection"`
+	DocsUrl             string               `json:"docsUrl"`
+	CheatsheetUrl       string               `json:"cheatsheetUrl"`
+	ReleaseNotesUrl     string               `json:"releaseNotesUrl"`
+	GridParams          GridParameters       `json:"grid"`
+	WebSocketTimeoutMs  int                  `json:"webSocketTimeoutMs"`
+	TipTimeoutMs        int                  `json:"tipTimeoutMs"`
+	ApiTimeoutMs        int                  `json:"apiTimeoutMs"`
+	CacheExpirationMs   int                  `json:"cacheExpirationMs"`
+	InactiveTools       []string             `json:"inactiveTools"`
+	Tools               []ClientTool         `json:"tools"`
+	CasesEnabled        bool                 `json:"casesEnabled"`
+	EnableReverseLookup bool                 `json:"enableReverseLookup"`
+	DetectionsEnabled   bool                 `json:"detectionsEnabled"`
 }
 
 func (config *ClientParameters) Verify() error {
@@ -190,15 +190,23 @@ type GridParameters struct {
 	StaleMetricsMs uint64 `json:"staleMetricsMs,omitempty"`
 }
 
-type DetectionParameters struct {
+type DetectionsParameters struct {
 	HuntingParameters
+	DetectionParameters
+}
+
+type DetectionParameters struct {
 	Presets              map[string]PresetParameters `json:"presets"`
 	SeverityTranslations map[string]string           `json:"severityTranslations"`
+	TemplateDetections   map[string]string           `json:"templateDetections"`
 }
 
-func (params *DetectionParameters) Verify() error {
+func (params *DetectionsParameters) Verify() error {
 	err := params.HuntingParameters.Verify()
 
 	return err
+}
 
+func (params *DetectionParameters) Verify() error {
+	return nil
 }
diff --git a/html/index.html b/html/index.html
index a79737b4..7c19c14c 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1064,7 +1064,7 @@ <h2 id="detection-title">{{ detect.title }}</h2>
                   <div class="header">{{ i18n.add }} {{ i18n.detection }}</div>
                   <!-- Language -->
                   <span data-aid="detection_new_language_select">
-                    <v-select id="detection-language-create" v-model="detect.language" :items="getPresets('language')" persistent-hint :hint="i18n.language" :rules="[rules.required]" v-on:change="onDetectionChange"/>
+                    <v-select id="detection-language-create" v-model="detect.language" :items="getPresets('language')" persistent-hint :hint="i18n.language" :rules="[rules.required]" v-on:change="onNewDetectionLanguageChange"/>
                   </span>
 
                   <!-- License -->
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 1088f9cc..d5b6cd9f 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -121,6 +121,12 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			convertedRule: '',
 			confirmDeleteDialog: false,
 			showDirtySourceDialog: false,
+			ruleTemplates: {},
+			languageToEngine: {
+				'suricata': 'suricata',
+				'sigma': 'elastalert',
+				'yara': 'strelka',
+			},
 	}},
 	created() {
 		this.onDetectionChange = debounce(this.onDetectionChange, 300);
@@ -141,6 +147,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			this.presets = params['presets'];
 			this.renderAbbreviatedCount = params["renderAbbreviatedCount"];
 			this.severityTranslations = params['severityTranslations'];
+			this.ruleTemplates = params['templateDetections'];
 
 			if (this.$route.params.id === 'create') {
 				this.detect = this.newDetection();
@@ -813,6 +820,27 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				}
 			}
 		},
+		async onNewDetectionLanguageChange() {
+			const lang = (this.detect.language || '').toLowerCase();
+			const engine = this.languageToEngine[lang];
+
+			if (engine) {
+				let publicId = '';
+
+				if (engine !== 'strelka') {
+					try {
+						const response = await this.$root.papi.get(`detection/${engine}/genpublicid`);
+						publicId = response.data.publicId;
+					} catch (error) {
+						this.$root.showError(error);
+					}
+				}
+
+				this.detect.content = this.ruleTemplates[engine].replaceAll('[publicId]', publicId);
+			}
+
+			this.onDetectionChange();
+		},
 		onDetectionChange() {
 			if (this.detect.engine) {
 				this.extractPublicID();
diff --git a/html/js/routes/detection.test.js b/html/js/routes/detection.test.js
index 8e55af28..36a7e687 100644
--- a/html/js/routes/detection.test.js
+++ b/html/js/routes/detection.test.js
@@ -327,7 +327,7 @@ test('deleteDetectionCancel', () => {
 	comp.cancelDeleteDetection();
 	expect(comp.confirmDeleteDialog).toBe(false);
 	comp.deleteDetection();
-})
+});
 
 test('deleteDetectionFailure', async () => {
 	resetPapi().mockPapi("delete", null, new Error("something bad"));
@@ -389,17 +389,45 @@ test('revertEnabled', () => {
 	comp.revertEnabled();
 	expect(comp.detect.isEnabled).toBe(false);
 	expect(comp.origDetect.isEnabled).toBe(false);
-})
+});
 
 test('isFieldValid', () => {
 	comp.$refs = {}
 	expect(comp.isFieldValid('foo')).toBe(true)
 
-	comp.$refs = {bar: { valid: false}}
+	comp.$refs = { bar: { valid: false } }
 	expect(comp.isFieldValid('foo')).toBe(true)
 	expect(comp.isFieldValid('bar')).toBe(false)
 
-	comp.$refs = {bar: { valid: true}}
+	comp.$refs = { bar: { valid: true } }
 	expect(comp.isFieldValid('bar')).toBe(true)
+});
 
-})
\ No newline at end of file
+test('onNewDetectionLanguageChange', async () => {
+	comp.ruleTemplates = {
+		"suricata": 'a [publicId]',
+		"strelka": 'b [publicId]',
+		"elastalert": 'c [publicId]',
+	}
+	// no language means no engine means no request means no change
+	comp.detect = { language: '', content: 'x' };
+	await comp.onNewDetectionLanguageChange();
+	expect(comp.detect.content).toBe('x');
+
+	// yara, no publicId, results in template without publicId
+	comp.detect = { language:'yara', content: 'x' };
+	await comp.onNewDetectionLanguageChange();
+	expect(comp.detect.content).toBe('b ');
+
+	// suricata, sid, results in template with publicId
+	resetPapi().mockPapi("get", { data: { publicId: 'X' } }, null);
+	comp.detect = { language:'suricata', content: 'x' };
+	await comp.onNewDetectionLanguageChange();
+	expect(comp.detect.content).toBe('a X');
+
+	// sigma, uuid, results in template with publicId
+	resetPapi().mockPapi("get", { data: { publicId: 'X' } }, null);
+	comp.detect = { language:'sigma', content: 'x' };
+	await comp.onNewDetectionLanguageChange();
+	expect(comp.detect.content).toBe('c X');
+});
diff --git a/server/detectionengine.go b/server/detectionengine.go
index a4b88f8f..465a95e4 100644
--- a/server/detectionengine.go
+++ b/server/detectionengine.go
@@ -19,6 +19,7 @@ type DetectionEngine interface {
 	InterruptSync(forceFull bool, notify bool)
 	DuplicateDetection(ctx context.Context, detection *model.Detection) (*model.Detection, error)
 	GetState() *model.EngineState
+	GenerateUnusedPublicId(ctx context.Context) (string, error)
 }
 
 type SyncStatus struct {
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index be09c8e4..5acd79c2 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -65,6 +65,8 @@ func RegisterDetectionRoutes(srv *Server, r chi.Router, prefix string) {
 
 		r.Post("/bulk/{newStatus}", h.bulkUpdateDetection)
 		r.Post("/sync/{engine}/{type}", h.syncEngineDetections)
+
+		r.Get("/{engine}/genpublicid", h.genPublicId)
 	})
 }
 
@@ -683,6 +685,32 @@ func (h *DetectionHandler) syncEngineDetections(w http.ResponseWriter, r *http.R
 	web.Respond(w, r, http.StatusOK, nil)
 }
 
+func (h *DetectionHandler) genPublicId(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	engine := chi.URLParam(r, "engine")
+
+	eng, ok := h.server.DetectionEngines[model.EngineName(engine)]
+	if !ok {
+		web.Respond(w, r, http.StatusBadRequest, errors.New("unsupported engine"))
+		return
+	}
+
+	id, err := eng.GenerateUnusedPublicId(ctx)
+	if err != nil {
+		if err.Error() == "not implemented" {
+			web.Respond(w, r, http.StatusNotImplemented, nil)
+		} else {
+			web.Respond(w, r, http.StatusInternalServerError, err)
+		}
+		return
+	}
+
+	web.Respond(w, r, http.StatusOK, map[string]string{
+		"publicId": id,
+	})
+}
+
 func (h *DetectionHandler) PrepareForSave(ctx context.Context, detect *model.Detection, e DetectionEngine) error {
 	err := e.ExtractDetails(detect)
 	if err != nil {
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index f8e49850..1fdc51db 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -1333,7 +1333,7 @@ func (e *ElastAlertEngine) sigmaToElastAlert(ctx context.Context, det *model.Det
 	return query, nil
 }
 
-func (e *ElastAlertEngine) generateUnusedPublicId(ctx context.Context) (string, error) {
+func (e *ElastAlertEngine) GenerateUnusedPublicId(ctx context.Context) (string, error) {
 	id := uuid.New().String()
 
 	i := 0
@@ -1359,7 +1359,7 @@ func (e *ElastAlertEngine) generateUnusedPublicId(ctx context.Context) (string,
 }
 
 func (e *ElastAlertEngine) DuplicateDetection(ctx context.Context, detection *model.Detection) (*model.Detection, error) {
-	id, err := e.generateUnusedPublicId(ctx)
+	id, err := e.GenerateUnusedPublicId(ctx)
 	if err != nil {
 		return nil, err
 	}
diff --git a/server/modules/elastalert/validate_test.go b/server/modules/elastalert/validate_test.go
index 89637d2a..5ab12ca9 100644
--- a/server/modules/elastalert/validate_test.go
+++ b/server/modules/elastalert/validate_test.go
@@ -189,7 +189,7 @@ func TestGenerateUnusedPublicId(t *testing.T) {
 		isRunning: true,
 	}
 
-	id, err := eng.generateUnusedPublicId(ctx)
+	id, err := eng.GenerateUnusedPublicId(ctx)
 
 	assert.Empty(t, id)
 	assert.Error(t, err)
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
index f8ac6e94..b8aaff11 100644
--- a/server/modules/strelka/strelka.go
+++ b/server/modules/strelka/strelka.go
@@ -1003,6 +1003,12 @@ func (e *StrelkaEngine) DuplicateDetection(ctx context.Context, detection *model
 	return det, nil
 }
 
+func (e *StrelkaEngine) GenerateUnusedPublicId(ctx context.Context) (string, error) {
+	// PublicIDs for Strelka are the rule name which should correlate with what the rule does.
+	// Cannot generate arbitrary but still useful public IDs
+	return "", fmt.Errorf("not implemented")
+}
+
 func (e *StrelkaEngine) IntegrityCheck(canInterrupt bool) error {
 	// escape
 	if canInterrupt && !e.IntegrityCheckerData.IsRunning {
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 60508f38..fec933b3 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -1506,7 +1506,7 @@ func lookupLicense(ruleset string) string {
 	return license
 }
 
-func (e *SuricataEngine) generateUnusedPublicId(ctx context.Context) (string, error) {
+func (e *SuricataEngine) GenerateUnusedPublicId(ctx context.Context) (string, error) {
 	id := strconv.Itoa(rand.IntN(1000000) + 1000000) // [1000000, 2000000)
 
 	i := 0
@@ -1532,7 +1532,7 @@ func (e *SuricataEngine) generateUnusedPublicId(ctx context.Context) (string, er
 }
 
 func (e *SuricataEngine) DuplicateDetection(ctx context.Context, detection *model.Detection) (*model.Detection, error) {
-	id, err := e.generateUnusedPublicId(ctx)
+	id, err := e.GenerateUnusedPublicId(ctx)
 	if err != nil {
 		return nil, err
 	}
diff --git a/server/modules/suricata/validate_test.go b/server/modules/suricata/validate_test.go
index 74341d65..ae8ee19a 100644
--- a/server/modules/suricata/validate_test.go
+++ b/server/modules/suricata/validate_test.go
@@ -215,7 +215,7 @@ func TestGenerateUnusedPublicId(t *testing.T) {
 		isRunning: true,
 	}
 
-	id, err := eng.generateUnusedPublicId(ctx)
+	id, err := eng.GenerateUnusedPublicId(ctx)
 
 	assert.Empty(t, id)
 	assert.Error(t, err)

From e41f8e51a4ce8f046ef927e4c524388004762b4a Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 28 May 2024 16:02:39 -0600
Subject: [PATCH 02/57] GetAll now uses Options for it's Options

Instead of always accepting engine, isEnabled, and isCommunity, GetAllDetections now accepts a variable number of options. Previous call sites have been updated to do the same thing with the new approach. Updated tests.
---
 model/detection_options.go                    | 23 +++++++++++++++++++
 server/detectionstore.go                      |  2 +-
 server/mock/mock_detectionstore.go            | 13 +++++++----
 server/modules/elastalert/elastalert.go       |  4 ++--
 .../modules/elastic/elasticdetectionstore.go  | 14 +++--------
 .../elastic/elasticdetectionstore_test.go     |  5 ++--
 server/modules/strelka/strelka.go             |  6 ++---
 server/modules/strelka/strelka_test.go        |  7 +++---
 server/modules/suricata/migration-2.4.70.go   |  6 ++---
 server/modules/suricata/suricata.go           |  4 ++--
 server/modules/suricata/suricata_test.go      |  5 ++--
 11 files changed, 56 insertions(+), 33 deletions(-)
 create mode 100644 model/detection_options.go

diff --git a/model/detection_options.go b/model/detection_options.go
new file mode 100644
index 00000000..7be55f81
--- /dev/null
+++ b/model/detection_options.go
@@ -0,0 +1,23 @@
+package model
+
+import "fmt"
+
+type GetAllOption func(query string, schemaPrefix string) string
+
+func WithEngine(engine EngineName) GetAllOption {
+	return func(query string, schemaPrefix string) string {
+		return fmt.Sprintf(`%s AND %sdetection.engine:"%s"`, query, schemaPrefix, engine)
+	}
+}
+
+func WithEnabled(isEnabled bool) GetAllOption {
+	return func(query string, schemaPrefix string) string {
+		return fmt.Sprintf(`%s AND %sdetection.isEnabled:"%t"`, query, schemaPrefix, isEnabled)
+	}
+}
+
+func WithCommunity(isCommunity bool) GetAllOption {
+	return func(query string, schemaPrefix string) string {
+		return fmt.Sprintf(`%s AND %sdetection.isCommunity:"%t"`, query, schemaPrefix, isCommunity)
+	}
+}
diff --git a/server/detectionstore.go b/server/detectionstore.go
index 05dd8150..e8ac11ee 100644
--- a/server/detectionstore.go
+++ b/server/detectionstore.go
@@ -19,7 +19,7 @@ type Detectionstore interface {
 	UpdateDetection(ctx context.Context, detect *model.Detection) (*model.Detection, error)
 	UpdateDetectionField(ctx context.Context, id string, fields map[string]interface{}) (*model.Detection, error)
 	DeleteDetection(ctx context.Context, detectID string) (*model.Detection, error)
-	GetAllDetections(ctx context.Context, engine *model.EngineName, isEnabled *bool, isCommunity *bool) (map[string]*model.Detection, error) // map[detection.PublicId]detection
+	GetAllDetections(ctx context.Context, opts ...model.GetAllOption) (map[string]*model.Detection, error) // map[detection.PublicId]detection
 	Query(ctx context.Context, query string, max int) ([]interface{}, error)
 	GetDetectionHistory(ctx context.Context, detectID string) ([]interface{}, error)
 
diff --git a/server/mock/mock_detectionstore.go b/server/mock/mock_detectionstore.go
index 6aa627b6..614d4c9c 100644
--- a/server/mock/mock_detectionstore.go
+++ b/server/mock/mock_detectionstore.go
@@ -114,18 +114,23 @@ func (mr *MockDetectionstoreMockRecorder) DoesTemplateExist(arg0, arg1 any) *gom
 }
 
 // GetAllDetections mocks base method.
-func (m *MockDetectionstore) GetAllDetections(arg0 context.Context, arg1 *model.EngineName, arg2, arg3 *bool) (map[string]*model.Detection, error) {
+func (m *MockDetectionstore) GetAllDetections(arg0 context.Context, arg1 ...model.GetAllOption) (map[string]*model.Detection, error) {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetAllDetections", arg0, arg1, arg2, arg3)
+	varargs := []any{arg0}
+	for _, a := range arg1 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "GetAllDetections", varargs...)
 	ret0, _ := ret[0].(map[string]*model.Detection)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
 
 // GetAllDetections indicates an expected call of GetAllDetections.
-func (mr *MockDetectionstoreMockRecorder) GetAllDetections(arg0, arg1, arg2, arg3 any) *gomock.Call {
+func (mr *MockDetectionstoreMockRecorder) GetAllDetections(arg0 any, arg1 ...any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAllDetections", reflect.TypeOf((*MockDetectionstore)(nil).GetAllDetections), arg0, arg1, arg2, arg3)
+	varargs := append([]any{arg0}, arg1...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAllDetections", reflect.TypeOf((*MockDetectionstore)(nil).GetAllDetections), varargs...)
 }
 
 // GetComment mocks base method.
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 1fdc51db..31ac2ad6 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -990,7 +990,7 @@ func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detects
 		return nil, err
 	}
 
-	community, err := e.srv.Detectionstore.GetAllDetections(ctx, util.Ptr(model.EngineNameElastAlert), nil, util.Ptr(true))
+	community, err := e.srv.Detectionstore.GetAllDetections(ctx, model.WithEngine(model.EngineNameElastAlert), model.WithCommunity(true))
 	if err != nil {
 		return nil, err
 	}
@@ -1601,7 +1601,7 @@ func (e *ElastAlertEngine) IntegrityCheck(canInterrupt bool) error {
 		return detections.ErrIntCheckerStopped
 	}
 
-	ret, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, util.Ptr(model.EngineNameElastAlert), util.Ptr(true), nil)
+	ret, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, model.WithEngine(model.EngineNameElastAlert), model.WithEnabled(true))
 	if err != nil {
 		logger.WithError(err).Error("unable to query for enabled detections")
 		return detections.ErrIntCheckFailed
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index 42ec7f18..67e88252 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -619,19 +619,11 @@ func (store *ElasticDetectionstore) DeleteDetection(ctx context.Context, id stri
 	return detect, err
 }
 
-func (store *ElasticDetectionstore) GetAllDetections(ctx context.Context, engine *model.EngineName, isEnabled *bool, isCommunity *bool) (map[string]*model.Detection, error) {
+func (store *ElasticDetectionstore) GetAllDetections(ctx context.Context, opts ...model.GetAllOption) (map[string]*model.Detection, error) {
 	query := fmt.Sprintf(`_index:"%s" AND %skind:"%s"`, store.index, store.schemaPrefix, "detection")
 
-	if engine != nil {
-		query += fmt.Sprintf(` AND %sdetection.engine:"%s"`, store.schemaPrefix, *engine)
-	}
-
-	if isEnabled != nil {
-		query += fmt.Sprintf(` AND %sdetection.isEnabled:%t`, store.schemaPrefix, *isEnabled)
-	}
-
-	if isCommunity != nil {
-		query += fmt.Sprintf(` AND %sdetection.isCommunity:%t`, store.schemaPrefix, *isCommunity)
+	for _, opt := range opts {
+		query = opt(query, store.schemaPrefix)
 	}
 
 	all, err := store.Query(ctx, query, -1)
diff --git a/server/modules/elastic/elasticdetectionstore_test.go b/server/modules/elastic/elasticdetectionstore_test.go
index 6f51b0dd..59f19bcf 100644
--- a/server/modules/elastic/elasticdetectionstore_test.go
+++ b/server/modules/elastic/elasticdetectionstore_test.go
@@ -15,6 +15,7 @@ import (
 	modmock "github.com/security-onion-solutions/securityonion-soc/server/modules/mock"
 	"github.com/security-onion-solutions/securityonion-soc/util"
 	"github.com/security-onion-solutions/securityonion-soc/web"
+
 	"github.com/stretchr/testify/assert"
 	"github.com/tidwall/gjson"
 )
@@ -1091,12 +1092,12 @@ func TestGetAllCommunitySIDs(t *testing.T) {
 
 	ctx := context.WithValue(context.Background(), web.ContextKeyRequestorId, "myRequestorId")
 
-	sids, err := store.GetAllDetections(ctx, nil, nil, nil)
+	sids, err := store.GetAllDetections(ctx)
 	assert.NoError(t, err)
 	assert.Equal(t, 1, len(sids))
 	assert.NotNil(t, sids["ABC123"])
 
-	sids, err = store.GetAllDetections(ctx, util.Ptr(model.EngineName("suricata")), nil, nil)
+	sids, err = store.GetAllDetections(ctx, model.WithEngine(model.EngineNameSuricata))
 	assert.NoError(t, err)
 	assert.Equal(t, 1, len(sids))
 	assert.NotNil(t, sids["ABC123"])
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
index b8aaff11..064c4f40 100644
--- a/server/modules/strelka/strelka.go
+++ b/server/modules/strelka/strelka.go
@@ -445,7 +445,7 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 			}
 		}
 
-		communityDetections, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, util.Ptr(model.EngineNameStrelka), nil, util.Ptr(true))
+		communityDetections, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, model.WithEngine(model.EngineNameStrelka), model.WithCommunity(true))
 		if err != nil {
 			log.WithError(err).Error("Failed to get all community SIDs")
 
@@ -902,7 +902,7 @@ func buildImportChecker(pkg string) *regexp.Regexp {
 }
 
 func (e *StrelkaEngine) syncDetections(ctx context.Context) (errMap map[string]string, err error) {
-	results, err := e.srv.Detectionstore.GetAllDetections(ctx, util.Ptr(model.EngineNameStrelka), util.Ptr(true), nil)
+	results, err := e.srv.Detectionstore.GetAllDetections(ctx, model.WithEngine(model.EngineNameStrelka), model.WithEnabled(true))
 	if err != nil {
 		return nil, err
 	}
@@ -1064,7 +1064,7 @@ func (e *StrelkaEngine) IntegrityCheck(canInterrupt bool) error {
 		return detections.ErrIntCheckerStopped
 	}
 
-	ret, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, util.Ptr(model.EngineNameStrelka), util.Ptr(true), nil)
+	ret, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, model.WithEngine(model.EngineNameStrelka), model.WithEnabled(true))
 	if err != nil {
 		logger.WithError(err).Error("unable to query for enabled detections")
 		return detections.ErrIntCheckFailed
diff --git a/server/modules/strelka/strelka_test.go b/server/modules/strelka/strelka_test.go
index 162d5166..5630145f 100644
--- a/server/modules/strelka/strelka_test.go
+++ b/server/modules/strelka/strelka_test.go
@@ -17,6 +17,7 @@ import (
 	servermock "github.com/security-onion-solutions/securityonion-soc/server/mock"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/strelka/mock"
 	"github.com/security-onion-solutions/securityonion-soc/util"
+
 	"github.com/tj/assert"
 	"go.uber.org/mock/gomock"
 )
@@ -272,14 +273,14 @@ func TestSyncStrelka(t *testing.T) {
 		{
 			Name: "Enable Simple Rules",
 			InitMock: func(mockDetStore *servermock.MockDetectionstore, mio *mock.MockIOManager) {
-				mockDetStore.EXPECT().GetAllDetections(gomock.Any(), util.Ptr(model.EngineNameStrelka), util.Ptr(true), nil).Return(map[string]*model.Detection{
-					"1": &model.Detection{
+				mockDetStore.EXPECT().GetAllDetections(gomock.Any(), gomock.Any(), gomock.Any()).Return(map[string]*model.Detection{
+					"1": {
 						PublicID:  "1",
 						Engine:    model.EngineNameStrelka,
 						Content:   simpleRule,
 						IsEnabled: true,
 					},
-					"2": &model.Detection{
+					"2": {
 						PublicID:  "2",
 						Engine:    model.EngineNameStrelka,
 						Content:   simpleRule,
diff --git a/server/modules/suricata/migration-2.4.70.go b/server/modules/suricata/migration-2.4.70.go
index 001f5ecd..297c28b7 100644
--- a/server/modules/suricata/migration-2.4.70.go
+++ b/server/modules/suricata/migration-2.4.70.go
@@ -7,9 +7,9 @@ import (
 	"strings"
 	"time"
 
-	"github.com/apex/log"
 	"github.com/security-onion-solutions/securityonion-soc/model"
-	"github.com/security-onion-solutions/securityonion-soc/util"
+
+	"github.com/apex/log"
 	"gopkg.in/yaml.v3"
 )
 
@@ -45,7 +45,7 @@ func (e *SuricataEngine) Migration2470(statePath string) error {
 	dirty := map[string]struct{}{} // map[sid]X
 
 	// retrieve all suricata rules
-	detects, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, util.Ptr(model.EngineNameSuricata), nil, nil)
+	detects, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, model.WithEngine(model.EngineNameSuricata))
 	if err != nil {
 		return err
 	}
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index fec933b3..56aa6125 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -1208,7 +1208,7 @@ func (e *SuricataEngine) syncCommunityDetections(ctx context.Context, detects []
 		return nil, err
 	}
 
-	commSIDs, err := e.srv.Detectionstore.GetAllDetections(ctx, util.Ptr(model.EngineNameSuricata), nil, util.Ptr(true))
+	commSIDs, err := e.srv.Detectionstore.GetAllDetections(ctx, model.WithEngine(model.EngineNameSuricata), model.WithCommunity(true))
 	if err != nil {
 		return nil, err
 	}
@@ -1654,7 +1654,7 @@ func (e *SuricataEngine) IntegrityCheck(canInterrupt bool) error {
 		return detections.ErrIntCheckerStopped
 	}
 
-	ret, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, util.Ptr(model.EngineNameSuricata), util.Ptr(true), util.Ptr(true))
+	ret, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, model.WithEngine(model.EngineNameSuricata), model.WithEnabled(true), model.WithCommunity(true))
 	if err != nil {
 		logger.WithError(err).Error("unable to query for enabled detections")
 		return detections.ErrIntCheckFailed
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index 0cd182b2..36fedc99 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -18,6 +18,7 @@ import (
 	servermock "github.com/security-onion-solutions/securityonion-soc/server/mock"
 	"github.com/security-onion-solutions/securityonion-soc/util"
 	"github.com/security-onion-solutions/securityonion-soc/web"
+
 	"github.com/stretchr/testify/assert"
 	"go.uber.org/mock/gomock"
 )
@@ -777,7 +778,7 @@ func TestSyncCommunitySuricata(t *testing.T) {
 				},
 			},
 			InitMock: func(detStore *servermock.MockDetectionstore) {
-				detStore.EXPECT().GetAllDetections(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(map[string]*model.Detection{}, nil)
+				detStore.EXPECT().GetAllDetections(gomock.Any(), gomock.Any(), gomock.Any()).Return(map[string]*model.Detection{}, nil)
 				detStore.EXPECT().CreateDetection(gomock.Any(), gomock.Any()).Return(nil, nil)
 			},
 			ExpectedSettings: map[string]string{
@@ -800,7 +801,7 @@ func TestSyncCommunitySuricata(t *testing.T) {
 			},
 			ChangedByUser: true,
 			InitMock: func(detStore *servermock.MockDetectionstore) {
-				detStore.EXPECT().GetAllDetections(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(map[string]*model.Detection{}, nil)
+				detStore.EXPECT().GetAllDetections(gomock.Any(), gomock.Any(), gomock.Any()).Return(map[string]*model.Detection{}, nil)
 				detStore.EXPECT().CreateDetection(gomock.Any(), gomock.Any()).Return(nil, nil)
 			},
 			ExpectedSettings: map[string]string{

From ab1fa7d7d5e302bee2d238604d27f71e853a0b2d Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 31 May 2024 10:10:36 -0600
Subject: [PATCH 03/57] Tests for the options

---
 model/detection_options_test.go | 45 +++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 model/detection_options_test.go

diff --git a/model/detection_options_test.go b/model/detection_options_test.go
new file mode 100644
index 00000000..90284981
--- /dev/null
+++ b/model/detection_options_test.go
@@ -0,0 +1,45 @@
+package model
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestWithEngine(t *testing.T) {
+	queryModder := WithEngine(EngineNameElastAlert)
+	query := queryModder("query", "schemaPrefix")
+	assert.Equal(t, query, `query AND schemaPrefixdetection.engine:"elastalert"`)
+
+	queryModder = WithEngine(EngineNameStrelka)
+	query = queryModder("query", "schemaPrefix")
+	assert.Equal(t, query, `query AND schemaPrefixdetection.engine:"strelka"`)
+
+	queryModder = WithEngine(EngineNameSuricata)
+	query = queryModder("query", "schemaPrefix")
+	assert.Equal(t, query, `query AND schemaPrefixdetection.engine:"suricata"`)
+
+	queryModder = WithEngine(EngineName("unknown"))
+	query = queryModder("query", "schemaPrefix")
+	assert.Equal(t, query, `query AND schemaPrefixdetection.engine:"unknown"`)
+}
+
+func TestWithEnabled(t *testing.T) {
+	queryModder := WithEnabled(true)
+	query := queryModder("query", "schemaPrefix")
+	assert.Equal(t, query, `query AND schemaPrefixdetection.isEnabled:"true"`)
+
+	queryModder = WithEnabled(false)
+	query = queryModder("query", "schemaPrefix")
+	assert.Equal(t, query, `query AND schemaPrefixdetection.isEnabled:"false"`)
+}
+
+func TestWithCommunity(t *testing.T) {
+	queryModder := WithCommunity(true)
+	query := queryModder("query", "schemaPrefix")
+	assert.Equal(t, query, `query AND schemaPrefixdetection.isCommunity:"true"`)
+
+	queryModder = WithCommunity(false)
+	query = queryModder("query", "schemaPrefix")
+	assert.Equal(t, query, `query AND schemaPrefixdetection.isCommunity:"false"`)
+}

From 0151c9e728f58b0a0011f08d1902e55db1ab561b Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 31 May 2024 11:17:11 -0600
Subject: [PATCH 04/57] Updated go-git

go-git at version v5.11.0 was using a vulnerable version of github.com/cloudflare/circl (v1.3.3). Updating go-git to v5.12.0 updates the dependency to v1.3.8 which is not currently known to have any issues. Also ran go mod tidy.
---
 go.mod | 25 +++++++++++-----------
 go.sum | 65 ++++++++++++++++++++++++++++------------------------------
 2 files changed, 43 insertions(+), 47 deletions(-)

diff --git a/go.mod b/go.mod
index 9406e4c6..d65134af 100644
--- a/go.mod
+++ b/go.mod
@@ -11,31 +11,32 @@ require (
 	github.com/gorilla/websocket v1.5.1
 	github.com/influxdata/influxdb-client-go/v2 v2.13.0
 	github.com/kennygrant/sanitize v1.2.4
-	github.com/stretchr/testify v1.8.4
+	github.com/stretchr/testify v1.9.0
 	github.com/tidwall/gjson v1.17.0
-	golang.org/x/crypto v0.21.0
-	golang.org/x/net v0.23.0 // indirect
-	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/crypto v0.23.0
+	golang.org/x/net v0.25.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
-	github.com/go-git/go-git/v5 v5.11.0
+	github.com/go-git/go-git/v5 v5.12.0
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/pierrec/lz4/v4 v4.1.21
 	github.com/pkg/errors v0.9.1
 	github.com/samber/lo v1.39.0
 	github.com/tj/assert v0.0.3
 	go.uber.org/mock v0.3.0
+	golang.org/x/mod v0.17.0
 )
 
 require (
 	dario.cat/mergo v1.0.0 // indirect
-	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/ProtonMail/go-crypto v1.0.0 // indirect
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
-	github.com/cloudflare/circl v1.3.3 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/cloudflare/circl v1.3.8 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.5 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/elastic/elastic-transport-go/v8 v8.3.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
@@ -49,13 +50,11 @@ require (
 	github.com/oapi-codegen/runtime v1.0.0 // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/sergi/go-diff v1.1.0 // indirect
-	github.com/skeema/knownhosts v1.2.1 // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
+	github.com/skeema/knownhosts v1.2.2 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 // indirect
-	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/tools v0.16.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
diff --git a/go.sum b/go.sum
index bb7cb388..9f7f307d 100644
--- a/go.sum
+++ b/go.sum
@@ -1,10 +1,10 @@
 dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
 dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
-github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
-github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
-github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg=
-github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/ProtonMail/go-crypto v1.0.0 h1:LRuvITjQWX+WIfr930YHG2HNfjR1uOfyf5vE0kC2U78=
+github.com/ProtonMail/go-crypto v1.0.0/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
 github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
@@ -21,10 +21,11 @@ github.com/aws/aws-sdk-go v1.20.6/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN
 github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I=
 github.com/bmatcuk/doublestar v1.1.1/go.mod h1:UD6OnuiIn0yFxxA2le/rnRU1G4RaI4UvFv1sNto9p6w=
 github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
 github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
-github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
-github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/cloudflare/circl v1.3.8 h1:j+V8jJt09PoeMFIu2uh5JUyEaIHTXVOHslFoLNAKqwI=
+github.com/cloudflare/circl v1.3.8/go.mod h1:PDRU+oXvdD7KCtgKxW95M5Z8BpSCJXQORiZFnBQS5QU=
+github.com/cyphar/filepath-securejoin v0.2.5 h1:6iR5tXJ/e6tJZzzdMc1km3Sa7RRIVBKAK32O2s7AYfo=
+github.com/cyphar/filepath-securejoin v0.2.5/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -38,8 +39,8 @@ github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY=
-github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4=
+github.com/gliderlabs/ssh v0.3.7 h1:iV3Bqi942d9huXnzEF2Mt+CY9gLu8DNM4Obd+8bODRE=
+github.com/gliderlabs/ssh v0.3.7/go.mod h1:zpHEXBstFnQYtGnB8k8kQLol82umzn/2/snG7alWVD8=
 github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
 github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
@@ -48,8 +49,8 @@ github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+
 github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.11.0 h1:XIZc1p+8YzypNr34itUfSvYJcv+eYdTnTvOZ2vD3cA4=
-github.com/go-git/go-git/v5 v5.11.0/go.mod h1:6GFcX2P3NM7FPBfpePbpLd21XxsgdAt+lKqXmCUiUCY=
+github.com/go-git/go-git/v5 v5.12.0 h1:7Md+ndsjrzZxbddRDZjF14qK+NN56sy6wkqaVrjZtys=
+github.com/go-git/go-git/v5 v5.12.0/go.mod h1:FTM9VKtnI2m65hNI/TenDDDnUf2Q9FHnXYjuz9i5OEY=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -117,11 +118,11 @@ github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUz
 github.com/samber/lo v1.39.0 h1:4gTz1wUhNYLhFSKl6O+8peW0v2F4BCY034GRpU9WnuA=
 github.com/samber/lo v1.39.0/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
-github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
-github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
-github.com/skeema/knownhosts v1.2.1 h1:SHWdIUa82uGZz+F+47k8SY4QhhI291cXCpopT1lK2AQ=
-github.com/skeema/knownhosts v1.2.1/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
+github.com/skeema/knownhosts v1.2.2 h1:Iug2P4fLmDw9f41PB6thxUkNUkJzB5i+1/exaj40L3A=
+github.com/skeema/knownhosts v1.2.2/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
 github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM=
 github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h1:SnhjPscd9TpLiy1LpzGSKh3bXCfxxXuqd9xmQJy3slM=
 github.com/smartystreets/gunit v1.0.0/go.mod h1:qwPWnhz6pn0NnRBP++URONOVyNkPyr4SauJk4cUOwJs=
@@ -131,8 +132,8 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tidwall/gjson v1.17.0 h1:/Jocvlh98kcTfpN2+JzGQWQcqrPQwDrVEMApx/M5ZwM=
 github.com/tidwall/gjson v1.17.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
@@ -159,16 +160,16 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
-golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 h1:qCEDpW1G+vcj3Y7Fy52pEM1AWm3abj8WimGYejI3SC4=
 golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -178,14 +179,12 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
-golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
-golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -202,15 +201,15 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
-golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
-golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
+golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -219,15 +218,13 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.16.0 h1:GO788SKMRunPIBCXiQyo2AaexLstOrVhuAL5YwsckQM=
-golang.org/x/tools v0.16.0/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -240,7 +237,7 @@ gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

From 35552b7e7d37e64f0bffa05b818974c7d0e842cf Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Wed, 29 May 2024 11:49:30 -0600
Subject: [PATCH 05/57] dateAwareSort for v-data-tables

Some cypress tests fail because the newly added item wasn't added to the top or bottom of a table as expected. This is because those tables aren't sorting their dates as dates, but as strings. This new date aware sort fixes that. It's not actually aware that the data contains a date, it flags off the field being sorted to determine if it should be converted to date before sorting. Currently sorting by "createTime" and "updateTime" will treat their values as dates, everything else is converted to strings.

The new sort has been applied to Case Observables, Case History, and Detection History.

Hunt seems to use a different format for it's timestamps such that when sorted as a string it will sort it chronologically. Leaving that table untouched for now.

Added test. Cypress tests already assume sorts work so they don't need updating.
---
 html/index.html     |  8 ++++----
 html/js/app.js      | 23 ++++++++++++++++++++-
 html/js/app.test.js | 50 +++++++++++++++++++++++++++++++++++++++++++--
 3 files changed, 74 insertions(+), 7 deletions(-)

diff --git a/html/index.html b/html/index.html
index 7c19c14c..770ce1bb 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1426,7 +1426,7 @@ <h3 class="text--primary">{{ i18n.commentAddDetection }}</h3>
                                 {{ i18n.save }}
                               </v-btn>
                             </div>
-                          </span>  
+                          </span>
                         </div>
                         <!-- type (threshold) -->
                         <div v-if="item.type === 'threshold'" @click="startOverrideEdit('override-threshold-type', item, 'thresholdType')" :class="{ clicktoedit: !isOverrideEdit('override-threshold-type') }" data-aid="detection_override_threshold_type_select">
@@ -1584,7 +1584,7 @@ <h3 class="text--primary">{{ i18n.commentAddDetection }}</h3>
                   <v-text-field v-model="historyTableOpts.search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details data-aid="detection_history_filter_input"></v-text-field>
                   <v-data-table ref="historyTable" :sort-by.sync="historyTableOpts.sortBy" :sort-desc.sync="historyTableOpts.sortDesc" :items-per-page.sync="historyTableOpts.itemsPerPage"
                     :search="historyTableOpts.search" :footer-props="historyTableOpts.footerProps" must-sort :headers="historyTableOpts.headers"
-                    :items="history" item-key="id" :loading="historyTableOpts.loading" :expanded="historyTableOpts.expanded" class="history-table">
+                    :items="history" item-key="id" :loading="historyTableOpts.loading" :expanded="historyTableOpts.expanded" class="history-table" :custom-sort="$root.dateAwareSort">
                     <template v-slot:item="{item, index, expand, isExpanded}">
                       <tr>
                         <td class="associated actions">
@@ -3084,7 +3084,7 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                   <v-text-field v-model="associatedTable['evidence'].search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details></v-text-field>
                   <v-data-table ref="evidenceTable" :sort-by.sync="associatedTable['evidence'].sortBy" :sort-desc.sync="associatedTable['evidence'].sortDesc" :items-per-page.sync="associatedTable['evidence'].itemsPerPage"
                     :search="associatedTable['evidence'].search" :footer-props="associatedTable['evidence'].footerProps" must-sort :headers="associatedTable['evidence'].headers"
-                    :items="associations['evidence']" item-key="id" :loading="associatedTable['evidence'].loading" :expanded="associatedTable['evidence'].expanded" class="case-table">
+                    :items="associations['evidence']" item-key="id" :loading="associatedTable['evidence'].loading" :expanded="associatedTable['evidence'].expanded" class="case-table" :custom-sort="$root.dateAwareSort">
                     <template v-slot:item="props">
                       <tr>
                         <td class="association actions">
@@ -3433,7 +3433,7 @@ <h3 class="text--primary">{{ i18n.evidenceAdd }}</h3>
                   <v-text-field v-model="associatedTable['history'].search" clearable prepend-icon="fa-filter" :label="i18n.filterResults" single-line hide-details data-aid="case_history_filter_input"></v-text-field>
                   <v-data-table ref="historyTable" :sort-by.sync="associatedTable['history'].sortBy" :sort-desc.sync="associatedTable['history'].sortDesc" :items-per-page.sync="associatedTable['history'].itemsPerPage"
                     :search="associatedTable['history'].search" :footer-props="associatedTable['history'].footerProps" must-sort :headers="associatedTable['history'].headers"
-                    :items="associations['history']" item-key="id" :loading="associatedTable['history'].loading" :expanded="associatedTable['history'].expanded" class="case-table">
+                    :items="associations['history']" item-key="id" :loading="associatedTable['history'].loading" :expanded="associatedTable['history'].expanded" class="case-table" :custom-sort="$root.dateAwareSort">
                     <template v-slot:item="props">
                       <tr>
                         <td class="associated actions">
diff --git a/html/js/app.js b/html/js/app.js
index b9503bc0..fb4ae126 100644
--- a/html/js/app.js
+++ b/html/js/app.js
@@ -1020,7 +1020,7 @@ $(document).ready(function() {
       },
       isDetectionsUpdating() {
         return this.currentStatus != null && this.currentStatus.detections != null &&
-          !this.isDetectionsUnhealthy() && 
+          !this.isDetectionsUnhealthy() &&
           ( this.currentStatus.detections.elastalert.importing === true ||
             this.currentStatus.detections.elastalert.migrating === true ||
             this.currentStatus.detections.elastalert.syncing === true ||
@@ -1142,6 +1142,27 @@ $(document).ready(function() {
 
         return '';
       },
+      dateAwareSort(items, index, isDesc) {
+        items.sort((a, b) => {
+          if (index[0] === 'createTime' || index[0] === 'updateTime') {
+            if (!isDesc[0]) {
+              return new Date(a[index]) - new Date(b[index]);
+            }
+
+            return new Date(b[index]) - new Date(a[index]);
+          }
+
+          if (typeof a[index] !== 'undefined') {
+            if (!isDesc[0]) {
+              return a[index].toLowerCase().localeCompare(b[index].toLowerCase());
+            }
+
+            return b[index].toLowerCase().localeCompare(a[index].toLowerCase());
+          }
+        });
+
+        return items;
+      },
     },
     created() {
       this.log("Initializing application components");
diff --git a/html/js/app.test.js b/html/js/app.test.js
index ad87e4c1..47d5f002 100644
--- a/html/js/app.test.js
+++ b/html/js/app.test.js
@@ -534,7 +534,7 @@ test('isDetectionsUnhealthy', () => {
   verifyEngineFailureStates(false, false, false, false, false, false, true, true, true, true);
   verifyEngineFailureStates(false, false, false, false, false, false, false, true, true, true);
   verifyEngineFailureStates(false, false, false, false, false, false, false, false, true, true);
-  
+
   // Healthy
   verifyEngineFailureStates(false, false, false, false, false, false, false, false, false, false);
 
@@ -658,7 +658,7 @@ test('getDetectionEngineStatus', () => {
 
 test('isAttentionNeeded', () => {
   app.connected =  true;
-  app.currentStatus = { 
+  app.currentStatus = {
     detections: {
       elastalert: {
         integrityFailure: false,
@@ -708,3 +708,49 @@ test('isAttentionNeeded', () => {
   // Back to normal
   expect(app.isAttentionNeeded()).toBe(false);
 })
+
+test('dateAwareSort', () => {
+  let items = [
+    { string: 'May 28, 2024 10:00:00 AM', createTime: 'May 28, 2024 10:00:00 AM', strOrder: 1, dateOrder: 0 },
+    { string: 'May 28, 2024 11:00:00 AM', createTime: 'May 28, 2024 11:00:00 AM', strOrder: 2, dateOrder: 1 },
+    { string: 'May 28, 2024 12:00:00 PM', createTime: 'May 28, 2024 12:00:00 PM', strOrder: 3, dateOrder: 2 },
+    { string: 'May 28, 2024 1:00:00 PM', createTime: 'May 28, 2024 1:00:00 PM', strOrder: 0, dateOrder: 3 },
+    { string: 'May 28, 2024 2:00:00 PM', createTime: 'May 28, 2024 2:00:00 PM', strOrder: 4, dateOrder: 4 },
+  ];
+  let index = ["string"];
+  let isDesc = [false];
+
+  app.dateAwareSort(items, index, isDesc);
+
+  for (let i = 0; i < items.length; i++) {
+    expect(items[i].strOrder).toBe(i);
+  }
+
+  // Reverse the sort
+  isDesc = [true];
+
+  app.dateAwareSort(items, index, isDesc);
+
+  for (let i = 0; i < items.length; i++) {
+    expect(items[i].strOrder).toBe(items.length - i - 1);
+  }
+
+  // revert order, change sortby
+  index = ["createTime"];
+  isDesc = [false];
+
+  app.dateAwareSort(items, index, isDesc);
+
+  for (let i = 0; i < items.length; i++) {
+    expect(items[i].dateOrder).toBe(i);
+  }
+
+  // Reverse the sort
+  isDesc = [true];
+
+  app.dateAwareSort(items, index, isDesc);
+
+  for (let i = 0; i < items.length; i++) {
+    expect(items[i].dateOrder).toBe(items.length - i - 1);
+  }
+});
\ No newline at end of file

From 9b5fbaaedfda9c8b2ed47823230a8548e1fbe62f Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Fri, 31 May 2024 15:32:53 -0400
Subject: [PATCH 06/57] gmd work

---
 html/js/i18n.js                               |  1 +
 licensing/license_manager.go                  |  8 +-
 licensing/license_manager_test.go             | 40 +++++-----
 model/node.go                                 |  1 +
 server/modules/influxdb/influxdbmetrics.go    | 10 ++-
 .../modules/influxdb/influxdbmetrics_test.go  | 74 +++++--------------
 6 files changed, 54 insertions(+), 80 deletions(-)

diff --git a/html/js/i18n.js b/html/js/i18n.js
index f4a3dab8..f55dc6ce 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -432,6 +432,7 @@ const i18n = {
       flags: 'Flags',
       gigabytes: 'GB',
       generate: 'Generate',
+      gmd: 'Guaranteed Message Delivery',
       go: 'GO',
       graphs: 'Graphs',
       grid: 'Grid',
diff --git a/licensing/license_manager.go b/licensing/license_manager.go
index e3a3d7cc..19759542 100644
--- a/licensing/license_manager.go
+++ b/licensing/license_manager.go
@@ -40,10 +40,11 @@ const LICENSE_STATUS_PENDING = "pending"
 const LICENSE_STATUS_UNPROVISIONED = "unprovisioned"
 
 const FEAT_FPS = "fps"
-const FEAT_ODC = "odc"
+const FEAT_GMD = "gmd"
+const FEAT_LKS = "lks"
 const FEAT_NTF = "ntf"
+const FEAT_ODC = "odc"
 const FEAT_STG = "stg"
-const FEAT_LKS = "lks"
 const FEAT_TTR = "ttr"
 
 const PUBLIC_KEY = `
@@ -166,11 +167,12 @@ func verify(key string) (*LicenseKey, error) {
 func CreateAvailableFeatureList() []string {
 	available := make([]string, 0, 0)
 	available = append(available, FEAT_FPS)
+	available = append(available, FEAT_GMD)
 	available = append(available, FEAT_LKS)
+	available = append(available, FEAT_NTF)
 	available = append(available, FEAT_ODC)
 	available = append(available, FEAT_STG)
 	available = append(available, FEAT_TTR)
-	available = append(available, FEAT_NTF)
 	return available
 }
 
diff --git a/licensing/license_manager_test.go b/licensing/license_manager_test.go
index 312f62da..e330bcf9 100644
--- a/licensing/license_manager_test.go
+++ b/licensing/license_manager_test.go
@@ -123,13 +123,14 @@ func TestListAvailableFeatures(tester *testing.T) {
 
 	Init(EXPIRED_KEY)
 	manager.status = LICENSE_STATUS_ACTIVE
-	assert.Len(tester, ListAvailableFeatures(), 6)
+	assert.Len(tester, ListAvailableFeatures(), 7)
 	assert.Equal(tester, ListAvailableFeatures()[0], FEAT_FPS)
-	assert.Equal(tester, ListAvailableFeatures()[1], FEAT_LKS)
-	assert.Equal(tester, ListAvailableFeatures()[2], FEAT_ODC)
-	assert.Equal(tester, ListAvailableFeatures()[3], FEAT_STG)
-	assert.Equal(tester, ListAvailableFeatures()[4], FEAT_TTR)
-	assert.Equal(tester, ListAvailableFeatures()[5], FEAT_NTF)
+	assert.Equal(tester, ListAvailableFeatures()[1], FEAT_GMD)
+	assert.Equal(tester, ListAvailableFeatures()[2], FEAT_LKS)
+	assert.Equal(tester, ListAvailableFeatures()[3], FEAT_NTF)
+	assert.Equal(tester, ListAvailableFeatures()[4], FEAT_ODC)
+	assert.Equal(tester, ListAvailableFeatures()[5], FEAT_STG)
+	assert.Equal(tester, ListAvailableFeatures()[6], FEAT_TTR)
 }
 
 func TestListEnabledFeaturesUnprovisioned(tester *testing.T) {
@@ -139,13 +140,14 @@ func TestListEnabledFeaturesUnprovisioned(tester *testing.T) {
 	assert.Len(tester, ListEnabledFeatures(), 0)
 
 	Init(EXPIRED_KEY)
-	assert.Len(tester, ListEnabledFeatures(), 6)
+	assert.Len(tester, ListEnabledFeatures(), 7)
 	assert.Equal(tester, ListEnabledFeatures()[0], FEAT_FPS)
-	assert.Equal(tester, ListEnabledFeatures()[1], FEAT_LKS)
-	assert.Equal(tester, ListEnabledFeatures()[2], FEAT_ODC)
-	assert.Equal(tester, ListEnabledFeatures()[3], FEAT_STG)
-	assert.Equal(tester, ListEnabledFeatures()[4], FEAT_TTR)
-	assert.Equal(tester, ListEnabledFeatures()[5], FEAT_NTF)
+	assert.Equal(tester, ListEnabledFeatures()[1], FEAT_GMD)
+	assert.Equal(tester, ListEnabledFeatures()[2], FEAT_LKS)
+	assert.Equal(tester, ListEnabledFeatures()[3], FEAT_NTF)
+	assert.Equal(tester, ListEnabledFeatures()[4], FEAT_ODC)
+	assert.Equal(tester, ListEnabledFeatures()[5], FEAT_STG)
+	assert.Equal(tester, ListEnabledFeatures()[6], FEAT_TTR)
 
 	Init(EXPIRED_KEY)
 	manager.licenseKey.Features = append(manager.licenseKey.Features, "foo")
@@ -164,14 +166,14 @@ func TestGetLicenseKey(tester *testing.T) {
 	assert.Equal(tester, key.Nodes, 1)
 	assert.Equal(tester, key.SocUrl, "https://somewhere.invalid")
 	assert.Equal(tester, key.DataUrl, "https://another.place")
-	assert.Len(tester, key.Features, 6)
+	assert.Len(tester, key.Features, 7)
 
 	// Modify the returned object and make sure it doesn't affect the orig object
 	key.Users = 100
 	key.Features = append(key.Features, "foo")
 	assert.Equal(tester, GetLicenseKey().Users, 1)
-	assert.Len(tester, key.Features, 7)
-	assert.Len(tester, GetLicenseKey().Features, 6)
+	assert.Len(tester, key.Features, 8)
+	assert.Len(tester, GetLicenseKey().Features, 7)
 }
 
 func TestGetStatus(tester *testing.T) {
@@ -290,7 +292,8 @@ func TestValidateFeature(tester *testing.T) {
 	assert.Len(tester, manager.limits, 3)
 }
 
-func DisabledDueToJobInstability_TestPillarMonitor(tester *testing.T) {
+/* Disabled licensing tests due to test thread instability (run locally when making changes)
+func TestPillarMonitor(tester *testing.T) {
 	defer setup()()
 
 	Test("stg", 0, 0, "", "")
@@ -307,7 +310,7 @@ features:
 	assert.Contains(tester, string(contents), expected)
 }
 
-func DisabledDueToJobInstability_TestPillarMonitorAllFeatures(tester *testing.T) {
+func TestPillarMonitorAllFeatures(tester *testing.T) {
 	defer setup()()
 
 	Test("", 0, 0, "", "")
@@ -332,7 +335,9 @@ func DisabledDueToJobInstability_TestPillarMonitorAllFeatures(tester *testing.T)
 license_id: test
 features:
 - fps
+- gmd
 - lks
+- ntf
 - odc
 - stg
 - ttr
@@ -340,6 +345,7 @@ features:
 
 	assert.Equal(tester, expected, string(contents))
 }
+*/
 
 func TestPillarMonitor_Fail(tester *testing.T) {
 	defer setup()()
diff --git a/model/node.go b/model/node.go
index 70080c4d..a519b7d0 100644
--- a/model/node.go
+++ b/model/node.go
@@ -69,6 +69,7 @@ type Node struct {
 	DiskUsedElasticGB    float64   `json:"diskUsedElasticGB"`
 	DiskUsedInfluxDbGB   float64   `json:"diskUsedInfluxDbGB"`
 	HighstateAgeSeconds  int       `json:"highstateAgeSeconds"`
+	GmdEnabled           int       `json:"gmdEnabled"`
 	LksEnabled           int       `json:"lksEnabled"`
 	FpsEnabled           int       `json:"fpsEnabled"`
 }
diff --git a/server/modules/influxdb/influxdbmetrics.go b/server/modules/influxdb/influxdbmetrics.go
index 35d35680..9dc5f656 100644
--- a/server/modules/influxdb/influxdbmetrics.go
+++ b/server/modules/influxdb/influxdbmetrics.go
@@ -72,8 +72,9 @@ type InfluxDBMetrics struct {
 	diskUsedElasticGB        map[string]float64
 	diskUsedInfluxDbGB       map[string]float64
 	highstateAgeSeconds      map[string]int
-	lksEnabled               map[string]int
 	fpsEnabled               map[string]int
+	gmdEnabled               map[string]int
+	lksEnabled               map[string]int
 }
 
 func NewInfluxDBMetrics(srv *server.Server) *InfluxDBMetrics {
@@ -303,8 +304,9 @@ func (metrics *InfluxDBMetrics) updateOsStatus() {
 		identity := 1.0
 
 		metrics.osNeedsRestart = metrics.convertValuesToInt(metrics.fetchLatestValuesByHost("os", "restart", "", ""))
-		metrics.lksEnabled = metrics.convertValuesToInt(metrics.fetchLatestValuesByHost("features", "lks", "", ""))
 		metrics.fpsEnabled = metrics.convertValuesToInt(metrics.fetchLatestValuesByHost("features", "fps", "", ""))
+		metrics.gmdEnabled = metrics.convertValuesToInt(metrics.fetchLatestValuesByHost("features", "gmd", "", ""))
+		metrics.lksEnabled = metrics.convertValuesToInt(metrics.fetchLatestValuesByHost("features", "lks", "", ""))
 		metrics.osUptime = metrics.convertValuesToInt(metrics.fetchLatestValuesByHost("system", "uptime", "", ""))
 		metrics.diskTotalRootGB = metrics.convertValuesToFloat64(metrics.fetchLatestValuesByHost("disk", "total", "", "|> filter(fn: (r) => r[\"path\"] == \"/\")"), bytesToGB)
 		metrics.diskUsedRootPct = metrics.convertValuesToFloat64(metrics.fetchLatestValuesByHost("disk", "used_percent", "", "|> filter(fn: (r) => r[\"path\"] == \"/\")"), identity)
@@ -495,13 +497,15 @@ func (metrics *InfluxDBMetrics) UpdateNodeMetrics(ctx context.Context, node *mod
 		node.DiskUsedElasticGB = metrics.diskUsedElasticGB[node.Id]
 		node.DiskUsedInfluxDbGB = metrics.diskUsedInfluxDbGB[node.Id]
 		node.HighstateAgeSeconds = metrics.highstateAgeSeconds[node.Id]
-		node.LksEnabled = metrics.lksEnabled[node.Id]
 		node.FpsEnabled = metrics.fpsEnabled[node.Id]
+		node.GmdEnabled = metrics.gmdEnabled[node.Id]
+		node.LksEnabled = metrics.lksEnabled[node.Id]
 
 		enhancedStatusEnabled := (metrics.client != nil)
 		status = node.UpdateOverallStatus(enhancedStatusEnabled)
 
 		licensing.ValidateFeature(licensing.FEAT_FPS, node.FpsEnabled == 1)
+		licensing.ValidateFeature(licensing.FEAT_GMD, node.GmdEnabled == 1)
 		licensing.ValidateFeature(licensing.FEAT_LKS, node.LksEnabled == 1)
 	}
 	return status
diff --git a/server/modules/influxdb/influxdbmetrics_test.go b/server/modules/influxdb/influxdbmetrics_test.go
index eeae84b7..1b8d56a9 100644
--- a/server/modules/influxdb/influxdbmetrics_test.go
+++ b/server/modules/influxdb/influxdbmetrics_test.go
@@ -139,16 +139,10 @@ func TestGetOsNeedsRestart(tester *testing.T) {
 	assert.Equal(tester, 0, metrics.getOsNeedsRestart("missing"))
 }
 
-func DisabledDueToJobInstability_TestUpdateNodeMetricsLksUnlicensed(tester *testing.T) {
-	licensing.Test("odc", 0, 0, "", "")
+func updateNodeMetricsFeature(tester *testing.T, featureId string, metrics *InfluxDBMetrics, expectedStatus string) {
+	licensing.Test(featureId, 0, 0, "", "")
 	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
 
-	metrics := NewInfluxDBMetrics(server.NewFakeAuthorizedServer(nil))
-	metrics.lastOsUpdateTime = time.Now()
-	metrics.lksEnabled = make(map[string]int)
-	metrics.lksEnabled["id1"] = 1
-	metrics.lksEnabled["id2"] = 0
-
 	node1 := model.NewNode("id1")
 	node2 := model.NewNode("id2")
 	node3 := model.NewNode("id3")
@@ -158,71 +152,37 @@ func DisabledDueToJobInstability_TestUpdateNodeMetricsLksUnlicensed(tester *test
 	metrics.UpdateNodeMetrics(context.Background(), node2)
 	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
 	metrics.UpdateNodeMetrics(context.Background(), node1)
-	assert.Equal(tester, licensing.LICENSE_STATUS_EXCEEDED, licensing.GetStatus())
+	assert.Equal(tester, expectedStatus, licensing.GetStatus())
 }
 
-func DisabledDueToJobInstability_TestUpdateNodeMetricsLksLicensed(tester *testing.T) {
-	licensing.Test("lks", 0, 0, "", "")
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
-
+/* Disabled licensing tests due to test thread instability (run locally when making changes)
+func TestUpdateNodeMetricsLksFeatures(tester *testing.T) {
 	metrics := NewInfluxDBMetrics(server.NewFakeAuthorizedServer(nil))
 	metrics.lastOsUpdateTime = time.Now()
 	metrics.lksEnabled = make(map[string]int)
 	metrics.lksEnabled["id1"] = 1
 	metrics.lksEnabled["id2"] = 0
-
-	node1 := model.NewNode("id1")
-	node2 := model.NewNode("id2")
-	node3 := model.NewNode("id3")
-
-	metrics.UpdateNodeMetrics(context.Background(), node3)
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
-	metrics.UpdateNodeMetrics(context.Background(), node2)
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
-	metrics.UpdateNodeMetrics(context.Background(), node1)
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
+	updateNodeMetricsFeature(tester, "odc", metrics, licensing.LICENSE_STATUS_EXCEEDED)
+	updateNodeMetricsFeature(tester, "lks", metrics, licensing.LICENSE_STATUS_ACTIVE)
 }
 
-func DisabledDueToJobInstability_TestUpdateNodeMetricsFpsUnlicensed(tester *testing.T) {
-	licensing.Test("odc", 0, 0, "", "")
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
-
+func TestUpdateNodeMetricsFpsFeatures(tester *testing.T) {
 	metrics := NewInfluxDBMetrics(server.NewFakeAuthorizedServer(nil))
 	metrics.lastOsUpdateTime = time.Now()
 	metrics.fpsEnabled = make(map[string]int)
 	metrics.fpsEnabled["id1"] = 1
 	metrics.fpsEnabled["id2"] = 0
-
-	node1 := model.NewNode("id1")
-	node2 := model.NewNode("id2")
-	node3 := model.NewNode("id3")
-
-	metrics.UpdateNodeMetrics(context.Background(), node3)
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
-	metrics.UpdateNodeMetrics(context.Background(), node2)
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
-	metrics.UpdateNodeMetrics(context.Background(), node1)
-	assert.Equal(tester, licensing.LICENSE_STATUS_EXCEEDED, licensing.GetStatus())
+	updateNodeMetricsFeature(tester, "odc", metrics, licensing.LICENSE_STATUS_EXCEEDED)
+	updateNodeMetricsFeature(tester, "fps", metrics, licensing.LICENSE_STATUS_ACTIVE)
 }
 
-func DisabledDueToJobInstability_TestUpdateNodeMetricsFpsLicensed(tester *testing.T) {
-	licensing.Test("fps", 0, 0, "", "")
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
-
+func TestUpdateNodeMetricsGmdFeatures(tester *testing.T) {
 	metrics := NewInfluxDBMetrics(server.NewFakeAuthorizedServer(nil))
 	metrics.lastOsUpdateTime = time.Now()
-	metrics.fpsEnabled = make(map[string]int)
-	metrics.fpsEnabled["id1"] = 1
-	metrics.fpsEnabled["id2"] = 0
-
-	node1 := model.NewNode("id1")
-	node2 := model.NewNode("id2")
-	node3 := model.NewNode("id3")
-
-	metrics.UpdateNodeMetrics(context.Background(), node3)
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
-	metrics.UpdateNodeMetrics(context.Background(), node2)
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
-	metrics.UpdateNodeMetrics(context.Background(), node1)
-	assert.Equal(tester, licensing.LICENSE_STATUS_ACTIVE, licensing.GetStatus())
+	metrics.gmdEnabled = make(map[string]int)
+	metrics.gmdEnabled["id1"] = 1
+	metrics.gmdEnabled["id2"] = 0
+	updateNodeMetricsFeature(tester, "odc", metrics, licensing.LICENSE_STATUS_EXCEEDED)
+	updateNodeMetricsFeature(tester, "gmd", metrics, licensing.LICENSE_STATUS_ACTIVE)
 }
+*/

From 3abf673c368055ba5e13beb83968cf41ccc679d7 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Fri, 31 May 2024 16:44:37 -0400
Subject: [PATCH 07/57] gmd work

---
 model/node.go                                 | 27 +++++++++++++++++++
 model/node_test.go                            | 11 ++++++++
 server/modules/influxdb/influxdbmetrics.go    |  5 +---
 .../modules/influxdb/influxdbmetrics_test.go  | 12 ++++++---
 4 files changed, 48 insertions(+), 7 deletions(-)

diff --git a/model/node.go b/model/node.go
index a519b7d0..a970b08d 100644
--- a/model/node.go
+++ b/model/node.go
@@ -8,6 +8,8 @@ package model
 
 import (
 	"time"
+
+	"github.com/security-onion-solutions/securityonion-soc/json"
 )
 
 const NodeRoleDesktop = "so-desktop"
@@ -145,3 +147,28 @@ func (node *Node) UpdateOverallStatus(enhancedStatusEnabled bool) bool {
 	node.MetricsEnabled = enhancedStatusEnabled
 	return oldStatus != node.Status
 }
+
+func (node *Node) IsProcessRunning(match string) bool {
+	nodeStatus := NodeStatus{}
+	err := json.LoadJson([]byte(node.ProcessJson), &nodeStatus)
+	if err != nil {
+		return false
+	}
+	for _, process := range nodeStatus.Containers {
+		if process.Name == match {
+			return process.Status == "running"
+		}
+	}
+	return false
+}
+
+type NodeStatus struct {
+	StatusCode string          `json:"status_code"`
+	Containers []ProcessStatus `json:"containers"`
+}
+
+type ProcessStatus struct {
+	Name    string `json:"Name"`
+	Status  string `json:"Status"`
+	Details string `json:"Details"`
+}
diff --git a/model/node_test.go b/model/node_test.go
index 9fb3bf1d..7c0eb347 100644
--- a/model/node_test.go
+++ b/model/node_test.go
@@ -204,3 +204,14 @@ func TestUpdateNodeStatusPending(tester *testing.T) {
 	testStatus(tester, true, NodeStatusOk, NodeStatusOk, NodeStatusOk, NodeStatusOk, NodeStatusOk, 1, NodeStatusRestart)
 	testStatus(tester, true, NodeStatusPending, NodeStatusFault, NodeStatusOk, NodeStatusOk, NodeStatusOk, 1, NodeStatusFault)
 }
+
+func TestIsProcessRunning(tester *testing.T) {
+	node := NewNode("")
+	assert.False(tester, node.IsProcessRunning("so-test"))
+	node.ProcessJson = "{}"
+	assert.False(tester, node.IsProcessRunning("so-test"))
+	node.ProcessJson = `{"containers":[{"Name":"so-foo", "Status":"running"}]}`
+	assert.False(tester, node.IsProcessRunning("so-test"))
+	node.ProcessJson = `{"containers":[{"Name":"so-test", "Status":"running"}]}`
+	assert.True(tester, node.IsProcessRunning("so-test"))
+}
diff --git a/server/modules/influxdb/influxdbmetrics.go b/server/modules/influxdb/influxdbmetrics.go
index 9dc5f656..2ac247e7 100644
--- a/server/modules/influxdb/influxdbmetrics.go
+++ b/server/modules/influxdb/influxdbmetrics.go
@@ -73,7 +73,6 @@ type InfluxDBMetrics struct {
 	diskUsedInfluxDbGB       map[string]float64
 	highstateAgeSeconds      map[string]int
 	fpsEnabled               map[string]int
-	gmdEnabled               map[string]int
 	lksEnabled               map[string]int
 }
 
@@ -305,7 +304,6 @@ func (metrics *InfluxDBMetrics) updateOsStatus() {
 
 		metrics.osNeedsRestart = metrics.convertValuesToInt(metrics.fetchLatestValuesByHost("os", "restart", "", ""))
 		metrics.fpsEnabled = metrics.convertValuesToInt(metrics.fetchLatestValuesByHost("features", "fps", "", ""))
-		metrics.gmdEnabled = metrics.convertValuesToInt(metrics.fetchLatestValuesByHost("features", "gmd", "", ""))
 		metrics.lksEnabled = metrics.convertValuesToInt(metrics.fetchLatestValuesByHost("features", "lks", "", ""))
 		metrics.osUptime = metrics.convertValuesToInt(metrics.fetchLatestValuesByHost("system", "uptime", "", ""))
 		metrics.diskTotalRootGB = metrics.convertValuesToFloat64(metrics.fetchLatestValuesByHost("disk", "total", "", "|> filter(fn: (r) => r[\"path\"] == \"/\")"), bytesToGB)
@@ -498,14 +496,13 @@ func (metrics *InfluxDBMetrics) UpdateNodeMetrics(ctx context.Context, node *mod
 		node.DiskUsedInfluxDbGB = metrics.diskUsedInfluxDbGB[node.Id]
 		node.HighstateAgeSeconds = metrics.highstateAgeSeconds[node.Id]
 		node.FpsEnabled = metrics.fpsEnabled[node.Id]
-		node.GmdEnabled = metrics.gmdEnabled[node.Id]
 		node.LksEnabled = metrics.lksEnabled[node.Id]
 
 		enhancedStatusEnabled := (metrics.client != nil)
 		status = node.UpdateOverallStatus(enhancedStatusEnabled)
 
 		licensing.ValidateFeature(licensing.FEAT_FPS, node.FpsEnabled == 1)
-		licensing.ValidateFeature(licensing.FEAT_GMD, node.GmdEnabled == 1)
+		licensing.ValidateFeature(licensing.FEAT_GMD, node.IsProcessRunning("so-kafka"))
 		licensing.ValidateFeature(licensing.FEAT_LKS, node.LksEnabled == 1)
 	}
 	return status
diff --git a/server/modules/influxdb/influxdbmetrics_test.go b/server/modules/influxdb/influxdbmetrics_test.go
index 1b8d56a9..f144d9b0 100644
--- a/server/modules/influxdb/influxdbmetrics_test.go
+++ b/server/modules/influxdb/influxdbmetrics_test.go
@@ -159,6 +159,8 @@ func updateNodeMetricsFeature(tester *testing.T, featureId string, metrics *Infl
 func TestUpdateNodeMetricsLksFeatures(tester *testing.T) {
 	metrics := NewInfluxDBMetrics(server.NewFakeAuthorizedServer(nil))
 	metrics.lastOsUpdateTime = time.Now()
+	metrics.lastProcessUpdateTime = time.Now()
+	metrics.cacheExpirationMs = 99999
 	metrics.lksEnabled = make(map[string]int)
 	metrics.lksEnabled["id1"] = 1
 	metrics.lksEnabled["id2"] = 0
@@ -169,6 +171,8 @@ func TestUpdateNodeMetricsLksFeatures(tester *testing.T) {
 func TestUpdateNodeMetricsFpsFeatures(tester *testing.T) {
 	metrics := NewInfluxDBMetrics(server.NewFakeAuthorizedServer(nil))
 	metrics.lastOsUpdateTime = time.Now()
+	metrics.lastProcessUpdateTime = time.Now()
+	metrics.cacheExpirationMs = 99999
 	metrics.fpsEnabled = make(map[string]int)
 	metrics.fpsEnabled["id1"] = 1
 	metrics.fpsEnabled["id2"] = 0
@@ -179,9 +183,11 @@ func TestUpdateNodeMetricsFpsFeatures(tester *testing.T) {
 func TestUpdateNodeMetricsGmdFeatures(tester *testing.T) {
 	metrics := NewInfluxDBMetrics(server.NewFakeAuthorizedServer(nil))
 	metrics.lastOsUpdateTime = time.Now()
-	metrics.gmdEnabled = make(map[string]int)
-	metrics.gmdEnabled["id1"] = 1
-	metrics.gmdEnabled["id2"] = 0
+	metrics.lastProcessUpdateTime = time.Now()
+	metrics.cacheExpirationMs = 99999
+	metrics.processJson = make(map[string]string)
+	metrics.processJson["id1"] = `{"containers":[{"Name":"so-kafka", "Status":"running"}]}`
+	metrics.processJson["id2"] = `{"containers":[{"Name":"so-kafka", "Status":"stopped"}]}`
 	updateNodeMetricsFeature(tester, "odc", metrics, licensing.LICENSE_STATUS_EXCEEDED)
 	updateNodeMetricsFeature(tester, "gmd", metrics, licensing.LICENSE_STATUS_ACTIVE)
 }

From 7bf37049cd66263c256d7854a1d5c91b3fb5f372 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Fri, 31 May 2024 17:03:12 -0400
Subject: [PATCH 08/57] gmd work

---
 model/node.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/model/node.go b/model/node.go
index a970b08d..1edaa4ec 100644
--- a/model/node.go
+++ b/model/node.go
@@ -163,7 +163,7 @@ func (node *Node) IsProcessRunning(match string) bool {
 }
 
 type NodeStatus struct {
-	StatusCode string          `json:"status_code"`
+	StatusCode int             `json:"status_code"`
 	Containers []ProcessStatus `json:"containers"`
 }
 

From 7dc4f85dadfb438ecf967ba6c75f6005907bbb01 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 31 May 2024 15:24:46 -0600
Subject: [PATCH 09/57] Bulk Delete + Confirmation Dialog

---
 html/index.html            | 14 +++++++++++
 html/js/i18n.js            |  5 +++-
 html/js/routes/hunt.js     | 17 +++++++++++--
 server/detectionhandler.go | 49 +++++++++++++++++++++++++++++++-------
 4 files changed, 73 insertions(+), 12 deletions(-)

diff --git a/html/index.html b/html/index.html
index 770ce1bb..8b266c09 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1045,6 +1045,20 @@ <h4 v-if="loaded" :data-aid="'event_total_' + category">{{ i18n.eventTotal }} {{
             </v-card-actions>
           </v-card>
         </v-dialog>
+
+        <v-dialog v-model="showBulkDeleteConfirmDialog" persistent max-width="400" data-aid="bulk_delete_confirmation">
+          <v-card>
+            <v-card-title class="text-h5" v-text="i18n.detectionDeleteConfirmationTitle" />
+            <v-card-text>
+              {{ i18n.detectionDeleteConfirmationBody.replace('{count}', selectedCount) }}
+            </v-card-text>
+            <v-card-actions>
+              <v-spacer></v-spacer>
+              <v-btn text id="detections-bulk-confirm" @click="bulkAction(true)" v-text="i18n.yes" data-aid="detection_bulk_action_confirm" />
+              <v-btn text id="detections-bulk-cancel" @click="bulkDeleteDialogCancel()" v-text="i18n.cancel" data-aid="detection_bulk_action_cancel" />
+            </v-card-actions>
+          </v-card>
+        </v-dialog>
       </v-container>
     </script>
 
diff --git a/html/js/i18n.js b/html/js/i18n.js
index f55dc6ce..7127fd52 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -122,7 +122,8 @@ const i18n = {
       blog: 'Blog',
       bulkAction: 'Bulk Action:',
       bulkError: '',
-      bulkSuccess: 'Bulk update successfully updated {modified} of {total} events. ({time})',
+      bulkSuccessUpdate: 'Bulk update successfully updated {modified} of {total} events. ({time})',
+      bulkSuccessDelete: 'Bulk delete successfully deleted {modified} of {total} events. ({time})',
       bytes: 'Bytes',
       cancel: 'Cancel',
       captureLoss: 'Capture Loss',
@@ -291,6 +292,8 @@ const i18n = {
       detectionDefaultTitle: 'Detection title not yet provided - click here to update this title',
       detectionDefaultDescription: 'Detection description not yet provided',
       detectionDeleteSuccessful: 'Detection deleted. The deleted detection will still appear below until the list is refreshed.',
+      detectionDeleteConfirmationBody: 'Are you sure you want to delete {count} detections?',
+      detectionDeleteConfirmationTitle: 'Delete Detections',
       detectionDescription: 'Detection Description',
       detectionEnabled: 'Enabled',
       detectionEngineHealthy: 'OK',
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 2804ad7a..bd84f02c 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -146,10 +146,12 @@ const huntComponent = {
     bulkActions: [
       { text: this.$root.i18n.enable, value: 'enable' },
       { text: this.$root.i18n.disable, value: 'disable' },
+      { text: this.$root.i18n.delete, value: 'delete' },
     ],
     quickActionDetId: null,
     presets: {},
     manualSyncTargetEngine: null,
+    showBulkDeleteConfirmDialog: false,
   }},
   created() {
     this.$root.initializeCharts();
@@ -2186,9 +2188,16 @@ const huntComponent = {
 
       this.selectedCount = count;
     },
-    async bulkAction() {
+    async bulkAction(confirmed) {
       let payload = {};
 
+      if (this.selectedAction === 'delete' && !confirmed) {
+        this.showBulkDeleteConfirmDialog = true;
+        return;
+      }
+
+      this.showBulkDeleteConfirmDialog = false;
+
       switch (this.selectAllState) {
         case true:
           payload.query = this.query;
@@ -2215,6 +2224,9 @@ const huntComponent = {
         this.hunt(false);
       }
     },
+    bulkDeleteDialogCancel() {
+      this.showBulkDeleteConfirmDialog = false;
+    },
     bulkUpdateReport(stats) {
       if (stats.error > 0) {
         let msg = this.i18n.bulkError;
@@ -2244,7 +2256,8 @@ const huntComponent = {
 
         t += seconds.toFixed(0) + 's';
 
-        let msg = this.i18n.bulkSuccess;
+        let msg = stats.verb === 'delete' ? this.i18n.bulkSuccessDelete : this.i18n.bulkSuccessUpdate;
+
         msg = msg.replaceAll('{modified}', stats.modified.toLocaleString());
         msg = msg.replaceAll('{total}', stats.total.toLocaleString());
         msg = msg.replaceAll('{time}', t);
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index 5acd79c2..b7f9bd3c 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -28,6 +28,7 @@ type BulkOp struct {
 	IDs       []string `json:"ids"`
 	Query     *string  `json:"query"`
 	NewStatus bool     `json:"-"`
+	Delete    bool     `json:"-"`
 }
 
 type DetectionHandler struct {
@@ -368,9 +369,12 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 	newStatus := chi.URLParam(r, "newStatus") // "enable" or "disable"
 
 	var enabled bool
+	var delete bool
 	switch strings.ToLower(newStatus) {
 	case "enable", "disable":
 		enabled = strings.ToLower(newStatus) == "enable"
+	case "delete":
+		delete = true
 	default:
 		web.Respond(w, r, http.StatusBadRequest, fmt.Errorf("invalid status; must be 'enable' or 'disable'"))
 		return
@@ -384,6 +388,7 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 	}
 
 	body.NewStatus = enabled
+	body.Delete = delete
 
 	err = h.server.CheckAuthorized(ctx, "write", "detections")
 	if err != nil {
@@ -408,6 +413,7 @@ func (h *DetectionHandler) bulkUpdateDetectionAsync(ctx context.Context, body *B
 	errMap := map[string]string{} // map[id]error
 	IDs := map[string]struct{}{}
 	modified := []*model.Detection{}
+	deleted := []*model.Detection{}
 
 	totalTimeStart := time.Now()
 
@@ -418,15 +424,22 @@ func (h *DetectionHandler) bulkUpdateDetectionAsync(ctx context.Context, body *B
 			"error":      len(errMap),
 			"total":      len(IDs),
 			"modified":   len(modified),
+			"deleted":    len(deleted),
 			"updateTime": update.Seconds(),
 			"syncTime":   sync.Seconds(),
 			"totalTime":  totalTime.Seconds(),
 		}).Error("bulk update Detections finished")
 
+		verb := "update"
+		if body.Delete {
+			verb = "delete"
+		}
+
 		h.server.Host.Broadcast("detections:bulkUpdate", "detections", map[string]interface{}{
 			"error":    len(errMap),
+			"verb":     verb,
 			"total":    len(IDs),
-			"modified": len(modified),
+			"modified": len(modified) + len(deleted),
 			"time":     totalTime.Seconds(),
 		})
 	}()
@@ -457,21 +470,39 @@ func (h *DetectionHandler) bulkUpdateDetectionAsync(ctx context.Context, body *B
 
 	start := time.Now()
 
-	for id := range IDs {
-		mod, err := h.server.Detectionstore.UpdateDetectionField(ctx, id, map[string]interface{}{"IsEnabled": body.NewStatus})
-		if err != nil {
-			errMap[id] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
+	if !body.Delete {
+		for id := range IDs {
+			mod, err := h.server.Detectionstore.UpdateDetectionField(ctx, id, map[string]interface{}{"IsEnabled": body.NewStatus})
+			if err != nil {
+				errMap[id] = fmt.Sprintf("unable to update detection; reason=%s", err.Error())
 
-			continue
+				continue
+			}
+
+			modified = append(modified, mod)
 		}
+	} else {
+		for id := range IDs {
+			mod, err := h.server.Detectionstore.DeleteDetection(ctx, id)
+			if err != nil {
+				errMap[id] = fmt.Sprintf("unable to delete detection; reason=%s", err.Error())
+
+				continue
+			}
 
-		modified = append(modified, mod)
+			mod.IsEnabled = false
+			mod.PendingDelete = true
+
+			deleted = append(deleted, mod)
+		}
 	}
 
 	update = time.Since(start)
 	start = time.Now()
 
-	addErrMap, err := SyncLocalDetections(ctx, h.server, modified)
+	dirty := append(modified, deleted...)
+
+	addErrMap, err := SyncLocalDetections(ctx, h.server, dirty)
 	if err != nil {
 		return
 	}
@@ -489,7 +520,7 @@ func (h *DetectionHandler) bulkUpdateDetectionAsync(ctx context.Context, body *B
 	}
 
 	log.WithFields(log.Fields{
-		"modifiedCount": len(modified),
+		"modifiedCount": len(dirty),
 		"errorCount":    len(errMap),
 	}).Info("bulk update detection")
 

From 8d945e8d315d74ef186394d85085536ef1736792 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Mon, 3 Jun 2024 15:39:15 -0600
Subject: [PATCH 10/57] Check for Community Rules

Server side now checks if any included detection is a community detection before hand off to the async process. If 1 detection is a community rule, the request is thrown back with a 400 and an error the UI can show without deleting a single rule.

Also, show proper count when every detection is selected and localize the number (i.e. include thousands separator commas).
---
 html/index.html            |  2 +-
 html/js/i18n.js            |  1 +
 html/js/routes/hunt.js     |  5 ++-
 server/detectionhandler.go | 72 ++++++++++++++++++++++++++------------
 4 files changed, 54 insertions(+), 26 deletions(-)

diff --git a/html/index.html b/html/index.html
index 8b266c09..2e7fd3a3 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1050,7 +1050,7 @@ <h4 v-if="loaded" :data-aid="'event_total_' + category">{{ i18n.eventTotal }} {{
           <v-card>
             <v-card-title class="text-h5" v-text="i18n.detectionDeleteConfirmationTitle" />
             <v-card-text>
-              {{ i18n.detectionDeleteConfirmationBody.replace('{count}', selectedCount) }}
+              {{ i18n.detectionDeleteConfirmationBody.replace('{count}', (selectAllState === true ? totalEvents : selectedCount).toLocaleString()) }}
             </v-card-text>
             <v-card-actions>
               <v-spacer></v-spacer>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 7127fd52..50d8ff88 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -964,6 +964,7 @@ const i18n = {
       ERROR_SALT_SEND_FILE: 'Unable to send file to minion; ensure that salt is running on the manager node and check salt logs.',
       ERROR_SALT_IMPORT: 'Unable to import file on minion; ensure that salt is running on the manager node and check salt logs.',
       ERROR_SALT_STATE: 'Unable to sync settings. Ensure that salt is running on the manager node and check salt logs.',
+      ERROR_BULK_COMMUNITY: 'Unable to complete bulk delete. Batch contains Community rules. No rules were deleted.',
 
       // correct casing
       cc_elastalert: 'ElastAlert',
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index bd84f02c..e50ac4a2 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -2216,12 +2216,11 @@ const huntComponent = {
 
       try {
         await this.$root.papi.post('detection/bulk/' + this.selectedAction, payload);
-      } catch (e) {
-        this.$root.handleError(e);
-      } finally {
         this.selectAllState = false;
         this.selectedCount = 0;
         this.hunt(false);
+      } catch (e) {
+        this.$root.showError(e);
       }
     },
     bulkDeleteDialogCancel() {
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index b7f9bd3c..b560e25a 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -396,18 +396,62 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 		return
 	}
 
+	IDs := []string{}
+	containsCommunity := false
+
+	if body.Query != nil {
+		query := fmt.Sprintf(`(%s) AND _index:"*:so-detection" AND so_kind:detection`, *body.Query)
+
+		var results []interface{}
+
+		results, err = h.server.Detectionstore.Query(ctx, query, -1)
+		if err != nil {
+			return
+		}
+		for _, d := range results {
+			det := d.(*model.Detection)
+			if det.IsCommunity {
+				containsCommunity = true
+				break
+			}
+
+			IDs = append(IDs, det.Id)
+		}
+	} else {
+		for _, id := range body.IDs {
+			IDs = append(IDs, id)
+			det, err := h.server.Detectionstore.GetDetection(ctx, id)
+			if err != nil {
+				web.Respond(w, r, http.StatusInternalServerError, err)
+				return
+			}
+
+			if det.IsCommunity {
+				containsCommunity = true
+				break
+			}
+		}
+	}
+
+	if containsCommunity {
+		web.Respond(w, r, http.StatusBadRequest, "ERROR_BULK_COMMUNITY")
+		return
+	}
+
 	// new context that doesn't contain a timeout or deadline, but does include
 	// the user we're making requests to ES on behalf of.
 	noTimeOutCtx := context.WithValue(context.Background(), web.ContextKeyRequestor, ctx.Value(web.ContextKeyRequestor).(*model.User))
 	noTimeOutCtx = context.WithValue(noTimeOutCtx, web.ContextKeyRequestorId, ctx.Value(web.ContextKeyRequestorId).(string))
 	noTimeOutCtx = web.MarkChangedByUser(noTimeOutCtx, true)
 
-	go h.bulkUpdateDetectionAsync(noTimeOutCtx, body)
+	go h.bulkUpdateDetectionAsync(noTimeOutCtx, body, IDs)
 
 	web.Respond(w, r, http.StatusAccepted, nil)
 }
 
-func (h *DetectionHandler) bulkUpdateDetectionAsync(ctx context.Context, body *BulkOp) {
+// bulkUpdateDetectionAsync is a helper function that performs the bulk update in a separate goroutine.
+// Note that the IdList is SOC Ids, not Public Ids.
+func (h *DetectionHandler) bulkUpdateDetectionAsync(ctx context.Context, body *BulkOp, IdList []string) {
 	var err error
 	var update, sync time.Duration
 	errMap := map[string]string{} // map[id]error
@@ -415,6 +459,10 @@ func (h *DetectionHandler) bulkUpdateDetectionAsync(ctx context.Context, body *B
 	modified := []*model.Detection{}
 	deleted := []*model.Detection{}
 
+	for _, id := range IdList {
+		IDs[id] = struct{}{}
+	}
+
 	totalTimeStart := time.Now()
 
 	defer func() {
@@ -444,26 +492,6 @@ func (h *DetectionHandler) bulkUpdateDetectionAsync(ctx context.Context, body *B
 		})
 	}()
 
-	for _, id := range body.IDs {
-		IDs[id] = struct{}{}
-	}
-
-	if body.Query != nil {
-		query := fmt.Sprintf(`(%s) AND _index:"*:so-detection" AND so_kind:detection`, *body.Query)
-
-		var results []interface{}
-
-		results, err = h.server.Detectionstore.Query(ctx, query, -1)
-		if err != nil {
-			return
-		}
-		for _, d := range results {
-			det := d.(*model.Detection)
-			id := det.Id
-			IDs[id] = struct{}{}
-		}
-	}
-
 	log.WithField("count", len(IDs)).Info("bulk update ID count")
 
 	modified = make([]*model.Detection, 0, len(IDs))

From 0d9c9150c886238522af64c6656353382558ffad Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Mon, 3 Jun 2024 16:39:41 -0600
Subject: [PATCH 11/57] bulkAction Jest tests

---
 html/js/routes/hunt.test.js | 89 +++++++++++++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)

diff --git a/html/js/routes/hunt.test.js b/html/js/routes/hunt.test.js
index a9412ff6..bde48499 100644
--- a/html/js/routes/hunt.test.js
+++ b/html/js/routes/hunt.test.js
@@ -1191,3 +1191,92 @@ test('toggleSelectAll', () => {
   expect(comp.selectedCount).toBe(0);
   expect(comp.isPageSelected()).toBe(false);
 });
+
+test('bulkAction - delete - pre-confirm', async () => {
+  comp.selectedAction = 'delete';
+  comp.selectedCount = 2;
+
+  await comp.bulkAction();
+
+  expect(comp.showBulkDeleteConfirmDialog).toBe(true);
+  expect(comp.selectedCount).toBe(2);
+});
+
+test('bulkAction - enable', async () => {
+  comp.selectedAction = 'enable';
+  comp.selectedCount = 2;
+  comp.selectAllState = 'indeterminate';
+  comp.eventData = [{ _isSelected: true, soc_id: "1" }, { _isSelected: false, soc_id: "2" }, { _isSelected: true, soc_id: "3" }];
+  comp.hunt = jest.fn();
+  const mock = resetPapi().mockPapi('post', { data: {} }, null);
+
+  await comp.bulkAction(true);
+
+  expect(comp.showBulkDeleteConfirmDialog).toBe(false);
+  expect(comp.selectAllState).toBe(false);
+  expect(comp.selectedCount).toBe(0);
+  expect(mock).toHaveBeenCalledTimes(1);
+  expect(mock).toHaveBeenCalledWith('detection/bulk/enable', { ids: ["1", "3"] });
+  expect(comp.hunt).toHaveBeenCalledTimes(1);
+  expect(comp.hunt).toHaveBeenCalledWith(false);
+});
+
+test('bulkAction - disable', async () => {
+  comp.selectedAction = 'disable';
+  comp.selectedCount = 2;
+  comp.selectAllState = 'indeterminate';
+  comp.eventData = [{ _isSelected: true, soc_id: "1" }, { _isSelected: false, soc_id: "2" }, { _isSelected: true, soc_id: "3" }];
+  comp.hunt = jest.fn();
+  const mock = resetPapi().mockPapi('post', { data: {} }, null);
+
+  await comp.bulkAction(true);
+
+  expect(comp.showBulkDeleteConfirmDialog).toBe(false);
+  expect(comp.selectAllState).toBe(false);
+  expect(comp.selectedCount).toBe(0);
+  expect(mock).toHaveBeenCalledTimes(1);
+  expect(mock).toHaveBeenCalledWith('detection/bulk/disable', { ids: ["1", "3"] });
+  expect(comp.hunt).toHaveBeenCalledTimes(1);
+  expect(comp.hunt).toHaveBeenCalledWith(false);
+});
+
+test('bulkAction - delete - confirm - success', async () => {
+  comp.selectedAction = 'delete';
+  comp.showBulkDeleteConfirmDialog = true;
+  comp.selectedCount = 2;
+  comp.selectAllState = 'indeterminate';
+  comp.eventData = [{ _isSelected: true, soc_id: "1" }, { _isSelected: false, soc_id: "2" }, { _isSelected: true, soc_id: "3" }];
+  comp.hunt = jest.fn();
+  const mock = resetPapi().mockPapi('post', { data: {} }, null);
+
+  await comp.bulkAction(true);
+
+  expect(comp.showBulkDeleteConfirmDialog).toBe(false);
+  expect(comp.selectAllState).toBe(false);
+  expect(comp.selectedCount).toBe(0);
+  expect(mock).toHaveBeenCalledTimes(1);
+  expect(mock).toHaveBeenCalledWith('detection/bulk/delete', { ids: ["1", "3"] });
+  expect(comp.hunt).toHaveBeenCalledTimes(1);
+  expect(comp.hunt).toHaveBeenCalledWith(false);
+});
+
+test('bulkAction - delete - confirm - failure', async () => {
+  comp.selectedAction = 'delete';
+  comp.showBulkDeleteConfirmDialog = true;
+  comp.selectedCount = 2;
+  comp.selectAllState = 'indeterminate';
+  comp.eventData = [{ _isSelected: true, soc_id: "1" }, { _isSelected: false, soc_id: "2" }, { _isSelected: true, soc_id: "3" }];
+  comp.$root.showError = jest.fn();
+  const err = { response: { data: "ERROR_BULK_COMMUNITY" } }
+  const mock = resetPapi().mockPapi('post', null, err);
+
+  await comp.bulkAction(true);
+
+  expect(comp.showBulkDeleteConfirmDialog).toBe(false);
+  expect(comp.selectAllState).toBe('indeterminate');
+  expect(comp.selectedCount).toBe(2);
+  expect(mock).toHaveBeenCalledTimes(1);
+  expect(mock).toHaveBeenCalledWith('detection/bulk/delete', { ids: ["1", "3"] });
+  expect(comp.$root.showError).toHaveBeenCalledTimes(1);
+  expect(comp.$root.showError).toHaveBeenCalledWith(err);
+});
\ No newline at end of file

From 8721599924408cd2399988a313217da8a5904cf1 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 4 Jun 2024 14:37:07 -0600
Subject: [PATCH 12/57] Only disallow bulk action w/community rules on Delete

When adding BulkDelete, a check for the involvement of community rules was added since you can't delete community rules. However the check will fail Bulk Enables/Disables too. This is causing Cypress tests to fail.

In the sigma sync process, we had an extra bit of logic to copy over all the detections of existing community rules. This was removed as line 1044 accomplishes the task as well.

Added a coverage folder to the gitignore. Jest coverage reports shouldn't be checked in.
---
 .gitignore                              |  1 +
 server/detectionhandler.go              |  2 +-
 server/modules/elastalert/elastalert.go | 10 ----------
 3 files changed, 2 insertions(+), 11 deletions(-)

diff --git a/.gitignore b/.gitignore
index 07cacdab..46dd202b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,7 @@ sensoroni
 jobs/
 logs/
 nsm/
+coverage/
 .vscode/
 .DS_Store
 
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index b560e25a..93dc120c 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -433,7 +433,7 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 		}
 	}
 
-	if containsCommunity {
+	if containsCommunity && body.Delete {
 		web.Respond(w, r, http.StatusBadRequest, "ERROR_BULK_COMMUNITY")
 		return
 	}
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 31ac2ad6..4e4c00d4 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -1006,16 +1006,6 @@ func (e *ElastAlertEngine) syncCommunityDetections(ctx context.Context, detects
 		}
 	}
 
-	// carry forward existing overrides
-	for i := range detects {
-		det := detects[i]
-
-		comDet, exists := community[det.PublicID]
-		if exists {
-			det.Overrides = comDet.Overrides
-		}
-	}
-
 	results := struct {
 		Added     int
 		Updated   int

From 259ebe55a63dc293964604da0d62e50aef13633e Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 4 Jun 2024 15:06:16 -0600
Subject: [PATCH 13/57] Improve Performance

When not performing a delete, don't check for community status.
---
 server/detectionhandler.go | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index 93dc120c..ce2386ff 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -420,15 +420,17 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 	} else {
 		for _, id := range body.IDs {
 			IDs = append(IDs, id)
-			det, err := h.server.Detectionstore.GetDetection(ctx, id)
-			if err != nil {
-				web.Respond(w, r, http.StatusInternalServerError, err)
-				return
-			}
-
-			if det.IsCommunity {
-				containsCommunity = true
-				break
+			if body.Delete {
+				det, err := h.server.Detectionstore.GetDetection(ctx, id)
+				if err != nil {
+					web.Respond(w, r, http.StatusInternalServerError, err)
+					return
+				}
+
+				if det.IsCommunity {
+					containsCommunity = true
+					break
+				}
 			}
 		}
 	}

From f1e25c6ad0819bc0c1fe6f60342f148867f22723 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 6 Jun 2024 13:14:35 -0600
Subject: [PATCH 14/57] Use proxy for Repo and Zip network operations

---
 config/serverconfig.go                        |  1 +
 .../modules/detections/detengine_helpers.go   | 42 ++++++++++--
 .../detections/detengine_helpers_test.go      | 68 +++++++++++++++++++
 server/modules/elastalert/elastalert.go       | 36 ++++++++--
 server/modules/strelka/strelka.go             |  2 +-
 5 files changed, 137 insertions(+), 12 deletions(-)

diff --git a/config/serverconfig.go b/config/serverconfig.go
index c1b06b23..c93b3f3c 100644
--- a/config/serverconfig.go
+++ b/config/serverconfig.go
@@ -37,6 +37,7 @@ type ServerConfig struct {
 	IdleConnectionTimeoutMs int                    `json:"idleConnectionTimeoutMs"`
 	TimezoneScript          string                 `json:"timezoneScript"`
 	MaxUploadSizeBytes      int                    `json:"maxUploadSizeBytes"`
+	Proxy                   string                 `json:"proxy"`
 	SrvKey                  string                 `json:"srvKey"`
 	SrvKeyBytes             []byte
 	SrvExpSeconds           int `json:"srvExpSeconds"`
diff --git a/server/modules/detections/detengine_helpers.go b/server/modules/detections/detengine_helpers.go
index a68f3da7..ed2eed8a 100644
--- a/server/modules/detections/detengine_helpers.go
+++ b/server/modules/detections/detengine_helpers.go
@@ -17,6 +17,7 @@ import (
 
 	"github.com/apex/log"
 	"github.com/go-git/go-git/v5"
+	"github.com/go-git/go-git/v5/plumbing/transport"
 )
 
 var doubleQuoteEscaper = regexp.MustCompile(`\\([\s\S])|(")`)
@@ -111,7 +112,7 @@ type DirtyRepo struct {
 	Repo        *model.RuleRepo
 }
 
-func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.RuleRepo) (allRepos map[string]*DirtyRepo, anythingNew bool, err error) {
+func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.RuleRepo, proxy string) (allRepos map[string]*DirtyRepo, anythingNew bool, err error) {
 	allRepos = map[string]*DirtyRepo{} // map[repoPath]repo
 
 	// read existing repos
@@ -153,6 +154,12 @@ func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.Rul
 		allRepos[repoPath] = dirty
 		reclone := false
 
+		proxyOpts, err := proxyToTransportOptions(proxy)
+		if err != nil {
+			log.WithError(err).WithField("proxy", proxy).Error("failed to parse proxy URL, not using the proxy")
+			// no return here, not a bug
+		}
+
 		_, ok := existingRepos[lastFolder]
 		if ok {
 			var work *git.Worktree
@@ -187,19 +194,19 @@ func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.Rul
 			}
 
 			ctx, cancel = context.WithTimeout(context.Background(), time.Minute*5)
+			defer cancel()
 
 			err = work.PullContext(ctx, &git.PullOptions{
 				Depth:        1,
 				SingleBranch: true,
+				ProxyOptions: proxyOpts,
 			})
 			if err != nil && err != git.NoErrAlreadyUpToDate {
-				cancel()
 				log.WithError(err).WithField("repoPath", repoPath).Error("failed to pull repo, doing nothing with it")
 				reclone = true
 
 				goto skippull
 			}
-			cancel()
 
 			if err == nil {
 				anythingNew = true
@@ -227,6 +234,7 @@ func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.Rul
 				Depth:        1,
 				SingleBranch: true,
 				URL:          repo.Repo,
+				ProxyOptions: proxyOpts,
 			})
 			if err != nil {
 				log.WithError(err).WithField("repoPath", repoPath).Error("failed to clone repo, doing nothing with it")
@@ -252,6 +260,32 @@ func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.Rul
 	return allRepos, anythingNew, nil
 }
 
+func proxyToTransportOptions(proxy string) (transport.ProxyOptions, error) {
+	if proxy == "" {
+		return transport.ProxyOptions{}, nil
+	}
+
+	p, err := url.Parse(proxy)
+	if err != nil {
+		return transport.ProxyOptions{}, err
+	}
+
+	if p.Scheme == "" {
+		p.Scheme = "http"
+	}
+
+	username := p.User.Username()
+	password, _ := p.User.Password()
+
+	p.User = nil
+
+	return transport.ProxyOptions{
+		URL:      p.String(),
+		Username: username,
+		Password: password,
+	}, nil
+}
+
 func CheckWriteNoRead(ctx context.Context, DetStore GetterByPublicId, writeNoRead *string) (shouldFail bool) {
 	if writeNoRead == nil {
 		return false
@@ -312,4 +346,4 @@ func AddUser(previous string, user *model.User, sep string) string {
 
 func EscapeDoubleQuotes(str string) string {
 	return doubleQuoteEscaper.ReplaceAllString(str, "\\$1$2")
-}
\ No newline at end of file
+}
diff --git a/server/modules/detections/detengine_helpers_test.go b/server/modules/detections/detengine_helpers_test.go
index e4d539f5..cec9a4ce 100644
--- a/server/modules/detections/detengine_helpers_test.go
+++ b/server/modules/detections/detengine_helpers_test.go
@@ -12,6 +12,8 @@ import (
 	servermock "github.com/security-onion-solutions/securityonion-soc/server/mock"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/detections/mock"
 	"github.com/security-onion-solutions/securityonion-soc/util"
+
+	"github.com/go-git/go-git/v5/plumbing/transport"
 	"github.com/tj/assert"
 	"go.uber.org/mock/gomock"
 )
@@ -212,3 +214,69 @@ func TestEscapeDoubleQuotes(t *testing.T) {
 		})
 	}
 }
+
+func TestProxyToTransportOptions(t *testing.T) {
+	tests := []struct {
+		Name     string
+		Proxy    string
+		Opts     transport.ProxyOptions
+		ExpError *string
+	}{
+		{
+			Name:  "Empty",
+			Proxy: "",
+			Opts:  transport.ProxyOptions{},
+		},
+		{
+			Name:  "No Auth",
+			Proxy: "http://localhost:8080",
+			Opts: transport.ProxyOptions{
+				URL: "http://localhost:8080",
+			},
+		},
+		{
+			Name:  "No Port",
+			Proxy: "http://proxyHost",
+			Opts: transport.ProxyOptions{
+				URL: "http://proxyHost",
+			},
+		},
+		{
+			Name:  "With Auth",
+			Proxy: "http://user:pass@proxyHost:3128",
+			Opts: transport.ProxyOptions{
+				URL:      "http://proxyHost:3128",
+				Username: "user",
+				Password: "pass",
+			},
+		},
+		{
+			Name:  "Assume HTTP Schema",
+			Proxy: "proxyHost",
+			Opts: transport.ProxyOptions{
+				URL: "http://proxyHost",
+			},
+		},
+		{
+			Name:     "Invalid URL",
+			Proxy:    "%",
+			ExpError: util.Ptr(`parse "%": invalid URL escape "%"`),
+			Opts:     transport.ProxyOptions{},
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			opts, err := proxyToTransportOptions(test.Proxy)
+			if test.ExpError != nil {
+				assert.Error(t, err)
+				assert.Equal(t, *test.ExpError, err.Error())
+			} else {
+				assert.NoError(t, err)
+			}
+
+			assert.Equal(t, test.Opts, opts)
+		})
+	}
+}
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 4e4c00d4..3fec910c 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -17,6 +17,7 @@ import (
 	"io"
 	"io/fs"
 	"net/http"
+	"net/url"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -126,10 +127,14 @@ func checkRulesetEnabled(e *ElastAlertEngine, det *model.Detection) {
 }
 
 func NewElastAlertEngine(srv *server.Server) *ElastAlertEngine {
-	return &ElastAlertEngine{
-		srv:       srv,
-		IOManager: &ResourceManager{},
+	engine := &ElastAlertEngine{
+		srv: srv,
 	}
+
+	resMan := &ResourceManager{Engine: engine}
+	engine.IOManager = resMan
+
+	return engine
 }
 
 func (e *ElastAlertEngine) PrerequisiteModules() []string {
@@ -612,7 +617,7 @@ func (e *ElastAlertEngine) startCommunityRuleImport() {
 
 		var dirtyRepos map[string]*detections.DirtyRepo
 
-		dirtyRepos, repoChanges, err = detections.UpdateRepos(&e.isRunning, e.reposFolder, e.rulesRepos)
+		dirtyRepos, repoChanges, err = detections.UpdateRepos(&e.isRunning, e.reposFolder, e.rulesRepos, e.srv.Config.Proxy)
 		if err != nil {
 			if strings.Contains(err.Error(), "module stopped") {
 				break
@@ -1656,7 +1661,9 @@ func (e *ElastAlertEngine) getDeployedPublicIds() (publicIds []string, err error
 // go install go.uber.org/mock/mockgen@latest
 //go:generate mockgen -destination mock/mock_iomanager.go -package mock . IOManager
 
-type ResourceManager struct{}
+type ResourceManager struct {
+	Engine *ElastAlertEngine
+}
 
 func (_ *ResourceManager) ReadFile(path string) ([]byte, error) {
 	return os.ReadFile(path)
@@ -1674,8 +1681,23 @@ func (_ *ResourceManager) ReadDir(path string) ([]os.DirEntry, error) {
 	return os.ReadDir(path)
 }
 
-func (_ *ResourceManager) MakeRequest(req *http.Request) (*http.Response, error) {
-	return http.DefaultClient.Do(req)
+func (resman *ResourceManager) MakeRequest(req *http.Request) (*http.Response, error) {
+	var client *http.Client = http.DefaultClient
+
+	if resman.Engine.srv.Config.Proxy != "" {
+		p, err := url.Parse(resman.Engine.srv.Config.Proxy)
+		if err != nil {
+			log.WithError(err).WithField("proxy", resman.Engine.srv.Config.Proxy).Error("unable to parse proxy URL, not using proxy")
+		} else {
+			client = &http.Client{
+				Transport: &http.Transport{
+					Proxy: http.ProxyURL(p),
+				},
+			}
+		}
+	}
+
+	return client.Do(req)
 }
 
 func (_ *ResourceManager) ExecCommand(cmd *exec.Cmd) (output []byte, exitCode int, runtime time.Duration, err error) {
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
index 064c4f40..588966f9 100644
--- a/server/modules/strelka/strelka.go
+++ b/server/modules/strelka/strelka.go
@@ -400,7 +400,7 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 
 		upToDate := map[string]*model.RuleRepo{}
 
-		allRepos, anythingNew, err := detections.UpdateRepos(&e.isRunning, e.reposFolder, e.rulesRepos)
+		allRepos, anythingNew, err := detections.UpdateRepos(&e.isRunning, e.reposFolder, e.rulesRepos, e.srv.Config.Proxy)
 		if err != nil {
 			if strings.Contains(err.Error(), "module stopped") {
 				break

From 133052c6734f945e1bd033a529f1b74b76a0f300 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 6 Jun 2024 13:57:37 -0600
Subject: [PATCH 15/57] Test use of proxy

---
 server/modules/elastalert/elastalert.go      |  9 ++-
 server/modules/elastalert/elastalert_test.go | 66 ++++++++++++++++++++
 2 files changed, 73 insertions(+), 2 deletions(-)

diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 3fec910c..cb8107f1 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -1682,7 +1682,12 @@ func (_ *ResourceManager) ReadDir(path string) ([]os.DirEntry, error) {
 }
 
 func (resman *ResourceManager) MakeRequest(req *http.Request) (*http.Response, error) {
-	var client *http.Client = http.DefaultClient
+	client := resman.buildHttpClient()
+	return client.Do(req)
+}
+
+func (resman *ResourceManager) buildHttpClient() *http.Client {
+	client := http.DefaultClient
 
 	if resman.Engine.srv.Config.Proxy != "" {
 		p, err := url.Parse(resman.Engine.srv.Config.Proxy)
@@ -1697,7 +1702,7 @@ func (resman *ResourceManager) MakeRequest(req *http.Request) (*http.Response, e
 		}
 	}
 
-	return client.Do(req)
+	return client
 }
 
 func (_ *ResourceManager) ExecCommand(cmd *exec.Cmd) (output []byte, exitCode int, runtime time.Duration, err error) {
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index e77b29b9..1c6839ea 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -22,6 +22,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/security-onion-solutions/securityonion-soc/config"
 	"github.com/security-onion-solutions/securityonion-soc/licensing"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/module"
@@ -1027,3 +1028,68 @@ func TestGetDeployedPublicIds(t *testing.T) {
 	assert.Contains(t, ids, "00000000-0000-0000-0000-000000000000")
 	assert.Contains(t, ids, "11111111-1111-1111-1111-111111111111")
 }
+
+func TestBuildHttpClient(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		Name                 string
+		Proxy                string
+		ExpectedTransportNil bool
+		ExpProxy             *string
+	}{
+		{
+			Name:                 "Empty",
+			Proxy:                "",
+			ExpectedTransportNil: true,
+		},
+		{
+			Name:                 "Has Proxy",
+			Proxy:                "http://myProxy:3128",
+			ExpectedTransportNil: false,
+			ExpProxy:             util.Ptr("http://myProxy:3128"),
+		},
+		{
+			Name:                 "Invalid Proxy",
+			Proxy:                "%",
+			ExpectedTransportNil: true,
+		},
+	}
+
+	proxy := "http://myProxy:3128"
+
+	resman := &ResourceManager{
+		Engine: &ElastAlertEngine{
+			srv: &server.Server{
+				Config: &config.ServerConfig{
+					Proxy: "",
+				},
+			},
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+
+			resman.Engine.srv.Config.Proxy = test.Proxy
+
+			client := resman.buildHttpClient()
+
+			if test.ExpectedTransportNil {
+				assert.Nil(t, client.Transport)
+			} else {
+				assert.NotNil(t, client.Transport)
+				assert.IsType(t, &http.Transport{}, client.Transport)
+
+				transport := client.Transport.(*http.Transport)
+				assert.NotNil(t, transport.Proxy)
+
+				proxyURL, err := transport.Proxy(nil)
+				assert.NoError(t, err)
+				assert.Equal(t, proxy, proxyURL.String())
+			}
+		})
+	}
+}

From 4c293d36b30c5250a44ef4c2eb97f4cd61eca983 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 6 Jun 2024 16:35:07 -0600
Subject: [PATCH 16/57] RootCA and InsecureSkipVerify

Detections will use the RootCA if available to make outgoing requests. This is useful for networks behind a proxy that performs SSL Termination.

To help with debugging, an InsecureSkipVerify has been added that will not verify certs during requests.

Expanded tests.
---
 config/serverconfig.go                        |  2 +
 .../modules/detections/detengine_helpers.go   | 25 ++++---
 server/modules/elastalert/elastalert.go       | 44 ++++++++---
 server/modules/elastalert/elastalert_test.go  | 74 ++++++++++++++-----
 server/modules/strelka/strelka.go             |  2 +-
 5 files changed, 108 insertions(+), 39 deletions(-)

diff --git a/config/serverconfig.go b/config/serverconfig.go
index c93b3f3c..c81b81d2 100644
--- a/config/serverconfig.go
+++ b/config/serverconfig.go
@@ -38,6 +38,8 @@ type ServerConfig struct {
 	TimezoneScript          string                 `json:"timezoneScript"`
 	MaxUploadSizeBytes      int                    `json:"maxUploadSizeBytes"`
 	Proxy                   string                 `json:"proxy"`
+	RootCA                  string                 `json:"rootCA"`
+	InsecureSkipVerify      bool                   `json:"insecureSkipVerify"`
 	SrvKey                  string                 `json:"srvKey"`
 	SrvKeyBytes             []byte
 	SrvExpSeconds           int `json:"srvExpSeconds"`
diff --git a/server/modules/detections/detengine_helpers.go b/server/modules/detections/detengine_helpers.go
index ed2eed8a..9db77c8f 100644
--- a/server/modules/detections/detengine_helpers.go
+++ b/server/modules/detections/detengine_helpers.go
@@ -13,6 +13,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/security-onion-solutions/securityonion-soc/config"
 	"github.com/security-onion-solutions/securityonion-soc/model"
 
 	"github.com/apex/log"
@@ -112,7 +113,7 @@ type DirtyRepo struct {
 	Repo        *model.RuleRepo
 }
 
-func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.RuleRepo, proxy string) (allRepos map[string]*DirtyRepo, anythingNew bool, err error) {
+func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.RuleRepo, cfg *config.ServerConfig) (allRepos map[string]*DirtyRepo, anythingNew bool, err error) {
 	allRepos = map[string]*DirtyRepo{} // map[repoPath]repo
 
 	// read existing repos
@@ -154,9 +155,9 @@ func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.Rul
 		allRepos[repoPath] = dirty
 		reclone := false
 
-		proxyOpts, err := proxyToTransportOptions(proxy)
+		proxyOpts, err := proxyToTransportOptions(cfg.Proxy)
 		if err != nil {
-			log.WithError(err).WithField("proxy", proxy).Error("failed to parse proxy URL, not using the proxy")
+			log.WithError(err).WithField("proxy", cfg.Proxy).Error("failed to parse proxy URL, not using the proxy")
 			// no return here, not a bug
 		}
 
@@ -197,9 +198,11 @@ func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.Rul
 			defer cancel()
 
 			err = work.PullContext(ctx, &git.PullOptions{
-				Depth:        1,
-				SingleBranch: true,
-				ProxyOptions: proxyOpts,
+				Depth:           1,
+				SingleBranch:    true,
+				ProxyOptions:    proxyOpts,
+				CABundle:        []byte(cfg.RootCA),
+				InsecureSkipTLS: cfg.InsecureSkipVerify,
 			})
 			if err != nil && err != git.NoErrAlreadyUpToDate {
 				log.WithError(err).WithField("repoPath", repoPath).Error("failed to pull repo, doing nothing with it")
@@ -231,10 +234,12 @@ func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.Rul
 		if !ok || reclone {
 			// repo does not exist or was just deleted, clone
 			_, err = git.PlainClone(repoPath, false, &git.CloneOptions{
-				Depth:        1,
-				SingleBranch: true,
-				URL:          repo.Repo,
-				ProxyOptions: proxyOpts,
+				Depth:           1,
+				SingleBranch:    true,
+				URL:             repo.Repo,
+				ProxyOptions:    proxyOpts,
+				CABundle:        []byte(cfg.RootCA),
+				InsecureSkipTLS: cfg.InsecureSkipVerify,
 			})
 			if err != nil {
 				log.WithError(err).WithField("repoPath", repoPath).Error("failed to clone repo, doing nothing with it")
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index cb8107f1..78750536 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -10,6 +10,8 @@ import (
 	"bytes"
 	"context"
 	"crypto/sha256"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
@@ -617,7 +619,7 @@ func (e *ElastAlertEngine) startCommunityRuleImport() {
 
 		var dirtyRepos map[string]*detections.DirtyRepo
 
-		dirtyRepos, repoChanges, err = detections.UpdateRepos(&e.isRunning, e.reposFolder, e.rulesRepos, e.srv.Config.Proxy)
+		dirtyRepos, repoChanges, err = detections.UpdateRepos(&e.isRunning, e.reposFolder, e.rulesRepos, e.srv.Config)
 		if err != nil {
 			if strings.Contains(err.Error(), "module stopped") {
 				break
@@ -1662,7 +1664,8 @@ func (e *ElastAlertEngine) getDeployedPublicIds() (publicIds []string, err error
 //go:generate mockgen -destination mock/mock_iomanager.go -package mock . IOManager
 
 type ResourceManager struct {
-	Engine *ElastAlertEngine
+	Engine  *ElastAlertEngine
+	_client *http.Client
 }
 
 func (_ *ResourceManager) ReadFile(path string) ([]byte, error) {
@@ -1682,27 +1685,46 @@ func (_ *ResourceManager) ReadDir(path string) ([]os.DirEntry, error) {
 }
 
 func (resman *ResourceManager) MakeRequest(req *http.Request) (*http.Response, error) {
-	client := resman.buildHttpClient()
-	return client.Do(req)
+	if resman._client == nil {
+		// cache for reuse, the config values can't change without a server restart
+		resman._client = resman.buildHttpClient()
+	}
+
+	return resman._client.Do(req)
 }
 
 func (resman *ResourceManager) buildHttpClient() *http.Client {
-	client := http.DefaultClient
+	transport := &http.Transport{}
 
 	if resman.Engine.srv.Config.Proxy != "" {
 		p, err := url.Parse(resman.Engine.srv.Config.Proxy)
 		if err != nil {
 			log.WithError(err).WithField("proxy", resman.Engine.srv.Config.Proxy).Error("unable to parse proxy URL, not using proxy")
 		} else {
-			client = &http.Client{
-				Transport: &http.Transport{
-					Proxy: http.ProxyURL(p),
-				},
-			}
+			transport.Proxy = http.ProxyURL(p)
 		}
 	}
 
-	return client
+	if resman.Engine.srv.Config.InsecureSkipVerify {
+		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+	}
+
+	if resman.Engine.srv.Config.RootCA != "" {
+		if transport.TLSClientConfig == nil {
+			transport.TLSClientConfig = &tls.Config{}
+		}
+
+		pool, err := x509.SystemCertPool()
+		if err != nil {
+			pool = x509.NewCertPool()
+		}
+
+		pool.AppendCertsFromPEM([]byte(resman.Engine.srv.Config.RootCA))
+
+		transport.TLSClientConfig.RootCAs = pool
+	}
+
+	return &http.Client{Transport: transport}
 }
 
 func (_ *ResourceManager) ExecCommand(cmd *exec.Cmd) (output []byte, exitCode int, runtime time.Duration, err error) {
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index 1c6839ea..7ce47a0f 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -1035,24 +1035,46 @@ func TestBuildHttpClient(t *testing.T) {
 	tests := []struct {
 		Name                 string
 		Proxy                string
-		ExpectedTransportNil bool
-		ExpProxy             *string
+		RootCA               string
+		InsecureSkipVerify   bool
+		ExpectEmptyTransport bool
 	}{
 		{
 			Name:                 "Empty",
-			Proxy:                "",
-			ExpectedTransportNil: true,
+			ExpectEmptyTransport: true,
 		},
 		{
-			Name:                 "Has Proxy",
-			Proxy:                "http://myProxy:3128",
-			ExpectedTransportNil: false,
-			ExpProxy:             util.Ptr("http://myProxy:3128"),
+			Name:  "Has Proxy",
+			Proxy: "http://myProxy:3128",
+		},
+		{
+			Name:   "Has Root CA",
+			RootCA: "pubkey",
+		},
+		{
+			Name:               "InvalidSkipVerify",
+			InsecureSkipVerify: true,
+		},
+		{
+			Name:   "Proxy + Root CA",
+			Proxy:  "http://myProxy:3128",
+			RootCA: "pubkey",
+		},
+		{
+			Name:               "Proxy + InsecureSkipVerify",
+			Proxy:              "http://myProxy:3128",
+			InsecureSkipVerify: true,
+		},
+		{
+			Name:               "Proxy + Root CA + InsecureSkipVerify",
+			Proxy:              "http://myProxy:3128",
+			RootCA:             "pubkey",
+			InsecureSkipVerify: true,
 		},
 		{
 			Name:                 "Invalid Proxy",
 			Proxy:                "%",
-			ExpectedTransportNil: true,
+			ExpectEmptyTransport: true,
 		},
 	}
 
@@ -1071,25 +1093,43 @@ func TestBuildHttpClient(t *testing.T) {
 	for _, test := range tests {
 		test := test
 		t.Run(test.Name, func(t *testing.T) {
-			t.Parallel()
-
 			resman.Engine.srv.Config.Proxy = test.Proxy
+			resman.Engine.srv.Config.RootCA = test.RootCA
+			resman.Engine.srv.Config.InsecureSkipVerify = test.InsecureSkipVerify
 
 			client := resman.buildHttpClient()
+			transport := client.Transport.(*http.Transport)
 
-			if test.ExpectedTransportNil {
-				assert.Nil(t, client.Transport)
-			} else {
-				assert.NotNil(t, client.Transport)
-				assert.IsType(t, &http.Transport{}, client.Transport)
+			if test.ExpectEmptyTransport {
+				assert.Equal(t, &http.Transport{}, transport)
+				return
+			}
 
-				transport := client.Transport.(*http.Transport)
+			if test.Proxy != "" {
+				assert.NotNil(t, transport)
 				assert.NotNil(t, transport.Proxy)
 
 				proxyURL, err := transport.Proxy(nil)
 				assert.NoError(t, err)
 				assert.Equal(t, proxy, proxyURL.String())
 			}
+
+			if test.RootCA != "" {
+				assert.NotNil(t, transport.TLSClientConfig)
+				assert.NotNil(t, transport.TLSClientConfig.RootCAs)
+			} else {
+				if transport.TLSClientConfig != nil {
+					assert.Nil(t, transport.TLSClientConfig.RootCAs)
+				}
+			}
+
+			if test.InsecureSkipVerify {
+				assert.True(t, transport.TLSClientConfig.InsecureSkipVerify)
+			} else {
+				if transport.TLSClientConfig != nil {
+					assert.False(t, transport.TLSClientConfig.InsecureSkipVerify)
+				}
+			}
 		})
 	}
 }
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
index 588966f9..4bf5ac6e 100644
--- a/server/modules/strelka/strelka.go
+++ b/server/modules/strelka/strelka.go
@@ -400,7 +400,7 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 
 		upToDate := map[string]*model.RuleRepo{}
 
-		allRepos, anythingNew, err := detections.UpdateRepos(&e.isRunning, e.reposFolder, e.rulesRepos, e.srv.Config.Proxy)
+		allRepos, anythingNew, err := detections.UpdateRepos(&e.isRunning, e.reposFolder, e.rulesRepos, e.srv.Config)
 		if err != nil {
 			if strings.Contains(err.Error(), "module stopped") {
 				break

From 6a558bef233d135cb0ca124175eef0378879f203 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 7 Jun 2024 12:48:51 -0600
Subject: [PATCH 17/57] RootCA => AdditionalCA, some cleanup

RootCA has been renamed to AdditionalCA.

Strelka's IOManager had an unused function on it: MakeRequest. Removed.
---
 config/serverconfig.go                         | 2 +-
 server/modules/detections/detengine_helpers.go | 4 ++--
 server/modules/elastalert/elastalert.go        | 4 ++--
 server/modules/elastalert/elastalert_test.go   | 2 +-
 server/modules/strelka/strelka.go              | 7 -------
 5 files changed, 6 insertions(+), 13 deletions(-)

diff --git a/config/serverconfig.go b/config/serverconfig.go
index c81b81d2..6cec2dcb 100644
--- a/config/serverconfig.go
+++ b/config/serverconfig.go
@@ -38,7 +38,7 @@ type ServerConfig struct {
 	TimezoneScript          string                 `json:"timezoneScript"`
 	MaxUploadSizeBytes      int                    `json:"maxUploadSizeBytes"`
 	Proxy                   string                 `json:"proxy"`
-	RootCA                  string                 `json:"rootCA"`
+	AdditionalCA            string                 `json:"additionalCA"`
 	InsecureSkipVerify      bool                   `json:"insecureSkipVerify"`
 	SrvKey                  string                 `json:"srvKey"`
 	SrvKeyBytes             []byte
diff --git a/server/modules/detections/detengine_helpers.go b/server/modules/detections/detengine_helpers.go
index 9db77c8f..dccde47d 100644
--- a/server/modules/detections/detengine_helpers.go
+++ b/server/modules/detections/detengine_helpers.go
@@ -201,7 +201,7 @@ func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.Rul
 				Depth:           1,
 				SingleBranch:    true,
 				ProxyOptions:    proxyOpts,
-				CABundle:        []byte(cfg.RootCA),
+				CABundle:        []byte(cfg.AdditionalCA),
 				InsecureSkipTLS: cfg.InsecureSkipVerify,
 			})
 			if err != nil && err != git.NoErrAlreadyUpToDate {
@@ -238,7 +238,7 @@ func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.Rul
 				SingleBranch:    true,
 				URL:             repo.Repo,
 				ProxyOptions:    proxyOpts,
-				CABundle:        []byte(cfg.RootCA),
+				CABundle:        []byte(cfg.AdditionalCA),
 				InsecureSkipTLS: cfg.InsecureSkipVerify,
 			})
 			if err != nil {
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 78750536..423c06c3 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -1709,7 +1709,7 @@ func (resman *ResourceManager) buildHttpClient() *http.Client {
 		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
 	}
 
-	if resman.Engine.srv.Config.RootCA != "" {
+	if resman.Engine.srv.Config.AdditionalCA != "" {
 		if transport.TLSClientConfig == nil {
 			transport.TLSClientConfig = &tls.Config{}
 		}
@@ -1719,7 +1719,7 @@ func (resman *ResourceManager) buildHttpClient() *http.Client {
 			pool = x509.NewCertPool()
 		}
 
-		pool.AppendCertsFromPEM([]byte(resman.Engine.srv.Config.RootCA))
+		pool.AppendCertsFromPEM([]byte(resman.Engine.srv.Config.AdditionalCA))
 
 		transport.TLSClientConfig.RootCAs = pool
 	}
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index 7ce47a0f..72b64871 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -1094,7 +1094,7 @@ func TestBuildHttpClient(t *testing.T) {
 		test := test
 		t.Run(test.Name, func(t *testing.T) {
 			resman.Engine.srv.Config.Proxy = test.Proxy
-			resman.Engine.srv.Config.RootCA = test.RootCA
+			resman.Engine.srv.Config.AdditionalCA = test.RootCA
 			resman.Engine.srv.Config.InsecureSkipVerify = test.InsecureSkipVerify
 
 			client := resman.buildHttpClient()
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
index 4bf5ac6e..a0ef577c 100644
--- a/server/modules/strelka/strelka.go
+++ b/server/modules/strelka/strelka.go
@@ -14,7 +14,6 @@ import (
 	"errors"
 	"fmt"
 	"io/fs"
-	"net/http"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -60,7 +59,6 @@ type IOManager interface {
 	WriteFile(path string, contents []byte, perm fs.FileMode) error
 	DeleteFile(path string) error
 	ReadDir(path string) ([]os.DirEntry, error)
-	MakeRequest(*http.Request) (*http.Response, error)
 	ExecCommand(cmd *exec.Cmd) ([]byte, int, time.Duration, error)
 }
 
@@ -1172,11 +1170,6 @@ func (_ *ResourceManager) DeleteFile(path string) error {
 func (_ *ResourceManager) ReadDir(path string) ([]os.DirEntry, error) {
 	return os.ReadDir(path)
 }
-
-func (_ *ResourceManager) MakeRequest(req *http.Request) (*http.Response, error) {
-	return http.DefaultClient.Do(req)
-}
-
 func (_ *ResourceManager) ExecCommand(cmd *exec.Cmd) (output []byte, exitCode int, runtime time.Duration, err error) {
 	start := time.Now()
 	output, err = cmd.CombinedOutput()

From c5dc260af5932ab86b94d8ffe0731a83954143a5 Mon Sep 17 00:00:00 2001
From: DefensiveDepth <Josh@defensivedepth.com>
Date: Tue, 11 Jun 2024 10:37:43 -0400
Subject: [PATCH 18/57] Use the all.rules for integrity check

---
 server/modules/suricata/suricata.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 56aa6125..5b8ca009 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -47,6 +47,7 @@ var licenseBySource = map[string]string{
 
 const (
 	DEFAULT_COMMUNITY_RULES_FILE                  = "/nsm/rules/suricata/emerging-all.rules"
+	DEFAULT_ALL_RULES_FILE                        = "/opt/sensoroni/nids/all.rules"
 	DEFAULT_RULES_FINGERPRINT_FILE                = "/opt/sensoroni/fingerprints/emerging-all.fingerprint"
 	DEFAULT_COMMUNITY_RULES_IMPORT_FREQUENCY_SECS = 86400
 	DEFAULT_STATE_FILE_PATH                       = "/opt/sensoroni/fingerprints/suricataengine.state"
@@ -67,6 +68,7 @@ type IOManager interface {
 type SuricataEngine struct {
 	srv                                  *server.Server
 	communityRulesFile                   string
+	allRulesFile                         string
 	rulesFingerprintFile                 string
 	communityRulesImportFrequencySeconds int
 	communityRulesImportErrorSeconds     int
@@ -113,6 +115,7 @@ func (e *SuricataEngine) Init(config module.ModuleConfig) (err error) {
 	e.IntegrityCheckerData.Interrupt = make(chan bool, 1)
 
 	e.communityRulesFile = module.GetStringDefault(config, "communityRulesFile", DEFAULT_COMMUNITY_RULES_FILE)
+	e.allRulesFile = module.GetStringDefault(config, "allRulesFile", DEFAULT_ALL_RULES_FILE)
 	e.rulesFingerprintFile = module.GetStringDefault(config, "rulesFingerprintFile", DEFAULT_RULES_FINGERPRINT_FILE)
 	e.communityRulesImportFrequencySeconds = module.GetIntDefault(config, "communityRulesImportFrequencySeconds", DEFAULT_COMMUNITY_RULES_IMPORT_FREQUENCY_SECS)
 	e.communityRulesImportErrorSeconds = module.GetIntDefault(config, "communityRulesImportErrorSeconds", DEFAULT_COMMUNITY_RULES_IMPORT_ERROR_SECS)
@@ -1598,9 +1601,9 @@ func (e *SuricataEngine) IntegrityCheck(canInterrupt bool) error {
 		return detections.ErrIntCheckerStopped
 	}
 
-	commRules, err := e.ReadFile(e.communityRulesFile)
+	allRules, err := e.ReadFile(e.allRulesFile)
 	if err != nil {
-		logger.WithError(err).WithField("path", e.communityRulesFile).Error("unable to read community rules file")
+		logger.WithError(err).WithField("path", e.allRulesFile).Error("unable to read all.rules file")
 		return err
 	}
 
@@ -1628,7 +1631,7 @@ func (e *SuricataEngine) IntegrityCheck(canInterrupt bool) error {
 	disabledLines := strings.Split(disabled.Value, "\n")
 	modifyLines := strings.Split(modify.Value, "\n")
 	rulesLines := strings.Split(local.Value, "\n")
-	rulesLines = append(rulesLines, strings.Split(string(commRules), "\n")...)
+	rulesLines = append(rulesLines, strings.Split(string(allRules), "\n")...)
 
 	disabledIndex := indexEnabled(disabledLines, true)
 	modifyIndex := indexModify(modifyLines, true, true)

From b22f727cdbda3887ee6ae62e07cc307718dd8017 Mon Sep 17 00:00:00 2001
From: DefensiveDepth <Josh@defensivedepth.com>
Date: Tue, 11 Jun 2024 12:50:18 -0400
Subject: [PATCH 19/57] Remove local rules config

---
 server/modules/suricata/suricata.go | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 5b8ca009..dd487478 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -1607,11 +1607,6 @@ func (e *SuricataEngine) IntegrityCheck(canInterrupt bool) error {
 		return err
 	}
 
-	local := settingByID(allSettings, "idstools.rules.local__rules")
-	if local == nil {
-		return fmt.Errorf("unable to find local rules setting")
-	}
-
 	disabled := settingByID(allSettings, "idstools.sids.disabled")
 	if disabled == nil {
 		return fmt.Errorf("unable to find disabled setting")
@@ -1630,8 +1625,7 @@ func (e *SuricataEngine) IntegrityCheck(canInterrupt bool) error {
 	// unpack settings into lines/indices
 	disabledLines := strings.Split(disabled.Value, "\n")
 	modifyLines := strings.Split(modify.Value, "\n")
-	rulesLines := strings.Split(local.Value, "\n")
-	rulesLines = append(rulesLines, strings.Split(string(allRules), "\n")...)
+	rulesLines := strings.Split(string(allRules), "\n")
 
 	disabledIndex := indexEnabled(disabledLines, true)
 	modifyIndex := indexModify(modifyLines, true, true)

From 74a92c418212cfc2a261984b584df7ad75966b13 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Mon, 10 Jun 2024 16:52:20 -0600
Subject: [PATCH 20/57] Suricata, YARA, and Sigma source highlighting

Now importing the Vue Prism Editor and Prism. Their files have been marked as "custom" because the language grammars has to be made special. See https://github.com/coreyogburn/prism

The included languages built into the prism js file: YAML, YARA, Suricata, and Suricata Logic.

The light theme is the default Prism theme. The dark theme is Tomorrow Night.

No plugins.

Updated tests.
---
 html/css/app.css                              | 17 ++++++++++
 .../external/prism-custom-dark-v1.29.0.css    |  3 ++
 .../external/prism-custom-light-v1.29.0.css   |  3 ++
 .../external/vue-prism-editor-v1.3.0.min.css  |  1 +
 html/index.html                               | 11 +++++--
 html/js/app.js                                | 20 ++++++++++++
 html/js/external/prism-custom-v1.29.0.js      |  7 ++++
 ...-prism-editor-v1.3.0.umd.production.min.js |  2 ++
 html/js/routes/detection.js                   | 32 +++++++++++++++++++
 html/js/routes/detection.test.js              |  6 +++-
 10 files changed, 99 insertions(+), 3 deletions(-)
 create mode 100644 html/css/external/prism-custom-dark-v1.29.0.css
 create mode 100644 html/css/external/prism-custom-light-v1.29.0.css
 create mode 100644 html/css/external/vue-prism-editor-v1.3.0.min.css
 create mode 100644 html/js/external/prism-custom-v1.29.0.js
 create mode 100644 html/js/external/vue-prism-editor-v1.3.0.umd.production.min.js

diff --git a/html/css/app.css b/html/css/app.css
index ac039959..a21c496c 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -628,4 +628,21 @@ td {
 #override-filter-edit-buttons {
   display: flex;
   justify-content: end;
+}
+
+.prism {
+  /* you must provide font-family font-size line-height. Example:*/
+  font-family: Fira code, Fira Mono, Consolas, Menlo, Courier, monospace;
+  font-size: 14px;
+  line-height: 1.5;
+  padding: 5px;
+}
+
+/* optional class for removing the outline */
+.prism-editor__textarea:focus {
+  outline: none;
+}
+
+code {
+  background-color: unset !important;
 }
\ No newline at end of file
diff --git a/html/css/external/prism-custom-dark-v1.29.0.css b/html/css/external/prism-custom-dark-v1.29.0.css
new file mode 100644
index 00000000..2c7bd1af
--- /dev/null
+++ b/html/css/external/prism-custom-dark-v1.29.0.css
@@ -0,0 +1,3 @@
+/* PrismJS 1.29.0
+http://localhost:8080/download.html#themes=prism-tomorrow&languages=suricata+yaml+yara */
+code[class*=language-],pre[class*=language-]{color:#ccc;background:0 0;font-family:Consolas,Monaco,'Andale Mono','Ubuntu Mono',monospace;font-size:1em;text-align:left;white-space:pre;word-spacing:normal;word-break:normal;word-wrap:normal;line-height:1.5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-hyphens:none;-moz-hyphens:none;-ms-hyphens:none;hyphens:none}pre[class*=language-]{padding:1em;margin:.5em 0;overflow:auto}:not(pre)>code[class*=language-],pre[class*=language-]{background:#2d2d2d}:not(pre)>code[class*=language-]{padding:.1em;border-radius:.3em;white-space:normal}.token.block-comment,.token.cdata,.token.comment,.token.doctype,.token.prolog{color:#999}.token.punctuation{color:#ccc}.token.attr-name,.token.deleted,.token.namespace,.token.tag{color:#e2777a}.token.function-name{color:#6196cc}.token.boolean,.token.function,.token.number{color:#f08d49}.token.class-name,.token.constant,.token.property,.token.symbol{color:#f8c555}.token.atrule,.token.builtin,.token.important,.token.keyword,.token.selector{color:#cc99cd}.token.attr-value,.token.char,.token.regex,.token.string,.token.variable{color:#7ec699}.token.entity,.token.operator,.token.url{color:#67cdcc}.token.bold,.token.important{font-weight:700}.token.italic{font-style:italic}.token.entity{cursor:help}.token.inserted{color:green}
diff --git a/html/css/external/prism-custom-light-v1.29.0.css b/html/css/external/prism-custom-light-v1.29.0.css
new file mode 100644
index 00000000..74180531
--- /dev/null
+++ b/html/css/external/prism-custom-light-v1.29.0.css
@@ -0,0 +1,3 @@
+/* PrismJS 1.29.0
+http://localhost:8080/download.html#themes=prism&languages=markup+css+clike+javascript */
+code[class*=language-],pre[class*=language-]{color:#000;background:0 0;text-shadow:0 1px #fff;font-family:Consolas,Monaco,'Andale Mono','Ubuntu Mono',monospace;font-size:1em;text-align:left;white-space:pre;word-spacing:normal;word-break:normal;word-wrap:normal;line-height:1.5;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-hyphens:none;-moz-hyphens:none;-ms-hyphens:none;hyphens:none}code[class*=language-] ::-moz-selection,code[class*=language-]::-moz-selection,pre[class*=language-] ::-moz-selection,pre[class*=language-]::-moz-selection{text-shadow:none;background:#b3d4fc}code[class*=language-] ::selection,code[class*=language-]::selection,pre[class*=language-] ::selection,pre[class*=language-]::selection{text-shadow:none;background:#b3d4fc}@media print{code[class*=language-],pre[class*=language-]{text-shadow:none}}pre[class*=language-]{padding:1em;margin:.5em 0;overflow:auto}:not(pre)>code[class*=language-],pre[class*=language-]{background:#f5f2f0}:not(pre)>code[class*=language-]{padding:.1em;border-radius:.3em;white-space:normal}.token.cdata,.token.comment,.token.doctype,.token.prolog{color:#708090}.token.punctuation{color:#999}.token.namespace{opacity:.7}.token.boolean,.token.constant,.token.deleted,.token.number,.token.property,.token.symbol,.token.tag{color:#905}.token.attr-name,.token.builtin,.token.char,.token.inserted,.token.selector,.token.string{color:#690}.language-css .token.string,.style .token.string,.token.entity,.token.operator,.token.url{color:#9a6e3a;background:hsla(0,0%,100%,.5)}.token.atrule,.token.attr-value,.token.keyword{color:#07a}.token.class-name,.token.function{color:#dd4a68}.token.important,.token.regex,.token.variable{color:#e90}.token.bold,.token.important{font-weight:700}.token.italic{font-style:italic}.token.entity{cursor:help}
diff --git a/html/css/external/vue-prism-editor-v1.3.0.min.css b/html/css/external/vue-prism-editor-v1.3.0.min.css
new file mode 100644
index 00000000..0071160f
--- /dev/null
+++ b/html/css/external/vue-prism-editor-v1.3.0.min.css
@@ -0,0 +1 @@
+.prism-editor-wrapper{width:100%;height:100%;display:flex;align-items:flex-start;overflow:auto;-o-tab-size:1.5em;tab-size:1.5em;-moz-tab-size:1.5em}@media (-ms-high-contrast:active),(-ms-high-contrast:none){.prism-editor-wrapper .prism-editor__textarea{color:transparent!important}.prism-editor-wrapper .prism-editor__textarea::-moz-selection{background-color:#accef7!important;color:transparent!important}.prism-editor-wrapper .prism-editor__textarea::selection{background-color:#accef7!important;color:transparent!important}}.prism-editor-wrapper .prism-editor__container{position:relative;text-align:left;box-sizing:border-box;padding:0;overflow:hidden;width:100%}.prism-editor-wrapper .prism-editor__line-numbers{height:100%;overflow:hidden;flex-shrink:0;padding-top:4px;margin-top:0;margin-right:10px}.prism-editor-wrapper .prism-editor__line-number{text-align:right;white-space:nowrap}.prism-editor-wrapper .prism-editor__textarea{position:absolute;top:0;left:0;height:100%;width:100%;resize:none;color:inherit;overflow:hidden;-moz-osx-font-smoothing:grayscale;-webkit-font-smoothing:antialiased;-webkit-text-fill-color:transparent}.prism-editor-wrapper .prism-editor__editor,.prism-editor-wrapper .prism-editor__textarea{margin:0;border:0;background:none;box-sizing:inherit;display:inherit;font-family:inherit;font-size:inherit;font-style:inherit;font-variant-ligatures:inherit;font-weight:inherit;letter-spacing:inherit;line-height:inherit;-moz-tab-size:inherit;-o-tab-size:inherit;tab-size:inherit;text-indent:inherit;text-rendering:inherit;text-transform:inherit;white-space:pre-wrap;word-wrap:keep-all;overflow-wrap:break-word;padding:0}.prism-editor-wrapper .prism-editor__textarea--empty{-webkit-text-fill-color:inherit!important}.prism-editor-wrapper .prism-editor__editor{position:relative;pointer-events:none}
\ No newline at end of file
diff --git a/html/index.html b/html/index.html
index 2e7fd3a3..ac058934 100644
--- a/html/index.html
+++ b/html/index.html
@@ -18,6 +18,8 @@
     <link rel="stylesheet" href="css/external/vuetify-v2.7.1.min.css">
     <link rel="stylesheet" href="css/external/all-6.5.1.min.css">
     <link rel="stylesheet" href="css/external/daterangepicker-3.14.1.css">
+    <link rel="stylesheet" href="css/external/vue-prism-editor-v1.3.0.min.css" />
+    <link rel="stylesheet" href="css/external/prism-custom-dark-v1.29.0.css" />
     <link rel="stylesheet" href="css/app.css?v=VERSION_PLACEHOLDER">
     <title>Security Onion</title>
     <script src="js/analytics.js?v=VERSION_PLACEHOLDER"></script>
@@ -1145,7 +1147,7 @@ <h2 id="detection-title">{{ detect.title }}</h2>
                     </div>
                     <div class="header">{{i18n.detectionLogic}}</div>
                     <div class="extracted-content" data-aid="detection_logic_display">
-                      <pre>{{extractedLogic}}</pre>
+                      <pre><code :class="extractedLogicClass">{{extractedLogic}}</code></pre>
                     </div>
                   </v-col>
                 </v-row>
@@ -1277,7 +1279,10 @@ <h3 class="text--primary">{{ i18n.commentAddDetection }}</h3>
                 <v-row class="contrast-bg rounded rounded-md pa-4">
                   <v-col>
                     <!-- Signature -->
-                    <v-textarea class="config-editor" :readonly="detect.isCommunity" solo flat v-model="detect.content" auto-grow rows="15" data-aid="detection_source_input" />
+                    <span data-aid="detection_source_input">
+                      <prism-editor class="prism" :highlight="highlighter" v-model="detect.content" :readonly="detect.isCommunity"></prism-editor>
+                    </span>
+                    <!-- <v-textarea class="config-editor" :readonly="detect.isCommunity" solo flat v-model="detect.content" auto-grow rows="15" data-aid="detection_source_input" /> -->
                     <div class="d-flex align-center align-self-end justify-end text-body-2">
                       <div class="d-inline-flex justify-end">
                         <v-btn v-if="canConvert()" id="detection-convert" text small color="primary" class="align-self-end" @click="convertDetection()" data-aid="detection_source_convert">
@@ -5137,6 +5142,8 @@ <h2 v-text="i18n.gridMembers"></h2>
     <script src="js/external/chartjs-adapter-moment-1.0.0.min.js"></script>
     <script src="js/external/js-yaml.4.1.0.min.js"></script>
     <script src="js/external/lz-string.1.5.0.min.js"></script>
+    <script src="js/external/vue-prism-editor-v1.3.0.umd.production.min.js"></script>
+    <script src="js/external/prism-custom-v1.29.0.js"></script>
 
     <script src="js/i18n.js?v=VERSION_PLACEHOLDER"></script>
     <script src="js/app.js?v=VERSION_PLACEHOLDER"></script>
diff --git a/html/js/app.js b/html/js/app.js
index fb4ae126..b61325ee 100644
--- a/html/js/app.js
+++ b/html/js/app.js
@@ -86,6 +86,7 @@ $(document).ready(function() {
       parameterCallback: null,
       parameterSection: null,
       chartsInitialized: false,
+      editorInitialized: false,
       tools: [],
       casesEnabled: false,
       detectionsEnabled: false,
@@ -683,15 +684,25 @@ $(document).ready(function() {
       saveLocalSettings() {
         localStorage['settings.app.dark'] = this.$vuetify.theme.dark;
         localStorage['settings.app.navbar'] = this.toolbar;
+        this.updateEditorTheme();
       },
       loadLocalSettings() {
         if (localStorage['settings.app.dark'] != undefined) {
           this.$vuetify.theme.dark = localStorage['settings.app.dark'] == "true";
+          this.updateEditorTheme();
         }
         if (localStorage['settings.app.navbar'] != undefined) {
           this.toolbar = localStorage['settings.app.navbar'] == "true";
         }
       },
+      updateEditorTheme() {
+        var link = $('link[href^="css/external/prism-custom-"]')[0];
+        if (this.$vuetify.theme.dark) {
+          link.href = "css/external/prism-custom-dark-v1.29.0.css";
+        } else {
+          link.href = "css/external/prism-custom-light-v1.29.0.css";
+        }
+      },
       subscribe(kind, fn) {
         this.ensureConnected();
         var list = this.subscriptions[kind];
@@ -860,6 +871,15 @@ $(document).ready(function() {
 
         this.chartsInitialized = true;
       },
+      registerEditor() {
+        Vue.component('prism-editor', PrismEditor.component);
+      },
+      initializeEditor() {
+        if (this.editorInitialized) return;
+        this.registerEditor();
+
+        this.editorInitialized = true;
+      },
       getColor(colorName, percent = 0) {
         percent = this.$root.$vuetify && this.$root.$vuetify.theme.dark ? percent * -1 : percent;
         var color = colorName;
diff --git a/html/js/external/prism-custom-v1.29.0.js b/html/js/external/prism-custom-v1.29.0.js
new file mode 100644
index 00000000..2de9c922
--- /dev/null
+++ b/html/js/external/prism-custom-v1.29.0.js
@@ -0,0 +1,7 @@
+/* PrismJS 1.29.0
+http://localhost:8080/download.html#themes=prism&languages=suricata+suricata-logic+yaml+yara */
+var _self="undefined"!=typeof window?window:"undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?self:{},Prism=function(e){var n=/(?:^|\s)lang(?:uage)?-([\w-]+)(?=\s|$)/i,t=0,r={},a={manual:e.Prism&&e.Prism.manual,disableWorkerMessageHandler:e.Prism&&e.Prism.disableWorkerMessageHandler,util:{encode:function e(n){return n instanceof i?new i(n.type,e(n.content),n.alias):Array.isArray(n)?n.map(e):n.replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/\u00a0/g," ")},type:function(e){return Object.prototype.toString.call(e).slice(8,-1)},objId:function(e){return e.__id||Object.defineProperty(e,"__id",{value:++t}),e.__id},clone:function e(n,t){var r,i;switch(t=t||{},a.util.type(n)){case"Object":if(i=a.util.objId(n),t[i])return t[i];for(var l in r={},t[i]=r,n)n.hasOwnProperty(l)&&(r[l]=e(n[l],t));return r;case"Array":return i=a.util.objId(n),t[i]?t[i]:(r=[],t[i]=r,n.forEach((function(n,a){r[a]=e(n,t)})),r);default:return n}},getLanguage:function(e){for(;e;){var t=n.exec(e.className);if(t)return t[1].toLowerCase();e=e.parentElement}return"none"},setLanguage:function(e,t){e.className=e.className.replace(RegExp(n,"gi"),""),e.classList.add("language-"+t)},currentScript:function(){if("undefined"==typeof document)return null;if("currentScript"in document)return document.currentScript;try{throw new Error}catch(r){var e=(/at [^(\r\n]*\((.*):[^:]+:[^:]+\)$/i.exec(r.stack)||[])[1];if(e){var n=document.getElementsByTagName("script");for(var t in n)if(n[t].src==e)return n[t]}return null}},isActive:function(e,n,t){for(var r="no-"+n;e;){var a=e.classList;if(a.contains(n))return!0;if(a.contains(r))return!1;e=e.parentElement}return!!t}},languages:{plain:r,plaintext:r,text:r,txt:r,extend:function(e,n){var t=a.util.clone(a.languages[e]);for(var r in n)t[r]=n[r];return t},insertBefore:function(e,n,t,r){var i=(r=r||a.languages)[e],l={};for(var o in i)if(i.hasOwnProperty(o)){if(o==n)for(var s in t)t.hasOwnProperty(s)&&(l[s]=t[s]);t.hasOwnProperty(o)||(l[o]=i[o])}var u=r[e];return r[e]=l,a.languages.DFS(a.languages,(function(n,t){t===u&&n!=e&&(this[n]=l)})),l},DFS:function e(n,t,r,i){i=i||{};var l=a.util.objId;for(var o in n)if(n.hasOwnProperty(o)){t.call(n,o,n[o],r||o);var s=n[o],u=a.util.type(s);"Object"!==u||i[l(s)]?"Array"!==u||i[l(s)]||(i[l(s)]=!0,e(s,t,o,i)):(i[l(s)]=!0,e(s,t,null,i))}}},plugins:{},highlightAll:function(e,n){a.highlightAllUnder(document,e,n)},highlightAllUnder:function(e,n,t){var r={callback:t,container:e,selector:'code[class*="language-"], [class*="language-"] code, code[class*="lang-"], [class*="lang-"] code'};a.hooks.run("before-highlightall",r),r.elements=Array.prototype.slice.apply(r.container.querySelectorAll(r.selector)),a.hooks.run("before-all-elements-highlight",r);for(var i,l=0;i=r.elements[l++];)a.highlightElement(i,!0===n,r.callback)},highlightElement:function(n,t,r){var i=a.util.getLanguage(n),l=a.languages[i];a.util.setLanguage(n,i);var o=n.parentElement;o&&"pre"===o.nodeName.toLowerCase()&&a.util.setLanguage(o,i);var s={element:n,language:i,grammar:l,code:n.textContent};function u(e){s.highlightedCode=e,a.hooks.run("before-insert",s),s.element.innerHTML=s.highlightedCode,a.hooks.run("after-highlight",s),a.hooks.run("complete",s),r&&r.call(s.element)}if(a.hooks.run("before-sanity-check",s),(o=s.element.parentElement)&&"pre"===o.nodeName.toLowerCase()&&!o.hasAttribute("tabindex")&&o.setAttribute("tabindex","0"),!s.code)return a.hooks.run("complete",s),void(r&&r.call(s.element));if(a.hooks.run("before-highlight",s),s.grammar)if(t&&e.Worker){var c=new Worker(a.filename);c.onmessage=function(e){u(e.data)},c.postMessage(JSON.stringify({language:s.language,code:s.code,immediateClose:!0}))}else u(a.highlight(s.code,s.grammar,s.language));else u(a.util.encode(s.code))},highlight:function(e,n,t){var r={code:e,grammar:n,language:t};if(a.hooks.run("before-tokenize",r),!r.grammar)throw new Error('The language "'+r.language+'" has no grammar.');return r.tokens=a.tokenize(r.code,r.grammar),a.hooks.run("after-tokenize",r),i.stringify(a.util.encode(r.tokens),r.language)},tokenize:function(e,n){var t=n.rest;if(t){for(var r in t)n[r]=t[r];delete n.rest}var a=new s;return u(a,a.head,e),o(e,a,n,a.head,0),function(e){for(var n=[],t=e.head.next;t!==e.tail;)n.push(t.value),t=t.next;return n}(a)},hooks:{all:{},add:function(e,n){var t=a.hooks.all;t[e]=t[e]||[],t[e].push(n)},run:function(e,n){var t=a.hooks.all[e];if(t&&t.length)for(var r,i=0;r=t[i++];)r(n)}},Token:i};function i(e,n,t,r){this.type=e,this.content=n,this.alias=t,this.length=0|(r||"").length}function l(e,n,t,r){e.lastIndex=n;var a=e.exec(t);if(a&&r&&a[1]){var i=a[1].length;a.index+=i,a[0]=a[0].slice(i)}return a}function o(e,n,t,r,s,g){for(var f in t)if(t.hasOwnProperty(f)&&t[f]){var h=t[f];h=Array.isArray(h)?h:[h];for(var d=0;d<h.length;++d){if(g&&g.cause==f+","+d)return;var v=h[d],p=v.inside,m=!!v.lookbehind,y=!!v.greedy,k=v.alias;if(y&&!v.pattern.global){var x=v.pattern.toString().match(/[imsuy]*$/)[0];v.pattern=RegExp(v.pattern.source,x+"g")}for(var b=v.pattern||v,w=r.next,A=s;w!==n.tail&&!(g&&A>=g.reach);A+=w.value.length,w=w.next){var E=w.value;if(n.length>e.length)return;if(!(E instanceof i)){var P,L=1;if(y){if(!(P=l(b,A,e,m))||P.index>=e.length)break;var S=P.index,O=P.index+P[0].length,j=A;for(j+=w.value.length;S>=j;)j+=(w=w.next).value.length;if(A=j-=w.value.length,w.value instanceof i)continue;for(var C=w;C!==n.tail&&(j<O||"string"==typeof C.value);C=C.next)L++,j+=C.value.length;L--,E=e.slice(A,j),P.index-=A}else if(!(P=l(b,0,E,m)))continue;S=P.index;var N=P[0],_=E.slice(0,S),M=E.slice(S+N.length),W=A+E.length;g&&W>g.reach&&(g.reach=W);var z=w.prev;if(_&&(z=u(n,z,_),A+=_.length),c(n,z,L),w=u(n,z,new i(f,p?a.tokenize(N,p):N,k,N)),M&&u(n,w,M),L>1){var I={cause:f+","+d,reach:W};o(e,n,t,w.prev,A,I),g&&I.reach>g.reach&&(g.reach=I.reach)}}}}}}function s(){var e={value:null,prev:null,next:null},n={value:null,prev:e,next:null};e.next=n,this.head=e,this.tail=n,this.length=0}function u(e,n,t){var r=n.next,a={value:t,prev:n,next:r};return n.next=a,r.prev=a,e.length++,a}function c(e,n,t){for(var r=n.next,a=0;a<t&&r!==e.tail;a++)r=r.next;n.next=r,r.prev=n,e.length-=a}if(e.Prism=a,i.stringify=function e(n,t){if("string"==typeof n)return n;if(Array.isArray(n)){var r="";return n.forEach((function(n){r+=e(n,t)})),r}var i={type:n.type,content:e(n.content,t),tag:"span",classes:["token",n.type],attributes:{},language:t},l=n.alias;l&&(Array.isArray(l)?Array.prototype.push.apply(i.classes,l):i.classes.push(l)),a.hooks.run("wrap",i);var o="";for(var s in i.attributes)o+=" "+s+'="'+(i.attributes[s]||"").replace(/"/g,"&quot;")+'"';return"<"+i.tag+' class="'+i.classes.join(" ")+'"'+o+">"+i.content+"</"+i.tag+">"},!e.document)return e.addEventListener?(a.disableWorkerMessageHandler||e.addEventListener("message",(function(n){var t=JSON.parse(n.data),r=t.language,i=t.code,l=t.immediateClose;e.postMessage(a.highlight(i,a.languages[r],r)),l&&e.close()}),!1),a):a;var g=a.util.currentScript();function f(){a.manual||a.highlightAll()}if(g&&(a.filename=g.src,g.hasAttribute("data-manual")&&(a.manual=!0)),!a.manual){var h=document.readyState;"loading"===h||"interactive"===h&&g&&g.defer?document.addEventListener("DOMContentLoaded",f):window.requestAnimationFrame?window.requestAnimationFrame(f):window.setTimeout(f,16)}return a}(_self);"undefined"!=typeof module&&module.exports&&(module.exports=Prism),"undefined"!=typeof global&&(global.Prism=Prism);
+Prism.languages.suricata={protocol:{pattern:/(^\w+\s+)(tcp|udp|icmp|ip|all|any|tcp-pkt|tcp-stream|http[12]?|ftp|tls|smb|dns|dcerpc|dhcp|ssh|smtp|imap|pop3|modbus|dnp3|enip|nfs|ike|krb5|bittorrent-dht|ntp|dhcp|rfb|rdp|snmp|tftp|sip|websocket)/,lookbehind:!0,alias:"selector"},action:{pattern:/^(alert|pass|drop|reject|rejectsrc|rejectdst|rejectboth)/,alias:"namespace"},direction:{pattern:/(->|<>)/,alias:"operator"},options:{pattern:/\(.*\)?/,greedy:!0,alias:"text",inside:{"opening-paren":{pattern:/^\(/,alias:"operator"},"closing-paren":{pattern:/\)$/,alias:"operator"},string:{pattern:/(["'])(?:\\(?:\r\n|[\s\S])|(?!\1)[^\\\r\n])*\1/,greedy:!0},"option-key":{pattern:/\w+:/,alias:"selector"},"flag-option":{pattern:/(noalert|fast_pattern);/,alias:"tag"}}}};
+Prism.languages["suricata-logic"]={string:{pattern:/(["'])(?:\\(?:\r\n|[\s\S])|(?!\1)[^\\\r\n])*\1/,greedy:!0},protocol:{pattern:/\b(tcp|udp|icmp|ip|all|any|tcp-pkt|tcp-stream|http[12]?|ftp|tls|smb|dns|dcerpc|dhcp|ssh|smtp|imap|pop3|modbus|dnp3|enip|nfs|ike|krb5|bittorrent-dht|ntp|dhcp|rfb|rdp|snmp|tftp|sip|websocket)\b/,lookbehind:!0,alias:"selector"},direction:{pattern:/(->|<>)/,alias:"operator"},"flag-option":{pattern:/(noalert|fast_pattern)/,alias:"tag"},"option-key":{pattern:/\w+:/,alias:"selector"}};
+!function(e){var n=/[*&][^\s[\]{},]+/,r=/!(?:<[\w\-%#;/?:@&=+$,.!~*'()[\]]+>|(?:[a-zA-Z\d-]*!)?[\w\-%#;/?:@&=+$.~*'()]+)?/,t="(?:"+r.source+"(?:[ \t]+"+n.source+")?|"+n.source+"(?:[ \t]+"+r.source+")?)",a="(?:[^\\s\\x00-\\x08\\x0e-\\x1f!\"#%&'*,\\-:>?@[\\]`{|}\\x7f-\\x84\\x86-\\x9f\\ud800-\\udfff\\ufffe\\uffff]|[?:-]<PLAIN>)(?:[ \t]*(?:(?![#:])<PLAIN>|:<PLAIN>))*".replace(/<PLAIN>/g,(function(){return"[^\\s\\x00-\\x08\\x0e-\\x1f,[\\]{}\\x7f-\\x84\\x86-\\x9f\\ud800-\\udfff\\ufffe\\uffff]"})),d="\"(?:[^\"\\\\\r\n]|\\\\.)*\"|'(?:[^'\\\\\r\n]|\\\\.)*'";function o(e,n){n=(n||"").replace(/m/g,"")+"m";var r="([:\\-,[{]\\s*(?:\\s<<prop>>[ \t]+)?)(?:<<value>>)(?=[ \t]*(?:$|,|\\]|\\}|(?:[\r\n]\\s*)?#))".replace(/<<prop>>/g,(function(){return t})).replace(/<<value>>/g,(function(){return e}));return RegExp(r,n)}e.languages.yaml={scalar:{pattern:RegExp("([\\-:]\\s*(?:\\s<<prop>>[ \t]+)?[|>])[ \t]*(?:((?:\r?\n|\r)[ \t]+)\\S[^\r\n]*(?:\\2[^\r\n]+)*)".replace(/<<prop>>/g,(function(){return t}))),lookbehind:!0,alias:"string"},comment:/#.*/,key:{pattern:RegExp("((?:^|[:\\-,[{\r\n?])[ \t]*(?:<<prop>>[ \t]+)?)<<key>>(?=\\s*:\\s)".replace(/<<prop>>/g,(function(){return t})).replace(/<<key>>/g,(function(){return"(?:"+a+"|"+d+")"}))),lookbehind:!0,greedy:!0,alias:"atrule"},directive:{pattern:/(^[ \t]*)%.+/m,lookbehind:!0,alias:"important"},datetime:{pattern:o("\\d{4}-\\d\\d?-\\d\\d?(?:[tT]|[ \t]+)\\d\\d?:\\d{2}:\\d{2}(?:\\.\\d*)?(?:[ \t]*(?:Z|[-+]\\d\\d?(?::\\d{2})?))?|\\d{4}-\\d{2}-\\d{2}|\\d\\d?:\\d{2}(?::\\d{2}(?:\\.\\d*)?)?"),lookbehind:!0,alias:"number"},boolean:{pattern:o("false|true","i"),lookbehind:!0,alias:"important"},null:{pattern:o("null|~","i"),lookbehind:!0,alias:"important"},string:{pattern:o(d),lookbehind:!0,greedy:!0},number:{pattern:o("[+-]?(?:0x[\\da-f]+|0o[0-7]+|(?:\\d+(?:\\.\\d*)?|\\.\\d+)(?:e[+-]?\\d+)?|\\.inf|\\.nan)","i"),lookbehind:!0},tag:r,important:n,punctuation:/---|[:[\]{}\-,|>?]|\.\.\./},e.languages.yml=e.languages.yaml}(Prism);
+Prism.languages.yara={comment:[{pattern:/(^|[^\\])\/\*[\s\S]*?(?:\*\/|$)/,lookbehind:!0,greedy:!0},{pattern:/(^|[^\\:])\/\/.*/,lookbehind:!0,greedy:!0}],string:{pattern:/"(?:\\.|[^"\\\r\n])*"/,greedy:!0},"rule-signature":{pattern:/(private\s+)?rule\s*[a-z_][a-z0-9_]{0,127}\s*(:(\s*[a-z_][a-z0-9_]{0,50})+)?/i,alias:"text",inside:{"tag-separator":{pattern:/:/,alias:"operator"},identifier:{pattern:/(rule\s+)[a-z_][a-z0-9_]{0,127}/i,lookbehind:!0,alias:"text"},"private-rule":{pattern:/^(private\s+)?rule\b/i,alias:"keyword"},tag:{pattern:/[a-z_][a-z0-9_]{0,50}/i,alias:"property"}}},"category-header":{pattern:/(\n\s*)\w+:/,lookbehind:!0,alias:"keyword"},"byte-sequence":{pattern:/\{[a-f0-9 \[\]\?]*\}/i,alias:"string"},keyword:{pattern:/\b(all|and|any|ascii|at|base64(wide)?|condition|(i)?contains|(i)?endswith|entrypoint|false|filesize|for|fullword|global|import|in|include|(u)?int16(be)?|(u)?int32(be)?|(u)?int8(be)?|iequals|(i)?startswith|matches|meta|nocase|none|not|of|or|private|rule|strings|them|true|wide|xor|defined)\b/i}},Prism.languages.YARA=Prism.languages.yara;
diff --git a/html/js/external/vue-prism-editor-v1.3.0.umd.production.min.js b/html/js/external/vue-prism-editor-v1.3.0.umd.production.min.js
new file mode 100644
index 00000000..244a1515
--- /dev/null
+++ b/html/js/external/vue-prism-editor-v1.3.0.umd.production.min.js
@@ -0,0 +1,2 @@
+!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?e(exports,require("vue")):"function"==typeof define&&define.amd?define(["exports","vue"],e):e((t=t||self).PrismEditor={},t.Vue)}(this,(function(t,e){"use strict";var i=void 0!==typeof self?self:this;function s(){return(s=Object.assign||function(t){for(var e=1;e<arguments.length;e++){var i=arguments[e];for(var s in i)Object.prototype.hasOwnProperty.call(i,s)&&(t[s]=i[s])}return t}).apply(this,arguments)}e=e&&Object.prototype.hasOwnProperty.call(e,"default")?e.default:e;var n="undefined"!=typeof window&&navigator&&/Win/i.test(navigator.platform),r="undefined"!=typeof window&&navigator&&/(Mac|iPhone|iPod|iPad)/i.test(navigator.platform),o=e.extend({props:{lineNumbers:{type:Boolean,default:!1},autoStyleLineNumbers:{type:Boolean,default:!0},readonly:{type:Boolean,default:!1},value:{type:String,default:""},highlight:{type:Function,required:!0},tabSize:{type:Number,default:2},insertSpaces:{type:Boolean,default:!0},ignoreTabKey:{type:Boolean,default:!1},placeholder:{type:String,default:""}},data:function(){return{capture:!0,history:{stack:[],offset:-1},lineNumbersHeight:"20px",codeData:""}},watch:{value:{immediate:!0,handler:function(t){this.codeData=t||""}},content:{immediate:!0,handler:function(){var t=this;this.lineNumbers&&this.$nextTick((function(){t.setLineNumbersHeight()}))}},lineNumbers:function(){var t=this;this.$nextTick((function(){t.styleLineNumbers(),t.setLineNumbersHeight()}))}},computed:{isEmpty:function(){return 0===this.codeData.length},content:function(){return this.highlight(this.codeData)+"<br />"},lineNumbersCount:function(){return this.codeData.split(/\r\n|\n/).length}},mounted:function(){this._recordCurrentState(),this.styleLineNumbers()},methods:{setLineNumbersHeight:function(){this.lineNumbersHeight=getComputedStyle(this.$refs.pre).height},styleLineNumbers:function(){if(this.lineNumbers&&this.autoStyleLineNumbers){var t=this.$refs.pre,e=this.$el.querySelector(".prism-editor__line-numbers"),i=window.getComputedStyle(t);this.$nextTick((function(){var s="border-top-left-radius",n="border-bottom-left-radius";e&&(e.style[s]=i[s],e.style[n]=i[n],t.style[s]="0",t.style[n]="0",["background-color","margin-top","padding-top","font-family","font-size","line-height"].forEach((function(t){e.style[t]=i[t]})),e.style["margin-bottom"]="-"+i["padding-top"])}))}},_recordCurrentState:function(){var t=this.$refs.textarea;t&&this._recordChange({value:t.value,selectionStart:t.selectionStart,selectionEnd:t.selectionEnd})},_getLines:function(t,e){return t.substring(0,e).split("\n")},_applyEdits:function(t){var e=this.$refs.textarea,i=this.history.stack[this.history.offset];i&&e&&(this.history.stack[this.history.offset]=s({},i,{selectionStart:e.selectionStart,selectionEnd:e.selectionEnd})),this._recordChange(t),this._updateInput(t)},_recordChange:function(t,e){void 0===e&&(e=!1);var i=this.history,n=i.stack,r=i.offset;if(n.length&&r>-1){this.history.stack=n.slice(0,r+1);var o=this.history.stack.length;if(o>100){var a=o-100;this.history.stack=n.slice(a,o),this.history.offset=Math.max(this.history.offset-a,0)}}var l=Date.now();if(e){var h=this.history.stack[this.history.offset];if(h&&l-h.timestamp<3e3){var u,d,c=/[^a-z0-9]([a-z0-9]+)$/i,f=null===(u=this._getLines(h.value,h.selectionStart).pop())||void 0===u?void 0:u.match(c),p=null===(d=this._getLines(t.value,t.selectionStart).pop())||void 0===d?void 0:d.match(c);if(f&&p&&p[1].startsWith(f[1]))return void(this.history.stack[this.history.offset]=s({},t,{timestamp:l}))}}this.history.stack.push(s({},t,{timestamp:l})),this.history.offset++},_updateInput:function(t){var e=this.$refs.textarea;e&&(e.value=t.value,e.selectionStart=t.selectionStart,e.selectionEnd=t.selectionEnd,this.$emit("input",t.value))},handleChange:function(t){var e=t.target,i=e.value;this._recordChange({value:i,selectionStart:e.selectionStart,selectionEnd:e.selectionEnd},!0),this.$emit("input",i)},_undoEdit:function(){var t=this.history,e=t.offset,i=t.stack[e-1];i&&(this._updateInput(i),this.history.offset=Math.max(e-1,0))},_redoEdit:function(){var t=this.history,e=t.stack,i=t.offset,s=e[i+1];s&&(this._updateInput(s),this.history.offset=Math.min(i+1,e.length-1))},handleKeyDown:function(t){var e=this.tabSize,i=this.insertSpaces,s=this.ignoreTabKey;if(!this.$listeners.keydown||(this.$emit("keydown",t),!t.defaultPrevented)){27===t.keyCode&&(t.target.blur(),this.$emit("blur",t));var o=t.target,a=o.value,l=o.selectionStart,h=o.selectionEnd,u=(i?" ":"\t").repeat(e);if(9===t.keyCode&&!s&&this.capture)if(t.preventDefault(),t.shiftKey){var d=this._getLines(a,l),c=d.length-1,f=this._getLines(a,h).length-1,p=a.split("\n").map((function(t,e){return e>=c&&e<=f&&t.startsWith(u)?t.substring(u.length):t})).join("\n");a!==p&&this._applyEdits({value:p,selectionStart:d[c].startsWith(u)?l-u.length:l,selectionEnd:h-(a.length-p.length)})}else if(l!==h){var y=this._getLines(a,l),m=y.length-1,v=this._getLines(a,h).length-1,g=y[m];this._applyEdits({value:a.split("\n").map((function(t,e){return e>=m&&e<=v?u+t:t})).join("\n"),selectionStart:/\S/.test(g)?l+u.length:l,selectionEnd:h+u.length*(v-m+1)})}else{var b=l+u.length;this._applyEdits({value:a.substring(0,l)+u+a.substring(h),selectionStart:b,selectionEnd:b})}else if(8===t.keyCode){var _=l!==h;if(a.substring(0,l).endsWith(u)&&!_){t.preventDefault();var k=l-u.length;this._applyEdits({value:a.substring(0,l-u.length)+a.substring(h),selectionStart:k,selectionEnd:k})}}else if(13===t.keyCode){if(l===h){var C=this._getLines(a,l).pop(),E=null==C?void 0:C.match(/^\s+/);if(E&&E[0]){t.preventDefault();var S="\n"+E[0],w=l+S.length;this._applyEdits({value:a.substring(0,l)+S+a.substring(h),selectionStart:w,selectionEnd:w})}}}else if(57===t.keyCode||219===t.keyCode||222===t.keyCode||192===t.keyCode){var K;57===t.keyCode&&t.shiftKey?K=["(",")"]:219===t.keyCode?K=t.shiftKey?["{","}"]:["[","]"]:222===t.keyCode?K=t.shiftKey?['"','"']:["'","'"]:192!==t.keyCode||t.shiftKey||(K=["`","`"]),l!==h&&K&&(t.preventDefault(),this._applyEdits({value:a.substring(0,l)+K[0]+a.substring(l,h)+K[1]+a.substring(h),selectionStart:l,selectionEnd:h+2}))}else!(r?t.metaKey&&90===t.keyCode:t.ctrlKey&&90===t.keyCode)||t.shiftKey||t.altKey?(r?t.metaKey&&90===t.keyCode&&t.shiftKey:n?t.ctrlKey&&89===t.keyCode:t.ctrlKey&&90===t.keyCode&&t.shiftKey)&&!t.altKey?(t.preventDefault(),this._redoEdit()):77!==t.keyCode||!t.ctrlKey||r&&!t.shiftKey||(t.preventDefault(),this.capture=!this.capture):(t.preventDefault(),this._undoEdit())}}},render:function(t){var e=this,i=t("div",{attrs:{class:"prism-editor__line-width-calc",style:"height: 0px; visibility: hidden; pointer-events: none;"}},"999"),s=t("div",{staticClass:"prism-editor__line-numbers",style:{"min-height":this.lineNumbersHeight},attrs:{"aria-hidden":"true"}},[i,Array.from(Array(this.lineNumbersCount).keys()).map((function(e,i){return t("div",{attrs:{class:"prism-editor__line-number token comment"}},""+ ++i)}))]),n=t("textarea",{ref:"textarea",on:{input:this.handleChange,keydown:this.handleKeyDown,click:function(t){e.$emit("click",t)},keyup:function(t){e.$emit("keyup",t)},focus:function(t){e.$emit("focus",t)},blur:function(t){e.$emit("blur",t)}},staticClass:"prism-editor__textarea",class:{"prism-editor__textarea--empty":this.isEmpty},attrs:{spellCheck:"false",autocapitalize:"off",autocomplete:"off",autocorrect:"off","data-gramm":"false",placeholder:this.placeholder,"data-testid":"textarea",readonly:this.readonly},domProps:{value:this.codeData}}),r=t("pre",{ref:"pre",staticClass:"prism-editor__editor",attrs:{"data-testid":"preview"},domProps:{innerHTML:this.content}}),o=t("div",{staticClass:"prism-editor__container"},[n,r]);return t("div",{staticClass:"prism-editor-wrapper"},[this.lineNumbers&&s,o])}});t.PrismEditor=o,Object.defineProperty(t,"__esModule",{value:!0});let a=null;"undefined"!=typeof window?a=window.Vue:void 0!==i&&(a=i.Vue),a&&a.component("PrismEditor",o)}));
+//# sourceMappingURL=prismeditor.umd.production.min.js.map
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index d5b6cd9f..6b457c02 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -93,6 +93,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			extractedSummary: '',
 			extractedReferences: [],
 			extractedLogic: '',
+			extractedLogicClass: '',
 			history: [],
 			extractedCreated: '',
 			extractedUpdated: '',
@@ -129,6 +130,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			},
 	}},
 	created() {
+		this.$root.initializeEditor();
 		this.onDetectionChange = debounce(this.onDetectionChange, 300);
 	},
 	watch: {
@@ -141,6 +143,9 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			});
 		this.$root.loadParameters('detection', this.initDetection);
 	},
+	updated() {
+		Prism.highlightAll();
+	},
 	methods: {
 		async initDetection(params) {
 			this.params = params;
@@ -311,16 +316,20 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 		},
 		extractLogic() {
 			this.extractedLogic = '';
+			this.extractedLogicClass = '';
 
 			switch (this.detect.engine) {
 				case 'suricata':
 					this.extractSuricataLogic();
+					this.extractedLogicClass = 'language-suricata-logic';
 					break;
 				case 'strelka':
 					this.extractStrelkaLogic();
+					this.extractedLogicClass = 'language-yara';
 					break;
 				case 'elastalert':
 					this.extractElastAlertLogic();
+					this.extractedLogicClass = 'language-yaml';
 					break;
 			}
 		},
@@ -1238,5 +1247,28 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			}
 			return true;
 		},
+		highlighter(code) {
+			let grammar = null;
+			let language = null;
+
+			switch (this.detect.language) {
+				case 'sigma':
+					grammar = Prism.languages.yaml;
+					language = 'yaml';
+					break;
+				case 'suricata':
+					grammar = Prism.languages.suricata;
+					language = 'suricata';
+					break;
+				case 'yara':
+					grammar = Prism.languages.yara;
+					language = 'yara';
+					break;
+				default:
+					return code;
+			}
+
+			return Prism.highlight(code, grammar, language);
+		},
 	}
 }});
diff --git a/html/js/routes/detection.test.js b/html/js/routes/detection.test.js
index 36a7e687..1172844a 100644
--- a/html/js/routes/detection.test.js
+++ b/html/js/routes/detection.test.js
@@ -10,8 +10,9 @@ require('./detection.js');
 let comp;
 
 beforeEach(() => {
-  comp = getComponent("detection");
+	comp = getComponent("detection");
 	resetPapi();
+	comp.$root.initializeEditor = () => { };
 	comp.created();
 });
 
@@ -33,6 +34,7 @@ test('extract suricata', () => {
 		{ type: 'text', text: 'Research' },
 	]);
 	expect(comp.extractedLogic).toBe('any any <> any any');
+	expect(comp.extractedLogicClass).toBe('language-suricata-logic');
 	expect(comp.extractedCreated).toBe('2020-01-01');
 	expect(comp.extractedUpdated).toBe('2020-01-02');
 });
@@ -56,6 +58,7 @@ test('extract strelka', () => {
 		{ type: 'url', text:'example.com', link: 'http://example.com' },
 	]);
 	expect(comp.extractedLogic).toBe('strings:\n$a = "test"\ncondition:\n$a');
+	expect(comp.extractedLogicClass).toBe('language-yara');
 	expect(comp.extractedCreated).toBe('2020-01-01');
 	expect(comp.extractedUpdated).toBe('');
 });
@@ -79,6 +82,7 @@ test('extract elastalert', () => {
 		{ type: 'url', text: 'https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign', link: 'https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign' },
 	]);
 	expect(comp.extractedLogic).toBe('logsource:\n  product: windows\n  category: file_event\ndetection:\n  selection:\n    TargetFilename|contains:\n      - ds7002.lnk\n      - ds7002.pdf\n      - ds7002.zip\n    condition: selection');
+	expect(comp.extractedLogicClass).toBe('language-yaml');
 	expect(comp.extractedCreated).toBe('2018/11/20');
 	expect(comp.extractedUpdated).toBe('2023/02/20');
 });

From 3670e8375e03f37f061927353b2cda7c81d23816 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 11 Jun 2024 12:29:41 -0600
Subject: [PATCH 21/57] Highlighting on New Detection page

Some final styling tweaks.

Toggle the theme of the editor when we toggle the theme of the page.

Fix the highlighter code for an edge case on the new detections page.
---
 html/css/app.css            | 11 ++++++++++
 html/index.html             | 43 ++++++++++++++++++-------------------
 html/js/app.js              |  4 ++--
 html/js/routes/detection.js |  2 +-
 4 files changed, 35 insertions(+), 25 deletions(-)

diff --git a/html/css/app.css b/html/css/app.css
index a21c496c..51bb074f 100644
--- a/html/css/app.css
+++ b/html/css/app.css
@@ -534,6 +534,11 @@ td {
   margin-top: 20px;
 }
 
+.detection-source-button-row {
+  margin-top: 6px;
+  margin-bottom: -8px;
+}
+
 .header {
   font-size: 1.3em;
   font-weight: bold;
@@ -636,6 +641,12 @@ td {
   font-size: 14px;
   line-height: 1.5;
   padding: 5px;
+  border: 1px solid gray;
+  border-radius: 3px;
+}
+
+.prism-editor__container {
+  min-height: 10em;
 }
 
 /* optional class for removing the outline */
diff --git a/html/index.html b/html/index.html
index ac058934..d3322ac7 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1088,7 +1088,9 @@ <h2 id="detection-title">{{ detect.title }}</h2>
 
                   <!-- Signature -->
                   <div class="font-weight-bold mb-1">{{ i18n.signature }}:</div>
-                  <v-textarea id="signature-source" class="config-editor" outlined v-model="detect.content" rows="10" :rules="[rules.required]" @input="onDetectionChange()" data-aid="detection_signature_input" />
+                  <span data-aid="detection_signature_input">
+                    <prism-editor class="prism" :highlight="highlighter" v-model="detect.content"></prism-editor>
+                  </span>
                 </div>
                 <div class="d-flex align-center align-self-end text-body-2 mt-2">
                   <div class="d-inline-flex justify-end">
@@ -1276,28 +1278,25 @@ <h3 class="text--primary">{{ i18n.commentAddDetection }}</h3>
               </v-tab-item>
 
               <v-tab-item value="source" data-aid="detection_source">
-                <v-row class="contrast-bg rounded rounded-md pa-4">
-                  <v-col>
-                    <!-- Signature -->
-                    <span data-aid="detection_source_input">
-                      <prism-editor class="prism" :highlight="highlighter" v-model="detect.content" :readonly="detect.isCommunity"></prism-editor>
-                    </span>
-                    <!-- <v-textarea class="config-editor" :readonly="detect.isCommunity" solo flat v-model="detect.content" auto-grow rows="15" data-aid="detection_source_input" /> -->
-                    <div class="d-flex align-center align-self-end justify-end text-body-2">
-                      <div class="d-inline-flex justify-end">
-                        <v-btn v-if="canConvert()" id="detection-convert" text small color="primary" class="align-self-end" @click="convertDetection()" data-aid="detection_source_convert">
-                          {{ i18n.convert }}
-                        </v-btn>
-                        <v-btn id="detection-cancel" v-if="!detect.isCommunity && isDetectionSourceDirty()" text small color="primary" class="align-self-end" @click="cancelDetection()" data-aid="detection_source_cancel">
-                          {{ i18n.cancel }}
-                        </v-btn>
-                        <v-btn id="detection-update" v-if="!detect.isCommunity && isDetectionSourceDirty()" text small color="primary" class="align-self-end" @click="saveDetection(false, true)" data-aid="detection_source_save">
-                          {{i18n.update}}
-                        </v-btn>
-                      </div>
+                <v-col class="contrast-bg rounded rounded-md pa-4">
+                  <!-- Signature -->
+                  <span data-aid="detection_source_input">
+                    <prism-editor class="prism" :highlight="highlighter" v-model="detect.content" :readonly="detect.isCommunity"></prism-editor>
+                  </span>
+                  <div class="d-flex align-self-end justify-end detection-source-button-row">
+                    <div class="d-inline-flex">
+                      <v-btn v-if="canConvert()" id="detection-convert" text small color="primary" class="align-self-end" @click="convertDetection()" data-aid="detection_source_convert">
+                        {{ i18n.convert }}
+                      </v-btn>
+                      <v-btn id="detection-cancel" v-if="!detect.isCommunity && isDetectionSourceDirty()" text small color="primary" class="align-self-end" @click="cancelDetection()" data-aid="detection_source_cancel">
+                        {{ i18n.cancel }}
+                      </v-btn>
+                      <v-btn id="detection-update" v-if="!detect.isCommunity && isDetectionSourceDirty()" text small color="primary" class="align-self-end" @click="saveDetection(false, true)" data-aid="detection_source_save">
+                        {{i18n.update}}
+                      </v-btn>
                     </div>
-                  </v-col>
-                </v-row>
+                  </div>
+                </v-col>
               </v-tab-item>
 
               <v-tab-item value="tuning" data-aid="detection_tuning">
diff --git a/html/js/app.js b/html/js/app.js
index b61325ee..bcbd5514 100644
--- a/html/js/app.js
+++ b/html/js/app.js
@@ -456,7 +456,8 @@ $(document).ready(function() {
       },
       toggleTheme() {
         this.$vuetify.theme.dark = !this.$vuetify.theme.dark
-        this.timestamp=Date.now();
+        this.timestamp = Date.now();
+        this.updateEditorTheme();
       },
       setFavicon() {
         const colorSchemeString = window.matchMedia && window.matchMedia("(prefers-color-scheme: dark)").matches
@@ -684,7 +685,6 @@ $(document).ready(function() {
       saveLocalSettings() {
         localStorage['settings.app.dark'] = this.$vuetify.theme.dark;
         localStorage['settings.app.navbar'] = this.toolbar;
-        this.updateEditorTheme();
       },
       loadLocalSettings() {
         if (localStorage['settings.app.dark'] != undefined) {
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 6b457c02..26061baa 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -1251,7 +1251,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			let grammar = null;
 			let language = null;
 
-			switch (this.detect.language) {
+			switch ((this.detect.language || '').toLowerCase()) {
 				case 'sigma':
 					grammar = Prism.languages.yaml;
 					language = 'yaml';

From 9fb833bbcc9e888e1472a6b0ad9e0e81a414ff64 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 11 Jun 2024 13:20:16 -0600
Subject: [PATCH 22/57] Extract ElastAlert Description

Check the yaml for an elastalert description. If not present, fall back to the Detection's description, and finally the Detection title.

Updated test for various fallback scenarios.
---
 html/js/routes/detection.js      |  7 +++++++
 html/js/routes/detection.test.js | 17 ++++++++++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 26061baa..c59abc81 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -233,6 +233,13 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 					}
 
 					break;
+				case 'elastalert':
+					const yaml = jsyaml.load(this.detect.content, { schema: jsyaml.FAILSAFE_SCHEMA });
+					if (yaml.description) {
+						this.extractedSummary = yaml.description;
+						break;
+					}
+					// else fall through
 				default:
 					if (this.detect.description) {
 						this.extractedSummary = this.detect.description;
diff --git a/html/js/routes/detection.test.js b/html/js/routes/detection.test.js
index 1172844a..0b42e565 100644
--- a/html/js/routes/detection.test.js
+++ b/html/js/routes/detection.test.js
@@ -76,7 +76,7 @@ test('extract elastalert', () => {
 	comp.extractLogic();
 	comp.extractDetails();
 
-	expect(comp.extractedSummary).toBe('Title');
+	expect(comp.extractedSummary).toBe('Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant');
 	expect(comp.extractedReferences).toEqual([
 		{ type: 'url', text: 'https://twitter.com/DrunkBinary/status/1063075530180886529', link: 'https://twitter.com/DrunkBinary/status/1063075530180886529' },
 		{ type: 'url', text: 'https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign', link: 'https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign' },
@@ -85,6 +85,21 @@ test('extract elastalert', () => {
 	expect(comp.extractedLogicClass).toBe('language-yaml');
 	expect(comp.extractedCreated).toBe('2018/11/20');
 	expect(comp.extractedUpdated).toBe('2023/02/20');
+
+	// content with no description
+	comp.detect.content = `title: APT29 2018 Phishing Campaign File Indicators\nid: 3a3f81ca-652c-482b-adeb-b1c804727f74\nrelated:\n  - id: 7453575c-a747-40b9-839b-125a0aae324b # ProcessCreation\n    type: derived\nstatus: stable\nreferences:\n  - https://twitter.com/DrunkBinary/status/1063075530180886529\n  - https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign\nauthor: '@41thexplorer'\ndate: 2018/11/20\nmodified: 2023/02/20\ntags:\n  - attack.defense_evasion\n  - attack.t1218.011\n  - detection.emerging_threats\nlogsource:\n  product: windows\n  category: file_event\ndetection:\n  selection:\n    TargetFilename|contains:\n      - 'ds7002.lnk'\n      - 'ds7002.pdf'\n      - 'ds7002.zip'\n    condition: selection\nfalsepositives:\n  - Unlikely\nlevel: critical`;
+	comp.detect.description = 'Description'
+	comp.extractSummary();
+
+	// fallback first to detection Description...
+	expect(comp.extractedSummary).toBe('Description');
+
+	comp.detect.description = '';
+
+	comp.extractSummary();
+
+	// ... else fallback to title
+	expect(comp.extractedSummary).toBe('Title');
 });
 
 test('fixProtocol', () => {

From ed955210cc56504692615f5643709e7d9bcd2bdf Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 11 Jun 2024 14:43:00 -0600
Subject: [PATCH 23/57] Show tip when Bulk Action starts

Now shows a tip when a Bulk Action starts showing the number of detections being updated/deleted and with update/delete specific verbiage.
---
 html/js/app.js         | 10 ++++++----
 html/js/i18n.js        |  2 ++
 html/js/routes/hunt.js | 10 ++++++++++
 3 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/html/js/app.js b/html/js/app.js
index bcbd5514..96771d3f 100644
--- a/html/js/app.js
+++ b/html/js/app.js
@@ -697,10 +697,12 @@ $(document).ready(function() {
       },
       updateEditorTheme() {
         var link = $('link[href^="css/external/prism-custom-"]')[0];
-        if (this.$vuetify.theme.dark) {
-          link.href = "css/external/prism-custom-dark-v1.29.0.css";
-        } else {
-          link.href = "css/external/prism-custom-light-v1.29.0.css";
+        if (link) {
+          if (this.$vuetify.theme.dark) {
+            link.href = "css/external/prism-custom-dark-v1.29.0.css";
+          } else {
+            link.href = "css/external/prism-custom-light-v1.29.0.css";
+          }
         }
       },
       subscribe(kind, fn) {
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 50d8ff88..e8e24a70 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -121,6 +121,8 @@ const i18n = {
       betweenOp: 'Between',
       blog: 'Blog',
       bulkAction: 'Bulk Action:',
+      bulkActionStarted: 'Updating {total} detections. This may take awhile.',
+      bulkActionDeleteStarted: 'Deleting {total} detections. This may take awhile.',
       bulkError: '',
       bulkSuccessUpdate: 'Bulk update successfully updated {modified} of {total} events. ({time})',
       bulkSuccessDelete: 'Bulk delete successfully deleted {modified} of {total} events. ({time})',
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index e50ac4a2..471847ea 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -2216,6 +2216,16 @@ const huntComponent = {
 
       try {
         await this.$root.papi.post('detection/bulk/' + this.selectedAction, payload);
+
+        let msg = this.i18n.bulkActionStarted;
+        if (this.selectedAction === 'delete') {
+          msg = this.i18n.bulkActionDeleteStarted;
+        }
+
+        msg = msg.replace('{total}', this.selectedCount.toLocaleString());
+
+        this.$root.showTip(msg);
+
         this.selectAllState = false;
         this.selectedCount = 0;
         this.hunt(false);

From 81b39bac26082a5c2b17d7b8555150dc519928c3 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 11 Jun 2024 15:52:59 -0600
Subject: [PATCH 24/57] Add tests

---
 html/js/routes/hunt.test.js | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/html/js/routes/hunt.test.js b/html/js/routes/hunt.test.js
index bde48499..9ca013fd 100644
--- a/html/js/routes/hunt.test.js
+++ b/html/js/routes/hunt.test.js
@@ -1200,6 +1200,7 @@ test('bulkAction - delete - pre-confirm', async () => {
 
   expect(comp.showBulkDeleteConfirmDialog).toBe(true);
   expect(comp.selectedCount).toBe(2);
+  expect(comp.$root.tip).toBe(false);
 });
 
 test('bulkAction - enable', async () => {
@@ -1219,6 +1220,8 @@ test('bulkAction - enable', async () => {
   expect(mock).toHaveBeenCalledWith('detection/bulk/enable', { ids: ["1", "3"] });
   expect(comp.hunt).toHaveBeenCalledTimes(1);
   expect(comp.hunt).toHaveBeenCalledWith(false);
+  expect(comp.$root.tip).toBe(true);
+  expect(comp.$root.tipMessage).toBe('Updating 2 detections. This may take awhile.');
 });
 
 test('bulkAction - disable', async () => {
@@ -1238,6 +1241,8 @@ test('bulkAction - disable', async () => {
   expect(mock).toHaveBeenCalledWith('detection/bulk/disable', { ids: ["1", "3"] });
   expect(comp.hunt).toHaveBeenCalledTimes(1);
   expect(comp.hunt).toHaveBeenCalledWith(false);
+  expect(comp.$root.tip).toBe(true);
+  expect(comp.$root.tipMessage).toBe('Updating 2 detections. This may take awhile.');
 });
 
 test('bulkAction - delete - confirm - success', async () => {
@@ -1258,6 +1263,8 @@ test('bulkAction - delete - confirm - success', async () => {
   expect(mock).toHaveBeenCalledWith('detection/bulk/delete', { ids: ["1", "3"] });
   expect(comp.hunt).toHaveBeenCalledTimes(1);
   expect(comp.hunt).toHaveBeenCalledWith(false);
+  expect(comp.$root.tip).toBe(true);
+  expect(comp.$root.tipMessage).toBe('Deleting 2 detections. This may take awhile.');
 });
 
 test('bulkAction - delete - confirm - failure', async () => {

From 2b499bda754a697ab85364ae87835dd315bfa43d Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Wed, 12 Jun 2024 12:11:50 -0600
Subject: [PATCH 25/57] Deduplication of Detections by Public Id

To support this properly, engines need to process their rules in a deterministic order. If different detections are marked as duplicates from one sync to the next, you never really know which rules your system is executing.

UpdateRepos has been refactored to return an array instead of an unordered map. The array of RepoOnDisk (formerly DirtyRepo) will be in the same order as the repos listed in the config.

Strelka needed even more refactoring as it would parse each rule from beginning to end before going to the next rule. Now it gathers all the detections, dedupes them, then syncs them. Refactored the call to WalkDir to use the IOManager instead of directly calling filepath.WalkDir.

Some tests needed to be updated to work around the changes to UpdateRepos and other determinism changes. Added a new test for the deduplication process.
---
 .../modules/detections/detengine_helpers.go   |  38 +++-
 .../detections/detengine_helpers_test.go      |  53 +++++
 server/modules/elastalert/elastalert.go       |  35 ++--
 server/modules/elastalert/elastalert_test.go  |  17 +-
 server/modules/strelka/mock/mock_iomanager.go |  30 ++-
 server/modules/strelka/strelka.go             | 183 ++++++++++--------
 server/modules/suricata/suricata.go           |   2 +
 7 files changed, 225 insertions(+), 133 deletions(-)

diff --git a/server/modules/detections/detengine_helpers.go b/server/modules/detections/detengine_helpers.go
index dccde47d..3a277a37 100644
--- a/server/modules/detections/detengine_helpers.go
+++ b/server/modules/detections/detengine_helpers.go
@@ -108,13 +108,14 @@ func WriteStateFile(iom IOManager, path string) {
 	}
 }
 
-type DirtyRepo struct {
-	WasModified bool
+type RepoOnDisk struct {
 	Repo        *model.RuleRepo
+	Path        string
+	WasModified bool
 }
 
-func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.RuleRepo, cfg *config.ServerConfig) (allRepos map[string]*DirtyRepo, anythingNew bool, err error) {
-	allRepos = map[string]*DirtyRepo{} // map[repoPath]repo
+func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.RuleRepo, cfg *config.ServerConfig) (allRepos []*RepoOnDisk, anythingNew bool, err error) {
+	allRepos = make([]*RepoOnDisk, 0, len(rulesRepos))
 
 	// read existing repos
 	entries, err := os.ReadDir(baseRepoFolder)
@@ -148,11 +149,12 @@ func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.Rul
 		_, lastFolder := path.Split(parser.Path)
 		repoPath := filepath.Join(baseRepoFolder, lastFolder)
 
-		dirty := &DirtyRepo{
+		dirty := &RepoOnDisk{
 			Repo: repo,
+			Path: repoPath,
 		}
 
-		allRepos[repoPath] = dirty
+		allRepos = append(allRepos, dirty)
 		reclone := false
 
 		proxyOpts, err := proxyToTransportOptions(cfg.Proxy)
@@ -352,3 +354,27 @@ func AddUser(previous string, user *model.User, sep string) string {
 func EscapeDoubleQuotes(str string) string {
 	return doubleQuoteEscaper.ReplaceAllString(str, "\\$1$2")
 }
+
+func DeduplicateByPublicId(detects []*model.Detection) []*model.Detection {
+	set := map[string]*model.Detection{}
+	deduped := make([]*model.Detection, 0, len(detects))
+
+	for _, detect := range detects {
+		existing, inSet := set[detect.PublicID]
+		if inSet {
+			log.WithFields(log.Fields{
+				"publicId":         detect.PublicID,
+				"engine":           detect.Engine,
+				"existingRuleset":  existing.Ruleset,
+				"duplicateRuleset": detect.Ruleset,
+				"existingTitle":    existing.Title,
+				"duplicateTitle":   detect.Title,
+			}).Warn("duplicate publicId found, skipping")
+		} else {
+			set[detect.PublicID] = detect
+			deduped = append(deduped, detect)
+		}
+	}
+
+	return deduped
+}
diff --git a/server/modules/detections/detengine_helpers_test.go b/server/modules/detections/detengine_helpers_test.go
index cec9a4ce..4a41b75f 100644
--- a/server/modules/detections/detengine_helpers_test.go
+++ b/server/modules/detections/detengine_helpers_test.go
@@ -280,3 +280,56 @@ func TestProxyToTransportOptions(t *testing.T) {
 		})
 	}
 }
+
+func TestDeduplicateByPublicId(t *testing.T) {
+	tests := []struct {
+		Name      string
+		InputIds  []string
+		ExpOutput []string
+	}{
+		{
+			Name:      "Empty",
+			InputIds:  []string{},
+			ExpOutput: []string{},
+		},
+		{
+			Name:      "No Duplicates",
+			InputIds:  []string{"1", "2", "3"},
+			ExpOutput: []string{"1", "2", "3"},
+		},
+		{
+			Name:      "Only Duplicates",
+			InputIds:  []string{"1", "1", "1", "1", "1", "1", "1", "1", "1", "1"},
+			ExpOutput: []string{"1"},
+		},
+		{
+			Name:      "Mixed",
+			InputIds:  []string{"1", "2", "1", "3", "2", "4", "1", "5", "2", "6"},
+			ExpOutput: []string{"1", "2", "3", "4", "5", "6"},
+		},
+		{
+			Name:      "One Duplicate",
+			InputIds:  []string{"1", "2", "3", "4", "5", "6", "1"},
+			ExpOutput: []string{"1", "2", "3", "4", "5", "6"},
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			dets := make([]*model.Detection, 0, len(test.InputIds))
+			for _, id := range test.InputIds {
+				dets = append(dets, &model.Detection{PublicID: id})
+			}
+
+			deduped := DeduplicateByPublicId(dets)
+
+			output := make([]string, 0, len(deduped))
+			for _, det := range deduped {
+				output = append(output, det.PublicID)
+			}
+
+			assert.Equal(t, test.ExpOutput, output)
+		})
+	}
+}
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
index 423c06c3..108daf38 100644
--- a/server/modules/elastalert/elastalert.go
+++ b/server/modules/elastalert/elastalert.go
@@ -579,9 +579,6 @@ func (e *ElastAlertEngine) startCommunityRuleImport() {
 			templateFound = true
 		}
 
-		allRepos := map[string]*model.RuleRepo{}
-		var repoChanges bool
-
 		var zips map[string][]byte
 		var errMap map[string]error
 		var regenNeeded bool
@@ -617,9 +614,7 @@ func (e *ElastAlertEngine) startCommunityRuleImport() {
 			continue
 		}
 
-		var dirtyRepos map[string]*detections.DirtyRepo
-
-		dirtyRepos, repoChanges, err = detections.UpdateRepos(&e.isRunning, e.reposFolder, e.rulesRepos, e.srv.Config)
+		dirtyRepos, repoChanges, err := detections.UpdateRepos(&e.isRunning, e.reposFolder, e.rulesRepos, e.srv.Config)
 		if err != nil {
 			if strings.Contains(err.Error(), "module stopped") {
 				break
@@ -637,10 +632,6 @@ func (e *ElastAlertEngine) startCommunityRuleImport() {
 			continue
 		}
 
-		for k, v := range dirtyRepos {
-			allRepos[k] = v.Repo
-		}
-
 		zipHashes := map[string]string{}
 		for pkg, data := range zips {
 			h := sha256.Sum256(data)
@@ -714,7 +705,7 @@ func (e *ElastAlertEngine) startCommunityRuleImport() {
 			break
 		}
 
-		repoDets, errMap := e.parseRepoRules(allRepos)
+		repoDets, errMap := e.parseRepoRules(dirtyRepos)
 		if errMap != nil {
 			log.WithField("sigmaParseError", errMap).Error("something went wrong while parsing sigma rule files from repos")
 		}
@@ -725,6 +716,8 @@ func (e *ElastAlertEngine) startCommunityRuleImport() {
 
 		detects = append(detects, repoDets...)
 
+		detects = detections.DeduplicateByPublicId(detects)
+
 		errMap, err = e.syncCommunityDetections(ctx, detects)
 		if err != nil {
 			if err == errModuleStopped {
@@ -864,11 +857,13 @@ func (e *ElastAlertEngine) parseZipRules(pkgZips map[string][]byte) (detections
 		}
 	}()
 
-	for pkg, zipData := range pkgZips {
+	for _, pkg := range e.sigmaRulePackages {
 		if !e.isRunning {
 			return nil, map[string]error{"module": errModuleStopped}
 		}
 
+		zipData := pkgZips[pkg]
+
 		reader, err := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
 		if err != nil {
 			errMap[pkg] = err
@@ -925,7 +920,7 @@ func (e *ElastAlertEngine) parseZipRules(pkgZips map[string][]byte) (detections
 	return detections, errMap
 }
 
-func (e *ElastAlertEngine) parseRepoRules(allRepos map[string]*model.RuleRepo) (detections []*model.Detection, errMap map[string]error) {
+func (e *ElastAlertEngine) parseRepoRules(allRepos []*detections.RepoOnDisk) (detections []*model.Detection, errMap map[string]error) {
 	errMap = map[string]error{} // map[repoName]error
 	defer func() {
 		if len(errMap) == 0 {
@@ -933,14 +928,14 @@ func (e *ElastAlertEngine) parseRepoRules(allRepos map[string]*model.RuleRepo) (
 		}
 	}()
 
-	for repopath, repo := range allRepos {
+	for _, repo := range allRepos {
 		if !e.isRunning {
 			return nil, map[string]error{"module": errModuleStopped}
 		}
 
-		baseDir := repopath
-		if repo.Folder != nil {
-			baseDir = filepath.Join(baseDir, *repo.Folder)
+		baseDir := repo.Path
+		if repo.Repo.Folder != nil {
+			baseDir = filepath.Join(baseDir, *repo.Repo.Folder)
 		}
 
 		err := e.WalkDir(baseDir, func(path string, d fs.DirEntry, err error) error {
@@ -974,16 +969,16 @@ func (e *ElastAlertEngine) parseRepoRules(allRepos map[string]*model.RuleRepo) (
 				return nil
 			}
 
-			ruleset := filepath.Base(repopath)
+			ruleset := filepath.Base(repo.Path)
 
-			det := rule.ToDetection(ruleset, repo.License, repo.Community)
+			det := rule.ToDetection(ruleset, repo.Repo.License, repo.Repo.Community)
 
 			detections = append(detections, det)
 
 			return nil
 		})
 		if err != nil {
-			log.WithError(err).WithField("elastAlertRuleRepo", repopath).Error("Failed to walk repo")
+			log.WithError(err).WithField("elastAlertRuleRepo", repo.Path).Error("Failed to walk repo")
 			continue
 		}
 	}
diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
index 72b64871..3d328f0a 100644
--- a/server/modules/elastalert/elastalert_test.go
+++ b/server/modules/elastalert/elastalert_test.go
@@ -27,6 +27,7 @@ import (
 	"github.com/security-onion-solutions/securityonion-soc/model"
 	"github.com/security-onion-solutions/securityonion-soc/module"
 	"github.com/security-onion-solutions/securityonion-soc/server"
+	"github.com/security-onion-solutions/securityonion-soc/server/modules/detections"
 	"github.com/security-onion-solutions/securityonion-soc/server/modules/elastalert/mock"
 	"github.com/security-onion-solutions/securityonion-soc/util"
 
@@ -529,7 +530,8 @@ level: high
 	}
 
 	engine := ElastAlertEngine{
-		isRunning: true,
+		isRunning:         true,
+		sigmaRulePackages: []string{"all_rules"},
 	}
 	engine.allowRegex = regexp.MustCompile("00000000-0000-0000-0000-00000000")
 	engine.denyRegex = regexp.MustCompile("deny")
@@ -578,11 +580,14 @@ level: high
 license: Elastic-2.0
 `
 
-	repos := map[string]*model.RuleRepo{
-		"repo-path": {
-			Repo:      "github.com/repo-user/repo-path",
-			License:   "DRL",
-			Community: true,
+	repos := []*detections.RepoOnDisk{
+		{
+			Repo: &model.RuleRepo{
+				Repo:      "github.com/repo-user/repo-path",
+				License:   "DRL",
+				Community: true,
+			},
+			Path: "repo-path",
 		},
 	}
 
diff --git a/server/modules/strelka/mock/mock_iomanager.go b/server/modules/strelka/mock/mock_iomanager.go
index e30a25b2..bd06aeae 100644
--- a/server/modules/strelka/mock/mock_iomanager.go
+++ b/server/modules/strelka/mock/mock_iomanager.go
@@ -10,7 +10,6 @@ package mock
 
 import (
 	fs "io/fs"
-	http "net/http"
 	exec "os/exec"
 	reflect "reflect"
 	time "time"
@@ -72,21 +71,6 @@ func (mr *MockIOManagerMockRecorder) ExecCommand(arg0 any) *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ExecCommand", reflect.TypeOf((*MockIOManager)(nil).ExecCommand), arg0)
 }
 
-// MakeRequest mocks base method.
-func (m *MockIOManager) MakeRequest(arg0 *http.Request) (*http.Response, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "MakeRequest", arg0)
-	ret0, _ := ret[0].(*http.Response)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// MakeRequest indicates an expected call of MakeRequest.
-func (mr *MockIOManagerMockRecorder) MakeRequest(arg0 any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MakeRequest", reflect.TypeOf((*MockIOManager)(nil).MakeRequest), arg0)
-}
-
 // ReadDir mocks base method.
 func (m *MockIOManager) ReadDir(arg0 string) ([]fs.DirEntry, error) {
 	m.ctrl.T.Helper()
@@ -117,6 +101,20 @@ func (mr *MockIOManagerMockRecorder) ReadFile(arg0 any) *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadFile", reflect.TypeOf((*MockIOManager)(nil).ReadFile), arg0)
 }
 
+// WalkDir mocks base method.
+func (m *MockIOManager) WalkDir(arg0 string, arg1 fs.WalkDirFunc) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "WalkDir", arg0, arg1)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// WalkDir indicates an expected call of WalkDir.
+func (mr *MockIOManagerMockRecorder) WalkDir(arg0, arg1 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "WalkDir", reflect.TypeOf((*MockIOManager)(nil).WalkDir), arg0, arg1)
+}
+
 // WriteFile mocks base method.
 func (m *MockIOManager) WriteFile(arg0 string, arg1 []byte, arg2 fs.FileMode) error {
 	m.ctrl.T.Helper()
diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go
index a0ef577c..51011870 100644
--- a/server/modules/strelka/strelka.go
+++ b/server/modules/strelka/strelka.go
@@ -60,6 +60,7 @@ type IOManager interface {
 	DeleteFile(path string) error
 	ReadDir(path string) ([]os.DirEntry, error)
 	ExecCommand(cmd *exec.Cmd) ([]byte, int, time.Duration, error)
+	WalkDir(root string, fn fs.WalkDirFunc) error
 }
 
 type StrelkaEngine struct {
@@ -396,8 +397,6 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 			templateFound = true
 		}
 
-		upToDate := map[string]*model.RuleRepo{}
-
 		allRepos, anythingNew, err := detections.UpdateRepos(&e.isRunning, e.reposFolder, e.rulesRepos, e.srv.Config)
 		if err != nil {
 			if strings.Contains(err.Error(), "module stopped") {
@@ -437,12 +436,6 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 			continue
 		}
 
-		for k, v := range allRepos {
-			if v.WasModified || forceSync {
-				upToDate[k] = v.Repo
-			}
-		}
-
 		communityDetections, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, model.WithEngine(model.EngineNameStrelka), model.WithCommunity(true))
 		if err != nil {
 			log.WithError(err).Error("Failed to get all community SIDs")
@@ -463,20 +456,24 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 		}
 
 		et := detections.NewErrorTracker(e.failAfterConsecutiveErrorCount)
-		failSync := false
+		detects := []*model.Detection{}
 
 		// parse *.yar files in repos
-		for repopath, repo := range upToDate {
+		for repopath, repo := range allRepos {
 			if !e.isRunning {
 				return
 			}
 
-			baseDir := repopath
-			if repo.Folder != nil {
-				baseDir = filepath.Join(baseDir, *repo.Folder)
+			if !repo.WasModified && !forceSync {
+				continue
+			}
+
+			baseDir := repo.Path
+			if repo.Repo.Folder != nil {
+				baseDir = filepath.Join(baseDir, *repo.Repo.Folder)
 			}
 
-			err = filepath.WalkDir(baseDir, func(path string, d fs.DirEntry, err error) error {
+			err = e.WalkDir(baseDir, func(path string, d fs.DirEntry, err error) error {
 				if err != nil {
 					log.WithError(err).WithField("repoPath", path).Error("Failed to walk path")
 					return nil
@@ -508,97 +505,108 @@ func (e *StrelkaEngine) startCommunityRuleImport() {
 				}
 
 				for _, rule := range parsed {
-					det := rule.ToDetection(repo.License, filepath.Base(repopath), repo.Community)
-					log.WithFields(log.Fields{
-						"rule.uuid": det.PublicID,
-						"rule.name": det.Title,
-					}).Info("Strelka community sync - processing YARA rule")
-
-					comRule, exists := communityDetections[det.PublicID]
-					if exists {
-						if comRule.Content != det.Content || comRule.Ruleset != det.Ruleset || len(det.Overrides) != 0 {
-							// pre-existing detection, update it
-							det.IsEnabled = comRule.IsEnabled
-							det.Id = comRule.Id
-							det.Overrides = comRule.Overrides
-							det.CreateTime = comRule.CreateTime
-
-							log.WithFields(log.Fields{
-								"rule.uuid": det.PublicID,
-								"rule.name": det.Title,
-							}).Info("Updating Yara detection")
-
-							_, err = e.srv.Detectionstore.UpdateDetection(e.srv.Context, det)
-							if err != nil && err.Error() == "Object not found" {
-								log.WithField("publicId", det.PublicID).Error("unable to read back successful write")
-
-								writeNoRead = util.Ptr(det.PublicID)
-								failSync = true
-
-								return err
-							}
-
-							eterr := et.AddError(err)
-							if eterr != nil {
-								return eterr
-							}
+					det := rule.ToDetection(repo.Repo.License, filepath.Base(repo.Path), repo.Repo.Community)
+					detects = append(detects, det)
+				}
 
-							if err != nil {
-								log.WithError(err).WithField("publicId", det.PublicID).Error("Failed to update detection")
-								continue
-							}
-						}
+				return nil
+			})
+			if err != nil {
+				log.WithError(err).WithField("strelkaRepo", repopath).Error("failed while walking repo")
 
-						delete(toDelete, det.PublicID)
-					} else {
-						// new detection, create it
-						log.WithFields(log.Fields{
-							"rule.uuid": det.PublicID,
-							"rule.name": det.Title,
-						}).Info("Creating new Yara detection")
+				continue
+			}
+		}
 
-						checkRulesetEnabled(e, det)
+		var eterr error
+		detects = detections.DeduplicateByPublicId(detects)
 
-						_, err = e.srv.Detectionstore.CreateDetection(e.srv.Context, det)
-						if err != nil && err.Error() == "Object not found" {
-							log.WithField("publicId", det.PublicID).Error("unable to read back successful write")
+		for _, det := range detects {
+			log.WithFields(log.Fields{
+				"rule.uuid": det.PublicID,
+				"rule.name": det.Title,
+			}).Info("Strelka community sync - processing YARA rule")
 
-							writeNoRead = util.Ptr(det.PublicID)
-							failSync = true
+			comRule, exists := communityDetections[det.PublicID]
+			if exists {
+				if comRule.Content != det.Content || comRule.Ruleset != det.Ruleset || len(det.Overrides) != 0 {
+					// pre-existing detection, update it
+					det.IsEnabled = comRule.IsEnabled
+					det.Id = comRule.Id
+					det.Overrides = comRule.Overrides
+					det.CreateTime = comRule.CreateTime
 
-							return err
-						}
+					log.WithFields(log.Fields{
+						"rule.uuid": det.PublicID,
+						"rule.name": det.Title,
+					}).Info("Updating Yara detection")
 
-						eterr := et.AddError(err)
-						if eterr != nil {
-							failSync = true
+					_, err = e.srv.Detectionstore.UpdateDetection(e.srv.Context, det)
+					if err != nil && err.Error() == "Object not found" {
+						writeNoRead = util.Ptr(det.PublicID)
+						log.WithField("publicId", det.PublicID).Error("unable to read back successful write")
 
-							return eterr
-						}
+						break
+					}
 
-						if err != nil {
-							log.WithError(err).WithField("publicId", det.PublicID).Error("Failed to create detection")
-							continue
-						}
+					eterr = et.AddError(err)
+					if eterr != nil {
+						break
+					}
 
-						delete(toDelete, det.PublicID)
+					if err != nil {
+						log.WithError(err).WithField("publicId", det.PublicID).Error("Failed to update detection")
+						continue
 					}
 				}
 
-				return nil
-			})
-			if err != nil {
-				log.WithError(err).WithField("strelkaRepo", repopath).Error("failed while walking repo")
+				delete(toDelete, det.PublicID)
+			} else {
+				// new detection, create it
+				log.WithFields(log.Fields{
+					"rule.uuid": det.PublicID,
+					"rule.name": det.Title,
+				}).Info("Creating new Yara detection")
+
+				checkRulesetEnabled(e, det)
+
+				_, err = e.srv.Detectionstore.CreateDetection(e.srv.Context, det)
+				if err != nil && err.Error() == "Object not found" {
+					writeNoRead = util.Ptr(det.PublicID)
+					log.WithField("publicId", det.PublicID).Error("unable to read back successful write")
 
-				if failSync {
 					break
 				}
 
-				continue
+				eterr = et.AddError(err)
+				if eterr != nil {
+					break
+				}
+
+				if err != nil {
+					log.WithError(err).WithField("publicId", det.PublicID).Error("Failed to create detection")
+					continue
+				}
+
+				delete(toDelete, det.PublicID)
 			}
 		}
 
-		if failSync {
+		if eterr != nil || writeNoRead != nil {
+			if eterr != nil {
+				log.WithError(eterr).Error("unable to sync YARA community detections")
+			}
+			if writeNoRead != nil {
+				log.Warn("detection was written but not read back, attempting read before continuing")
+			}
+
+			if e.notify {
+				e.srv.Host.Broadcast("detection-sync", "detections", server.SyncStatus{
+					Engine: model.EngineNameElastAlert,
+					Status: "error",
+				})
+			}
+
 			continue
 		}
 
@@ -1170,6 +1178,7 @@ func (_ *ResourceManager) DeleteFile(path string) error {
 func (_ *ResourceManager) ReadDir(path string) ([]os.DirEntry, error) {
 	return os.ReadDir(path)
 }
+
 func (_ *ResourceManager) ExecCommand(cmd *exec.Cmd) (output []byte, exitCode int, runtime time.Duration, err error) {
 	start := time.Now()
 	output, err = cmd.CombinedOutput()
@@ -1179,3 +1188,7 @@ func (_ *ResourceManager) ExecCommand(cmd *exec.Cmd) (output []byte, exitCode in
 
 	return output, exitCode, runtime, err
 }
+
+func (_ *ResourceManager) WalkDir(root string, fn fs.WalkDirFunc) error {
+	return filepath.WalkDir(root, fn)
+}
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index dd487478..c11593a5 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -509,6 +509,8 @@ func (e *SuricataEngine) watchCommunityRules() {
 			continue
 		}
 
+		commDetections = detections.DeduplicateByPublicId(commDetections)
+
 		for _, d := range commDetections {
 			d.IsCommunity = true
 		}

From a2fa27aa37647ff47c3bc35a55ce1f166a8859cf Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Wed, 12 Jun 2024 16:16:45 -0600
Subject: [PATCH 26/57] Slimmed down Detections Configs

Detections was only using about half of the HuntingParameters so instead of embedding them, I added the fields we need. Updated the Verify and added a test inspired by how Hunt's parameters are verified and tested.

While looking for errors in a cypress test, I noticed a log statement that was unconditionally an error log when it didn't always log a problem. Fixed it.
---
 config/clientparameters.go      | 30 ++++++++++++++++++++++++++----
 config/clientparameters_test.go | 14 ++++++++++++++
 server/detectionhandler.go      | 10 ++++++++--
 3 files changed, 48 insertions(+), 6 deletions(-)

diff --git a/config/clientparameters.go b/config/clientparameters.go
index df6b7248..b449990a 100644
--- a/config/clientparameters.go
+++ b/config/clientparameters.go
@@ -191,8 +191,19 @@ type GridParameters struct {
 }
 
 type DetectionsParameters struct {
-	HuntingParameters
-	DetectionParameters
+	Actions               []*HuntingAction            `json:"actions"`
+	Advanced              bool                        `json:"advanced"`
+	CreateLink            string                      `json:"createLink"`
+	EventFetchLimit       int                         `json:"eventFetchLimit"`
+	EventFields           map[string][]string         `json:"eventFields"`
+	EventItemsPerPage     int                         `json:"eventItemsPerPage"`
+	GroupFetchLimit       int                         `json:"groupFetchLimit"`
+	MostRecentlyUsedLimit int                         `json:"mostRecentlyUsedLimit"`
+	Presets               map[string]PresetParameters `json:"presets"`
+	Queries               []*HuntingQuery             `json:"queries"`
+	QueryBaseFilter       string                      `json:"queryBaseFilter"`
+	SafeStringMaxLength   int                         `json:"safeStringMaxLength"`
+	ViewEnabled           bool                        `json:"viewEnabled"`
 }
 
 type DetectionParameters struct {
@@ -202,9 +213,20 @@ type DetectionParameters struct {
 }
 
 func (params *DetectionsParameters) Verify() error {
-	err := params.HuntingParameters.Verify()
+	if params.GroupFetchLimit <= 0 {
+		params.GroupFetchLimit = DEFAULT_GROUP_FETCH_LIMIT
+	}
+	if params.EventFetchLimit <= 0 {
+		params.EventFetchLimit = DEFAULT_EVENT_FETCH_LIMIT
+	}
+	if params.MostRecentlyUsedLimit < 0 {
+		params.MostRecentlyUsedLimit = 0
+	}
+	if params.SafeStringMaxLength <= 0 {
+		params.SafeStringMaxLength = DEFAULT_SAFE_STRING_MAX_LENGTH
+	}
 
-	return err
+	return nil
 }
 
 func (params *DetectionParameters) Verify() error {
diff --git a/config/clientparameters_test.go b/config/clientparameters_test.go
index 2289de0f..a66d7595 100644
--- a/config/clientparameters_test.go
+++ b/config/clientparameters_test.go
@@ -91,3 +91,17 @@ func TestVerifyCaseParams(tester *testing.T) {
 	assert.Nil(tester, err)
 	assert.Equal(tester, params.MostRecentlyUsedLimit, 0)
 }
+
+func TestVerifyDetectionsParams(t *testing.T) {
+	params := &DetectionsParameters{}
+	err := params.Verify()
+	assert.Nil(t, err)
+	verifyInitialDetectionsParams(t, params)
+}
+
+func verifyInitialDetectionsParams(t *testing.T, params *DetectionsParameters) {
+	assert.Equal(t, DEFAULT_GROUP_FETCH_LIMIT, params.GroupFetchLimit)
+	assert.Equal(t, DEFAULT_EVENT_FETCH_LIMIT, params.EventFetchLimit)
+	assert.Equal(t, DEFAULT_SAFE_STRING_MAX_LENGTH, params.SafeStringMaxLength)
+	assert.Equal(t, 0, params.MostRecentlyUsedLimit)
+}
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index ce2386ff..5235865e 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -470,7 +470,7 @@ func (h *DetectionHandler) bulkUpdateDetectionAsync(ctx context.Context, body *B
 	defer func() {
 		totalTime := time.Since(totalTimeStart)
 
-		log.WithFields(log.Fields{
+		withStats := log.WithFields(log.Fields{
 			"error":      len(errMap),
 			"total":      len(IDs),
 			"modified":   len(modified),
@@ -478,7 +478,13 @@ func (h *DetectionHandler) bulkUpdateDetectionAsync(ctx context.Context, body *B
 			"updateTime": update.Seconds(),
 			"syncTime":   sync.Seconds(),
 			"totalTime":  totalTime.Seconds(),
-		}).Error("bulk update Detections finished")
+		})
+
+		if len(errMap) != 0 {
+			withStats.Error("bulk action Detections finished")
+		} else {
+			withStats.Info("bulk action Detections finished")
+		}
 
 		verb := "update"
 		if body.Delete {

From 6ec1ad2c51ce5e75bda745d650375453eed58a19 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Wed, 12 Jun 2024 16:38:12 -0600
Subject: [PATCH 27/57] Revert to HuntingParameters

---
 config/clientparameters.go      | 30 ++++--------------------------
 config/clientparameters_test.go |  9 +--------
 2 files changed, 5 insertions(+), 34 deletions(-)

diff --git a/config/clientparameters.go b/config/clientparameters.go
index b449990a..0e3604eb 100644
--- a/config/clientparameters.go
+++ b/config/clientparameters.go
@@ -191,19 +191,8 @@ type GridParameters struct {
 }
 
 type DetectionsParameters struct {
-	Actions               []*HuntingAction            `json:"actions"`
-	Advanced              bool                        `json:"advanced"`
-	CreateLink            string                      `json:"createLink"`
-	EventFetchLimit       int                         `json:"eventFetchLimit"`
-	EventFields           map[string][]string         `json:"eventFields"`
-	EventItemsPerPage     int                         `json:"eventItemsPerPage"`
-	GroupFetchLimit       int                         `json:"groupFetchLimit"`
-	MostRecentlyUsedLimit int                         `json:"mostRecentlyUsedLimit"`
-	Presets               map[string]PresetParameters `json:"presets"`
-	Queries               []*HuntingQuery             `json:"queries"`
-	QueryBaseFilter       string                      `json:"queryBaseFilter"`
-	SafeStringMaxLength   int                         `json:"safeStringMaxLength"`
-	ViewEnabled           bool                        `json:"viewEnabled"`
+	HuntingParameters
+	Presets              map[string]PresetParameters `json:"presets"`
 }
 
 type DetectionParameters struct {
@@ -213,20 +202,9 @@ type DetectionParameters struct {
 }
 
 func (params *DetectionsParameters) Verify() error {
-	if params.GroupFetchLimit <= 0 {
-		params.GroupFetchLimit = DEFAULT_GROUP_FETCH_LIMIT
-	}
-	if params.EventFetchLimit <= 0 {
-		params.EventFetchLimit = DEFAULT_EVENT_FETCH_LIMIT
-	}
-	if params.MostRecentlyUsedLimit < 0 {
-		params.MostRecentlyUsedLimit = 0
-	}
-	if params.SafeStringMaxLength <= 0 {
-		params.SafeStringMaxLength = DEFAULT_SAFE_STRING_MAX_LENGTH
-	}
+	err := params.HuntingParameters.Verify()
 
-	return nil
+	return err
 }
 
 func (params *DetectionParameters) Verify() error {
diff --git a/config/clientparameters_test.go b/config/clientparameters_test.go
index a66d7595..b9b0e267 100644
--- a/config/clientparameters_test.go
+++ b/config/clientparameters_test.go
@@ -96,12 +96,5 @@ func TestVerifyDetectionsParams(t *testing.T) {
 	params := &DetectionsParameters{}
 	err := params.Verify()
 	assert.Nil(t, err)
-	verifyInitialDetectionsParams(t, params)
-}
-
-func verifyInitialDetectionsParams(t *testing.T, params *DetectionsParameters) {
-	assert.Equal(t, DEFAULT_GROUP_FETCH_LIMIT, params.GroupFetchLimit)
-	assert.Equal(t, DEFAULT_EVENT_FETCH_LIMIT, params.EventFetchLimit)
-	assert.Equal(t, DEFAULT_SAFE_STRING_MAX_LENGTH, params.SafeStringMaxLength)
-	assert.Equal(t, 0, params.MostRecentlyUsedLimit)
+	verifyInitialHuntingParams(t, &params.HuntingParameters)
 }

From 0482c346f3e12ad6decf2dcff703f211f4727ea5 Mon Sep 17 00:00:00 2001
From: Doug Burks <doug.burks@securityonionsolutions.com>
Date: Thu, 13 Jun 2024 15:11:27 -0400
Subject: [PATCH 28/57] Update i18n.js to add link translations for cold and
 warm ILM phases

---
 html/js/i18n.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/html/js/i18n.js b/html/js/i18n.js
index e8e24a70..9fa0e243 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -189,7 +189,9 @@ const i18n = {
       config: 'Configuration',
       configTitle: 'Grid Configuration',
       configQLGridTitle: 'Grid Administration Quick Links',
-      configQLElasticsearchDelete: 'Elasticsearch ILM Deletion',
+      configQLElasticsearchCold: 'Elasticsearch Global Policy for ILM Cold Phase (applies to all indices)',
+      configQLElasticsearchDelete: 'Elasticsearch Global Policy for ILM Delete Phase (applies to all indices)',
+      configQLElasticsearchWarm: 'Elasticsearch Global Policy for ILM Warm Phase (applies to all indices)',
       configQLElasticsearchHeader: 'Elasticsearch',
       configQLNTP: 'Specify custom Network Time Protocol server(s)',
       configQLNTPHeader: 'NTP',

From 6807ef18e31e2cf92e32c1063b27a50640ae4242 Mon Sep 17 00:00:00 2001
From: Doug Burks <doug.burks@securityonionsolutions.com>
Date: Thu, 13 Jun 2024 15:13:51 -0400
Subject: [PATCH 29/57] Update index.html to add links for Elasticsearch ILM
 Warm and Cold phases

---
 html/index.html | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/html/index.html b/html/index.html
index d3322ac7..ba677456 100644
--- a/html/index.html
+++ b/html/index.html
@@ -4690,6 +4690,12 @@ <h4 v-if="!$root.loading">{{ i18n.settingsCustomized }} {{ settingsCustomized }}
                     <li>
                       {{i18n.configQLElasticsearchHeader}}
                       <ul>
+                        <li>
+                          <router-link data-aid="config_quicklink_es_warm" :to="{ name: 'config', query: {s: 'elasticsearch.index_settings.global_overrides.policy.phases.warm.min_age'}}">{{i18n.configQLElasticsearchWarm}}</router-link>
+                        </li>
+                        <li>
+                          <router-link data-aid="config_quicklink_es_cold" :to="{ name: 'config', query: {s: 'elasticsearch.index_settings.global_overrides.policy.phases.cold.min_age'}}">{{i18n.configQLElasticsearchCold}}</router-link>
+                        </li>
                         <li>
                           <router-link data-aid="config_quicklink_es_delete" :to="{ name: 'config', query: {s: 'elasticsearch.index_settings.global_overrides.policy.phases.delete.min_age'}}">{{i18n.configQLElasticsearchDelete}}</router-link>
                         </li>

From 115d680604abf99303776fd8fa0f1b19cc922c9e Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Thu, 13 Jun 2024 15:21:17 -0400
Subject: [PATCH 30/57] toggle full query view

---
 html/index.html             |  7 ++++-
 html/js/i18n.js             |  1 +
 html/js/routes/hunt.js      | 38 ++++++++++++++++++++++--
 html/js/routes/hunt.test.js | 58 +++++++++++++++++++++++++++++++++++++
 4 files changed, 101 insertions(+), 3 deletions(-)

diff --git a/html/index.html b/html/index.html
index d3322ac7..1cec3a2f 100644
--- a/html/index.html
+++ b/html/index.html
@@ -414,7 +414,7 @@ <h4 v-if="loaded" :data-aid="'event_total_' + category">{{ i18n.eventTotal }} {{
         </v-row>
         <v-row align="start">
           <v-col cols="12" :md="isCategory('detections') ? 10 : 7">
-            <v-textarea :clearable="isAdvanced()" :auto-grow="isAdvanced()" :readonly="!isAdvanced()" :disabled="loading()" @change="notifyInputsChanged" class="mx-2" v-model="$data[isAdvanced() ? 'query' : 'queryName']" :hint="isAdvanced() ? i18n.queryHelp : ''" rows="1" persistent-hint prepend-icon="fa-search" @keydown.enter.prevent="hunt" id="hunt-query-input" :data-aid="'query_input_' + category">
+            <v-textarea :clearable="isAdvanced()" :auto-grow="isAdvanced()" :readonly="!isAdvanced()" :disabled="loading()" @input="queryAltered = true" @change="queryModified" class="mx-2" v-model="$data[getDisplayedQueryVar()]" :hint="isAdvanced() ? i18n.queryHelp : ''" rows="1" persistent-hint prepend-icon="fa-search" @keydown.enter.prevent="submitQuery" id="hunt-query-input" :data-aid="'query_input_' + category">
               <template v-slot:prepend-inner>
                 <v-menu dense bottom three-line offset-y>
                   <template v-slot:activator="{ on: menu }">
@@ -449,6 +449,11 @@ <h4 v-if="loaded" :data-aid="'event_total_' + category">{{ i18n.eventTotal }} {{
                   </v-list>
                 </v-menu>
               </template>
+              <template v-if="isAdvanced()" v-slot:append>
+                <v-btn small icon id="toggle-full-query-button" :title="i18n.toggleFullQueryHelp" @click="showFullQuery = !showFullQuery" :disabled="queryAltered" :data-aid="'toggle_full_query_' + category">
+                  <v-icon>fa-ellipsis</v-icon>
+                </v-btn>
+              </template>
               <template v-if="!isCategory('hunt')" v-slot:append-outer>
                 <v-btn small icon id="switch-to-hunt-button" :title="i18n.huntHelp" @click="switchToHunt()" :data-aid="'nav_hunt_' + category">
                   <v-icon>fa-crosshairs</v-icon>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index e8e24a70..b90e6047 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -804,6 +804,7 @@ const i18n = {
       'so-sensor-keywords': 'Forward, Sensor, Sensoroni, Stenographer',
       'so-standalone': 'Standalone',
       'so-standalone-keywords': 'Elastic, Elasticsearch, Fleet, Forward, Ingest, Manager, Master, Search, Sensor, Sensoroni, Soc, Stenographer, Web',
+      toggleFullQueryHelp: 'Toggles between showing the full query or only the search filter. Disabled if query has been modified.',
       showPieChart: 'Show pie chart',
       showBarChart: 'Show bar chart',
       showSankeyChart: 'Show Sankey diagram',
diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 471847ea..bfa40161 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -22,7 +22,10 @@ const huntComponent = {
     params: null,
     category: '',
     advanced: false,
+    queryAltered: false,
     query: '',
+    querySearch: '',
+    queryRemainder: '',
     queries: [],
     queryBaseFilter: "",
     queryName: '',
@@ -99,6 +102,7 @@ const huntComponent = {
     mruCases: [],
 
     autohunt: true,
+    showFullQuery: true,
 
     filterRouteInclude: "",
     filterRouteExclude: "",
@@ -289,6 +293,19 @@ const huntComponent = {
         return [];
       }
     },
+    reconstructQuery() {
+      if (this.isAdvanced() && !this.showFullQuery) {
+        this.query = this.querySearch + " " + this.queryRemainder;
+      }
+    },
+    submitQuery() {
+      this.reconstructQuery();
+      this.hunt();
+    },
+    queryModified() {
+      this.reconstructQuery();
+      return this.notifyInputsChanged();
+    },
     notifyInputsChanged(replaceHistory = false) {
       var hunted = false;
       this.toggleQuickAction();
@@ -725,8 +742,21 @@ const huntComponent = {
       }
       return item;
     },
+    getDisplayedQueryVar() {
+      if (this.isAdvanced()) {
+        if (this.showFullQuery) {
+          return 'query'
+        } else {
+          return 'querySearch'
+        }
+      }
+      return 'queryName'
+    },
     obtainQueryDetails() {
+      this.queryAltered = false;
       this.queryName = "";
+      this.querySearch = "";
+      this.queryRemainder = "";
       this.queryFilters = [];
       this.queryGroupBys = [];
       this.queryGroupByOptions = [];
@@ -765,7 +795,11 @@ const huntComponent = {
         }
 
         if (segments.length > 0) {
-          var search = segments[0].trim();
+          this.querySearch = segments[0].trim();
+          if (segments.length > 1) {
+            // Used for reconstructing full query from simplified filter-only view
+            this.queryRemainder = this.query.substring(segmentDelimIdx);
+          }
           var matchingQueryName = this.i18n.custom;
           for (var i = 0; i < this.queries.length; i++) {
             if (this.query == this.queries[i].query) {
@@ -773,7 +807,7 @@ const huntComponent = {
             }
           }
           this.queryName = matchingQueryName;
-          search.split(" AND ").forEach(function(item, index) {
+          this.querySearch.split(" AND ").forEach(function(item, index) {
             item = item.trim();
             if (item.length > 0 && item != "*") {
               route.queryFilters.push(item);
diff --git a/html/js/routes/hunt.test.js b/html/js/routes/hunt.test.js
index 9ca013fd..15f3c20f 100644
--- a/html/js/routes/hunt.test.js
+++ b/html/js/routes/hunt.test.js
@@ -700,6 +700,8 @@ test('obtainQueryDetails_blank', () => {
   comp.query = ""
   comp.obtainQueryDetails();
   expect(comp.queryName).toBe("");
+  expect(comp.querySearch).toBe("");
+  expect(comp.queryRemainder).toBe("");
   expect(comp.queryFilters).toStrictEqual([]);
   expect(comp.queryGroupBys).toStrictEqual([]);
   expect(comp.queryGroupByOptions).toStrictEqual([]);
@@ -710,6 +712,8 @@ test('obtainQueryDetails_queryOnly', () => {
   comp.query = "foo: bar AND x:1"
   comp.obtainQueryDetails();
   expect(comp.queryName).toBe("Custom");
+  expect(comp.querySearch).toBe("foo: bar AND x:1");
+  expect(comp.queryRemainder).toBe("");
   expect(comp.queryFilters).toStrictEqual(["foo: bar", "x:1"]);
   expect(comp.queryGroupBys).toStrictEqual([]);
   expect(comp.queryGroupByOptions).toStrictEqual([]);
@@ -720,6 +724,8 @@ test('obtainQueryDetails_queryGroupedOptionsTableSorted', () => {
   comp.query = "foo: bar AND x:1 | groupby -opt1 z | groupby -optB r^ | sortby y | table x y z"
   comp.obtainQueryDetails();
   expect(comp.queryName).toBe("Custom");
+  expect(comp.querySearch).toBe("foo: bar AND x:1");
+  expect(comp.queryRemainder).toBe("| groupby -opt1 z | groupby -optB r^ | sortby y | table x y z");
   expect(comp.queryFilters).toStrictEqual(["foo: bar", "x:1"]);
   expect(comp.queryGroupBys).toStrictEqual([["z"], ["r^"]]);
   expect(comp.queryGroupByOptions).toStrictEqual([["opt1"], ["optB"]]);
@@ -731,6 +737,8 @@ test('obtainQueryDetails_queryGroupedFilterPipe', () => {
   comp.query = "foo: bar AND x:\"with | this\" | groupby z"
   comp.obtainQueryDetails();
   expect(comp.queryName).toBe("Custom");
+  expect(comp.querySearch).toBe("foo: bar AND x:\"with | this\"");
+  expect(comp.queryRemainder).toBe("| groupby z");
   expect(comp.queryFilters).toStrictEqual(["foo: bar", "x:\"with | this\""]);
   expect(comp.queryGroupBys).toStrictEqual([["z"]]);
   expect(comp.queryGroupByOptions).toStrictEqual([[]]);
@@ -741,6 +749,8 @@ test('obtainQueryDetails_trickyEscapeSequence', () => {
   comp.query = `process.working_directory:"C:\\\\Windows\\\\system32\\\\" | groupby host.name`;
   comp.obtainQueryDetails();
   expect(comp.queryName).toBe("Custom");
+  expect(comp.querySearch).toBe(`process.working_directory:"C:\\\\Windows\\\\system32\\\\"`);
+  expect(comp.queryRemainder).toBe("| groupby host.name");
   expect(comp.queryFilters).toStrictEqual([`process.working_directory:"C:\\\\Windows\\\\system32\\\\"`]);
   expect(comp.queryGroupBys).toStrictEqual([["host.name"]]);
   expect(comp.queryGroupByOptions).toStrictEqual([[]]);
@@ -1286,4 +1296,52 @@ test('bulkAction - delete - confirm - failure', async () => {
   expect(mock).toHaveBeenCalledWith('detection/bulk/delete', { ids: ["1", "3"] });
   expect(comp.$root.showError).toHaveBeenCalledTimes(1);
   expect(comp.$root.showError).toHaveBeenCalledWith(err);
+});
+
+test('reconstructQuery', () => {
+  comp.query = "bar: 'hi' | groupby x"
+  comp.obtainQueryDetails();
+  comp.reconstructQuery();
+  comp.querySearch = "foo: 1"
+
+  // Advanced mode and showFullQuery false so should reconstruct query using new custom filter
+  comp.advanced = true;
+  comp.showFullQuery = false;
+  comp.queryModified();
+  expect(comp.query).toBe("foo: 1 | groupby x");
+});
+
+test('queryModified', () => {
+  comp.$root.loading = true; // prevent any notification logic from running
+  comp.query = "bar: 'hi' | groupby x"
+  comp.obtainQueryDetails();
+  comp.querySearch = "foo: 1"
+
+  // Basic mode, should not reconstruct query
+  comp.queryModified();
+  expect(comp.query).toBe("bar: 'hi' | groupby x");
+
+  // Advanced mode, but showFullQuery is true so should not reconstruct query
+  comp.advanced = true;
+  comp.showFullQuery = true;
+  comp.queryModified();
+  expect(comp.query).toBe("bar: 'hi' | groupby x");
+
+  // Advanced mode and showFullQuery false so should reconstruct query using new custom filter
+  comp.advanced = true;
+  comp.showFullQuery = false;
+  comp.queryModified();
+  expect(comp.query).toBe("foo: 1 | groupby x");
+});
+
+test('getDisplayedQueryVar', () => {
+  expect(comp.getDisplayedQueryVar()).toBe('queryName');
+
+  comp.advanced = true;
+  comp.showFullQuery = true;
+  expect(comp.getDisplayedQueryVar()).toBe('query');
+
+  comp.advanced = true;
+  comp.showFullQuery = false;
+  expect(comp.getDisplayedQueryVar()).toBe('querySearch');
 });
\ No newline at end of file

From f377f59f3ee8a0e232a804a14bfd9c09808c7610 Mon Sep 17 00:00:00 2001
From: Doug Burks <doug.burks@securityonionsolutions.com>
Date: Thu, 13 Jun 2024 15:22:44 -0400
Subject: [PATCH 31/57] Update i18n.js with simplified wording

---
 html/js/i18n.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/html/js/i18n.js b/html/js/i18n.js
index 9fa0e243..da3f9a17 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -189,10 +189,10 @@ const i18n = {
       config: 'Configuration',
       configTitle: 'Grid Configuration',
       configQLGridTitle: 'Grid Administration Quick Links',
-      configQLElasticsearchCold: 'Elasticsearch Global Policy for ILM Cold Phase (applies to all indices)',
-      configQLElasticsearchDelete: 'Elasticsearch Global Policy for ILM Delete Phase (applies to all indices)',
-      configQLElasticsearchWarm: 'Elasticsearch Global Policy for ILM Warm Phase (applies to all indices)',
-      configQLElasticsearchHeader: 'Elasticsearch',
+      configQLElasticsearchCold: 'Cold Phase',
+      configQLElasticsearchDelete: 'Delete Phase',
+      configQLElasticsearchWarm: 'Warm Phase',
+      configQLElasticsearchHeader: 'Elasticsearch Global ILM Policy (applies to all indices)',
       configQLNTP: 'Specify custom Network Time Protocol server(s)',
       configQLNTPHeader: 'NTP',
       configQLFirewallHeader: 'Firewall',

From f9259d37071d71b44effe73d4d0162618e79731c Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 13 Jun 2024 12:23:15 -0600
Subject: [PATCH 32/57] IP/Var + Suricata Fixes

Suricata Overrides now show an IP/Var column in the tuning table.

The IP validation rules have been expanded to allow for $VARS and !$VARS in addition to IPv4 and IPv6 CIDRs. Hints have been updated to indicate support for vars. Links to where you set those variables have been added to the ip fields.

A bug where Suricata was dropping detection Ids on update has been fixed. Now a second update can happen without refreshing the page.

Updated tests.
---
 html/index.html                               | 20 ++++++--
 html/js/i18n.js                               |  4 +-
 html/js/routes/detection.js                   | 29 +++++++----
 html/js/routes/detection.test.js              | 25 +++++++++
 .../modules/elastic/elasticdetectionstore.go  |  6 +++
 server/modules/suricata/suricata_test.go      | 51 +++++++++++++++++++
 6 files changed, 120 insertions(+), 15 deletions(-)

diff --git a/html/index.html b/html/index.html
index a394a397..526ca21f 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1344,7 +1344,13 @@ <h3 class="text--primary">{{ i18n.commentAddDetection }}</h3>
                         <v-select v-if="['threshold', 'suppress'].includes(newOverride.type)" id="new-override-track-edit" v-model="newOverride.track" :items="getTrackOptions(newOverride.type)" :rules="[rules.required]" persistent-hint :hint="i18n.track"></v-select>
                       </span>
                       <!-- ip -->
-                      <v-text-field v-if="newOverride.type === 'suppress'" id="new-override-ip-edit" v-model="newOverride.ip" :rules="[rules.required, rules.cidrFormat]" persistent-hint :hint="i18n.ipCidr" data-aid="detection_new_override_suppress_ip_input"></v-text-field>
+                      <v-text-field v-if="newOverride.type === 'suppress'" id="new-override-ip-edit" v-model="newOverride.ip" :rules="[rules.required, rules.cidrFormat]" persistent-hint :hint="i18n.ipCidr" data-aid="detection_new_override_suppress_ip_input">
+                        <template v-slot:append-outer>
+                          <router-link :to="{ name: 'config', query: { s: 'suricata.config.vars' }}" target="_blank">
+                            <v-icon>fa-regular fa-circle-question</v-icon>
+                          </router-link>
+                        </template>
+                      </v-text-field>
                       <!-- count -->
                       <v-text-field v-if="newOverride.type === 'threshold'" id="new-override-count-edit" v-model="newOverride.count" :rules="[rules.required, rules.number]" persistent-hint :hint="i18n.count" data-aid="detection_new_override_threshold_count_input"></v-text-field>
                       <!-- seconds -->
@@ -1370,7 +1376,7 @@ <h3 class="text--primary">{{ i18n.commentAddDetection }}</h3>
                     </div>
                   </v-form>
                 </div>
-                <v-data-table :sort-by.sync="sortBy" :expanded.sync="expanded" :sort-desc.sync="sortDesc" must-sort :headers="overrideHeaders"
+                <v-data-table :sort-by.sync="sortBy" :expanded.sync="expanded" :sort-desc.sync="sortDesc" must-sort :headers="overrideHeaders[detect.engine]"
                   :items="detect.overrides" item-key="index" show-expand single-expand :custom-sort="sortOverrides" hide-default-footer="true">
                   <template v-slot:item="{ item, index, expand, isExpanded }">
                     <tr>
@@ -1380,7 +1386,7 @@ <h3 class="text--primary">{{ i18n.commentAddDetection }}</h3>
                           <v-icon v-else :alt="i18n.overrideExpand" :title="i18n.eventExpandHelp" data-aid="detection_overrides_expand">fa-angle-right</v-icon>
                         </v-btn>
                       </td>
-                      <td v-for="field in overrideHeaders" :key="field.value" data-aid="detection_overrides_headers_display">
+                      <td v-for="field in overrideHeaders[detect.engine]" :key="field.value" data-aid="detection_overrides_headers_display">
                         <div class="d-inline-block">
                           <span v-if="!field.format">{{ item[field.value] }}</span>
                           <span v-else v-text="$root.formatLocalTimestamp(item[field.value], zone)"/>
@@ -1481,7 +1487,13 @@ <h3 class="text--primary">{{ i18n.commentAddDetection }}</h3>
                           </span>
                           <span v-else>
                             <v-text-field id="override-ip-edit" ref="override-ip" hide-details="auto" outlined v-model="item.ip" :rules="[rules.required, rules.cidrFormat]"
-                              persistent-hint :hint="i18n.cidr" v-on:keyup.enter="isFieldValid('override-ip') && stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)" data-aid="detection_override_suppress_ip_input"></v-text-field>
+                              persistent-hint :hint="i18n.ipCidr" v-on:keyup.enter="isFieldValid('override-ip') && stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)" data-aid="detection_override_suppress_ip_input">
+                            <template v-slot:append-outer>
+                              <router-link :to="{ name: 'config', query: { s: 'suricata.config.vars' }}" target="_blank">
+                                <v-icon>fa-regular fa-circle-question</v-icon>
+                              </router-link>
+                            </template>
+                            </v-text-field>
                             <div id="override-ip-edit-buttons">
                               <v-btn @click.stop="stopOverrideEdit(false)" text small class="align-self-end" data-aid="detection_override_ip_cancel">
                                 {{ i18n.cancel }}
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 03f20e25..a71a25e0 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -524,8 +524,8 @@ const i18n = {
       interval24h: "24 hours",
       invalid: 'Invalid',
       ioWait: 'I/O Wait',
-      invalidCidr: 'Invalid CIDR Notation',
-      ipCidr: 'IP - CIDR Notation',
+      invalidCidrOrVar: 'Invalid CIDR Notation or Suricata Variable',
+      ipCidr: 'IP - CIDR Notation or Suricata Variable',
       job: 'Job',
       jobIncomplete: 'The job was unable to complete and will retry within a few minutes. Details are available below.',
       jobInProgress: 'This job is awaiting completion.',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index c59abc81..c7355177 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -47,9 +47,10 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				fileNotEmpty: value => (value == null || value.size > 0) || this.$root.i18n.fileEmpty,
 				fileRequired: value => (value != null) || this.$root.i18n.required,
 				cidrFormat: value => (!value ||
+					/^!?\$[a-z_][a-z0-9_]*$/i.test(value) || // Suricata variable
 					/^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\/(3[0-2]|[12]\d|\d)$/.test(value) || // IPv4 CIDR
-					/^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))$/.test(value) // IPv6 CIDR
-				) || this.i18n.invalidCidr,
+					/^((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))$/i.test(value) // IPv6 CIDR
+				) || this.i18n.invalidCidrOrVar,
 			},
 			panel: [0, 1, 2],
 			activeTab: '',
@@ -58,13 +59,23 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			sortBy: 'createdAt',
 			sortDesc: false,
 			expanded: [],
-			overrideHeaders: [
-				{ text: 'Enabled', value: 'isEnabled' },
-				{ text: 'Type', value: 'type' },
-				{ text: 'Track', value: 'track' },
-				{ text: 'Created', value: 'createdAt', format: true },
-				{ text: 'Updated', value: 'updatedAt', format: true },
-			],
+			overrideHeaders: {
+				'elastalert': [
+					{ text: 'Enabled', value: 'isEnabled' },
+					{ text: 'Type', value: 'type' },
+					{ text: 'Track', value: 'track' },
+					{ text: 'Created', value: 'createdAt', format: true },
+					{ text: 'Updated', value: 'updatedAt', format: true },
+				],
+				'strelka': [], // no overrides
+				'suricata': [
+					{ text: 'Enabled', value: 'isEnabled' },
+					{ text: 'Type', value: 'type' },
+					{ text: 'IP/Var', value: 'ip' },
+					{ text: 'Created', value: 'createdAt', format: true },
+					{ text: 'Updated', value: 'updatedAt', format: true },
+				],
+			},
 			zone: moment.tz.guess(),
 			newOverride: null,
 			newOverrideValid: false,
diff --git a/html/js/routes/detection.test.js b/html/js/routes/detection.test.js
index 0b42e565..df276d3f 100644
--- a/html/js/routes/detection.test.js
+++ b/html/js/routes/detection.test.js
@@ -450,3 +450,28 @@ test('onNewDetectionLanguageChange', async () => {
 	await comp.onNewDetectionLanguageChange();
 	expect(comp.detect.content).toBe('c X');
 });
+
+test('cidrFormat', () => {
+	const cidrFormat = comp.rules.cidrFormat;
+
+	expect(cidrFormat('$HOME_NET')).toBe(true);
+	expect(cidrFormat('$Home_Net')).toBe(true);
+	expect(cidrFormat('!$DNS')).toBe(true);
+	expect(cidrFormat('!$_')).toBe(true);
+	expect(cidrFormat('0.0.0.0/16')).toBe(true);
+	expect(cidrFormat('0::0/32')).toBe(true);
+	expect(cidrFormat('2001:DB88:3333:4444:CCCC:DDDD:EEEE:FFFF/64')).toBe(true);
+	expect(cidrFormat('2001:db88:3333:4444:cccc:dddd:eeee:ffff/64')).toBe(true);
+
+	expect(cidrFormat('x')).toBe(comp.i18n.invalidCidrOrVar);
+	expect(cidrFormat('#')).toBe(comp.i18n.invalidCidrOrVar);
+	expect(cidrFormat('!#')).toBe(comp.i18n.invalidCidrOrVar);
+	expect(cidrFormat('#1')).toBe(comp.i18n.invalidCidrOrVar);
+	expect(cidrFormat('!#1')).toBe(comp.i18n.invalidCidrOrVar);
+	expect(cidrFormat('_')).toBe(comp.i18n.invalidCidrOrVar);
+	expect(cidrFormat('1.2.3.4')).toBe(comp.i18n.invalidCidrOrVar);
+	expect(cidrFormat('0::0')).toBe(comp.i18n.invalidCidrOrVar);
+	expect(cidrFormat('256.256.256.256/32')).toBe(comp.i18n.invalidCidrOrVar);
+	expect(cidrFormat('0::0::0/16')).toBe(comp.i18n.invalidCidrOrVar);
+	expect(cidrFormat('google.com')).toBe(comp.i18n.invalidCidrOrVar);
+});
diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index 67e88252..f13b7951 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -516,6 +516,12 @@ func (store *ElasticDetectionstore) UpdateDetection(ctx context.Context, detect
 		return nil, err
 	}
 
+	// prepareForSave clears Id creating a side effect for the caller
+	id := detect.Id
+	defer func() {
+		detect.Id = id
+	}()
+
 	results, err := store.save(ctx, detect, "detection", store.prepareForSave(ctx, &detect.Auditable))
 	if err != nil {
 		return nil, err
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index 36fedc99..f1cded25 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -771,6 +771,7 @@ func TestSyncCommunitySuricata(t *testing.T) {
 			InitialSettings: emptySettings(),
 			Detections: []*model.Detection{
 				{
+					Auditable:   model.Auditable{Id: "1"},
 					PublicID:    SimpleRuleSID,
 					Content:     SimpleRule,
 					IsEnabled:   true,
@@ -793,6 +794,7 @@ func TestSyncCommunitySuricata(t *testing.T) {
 			InitialSettings: emptySettings(),
 			Detections: []*model.Detection{
 				{
+					Auditable:   model.Auditable{Id: "1"},
 					PublicID:    SimpleRuleSID,
 					Content:     SimpleRule,
 					IsEnabled:   true,
@@ -811,6 +813,51 @@ func TestSyncCommunitySuricata(t *testing.T) {
 				"suricata.thresholding.sids__yaml": "{}\n",
 			},
 		},
+		{
+			Name: "update existing community rule",
+			InitialSettings: []*model.Setting{
+				{Id: "idstools.rules.local__rules", Value: SimpleRule},
+				{Id: "idstools.sids.enabled"},
+				{Id: "idstools.sids.disabled"},
+				{Id: "idstools.sids.modify"},
+				{Id: "suricata.thresholding.sids__yaml"},
+			},
+			Detections: []*model.Detection{
+				{
+					Auditable:   model.Auditable{Id: "1"},
+					PublicID:    SimpleRuleSID,
+					Content:     SimpleRule,
+					IsEnabled:   false,
+					IsCommunity: true,
+				},
+			},
+			ChangedByUser: true,
+			InitMock: func(detStore *servermock.MockDetectionstore) {
+				detStore.EXPECT().GetAllDetections(gomock.Any(), gomock.Any(), gomock.Any()).Return(map[string]*model.Detection{
+					SimpleRuleSID: {
+						Auditable:   model.Auditable{Id: "1"},
+						PublicID:    SimpleRuleSID,
+						Content:     SimpleRule,
+						IsEnabled:   true,
+						IsCommunity: true,
+					},
+				}, nil)
+				detStore.EXPECT().UpdateDetection(gomock.Any(), gomock.Any()).Return(&model.Detection{
+					Auditable:   model.Auditable{Id: "1"},
+					PublicID:    SimpleRuleSID,
+					Content:     SimpleRule,
+					IsEnabled:   false,
+					IsCommunity: true,
+				}, nil)
+			},
+			ExpectedSettings: map[string]string{
+				"idstools.rules.local__rules":      SimpleRule,
+				"idstools.sids.enabled":            "",
+				"idstools.sids.disabled":           SimpleRuleSID,
+				"idstools.sids.modify":             "",
+				"suricata.thresholding.sids__yaml": "{}\n",
+			},
+		},
 	}
 
 	ctrl := gomock.NewController(t)
@@ -840,6 +887,10 @@ func TestSyncCommunitySuricata(t *testing.T) {
 			assert.Equal(t, test.ExpectedErr, err)
 			assert.Equal(t, test.ExpectedErrMap, errMap)
 
+			for _, det := range test.Detections {
+				assert.NotEmpty(t, det.Id)
+			}
+
 			set, err := mCfgStore.GetSettings(ctx)
 			assert.NoError(t, err, "GetSettings should not return an error")
 

From 20321f0ffce4bf4221dbfcc3983d5a084b45a18d Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 13 Jun 2024 12:33:48 -0600
Subject: [PATCH 33/57] Fix a test

---
 server/modules/elastic/elasticdetectionstore_test.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/modules/elastic/elasticdetectionstore_test.go b/server/modules/elastic/elasticdetectionstore_test.go
index 59f19bcf..56d9a4cb 100644
--- a/server/modules/elastic/elasticdetectionstore_test.go
+++ b/server/modules/elastic/elasticdetectionstore_test.go
@@ -694,6 +694,7 @@ func TestUpdateDetectionValid(t *testing.T) {
 	reqDet.UpdateTime = nil
 	reqDet.Overrides = nil
 	detWithoutId.CreateTime = nil
+	detWithoutId.Id = ""
 	assert.Equal(t, detWithoutId, reqDet)
 
 	body, err := io.ReadAll(reqs[1].Body)

From 3e9e5b654909f6e598aca8c13b626d2d1a28af7d Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 13 Jun 2024 16:20:47 -0600
Subject: [PATCH 34/57] Data-Aid, gear, i18n

Added data-aid properties to the (now) gear icons that take you to suricata's vars in the config.

Updated column definitions to use i18n values.
---
 html/index.html             |  8 ++++----
 html/js/i18n.js             |  4 ++++
 html/js/routes/detection.js | 26 +++++++++++++-------------
 3 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/html/index.html b/html/index.html
index 526ca21f..97dd62c0 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1346,8 +1346,8 @@ <h3 class="text--primary">{{ i18n.commentAddDetection }}</h3>
                       <!-- ip -->
                       <v-text-field v-if="newOverride.type === 'suppress'" id="new-override-ip-edit" v-model="newOverride.ip" :rules="[rules.required, rules.cidrFormat]" persistent-hint :hint="i18n.ipCidr" data-aid="detection_new_override_suppress_ip_input">
                         <template v-slot:append-outer>
-                          <router-link :to="{ name: 'config', query: { s: 'suricata.config.vars' }}" target="_blank">
-                            <v-icon>fa-regular fa-circle-question</v-icon>
+                          <router-link :to="{ name: 'config', query: { s: 'suricata.config.vars' }}" target="_blank" data-aid="new_override_ip_edit_config_shortcut">
+                            <v-icon>fa fa-gear</v-icon>
                           </router-link>
                         </template>
                       </v-text-field>
@@ -1489,8 +1489,8 @@ <h3 class="text--primary">{{ i18n.commentAddDetection }}</h3>
                             <v-text-field id="override-ip-edit" ref="override-ip" hide-details="auto" outlined v-model="item.ip" :rules="[rules.required, rules.cidrFormat]"
                               persistent-hint :hint="i18n.ipCidr" v-on:keyup.enter="isFieldValid('override-ip') && stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)" data-aid="detection_override_suppress_ip_input">
                             <template v-slot:append-outer>
-                              <router-link :to="{ name: 'config', query: { s: 'suricata.config.vars' }}" target="_blank">
-                                <v-icon>fa-regular fa-circle-question</v-icon>
+                              <router-link :to="{ name: 'config', query: { s: 'suricata.config.vars' }}" target="_blank" data-aid="override_ip_edit_config_shortcut">
+                                <v-icon>fa fa-gear</v-icon>
                               </router-link>
                             </template>
                             </v-text-field>
diff --git a/html/js/i18n.js b/html/js/i18n.js
index a71a25e0..7440f834 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -120,6 +120,7 @@ const i18n = {
       beginTimeHelp: 'Filter start time in RFC 3339 format (Ex: 2020-10-16 13:00:00.230-04:00). Unused for imported PCAPs.',
       betweenOp: 'Between',
       blog: 'Blog',
+      both: 'Both',
       bulkAction: 'Bulk Action:',
       bulkActionStarted: 'Updating {total} detections. This may take awhile.',
       bulkActionDeleteStarted: 'Deleting {total} detections. This may take awhile.',
@@ -395,6 +396,7 @@ const i18n = {
       extract: 'Extract',
       incomplete: 'Incomplete',
       invalidHours: 'Hours are not valid. Ex: 1.5',
+      ipVar: 'IP/Var',
       failedEvents: 'Failed Events',
       fault: 'Fault',
       featureRequiresAppliance: 'Feature Unavailable',
@@ -552,6 +554,7 @@ const i18n = {
       licenseShort: 'ELv2',
       licenseStatus: 'Status',
       licenseTerms: 'License Terms',
+      limit: 'Limit',
       lks: 'Encr. Disk',
       loadAverage: 'Load Average',
       loadAverageAbbr: 'Load 1m',
@@ -846,6 +849,7 @@ const i18n = {
       syncFailure: 'Something went wrong attempting to synchronize {engine} community rules. Check SOC logs for details.',
       systemUser: "System",
       tags: 'Tags',
+      threshold: 'Threshold',
       thresholdType: 'Threshold Type',
       throttledLogin: 'Excessive login requests detected. Login requests can resume momentarily.',
       time: 'Time',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index c7355177..45569325 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -61,28 +61,28 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			expanded: [],
 			overrideHeaders: {
 				'elastalert': [
-					{ text: 'Enabled', value: 'isEnabled' },
-					{ text: 'Type', value: 'type' },
-					{ text: 'Track', value: 'track' },
-					{ text: 'Created', value: 'createdAt', format: true },
-					{ text: 'Updated', value: 'updatedAt', format: true },
+					{ text: this.$root.i18n.enabled, value: 'isEnabled' },
+					{ text: this.$root.i18n.type, value: 'type' },
+					{ text: this.$root.i18n.track, value: 'track' },
+					{ text: this.$root.i18n.dateCreated, value: 'createdAt', format: true },
+					{ text: this.$root.i18n.dateModified, value: 'updatedAt', format: true },
 				],
 				'strelka': [], // no overrides
 				'suricata': [
-					{ text: 'Enabled', value: 'isEnabled' },
-					{ text: 'Type', value: 'type' },
-					{ text: 'IP/Var', value: 'ip' },
-					{ text: 'Created', value: 'createdAt', format: true },
-					{ text: 'Updated', value: 'updatedAt', format: true },
+					{ text: this.$root.i18n.enabled, value: 'isEnabled' },
+					{ text: this.$root.i18n.type, value: 'type' },
+					{ text: this.$root.i18n.ipVar, value: 'ip' },
+					{ text: this.$root.i18n.dateCreated, value: 'createdAt', format: true },
+					{ text: this.$root.i18n.dateModified, value: 'updatedAt', format: true },
 				],
 			},
 			zone: moment.tz.guess(),
 			newOverride: null,
 			newOverrideValid: false,
 			thresholdTypes: [
-				{ value: 'threshold', text: 'Threshold' },
-				{ value: 'limit', text: 'Limit' },
-				{ value: 'both', text: 'Both' }
+				{ value: 'threshold', text: this.$root.i18n.threshold },
+				{ value: 'limit', text: this.$root.i18n.limit },
+				{ value: 'both', text: this.$root.i18n.both }
 			],
 			historyTableOpts: {
 				sortBy: 'updateTime',

From bda98f468ea84b517ff60f8b6b4311751f316730 Mon Sep 17 00:00:00 2001
From: unknown <mcwmtg@gmail.com>
Date: Fri, 14 Jun 2024 12:28:42 -0400
Subject: [PATCH 35/57] Updated i18n

---
 html/js/i18n.js             | 2 ++
 html/js/routes/detection.js | 8 ++++----
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/html/js/i18n.js b/html/js/i18n.js
index 7440f834..c73ab44a 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -584,6 +584,7 @@ const i18n = {
       minutes: 'minutes',
       missingPublicIdErr: "This detection is missing its public Id. A public Id is required.",
       model: 'Model',
+      modify: 'Modify',
       module: 'Module',
       months: 'months',
       moreColumns: 'Show additional, sensor-related columns',
@@ -841,6 +842,7 @@ const i18n = {
       stenoLossAbbr: 'Steno Loss',
       stg: 'Security Tech Impl Guides',
       summary: 'Summary',
+      suppress: 'Suppress',
       suricataLoss: 'Suricata Loss',
       suricataLossAbbr: 'Suri Loss',
       swapUsage: 'Swap Usage',
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 45569325..e647d684 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -929,13 +929,13 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			switch (engine) {
 				case 'suricata':
 					return [
-						{ value: 'modify', text: 'Modify' },
-						{ value: 'suppress', text: 'Suppress' },
-						{ value: 'threshold', text: 'Threshold' }
+						{ value: 'modify', text: this.i18n.modify },
+						{ value: 'suppress', text: this.i18n.suppress },
+						{ value: 'threshold', text: this.i18n.threshold }
 					];
 				case 'elastalert':
 					return [
-						{ value: 'customFilter', text: 'Custom Filter' }
+						{ value: 'customFilter', text: this.i18n.customFilter }
 					];
 			}
 

From 5d38621527844153cf876a9bed6e866e0151286b Mon Sep 17 00:00:00 2001
From: mc-wright <mcwmtg@gmail.com>
Date: Mon, 17 Jun 2024 14:55:01 -0400
Subject: [PATCH 36/57] Fixed bulk action count bug

---
 html/js/routes/hunt.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index bfa40161..9366eeac 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -2256,7 +2256,7 @@ const huntComponent = {
           msg = this.i18n.bulkActionDeleteStarted;
         }
 
-        msg = msg.replace('{total}', this.selectedCount.toLocaleString());
+        msg = msg.replace('{total}', (this.selectAllState === true ? this.totalEvents : this.selectedCount).toLocaleString());
 
         this.$root.showTip(msg);
 

From 8f7b6e7618435b02a35078f10806841b8c418f8a Mon Sep 17 00:00:00 2001
From: mc-wright <mcwmtg@gmail.com>
Date: Mon, 17 Jun 2024 15:49:41 -0400
Subject: [PATCH 37/57] Get count from server for bulk action tip

---
 html/js/routes/hunt.js     |  4 ++--
 server/detectionhandler.go | 12 +++++++++---
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/html/js/routes/hunt.js b/html/js/routes/hunt.js
index 9366eeac..2827cfb8 100644
--- a/html/js/routes/hunt.js
+++ b/html/js/routes/hunt.js
@@ -2249,14 +2249,14 @@ const huntComponent = {
       }
 
       try {
-        await this.$root.papi.post('detection/bulk/' + this.selectedAction, payload);
+        const request = await this.$root.papi.post('detection/bulk/' + this.selectedAction, payload);
 
         let msg = this.i18n.bulkActionStarted;
         if (this.selectedAction === 'delete') {
           msg = this.i18n.bulkActionDeleteStarted;
         }
 
-        msg = msg.replace('{total}', (this.selectAllState === true ? this.totalEvents : this.selectedCount).toLocaleString());
+        msg = msg.replace('{total}', request.data.count.toLocaleString());
 
         this.$root.showTip(msg);
 
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index 5235865e..6b6b2e6d 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -412,7 +412,9 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 			det := d.(*model.Detection)
 			if det.IsCommunity {
 				containsCommunity = true
-				break
+				if delete {
+					break
+				}
 			}
 
 			IDs = append(IDs, det.Id)
@@ -429,7 +431,9 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 
 				if det.IsCommunity {
 					containsCommunity = true
-					break
+					if delete {
+						break
+					}
 				}
 			}
 		}
@@ -448,7 +452,9 @@ func (h *DetectionHandler) bulkUpdateDetection(w http.ResponseWriter, r *http.Re
 
 	go h.bulkUpdateDetectionAsync(noTimeOutCtx, body, IDs)
 
-	web.Respond(w, r, http.StatusAccepted, nil)
+	web.Respond(w, r, http.StatusAccepted, map[string]interface{}{
+		"count": len(IDs),
+	})
 }
 
 // bulkUpdateDetectionAsync is a helper function that performs the bulk update in a separate goroutine.

From af9d6c3702806dd3196d626fe7110e9ddee28f85 Mon Sep 17 00:00:00 2001
From: mc-wright <mcwmtg@gmail.com>
Date: Mon, 17 Jun 2024 16:48:54 -0400
Subject: [PATCH 38/57] Updated tests to account for bulk action changes

---
 .gitignore                  | 1 +
 html/js/routes/hunt.test.js | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index 46dd202b..a7e0b73c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,6 +8,7 @@ nsm/
 coverage/
 .vscode/
 .DS_Store
+node_modules/
 
 # Pytest output
 __pycache__
diff --git a/html/js/routes/hunt.test.js b/html/js/routes/hunt.test.js
index 15f3c20f..ce51d5be 100644
--- a/html/js/routes/hunt.test.js
+++ b/html/js/routes/hunt.test.js
@@ -1219,7 +1219,7 @@ test('bulkAction - enable', async () => {
   comp.selectAllState = 'indeterminate';
   comp.eventData = [{ _isSelected: true, soc_id: "1" }, { _isSelected: false, soc_id: "2" }, { _isSelected: true, soc_id: "3" }];
   comp.hunt = jest.fn();
-  const mock = resetPapi().mockPapi('post', { data: {} }, null);
+  const mock = resetPapi().mockPapi('post', { data: { count: 2 }, }, null);
 
   await comp.bulkAction(true);
 
@@ -1240,7 +1240,7 @@ test('bulkAction - disable', async () => {
   comp.selectAllState = 'indeterminate';
   comp.eventData = [{ _isSelected: true, soc_id: "1" }, { _isSelected: false, soc_id: "2" }, { _isSelected: true, soc_id: "3" }];
   comp.hunt = jest.fn();
-  const mock = resetPapi().mockPapi('post', { data: {} }, null);
+  const mock = resetPapi().mockPapi('post', { data: { count: 2 } }, null);
 
   await comp.bulkAction(true);
 
@@ -1262,7 +1262,7 @@ test('bulkAction - delete - confirm - success', async () => {
   comp.selectAllState = 'indeterminate';
   comp.eventData = [{ _isSelected: true, soc_id: "1" }, { _isSelected: false, soc_id: "2" }, { _isSelected: true, soc_id: "3" }];
   comp.hunt = jest.fn();
-  const mock = resetPapi().mockPapi('post', { data: {} }, null);
+  const mock = resetPapi().mockPapi('post', { data: { count: 2 } }, null);
 
   await comp.bulkAction(true);
 

From 72d002ab374954e17c890ae4524be8caa25d9928 Mon Sep 17 00:00:00 2001
From: Doug Burks <doug.burks@securityonionsolutions.com>
Date: Tue, 18 Jun 2024 10:15:51 -0400
Subject: [PATCH 39/57] FEATURE: Add new Process actions
 Security-Onion-Solutions/securityonion#13226

---
 html/js/i18n.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/html/js/i18n.js b/html/js/i18n.js
index c73ab44a..e201dc93 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -36,10 +36,14 @@ const i18n = {
       actionHuntHelp: 'Hunt for this field',
       actionPcap: 'PCAP',
       actionPcapHelp: 'Show PCAP for this event',
+      actionProcessAllInfo: 'Process All Info',
+      actionProcessAllInfoHelp: 'Show all logs that include this process\'s entity_id in any field',
       actionProcessAncestors: 'Process Ancestors',
       actionProcessAncestorsHelp: 'Show all parent processes for this process',
+      actionProcessChildInfo: 'Process and Child Info',
+      actionProcessChildInfoHelp: 'Show all logs that include this process\'s entity_id in either the process.entity_id or process.parent.entity_id fields',
       actionProcessInfo: 'Process Info',
-      actionProcessInfoHelp: 'Show all logs for this process',
+      actionProcessInfoHelp: 'Show all logs that include this process\'s entity_id in the entity_id field',
       actionRelatedAlerts: 'Related Alerts',
       actionRelatedAlertsHelp: 'Find alerts related to this detection',
       actionSublime: 'Sublime Platform Email Review',

From 1084f660f574a604061ccbf1ee6f987c6d6bc013 Mon Sep 17 00:00:00 2001
From: mc-wright <mcwmtg@gmail.com>
Date: Tue, 18 Jun 2024 12:54:40 -0400
Subject: [PATCH 40/57] Comment bugfix

---
 .gitignore                  |  1 +
 html/index.html             |  2 +-
 html/js/routes/detection.js | 12 +++++-------
 3 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/.gitignore b/.gitignore
index 46dd202b..78e1ef08 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,6 +8,7 @@ nsm/
 coverage/
 .vscode/
 .DS_Store
+node_modules
 
 # Pytest output
 __pycache__
diff --git a/html/index.html b/html/index.html
index 97dd62c0..3ad2ce73 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1166,7 +1166,7 @@ <h2 id="detection-title">{{ detect.title }}</h2>
                       <v-btn :title="i18n.addCommentHelp" color="primary" @click.stop="prepareForInput('comment-input')" id="add-comment-button" data-aid="detection_comments_new">
                         <v-icon>fa-plus</v-icon>
                       </v-btn>
-                      <v-btn class="mx-1" :title="i18n.refreshCommentsHelp" color="secondary" @click.stop="reloadAssociation(true)" id="refresh-comments-button" data-aid="detection_comments_refresh">
+                      <v-btn class="mx-1" :title="i18n.refreshCommentsHelp" color="secondary" @click.stop="loadComments(true)" id="refresh-comments-button" data-aid="detection_comments_refresh">
                         <v-icon>fa-sync</v-icon>
                       </v-btn>
                     </v-toolbar>
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index e647d684..d10eb51a 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -1077,16 +1077,12 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 			el.scrollIntoView()
 			el.focus();
 		},
-		async reloadComments(showLoadingIndicator = false) {
+		async loadComments(showLoadingIndicator = false) {
 			if (showLoadingIndicator) this.$root.startLoading();
-			this.comments = [];
-			await this.loadComments();
-			if (showLoadingIndicator) this.$root.stopLoading();
-		},
-		async loadComments() {
 			try {
 				const response = await this.$root.papi.get(`detection/${this.detect.id}/comment`);
 				if (response && response.data) {
+					this.comments = [];
 					for (var idx = 0; idx < response.data.length; idx++) {
 						const obj = response.data[idx];
 
@@ -1107,6 +1103,8 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 				}
 			} catch (error) {
 				this.$root.showError(error);
+			} finally {
+				if (showLoadingIndicator) this.$root.stopLoading();
 			}
 		},
 		async addComment() {
@@ -1140,7 +1138,7 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 
 				if (response && response.data) {
 					if (isUpdate) {
-						this.reloadComments();
+						this.loadComments();
 					} else {
 						await this.$root.populateUserDetails(response.data, "userId", "owner");
 						this.comments.push(response.data);

From 58f5477084d30e985d29b0233d7aa70137e1b38f Mon Sep 17 00:00:00 2001
From: mc-wright <mcwmtg@gmail.com>
Date: Tue, 18 Jun 2024 16:37:47 -0400
Subject: [PATCH 41/57] Added license dropdown table in detection creation
 screen

---
 html/index.html | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/html/index.html b/html/index.html
index 3ad2ce73..6538f889 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1089,7 +1089,10 @@ <h2 id="detection-title">{{ detect.title }}</h2>
                   </span>
 
                   <!-- License -->
-                  <v-text-field id="detection-license-create" class="mt-0" v-model="detect.license" persistent-hint :hint="i18n.license" data-aid="detection_license_input" />
+                  <span data-aid="detection_new_license_select">
+                    <v-select id="detection-license-create" v-if="!isPresetCustomEnabled('license')" v-model="detect.license" :items="getPresets('license')" persistent-hint :hint="i18n.license" :rules="[rules.required]"/>
+                    <v-combobox id="detection-license-create" v-if="isPresetCustomEnabled('license')" v-model="detect.license" :items="getPresets('license')" persistent-hint :hint="i18n.license" :rules="[rules.required]"/>
+                  </span>
 
                   <!-- Signature -->
                   <div class="font-weight-bold mb-1">{{ i18n.signature }}:</div>

From e4c6d1865ef85bdabe209af8014dbc071d798c1e Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 18 Jun 2024 12:00:55 -0600
Subject: [PATCH 42/57] Suricata Custom Rulesets

New customRulesets config option allowing the specification of download targets or local files for import.

During a sync, the custom rulesets rules are parsed and added deterministically before deduplication. If a ruleset file or target-file can't be read, the sync is aborted otherwise the `delete unreferenced community rules` part of the sync would remove all of them.

Tests.
---
 model/custom_ruleset.go                  | 102 +++++++++++
 model/custom_ruleset_test.go             | 215 +++++++++++++++++++++++
 server/modules/suricata/suricata.go      |  76 +++++++-
 server/modules/suricata/suricata_test.go | 165 +++++++++++++++++
 4 files changed, 556 insertions(+), 2 deletions(-)
 create mode 100644 model/custom_ruleset.go
 create mode 100644 model/custom_ruleset_test.go

diff --git a/model/custom_ruleset.go b/model/custom_ruleset.go
new file mode 100644
index 00000000..3538dbbe
--- /dev/null
+++ b/model/custom_ruleset.go
@@ -0,0 +1,102 @@
+package model
+
+import (
+	"fmt"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/apex/log"
+)
+
+type CustomRuleset struct {
+	Community  bool   `json:"community"`
+	License    string `json:"license"`
+	Url        string `json:"url"`
+	TargetFile string `json:"target-file"`
+	File       string `json:"file"`
+	Ruleset    string `json:"ruleset"`
+}
+
+func GetCustomRulesetsDefault(cfg map[string]interface{}, field string, dflt []*CustomRuleset) ([]*CustomRuleset, error) {
+	cfgInter, ok := cfg[field]
+	if !ok {
+		// config doesn't have any customRulesets, no error, return defaults
+		return dflt, nil
+	}
+
+	ruleMaps, ok := cfgInter.([]interface{})
+	if !ok {
+		return nil, fmt.Errorf(`top level config value "%s" is not an array of objects`, field)
+	}
+
+	rulesets := make([]*CustomRuleset, 0, len(ruleMaps))
+
+	for _, item := range ruleMaps {
+		obj, ok := item.(map[string]interface{})
+		if !ok {
+			return nil, fmt.Errorf(`"%s" entry is not an object`, field)
+		}
+
+		file, _ := obj["file"].(string)
+		url, _ := obj["url"].(string)
+		target, _ := obj["target-file"].(string)
+
+		if file == "" && url == "" && target == "" {
+			return nil, fmt.Errorf(`missing "file" or "url"+"target-file" from "%s" entry`, field)
+		}
+
+		if url != "" && target == "" {
+			return nil, fmt.Errorf(`missing "target-file" from "%s" entry`, field)
+		}
+		if target != "" && url == "" {
+			return nil, fmt.Errorf(`missing "url" from "%s" entry`, field)
+		}
+
+		ruleset, ok := obj["ruleset"].(string)
+		if !ok {
+			return nil, fmt.Errorf(`missing "ruleset" from "%s" entry`, field)
+		}
+
+		license, ok := obj["license"].(string)
+		if !ok {
+			return nil, fmt.Errorf(`missing "license" from "%s" entry`, field)
+		}
+
+		isCommunity := false
+
+		community := obj["community"]
+		switch c := community.(type) {
+		case bool:
+			isCommunity = c
+		case int:
+			isCommunity = c != 0
+		case string:
+			var err error
+			isCommunity, err = strconv.ParseBool(c)
+			if err != nil {
+				isCommunity = false
+			}
+		}
+
+		ext := filepath.Ext(file)
+		if strings.ToLower(ext) != ".rules" {
+			log.WithFields(log.Fields{
+				"file": file,
+			}).Warn("customRulesets file should have a .rules extension")
+		}
+
+		r := &CustomRuleset{
+			File:       file,
+			Url:        url,
+			TargetFile: target,
+			License:    license,
+			Community:  isCommunity,
+			Ruleset:    ruleset,
+		}
+
+		rulesets = append(rulesets, r)
+	}
+
+	return rulesets, nil
+}
diff --git a/model/custom_ruleset_test.go b/model/custom_ruleset_test.go
new file mode 100644
index 00000000..1972fd8d
--- /dev/null
+++ b/model/custom_ruleset_test.go
@@ -0,0 +1,215 @@
+package model
+
+import (
+	"testing"
+
+	"github.com/tj/assert"
+)
+
+func TestGetCustomRulesetsDefault(t *testing.T) {
+	tests := []struct {
+		Name     string
+		Cfg      map[string]interface{}
+		Default  []*CustomRuleset
+		Expected []*CustomRuleset
+		ExpError string
+	}{
+		{
+			Name: "Missing",
+			Cfg:  map[string]interface{}{},
+			Default: []*CustomRuleset{
+				{
+					Ruleset: "default",
+					License: "DRL",
+					File:    "default.rules",
+				},
+			},
+			Expected: []*CustomRuleset{
+				{
+					Ruleset: "default",
+					License: "DRL",
+					File:    "default.txt",
+				},
+			},
+		},
+		{
+			Name: "Empty",
+			Cfg: map[string]interface{}{
+				"customRulesets": []interface{}{},
+			},
+			Default: []*CustomRuleset{
+				{
+					Ruleset: "default",
+					License: "DRL",
+					File:    "default.rules",
+				},
+			},
+			Expected: []*CustomRuleset{},
+		},
+		{
+			Name: "Valid",
+			Cfg: map[string]interface{}{
+				"customRulesets": []interface{}{
+					map[string]interface{}{
+						"community":   true,
+						"url":         "https://example.com",
+						"target-file": "example.rules",
+						"ruleset":     "example",
+						"license":     "MIT",
+					},
+					map[string]interface{}{
+						"community": 1,
+						"file":      "example2.rules",
+						"ruleset":   "example2",
+						"license":   "MIT",
+					},
+					map[string]interface{}{
+						"community":   "T",
+						"url":         "https://example3.com",
+						"target-file": "example3.rules",
+						"ruleset":     "example3",
+						"license":     "MIT",
+					},
+					map[string]interface{}{
+						"community":   "definitely",
+						"url":         "https://example4.com",
+						"target-file": "example4.rules",
+						"ruleset":     "example4",
+						"license":     "DRL",
+					},
+				},
+			},
+			Default: []*CustomRuleset{},
+			Expected: []*CustomRuleset{
+				{
+					Community:  true,
+					Url:        "https://example.com",
+					TargetFile: "example.rules",
+					Ruleset:    "example",
+					License:    "MIT",
+				},
+				{
+					Community: true,
+					File:      "example2.rules",
+					Ruleset:   "example2",
+					License:   "MIT",
+				},
+				{
+					Community:  true,
+					Url:        "https://example3.com",
+					TargetFile: "example3.rules",
+					Ruleset:    "example3",
+					License:    "MIT",
+				},
+				{
+					Community:  false,
+					Url:        "https://example4.com",
+					TargetFile: "example4.rules",
+					Ruleset:    "example4",
+					License:    "DRL",
+				},
+			},
+		},
+		{
+			Name: "Invalid Type",
+			Cfg: map[string]interface{}{
+				"customRulesets": "invalid",
+			},
+			Default:  []*CustomRuleset{},
+			ExpError: `top level config value "customRulesets" is not an array of objects`,
+		},
+		{
+			Name: "Invalid Entry",
+			Cfg: map[string]interface{}{
+				"customRulesets": []interface{}{
+					"invalid",
+				},
+			},
+			Default:  []*CustomRuleset{},
+			ExpError: `"customRulesets" entry is not an object`,
+		},
+		{
+			Name: "Invalid Key/Value Pairs",
+			Cfg: map[string]interface{}{
+				"customRulesets": []interface{}{
+					map[string]interface{}{
+						"wrong": "key/value",
+					},
+				},
+			},
+			Default:  []*CustomRuleset{},
+			ExpError: `missing "file" or "url"+"target-file" from "customRulesets" entry`,
+		},
+		{
+			Name: "Missing URL",
+			Cfg: map[string]interface{}{
+				"customRulesets": []interface{}{
+					map[string]interface{}{
+						"target-file": "example.rules",
+						"ruleset":     "example",
+						"license":     "MIT",
+					},
+				},
+			},
+			Default:  []*CustomRuleset{},
+			ExpError: `missing "url" from "customRulesets" entry`,
+		},
+		{
+			Name: "Missing Target",
+			Cfg: map[string]interface{}{
+				"customRulesets": []interface{}{
+					map[string]interface{}{
+						"url":     "https://example.com",
+						"ruleset": "example",
+						"license": "MIT",
+					},
+				},
+			},
+			Default:  []*CustomRuleset{},
+			ExpError: `missing "target-file" from "customRulesets" entry`,
+		},
+		{
+			Name: "Missing Ruleset",
+			Cfg: map[string]interface{}{
+				"customRulesets": []interface{}{
+					map[string]interface{}{
+						"url":         "https://example.com",
+						"target-file": "example.rules",
+						"license":     "MIT",
+					},
+				},
+			},
+			Default:  []*CustomRuleset{},
+			ExpError: `missing "ruleset" from "customRulesets" entry`,
+		},
+		{
+			Name: "Missing License",
+			Cfg: map[string]interface{}{
+				"customRulesets": []interface{}{
+					map[string]interface{}{
+						"url":         "https://example.com",
+						"target-file": "example.rules",
+						"ruleset":     "example",
+					},
+				},
+			},
+			Default:  []*CustomRuleset{},
+			ExpError: `missing "license" from "customRulesets" entry`,
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			out, err := GetCustomRulesetsDefault(test.Cfg, "customRulesets", test.Default)
+			if test.ExpError != "" {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), test.ExpError)
+			} else {
+				assert.NoError(t, err)
+			}
+
+			assert.Equal(t, test.Expected, out)
+		})
+	}
+}
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index c11593a5..26ada71b 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -9,6 +9,7 @@ import (
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
+	"errors"
 	"fmt"
 	"io"
 	"io/fs"
@@ -56,6 +57,8 @@ const (
 	DEFAULT_COMMUNITY_RULES_IMPORT_ERROR_SECS     = 300
 	DEFAULT_FAIL_AFTER_CONSECUTIVE_ERROR_COUNT    = 10
 	DEFAULT_INTEGRITY_CHECK_FREQUENCY_SECONDS     = 600
+
+	CUSTOM_RULE_LOC = "/nsm/rules/detect-suricata/custom_temp"
 )
 
 type IOManager interface {
@@ -82,6 +85,7 @@ type SuricataEngine struct {
 	notify                               bool
 	stateFilePath                        string
 	migrations                           map[string]func(string) error
+	customRulesets                       []*model.CustomRuleset
 	detections.IntegrityCheckerData
 	model.EngineState
 	IOManager
@@ -142,6 +146,10 @@ func (e *SuricataEngine) Init(config module.ModuleConfig) (err error) {
 	}
 
 	e.stateFilePath = module.GetStringDefault(config, "stateFilePath", DEFAULT_STATE_FILE_PATH)
+	e.customRulesets, err = model.GetCustomRulesetsDefault(config, "customRulesets", []*model.CustomRuleset{})
+	if err != nil {
+		return fmt.Errorf("unable to get custom rulesets: %w", err)
+	}
 
 	return nil
 }
@@ -509,12 +517,28 @@ func (e *SuricataEngine) watchCommunityRules() {
 			continue
 		}
 
-		commDetections = detections.DeduplicateByPublicId(commDetections)
-
 		for _, d := range commDetections {
 			d.IsCommunity = true
 		}
 
+		dets, err := e.ReadCustomRulesets()
+		if err != nil {
+			if e.notify {
+				e.srv.Host.Broadcast("detection-sync", "detections", server.SyncStatus{
+					Engine: model.EngineNameSuricata,
+					Status: "error",
+				})
+			}
+
+			log.WithError(err).Error("unable to parse custom rulesets")
+
+			continue
+		}
+
+		commDetections = append(commDetections, dets...)
+
+		commDetections = detections.DeduplicateByPublicId(commDetections)
+
 		errMap, err := e.syncCommunityDetections(ctx, commDetections, true, allSettings)
 		if err != nil {
 			if err == errModuleStopped {
@@ -1581,6 +1605,54 @@ func (e *SuricataEngine) DuplicateDetection(ctx context.Context, detection *mode
 	return det, nil
 }
 
+func (e *SuricataEngine) ReadCustomRulesets() (detects []*model.Detection, err error) {
+	detects = []*model.Detection{}
+
+	for _, custom := range e.customRulesets {
+		var content []byte
+
+		if custom.File != "" {
+			content, err = e.ReadFile(custom.File)
+			if err != nil {
+				log.WithError(err).WithField("file", custom.File).Error("unable to read custom ruleset File, skipping")
+
+				return nil, err
+			}
+		} else if custom.Url != "" && custom.TargetFile != "" {
+			path := filepath.Join(CUSTOM_RULE_LOC, custom.TargetFile)
+
+			content, err = e.ReadFile(path)
+			if err != nil {
+				log.WithError(err).WithField("file", path).Error("unable to read custom ruleset TargetFile, skipping")
+
+				return nil, err
+			}
+		} else {
+			log.WithFields(log.Fields{
+				"rulesetName": custom.Ruleset,
+			}).Error("invalid custom ruleset, skipping")
+
+			return nil, errors.New("invalid custom ruleset")
+		}
+
+		dets, err := e.ParseRules(string(content), custom.Ruleset, false)
+		if err != nil {
+			log.WithError(err).WithField("rulesetName", custom.Ruleset).Error("unable to parse custom ruleset, skipping")
+
+			return nil, err
+		}
+
+		for _, detect := range dets {
+			detect.IsCommunity = custom.Community
+			detect.License = custom.License
+
+			detects = append(detects, detect)
+		}
+	}
+
+	return detects, nil
+}
+
 func (e *SuricataEngine) IntegrityCheck(canInterrupt bool) error {
 	// escape
 	if canInterrupt && !e.IntegrityCheckerData.IsRunning {
diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index f1cded25..09054180 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -7,6 +7,7 @@ package suricata
 
 import (
 	"context"
+	"errors"
 	"regexp"
 	"sort"
 	"strings"
@@ -16,6 +17,7 @@ import (
 	"github.com/security-onion-solutions/securityonion-soc/module"
 	"github.com/security-onion-solutions/securityonion-soc/server"
 	servermock "github.com/security-onion-solutions/securityonion-soc/server/mock"
+	"github.com/security-onion-solutions/securityonion-soc/server/modules/suricata/mock"
 	"github.com/security-onion-solutions/securityonion-soc/util"
 	"github.com/security-onion-solutions/securityonion-soc/web"
 
@@ -1553,3 +1555,166 @@ func TestRemoveFromIndex(t *testing.T) {
 		"300000": 2,
 	}, localIndex)
 }
+
+func TestReadCustomRulesets(t *testing.T) {
+	tests := []struct {
+		Name          string
+		Rulesets      []*model.CustomRuleset
+		InitMock      func(io *mock.MockIOManager)
+		ExpDetections []*model.Detection
+		ExpError      string
+	}{
+		{
+			Name:          "Empty",
+			Rulesets:      []*model.CustomRuleset{},
+			ExpDetections: []*model.Detection{},
+		},
+		{
+			Name: "Simple File",
+			Rulesets: []*model.CustomRuleset{
+				{
+					Community: true,
+					License:   "DRL",
+					File:      "testdata/simple.rules",
+					Ruleset:   "ruleset",
+				},
+			},
+			InitMock: func(io *mock.MockIOManager) {
+				io.EXPECT().ReadFile("testdata/simple.rules").Return([]byte(SimpleRule), nil)
+			},
+			ExpDetections: []*model.Detection{
+				{
+					PublicID: SimpleRuleSID,
+
+					Title:       "GPL ATTACK_RESPONSE id check returned root",
+					Severity:    model.SeverityUnknown,
+					Author:      "ruleset",
+					Category:    "GPL ATTACK_RESPONSE",
+					Content:     "alert http any any -> any any (msg:\"GPL ATTACK_RESPONSE id check returned root\"; content:\"uid=0|28|root|29|\"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)",
+					IsEnabled:   true,
+					IsCommunity: true,
+					Engine:      model.EngineNameSuricata,
+					Language:    model.SigLangSuricata,
+					Ruleset:     "ruleset",
+					License:     "DRL",
+				},
+			},
+		},
+		{
+			Name: "Simple URL",
+			Rulesets: []*model.CustomRuleset{
+				{
+					Community:  true,
+					License:    "DRL",
+					Url:        "x",
+					TargetFile: "target.file",
+					Ruleset:    "ruleset",
+				},
+			},
+			InitMock: func(io *mock.MockIOManager) {
+				io.EXPECT().ReadFile("/nsm/rules/detect-suricata/custom_temp/target.file").Return([]byte(SimpleRule), nil)
+			},
+			ExpDetections: []*model.Detection{
+				{
+					PublicID: SimpleRuleSID,
+
+					Title:       "GPL ATTACK_RESPONSE id check returned root",
+					Severity:    model.SeverityUnknown,
+					Author:      "ruleset",
+					Category:    "GPL ATTACK_RESPONSE",
+					Content:     "alert http any any -> any any (msg:\"GPL ATTACK_RESPONSE id check returned root\"; content:\"uid=0|28|root|29|\"; classtype:bad-unknown; sid:10000; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)",
+					IsEnabled:   true,
+					IsCommunity: true,
+					Engine:      model.EngineNameSuricata,
+					Language:    model.SigLangSuricata,
+					Ruleset:     "ruleset",
+					License:     "DRL",
+				},
+			},
+		},
+		{
+			Name: "Bad File, Good Url",
+			Rulesets: []*model.CustomRuleset{
+				{
+					Community:  true,
+					License:    "DRL",
+					Url:        "x",
+					TargetFile: "target.file",
+					Ruleset:    "ruleset",
+				},
+				{
+					Community: true,
+					License:   "DRL",
+					File:      "testdata/simple.rules",
+					Ruleset:   "ruleset",
+				},
+			},
+			InitMock: func(io *mock.MockIOManager) {
+				io.EXPECT().ReadFile("/nsm/rules/detect-suricata/custom_temp/target.file").Return([]byte(SimpleRule), nil)
+				io.EXPECT().ReadFile("testdata/simple.rules").Return(nil, errors.New("bad file"))
+			},
+			ExpError: "bad file",
+		},
+		{
+			Name: "Bad Url, Good File",
+			Rulesets: []*model.CustomRuleset{
+				{
+					Community: true,
+					License:   "DRL",
+					File:      "testdata/simple.rules",
+					Ruleset:   "ruleset",
+				},
+				{
+					Community:  true,
+					License:    "DRL",
+					Url:        "x",
+					TargetFile: "target.file",
+					Ruleset:    "ruleset",
+				},
+			},
+			InitMock: func(io *mock.MockIOManager) {
+				io.EXPECT().ReadFile("testdata/simple.rules").Return([]byte(SimpleRule), nil)
+				io.EXPECT().ReadFile("/nsm/rules/detect-suricata/custom_temp/target.file").Return(nil, errors.New("bad file"))
+			},
+			ExpError: "bad file",
+		},
+		{
+			Name: "Bad Custom Ruleset",
+			Rulesets: []*model.CustomRuleset{
+				{},
+			},
+			ExpError: "invalid custom ruleset",
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			ctrl := gomock.NewController(t)
+			defer ctrl.Finish()
+
+			io := mock.NewMockIOManager(ctrl)
+
+			e := &SuricataEngine{
+				customRulesets: test.Rulesets,
+				IOManager:      io,
+				isRunning:      true,
+			}
+
+			if test.InitMock != nil {
+				test.InitMock(io)
+			}
+
+			detects, err := e.ReadCustomRulesets()
+
+			if test.ExpError != "" {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), test.ExpError)
+			} else {
+				assert.NoError(t, err)
+			}
+
+			assert.Equal(t, test.ExpDetections, detects)
+		})
+	}
+}

From 4751c8bf8bfce862f070f09261db499b4b0350c6 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Tue, 18 Jun 2024 15:02:06 -0600
Subject: [PATCH 43/57] Less Generic Log Fields

Gave more descriptive names to some newly added logging statements.
---
 model/custom_ruleset.go             | 2 +-
 server/modules/suricata/suricata.go | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/model/custom_ruleset.go b/model/custom_ruleset.go
index 3538dbbe..33e5055b 100644
--- a/model/custom_ruleset.go
+++ b/model/custom_ruleset.go
@@ -82,7 +82,7 @@ func GetCustomRulesetsDefault(cfg map[string]interface{}, field string, dflt []*
 		ext := filepath.Ext(file)
 		if strings.ToLower(ext) != ".rules" {
 			log.WithFields(log.Fields{
-				"file": file,
+				"customRulesetFile": file,
 			}).Warn("customRulesets file should have a .rules extension")
 		}
 
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 26ada71b..3eac7421 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -1614,7 +1614,7 @@ func (e *SuricataEngine) ReadCustomRulesets() (detects []*model.Detection, err e
 		if custom.File != "" {
 			content, err = e.ReadFile(custom.File)
 			if err != nil {
-				log.WithError(err).WithField("file", custom.File).Error("unable to read custom ruleset File, skipping")
+				log.WithError(err).WithField("customRulesetFilePath", custom.File).Error("unable to read custom ruleset File, skipping")
 
 				return nil, err
 			}
@@ -1623,7 +1623,7 @@ func (e *SuricataEngine) ReadCustomRulesets() (detects []*model.Detection, err e
 
 			content, err = e.ReadFile(path)
 			if err != nil {
-				log.WithError(err).WithField("file", path).Error("unable to read custom ruleset TargetFile, skipping")
+				log.WithError(err).WithField("customRulesetTargetFilePath", path).Error("unable to read custom ruleset TargetFile, skipping")
 
 				return nil, err
 			}
@@ -1637,7 +1637,7 @@ func (e *SuricataEngine) ReadCustomRulesets() (detects []*model.Detection, err e
 
 		dets, err := e.ParseRules(string(content), custom.Ruleset, false)
 		if err != nil {
-			log.WithError(err).WithField("rulesetName", custom.Ruleset).Error("unable to parse custom ruleset, skipping")
+			log.WithError(err).WithField("customRulesetName", custom.Ruleset).Error("unable to parse custom ruleset, skipping")
 
 			return nil, err
 		}

From 70fa1e927415a76b55d8d59263e73147778bca41 Mon Sep 17 00:00:00 2001
From: Doug Burks <doug.burks@securityonionsolutions.com>
Date: Thu, 20 Jun 2024 09:48:58 -0400
Subject: [PATCH 44/57] Update i18n.js to make process.entity_id references
 consistent

---
 html/js/i18n.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/html/js/i18n.js b/html/js/i18n.js
index e201dc93..3d952f83 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -43,7 +43,7 @@ const i18n = {
       actionProcessChildInfo: 'Process and Child Info',
       actionProcessChildInfoHelp: 'Show all logs that include this process\'s entity_id in either the process.entity_id or process.parent.entity_id fields',
       actionProcessInfo: 'Process Info',
-      actionProcessInfoHelp: 'Show all logs that include this process\'s entity_id in the entity_id field',
+      actionProcessInfoHelp: 'Show all logs that include this process\'s entity_id in the process.entity_id field',
       actionRelatedAlerts: 'Related Alerts',
       actionRelatedAlertsHelp: 'Find alerts related to this detection',
       actionSublime: 'Sublime Platform Email Review',

From fa290352804e7a33ee5f44c6dd65f60a3dedb21a Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Thu, 20 Jun 2024 10:11:10 -0400
Subject: [PATCH 45/57] remove unintended apostrophe from data-aid attr

---
 html/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/html/index.html b/html/index.html
index 6538f889..5922424d 100644
--- a/html/index.html
+++ b/html/index.html
@@ -2253,7 +2253,7 @@ <h4 v-if="!$root.loading">{{ i18n.usersEnabled }} {{ countUsersEnabled() }} / {{
                         <v-col cols="12" lg="4">
                           <v-card>
                             <v-card-title>{{ i18n.roles }}</v-card-title>
-                            <v-card-text data-aid="'users_details_role_toggle">
+                            <v-card-text data-aid="users_details_role_toggle">
                               <v-checkbox v-for="role in roles" :key="role" :id="'role-checkbox-' + role" dense :input-value="hasRole(item, role)" :label="role" @click.stop="return toggleRole(item, role)">
                             </v-card-text>
                           </v-card>

From 4a30d06c9e88962aa92e9e3a7b79bea2a3d83c1c Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 20 Jun 2024 09:07:26 -0600
Subject: [PATCH 46/57] Fix Go Test

Corrected erroneous expected result.
---
 model/custom_ruleset_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/model/custom_ruleset_test.go b/model/custom_ruleset_test.go
index 1972fd8d..609017f1 100644
--- a/model/custom_ruleset_test.go
+++ b/model/custom_ruleset_test.go
@@ -28,7 +28,7 @@ func TestGetCustomRulesetsDefault(t *testing.T) {
 				{
 					Ruleset: "default",
 					License: "DRL",
-					File:    "default.txt",
+					File:    "default.rules",
 				},
 			},
 		},

From e7a3acf6f6d678bb506117acfd79099b079e7f38 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 20 Jun 2024 10:53:24 -0600
Subject: [PATCH 47/57] Account for customRulesets: null

Update GetCustomRulesetsDefault to account for the very probably situation of the field being present but null. Add regression test.
---
 model/custom_ruleset.go      |  2 +-
 model/custom_ruleset_test.go | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/model/custom_ruleset.go b/model/custom_ruleset.go
index 33e5055b..b627e777 100644
--- a/model/custom_ruleset.go
+++ b/model/custom_ruleset.go
@@ -20,7 +20,7 @@ type CustomRuleset struct {
 
 func GetCustomRulesetsDefault(cfg map[string]interface{}, field string, dflt []*CustomRuleset) ([]*CustomRuleset, error) {
 	cfgInter, ok := cfg[field]
-	if !ok {
+	if !ok || cfgInter == nil {
 		// config doesn't have any customRulesets, no error, return defaults
 		return dflt, nil
 	}
diff --git a/model/custom_ruleset_test.go b/model/custom_ruleset_test.go
index 609017f1..5402768e 100644
--- a/model/custom_ruleset_test.go
+++ b/model/custom_ruleset_test.go
@@ -46,6 +46,26 @@ func TestGetCustomRulesetsDefault(t *testing.T) {
 			},
 			Expected: []*CustomRuleset{},
 		},
+		{
+			Name: "Nil",
+			Cfg: map[string]interface{}{
+				"customRulesets": nil,
+			},
+			Default: []*CustomRuleset{
+				{
+					Ruleset: "default",
+					License: "DRL",
+					File:    "default.rules",
+				},
+			},
+			Expected: []*CustomRuleset{
+				{
+					Ruleset: "default",
+					License: "DRL",
+					File:    "default.rules",
+				},
+			},
+		},
 		{
 			Name: "Valid",
 			Cfg: map[string]interface{}{

From 693cba9582077bb4eb35093e4c56bc1804932d5e Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 20 Jun 2024 10:49:43 -0600
Subject: [PATCH 48/57] When duplicating a suricata rule, ensure the msg
 option's value is quoted

The msg option must be quoted for suricata to accept the rule. Now we use strconv.Quote to put the quotes we removed back.

However strconv.Quote plays with escape sequences because it tries to convert Target Strings to the source code string that when printed would print the Target String. Because we're still dealing with source (suricata source code) we must unescape everything in the string to get the desired result.
---
 server/modules/suricata/validate.go      | 13 +++--
 server/modules/suricata/validate_test.go | 60 +++++++-----------------
 2 files changed, 27 insertions(+), 46 deletions(-)

diff --git a/server/modules/suricata/validate.go b/server/modules/suricata/validate.go
index a01baa09..66bd1708 100644
--- a/server/modules/suricata/validate.go
+++ b/server/modules/suricata/validate.go
@@ -7,6 +7,7 @@ package suricata
 
 import (
 	"fmt"
+	"regexp"
 	"strconv"
 	"strings"
 	"unicode"
@@ -45,6 +46,8 @@ const (
 	stateOptions
 )
 
+var unescaper = regexp.MustCompile(`\\(.)`)
+
 func ParseSuricataRule(rule string) (*SuricataRule, error) {
 	rule = strings.TrimSpace(rule)
 	r := strings.NewReader(rule)
@@ -239,9 +242,13 @@ func (rule *SuricataRule) UpdateForDuplication(publicId string) {
 			setPublicId = true
 		} else if strings.EqualFold(opt.Name, "msg") {
 			if opt.Value != nil {
-				*opt.Value = util.Unquote(*opt.Value) + " (copy)"
+				v := util.Unquote(*opt.Value)
+				v += " (copy)"
+				v = strconv.Quote(v)
+				v = unescaper.ReplaceAllString(v, `$1`)
+				*opt.Value = v
 			} else {
-				opt.Value = util.Ptr("(copy)")
+				opt.Value = util.Ptr(`"(copy)"`)
 			}
 
 			setTitle = true
@@ -249,7 +256,7 @@ func (rule *SuricataRule) UpdateForDuplication(publicId string) {
 	}
 
 	if !setTitle {
-		rule.Options = append([]*RuleOption{{Name: "msg", Value: util.Ptr("(copy)")}}, rule.Options...)
+		rule.Options = append([]*RuleOption{{Name: "msg", Value: util.Ptr(`"(copy)"`)}}, rule.Options...)
 	}
 
 	if !setPublicId {
diff --git a/server/modules/suricata/validate_test.go b/server/modules/suricata/validate_test.go
index ae8ee19a..606f876b 100644
--- a/server/modules/suricata/validate_test.go
+++ b/server/modules/suricata/validate_test.go
@@ -234,37 +234,48 @@ func TestUpdateForDuplication(t *testing.T) {
 	}{
 		{
 			Name:          "Normal Options",
-			Input:         `alert any any <> any any (msg:"test"; sid:1; rev:1;)`,
+			Input:         `alert http any any <> any any (msg:"test"; sid:1; rev:1;)`,
 			OptionsBefore: 3,
 			OptionsAfter:  3,
 			ExpectedOptions: []*RuleOption{
-				{Name: "msg", Value: util.Ptr("test (copy)")},
+				{Name: "msg", Value: util.Ptr(`"test (copy)"`)},
 				{Name: "sid", Value: util.Ptr(publicId)},
 				{Name: "rev", Value: util.Ptr("1")},
 			},
 		},
 		{
 			Name:          "Present but Empty Options",
-			Input:         `alert any any <> any any (msg; sid; rev;)`,
+			Input:         `alert http any any <> any any (msg; sid; rev;)`,
 			OptionsBefore: 3,
 			OptionsAfter:  3,
 			ExpectedOptions: []*RuleOption{
-				{Name: "msg", Value: util.Ptr("(copy)")},
+				{Name: "msg", Value: util.Ptr(`"(copy)"`)},
 				{Name: "sid", Value: util.Ptr(publicId)},
 				{Name: "rev", Value: nil},
 			},
 		},
 		{
 			Name:          "Missing Options",
-			Input:         `alert any any <> any any (rev;)`,
+			Input:         `alert http any any <> any any (rev;)`,
 			OptionsBefore: 1,
 			OptionsAfter:  3,
 			ExpectedOptions: []*RuleOption{
-				{Name: "msg", Value: util.Ptr("(copy)")},
+				{Name: "msg", Value: util.Ptr(`"(copy)"`)},
 				{Name: "sid", Value: util.Ptr(publicId)},
 				{Name: "rev", Value: nil},
 			},
 		},
+		{
+			Name:          "Double Quotes in Title",
+			Input:         `alert http any any <> any any (msg:"\"test\""; sid:1; rev:1;)`,
+			OptionsBefore: 3,
+			OptionsAfter:  3,
+			ExpectedOptions: []*RuleOption{
+				{Name: "msg", Value: util.Ptr(`"\"test\" (copy)"`)},
+				{Name: "sid", Value: util.Ptr(publicId)},
+				{Name: "rev", Value: util.Ptr("1")},
+			},
+		},
 	}
 
 	for _, test := range tests {
@@ -291,41 +302,4 @@ func TestUpdateForDuplication(t *testing.T) {
 			}
 		})
 	}
-
-	// rule, err = ParseSuricataRule(`alert any any <> any any (rev:1;)`)
-	// assert.NoError(t, err)
-	// assert.NotNil(t, rule)
-	//
-	// assert.Equal(t, len(rule.Options), 1)
-	// rev, ok = rule.GetOption("rev")
-	// assert.True(t, ok)
-	// assert.NotNil(t, rev)
-	// assert.Equal(t, "1", *rev)
-	//
-	// sid, ok = rule.GetOption("sid")
-	// assert.False(t, ok)
-	// assert.Nil(t, sid)
-	//
-	// msg, ok = rule.GetOption("msg")
-	// assert.False(t, ok)
-	// assert.Nil(t, msg)
-	//
-	// rule.UpdateForDuplication("1")
-	//
-	// assert.Equal(t, len(rule.Options), 3)
-	//
-	// sid, ok = rule.GetOption("sid")
-	// assert.True(t, ok)
-	// assert.NotNil(t, sid)
-	// assert.Equal(t, "1", *sid)
-	//
-	// msg, ok = rule.GetOption("msg")
-	// assert.True(t, ok)
-	// assert.NotNil(t, msg)
-	// assert.Equal(t, "(copy)", *msg)
-	//
-	// rev, ok = rule.GetOption("rev")
-	// assert.True(t, ok)
-	// assert.NotNil(t, rev)
-	// assert.Equal(t, "1", *rev)
 }

From 737913d20db908d5b143c46f7bd42f3860de3f27 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 20 Jun 2024 12:01:55 -0600
Subject: [PATCH 49/57] Improved Suricata Syntax Highlighting

New syntax highlighting rules now supports # comments and the protocol and action are less dependent on the beginning of the string.
---
 html/js/external/prism-custom-v1.29.0.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/html/js/external/prism-custom-v1.29.0.js b/html/js/external/prism-custom-v1.29.0.js
index 2de9c922..e756e6c8 100644
--- a/html/js/external/prism-custom-v1.29.0.js
+++ b/html/js/external/prism-custom-v1.29.0.js
@@ -1,7 +1,7 @@
 /* PrismJS 1.29.0
-http://localhost:8080/download.html#themes=prism&languages=suricata+suricata-logic+yaml+yara */
+http://127.0.0.1:8080/download.html#themes=prism&languages=suricata+suricata-logic+yaml+yara */
 var _self="undefined"!=typeof window?window:"undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?self:{},Prism=function(e){var n=/(?:^|\s)lang(?:uage)?-([\w-]+)(?=\s|$)/i,t=0,r={},a={manual:e.Prism&&e.Prism.manual,disableWorkerMessageHandler:e.Prism&&e.Prism.disableWorkerMessageHandler,util:{encode:function e(n){return n instanceof i?new i(n.type,e(n.content),n.alias):Array.isArray(n)?n.map(e):n.replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/\u00a0/g," ")},type:function(e){return Object.prototype.toString.call(e).slice(8,-1)},objId:function(e){return e.__id||Object.defineProperty(e,"__id",{value:++t}),e.__id},clone:function e(n,t){var r,i;switch(t=t||{},a.util.type(n)){case"Object":if(i=a.util.objId(n),t[i])return t[i];for(var l in r={},t[i]=r,n)n.hasOwnProperty(l)&&(r[l]=e(n[l],t));return r;case"Array":return i=a.util.objId(n),t[i]?t[i]:(r=[],t[i]=r,n.forEach((function(n,a){r[a]=e(n,t)})),r);default:return n}},getLanguage:function(e){for(;e;){var t=n.exec(e.className);if(t)return t[1].toLowerCase();e=e.parentElement}return"none"},setLanguage:function(e,t){e.className=e.className.replace(RegExp(n,"gi"),""),e.classList.add("language-"+t)},currentScript:function(){if("undefined"==typeof document)return null;if("currentScript"in document)return document.currentScript;try{throw new Error}catch(r){var e=(/at [^(\r\n]*\((.*):[^:]+:[^:]+\)$/i.exec(r.stack)||[])[1];if(e){var n=document.getElementsByTagName("script");for(var t in n)if(n[t].src==e)return n[t]}return null}},isActive:function(e,n,t){for(var r="no-"+n;e;){var a=e.classList;if(a.contains(n))return!0;if(a.contains(r))return!1;e=e.parentElement}return!!t}},languages:{plain:r,plaintext:r,text:r,txt:r,extend:function(e,n){var t=a.util.clone(a.languages[e]);for(var r in n)t[r]=n[r];return t},insertBefore:function(e,n,t,r){var i=(r=r||a.languages)[e],l={};for(var o in i)if(i.hasOwnProperty(o)){if(o==n)for(var s in t)t.hasOwnProperty(s)&&(l[s]=t[s]);t.hasOwnProperty(o)||(l[o]=i[o])}var u=r[e];return r[e]=l,a.languages.DFS(a.languages,(function(n,t){t===u&&n!=e&&(this[n]=l)})),l},DFS:function e(n,t,r,i){i=i||{};var l=a.util.objId;for(var o in n)if(n.hasOwnProperty(o)){t.call(n,o,n[o],r||o);var s=n[o],u=a.util.type(s);"Object"!==u||i[l(s)]?"Array"!==u||i[l(s)]||(i[l(s)]=!0,e(s,t,o,i)):(i[l(s)]=!0,e(s,t,null,i))}}},plugins:{},highlightAll:function(e,n){a.highlightAllUnder(document,e,n)},highlightAllUnder:function(e,n,t){var r={callback:t,container:e,selector:'code[class*="language-"], [class*="language-"] code, code[class*="lang-"], [class*="lang-"] code'};a.hooks.run("before-highlightall",r),r.elements=Array.prototype.slice.apply(r.container.querySelectorAll(r.selector)),a.hooks.run("before-all-elements-highlight",r);for(var i,l=0;i=r.elements[l++];)a.highlightElement(i,!0===n,r.callback)},highlightElement:function(n,t,r){var i=a.util.getLanguage(n),l=a.languages[i];a.util.setLanguage(n,i);var o=n.parentElement;o&&"pre"===o.nodeName.toLowerCase()&&a.util.setLanguage(o,i);var s={element:n,language:i,grammar:l,code:n.textContent};function u(e){s.highlightedCode=e,a.hooks.run("before-insert",s),s.element.innerHTML=s.highlightedCode,a.hooks.run("after-highlight",s),a.hooks.run("complete",s),r&&r.call(s.element)}if(a.hooks.run("before-sanity-check",s),(o=s.element.parentElement)&&"pre"===o.nodeName.toLowerCase()&&!o.hasAttribute("tabindex")&&o.setAttribute("tabindex","0"),!s.code)return a.hooks.run("complete",s),void(r&&r.call(s.element));if(a.hooks.run("before-highlight",s),s.grammar)if(t&&e.Worker){var c=new Worker(a.filename);c.onmessage=function(e){u(e.data)},c.postMessage(JSON.stringify({language:s.language,code:s.code,immediateClose:!0}))}else u(a.highlight(s.code,s.grammar,s.language));else u(a.util.encode(s.code))},highlight:function(e,n,t){var r={code:e,grammar:n,language:t};if(a.hooks.run("before-tokenize",r),!r.grammar)throw new Error('The language "'+r.language+'" has no grammar.');return r.tokens=a.tokenize(r.code,r.grammar),a.hooks.run("after-tokenize",r),i.stringify(a.util.encode(r.tokens),r.language)},tokenize:function(e,n){var t=n.rest;if(t){for(var r in t)n[r]=t[r];delete n.rest}var a=new s;return u(a,a.head,e),o(e,a,n,a.head,0),function(e){for(var n=[],t=e.head.next;t!==e.tail;)n.push(t.value),t=t.next;return n}(a)},hooks:{all:{},add:function(e,n){var t=a.hooks.all;t[e]=t[e]||[],t[e].push(n)},run:function(e,n){var t=a.hooks.all[e];if(t&&t.length)for(var r,i=0;r=t[i++];)r(n)}},Token:i};function i(e,n,t,r){this.type=e,this.content=n,this.alias=t,this.length=0|(r||"").length}function l(e,n,t,r){e.lastIndex=n;var a=e.exec(t);if(a&&r&&a[1]){var i=a[1].length;a.index+=i,a[0]=a[0].slice(i)}return a}function o(e,n,t,r,s,g){for(var f in t)if(t.hasOwnProperty(f)&&t[f]){var h=t[f];h=Array.isArray(h)?h:[h];for(var d=0;d<h.length;++d){if(g&&g.cause==f+","+d)return;var v=h[d],p=v.inside,m=!!v.lookbehind,y=!!v.greedy,k=v.alias;if(y&&!v.pattern.global){var x=v.pattern.toString().match(/[imsuy]*$/)[0];v.pattern=RegExp(v.pattern.source,x+"g")}for(var b=v.pattern||v,w=r.next,A=s;w!==n.tail&&!(g&&A>=g.reach);A+=w.value.length,w=w.next){var E=w.value;if(n.length>e.length)return;if(!(E instanceof i)){var P,L=1;if(y){if(!(P=l(b,A,e,m))||P.index>=e.length)break;var S=P.index,O=P.index+P[0].length,j=A;for(j+=w.value.length;S>=j;)j+=(w=w.next).value.length;if(A=j-=w.value.length,w.value instanceof i)continue;for(var C=w;C!==n.tail&&(j<O||"string"==typeof C.value);C=C.next)L++,j+=C.value.length;L--,E=e.slice(A,j),P.index-=A}else if(!(P=l(b,0,E,m)))continue;S=P.index;var N=P[0],_=E.slice(0,S),M=E.slice(S+N.length),W=A+E.length;g&&W>g.reach&&(g.reach=W);var z=w.prev;if(_&&(z=u(n,z,_),A+=_.length),c(n,z,L),w=u(n,z,new i(f,p?a.tokenize(N,p):N,k,N)),M&&u(n,w,M),L>1){var I={cause:f+","+d,reach:W};o(e,n,t,w.prev,A,I),g&&I.reach>g.reach&&(g.reach=I.reach)}}}}}}function s(){var e={value:null,prev:null,next:null},n={value:null,prev:e,next:null};e.next=n,this.head=e,this.tail=n,this.length=0}function u(e,n,t){var r=n.next,a={value:t,prev:n,next:r};return n.next=a,r.prev=a,e.length++,a}function c(e,n,t){for(var r=n.next,a=0;a<t&&r!==e.tail;a++)r=r.next;n.next=r,r.prev=n,e.length-=a}if(e.Prism=a,i.stringify=function e(n,t){if("string"==typeof n)return n;if(Array.isArray(n)){var r="";return n.forEach((function(n){r+=e(n,t)})),r}var i={type:n.type,content:e(n.content,t),tag:"span",classes:["token",n.type],attributes:{},language:t},l=n.alias;l&&(Array.isArray(l)?Array.prototype.push.apply(i.classes,l):i.classes.push(l)),a.hooks.run("wrap",i);var o="";for(var s in i.attributes)o+=" "+s+'="'+(i.attributes[s]||"").replace(/"/g,"&quot;")+'"';return"<"+i.tag+' class="'+i.classes.join(" ")+'"'+o+">"+i.content+"</"+i.tag+">"},!e.document)return e.addEventListener?(a.disableWorkerMessageHandler||e.addEventListener("message",(function(n){var t=JSON.parse(n.data),r=t.language,i=t.code,l=t.immediateClose;e.postMessage(a.highlight(i,a.languages[r],r)),l&&e.close()}),!1),a):a;var g=a.util.currentScript();function f(){a.manual||a.highlightAll()}if(g&&(a.filename=g.src,g.hasAttribute("data-manual")&&(a.manual=!0)),!a.manual){var h=document.readyState;"loading"===h||"interactive"===h&&g&&g.defer?document.addEventListener("DOMContentLoaded",f):window.requestAnimationFrame?window.requestAnimationFrame(f):window.setTimeout(f,16)}return a}(_self);"undefined"!=typeof module&&module.exports&&(module.exports=Prism),"undefined"!=typeof global&&(global.Prism=Prism);
-Prism.languages.suricata={protocol:{pattern:/(^\w+\s+)(tcp|udp|icmp|ip|all|any|tcp-pkt|tcp-stream|http[12]?|ftp|tls|smb|dns|dcerpc|dhcp|ssh|smtp|imap|pop3|modbus|dnp3|enip|nfs|ike|krb5|bittorrent-dht|ntp|dhcp|rfb|rdp|snmp|tftp|sip|websocket)/,lookbehind:!0,alias:"selector"},action:{pattern:/^(alert|pass|drop|reject|rejectsrc|rejectdst|rejectboth)/,alias:"namespace"},direction:{pattern:/(->|<>)/,alias:"operator"},options:{pattern:/\(.*\)?/,greedy:!0,alias:"text",inside:{"opening-paren":{pattern:/^\(/,alias:"operator"},"closing-paren":{pattern:/\)$/,alias:"operator"},string:{pattern:/(["'])(?:\\(?:\r\n|[\s\S])|(?!\1)[^\\\r\n])*\1/,greedy:!0},"option-key":{pattern:/\w+:/,alias:"selector"},"flag-option":{pattern:/(noalert|fast_pattern);/,alias:"tag"}}}};
+Prism.languages.suricata={protocol:{pattern:/\b(tcp|udp|icmp|ip|all|any|tcp-pkt|tcp-stream|http[12]?|ftp|tls|smb|dns|dcerpc|dhcp|ssh|smtp|imap|pop3|modbus|dnp3|enip|nfs|ike|krb5|bittorrent-dht|ntp|dhcp|rfb|rdp|snmp|tftp|sip|websocket)\b/,alias:"selector"},action:{pattern:/\b(alert|pass|drop|reject|rejectsrc|rejectdst|rejectboth)\b/,alias:"namespace"},direction:{pattern:/(->|<>)/,alias:"operator"},options:{pattern:/\(.*\)?/,greedy:!0,alias:"text",inside:{"opening-paren":{pattern:/^\(/,alias:"operator"},"closing-paren":{pattern:/\)$/,alias:"operator"},string:{pattern:/(["'])(?:\\(?:\r\n|[\s\S])|(?!\1)[^\\\r\n])*\1/,greedy:!0},"option-key":{pattern:/\w+:/,alias:"selector"},"flag-option":{pattern:/(noalert|fast_pattern);/,alias:"tag"}}},comment:[{pattern:/#.*/,lookbehind:!0,greedy:!0}]};
 Prism.languages["suricata-logic"]={string:{pattern:/(["'])(?:\\(?:\r\n|[\s\S])|(?!\1)[^\\\r\n])*\1/,greedy:!0},protocol:{pattern:/\b(tcp|udp|icmp|ip|all|any|tcp-pkt|tcp-stream|http[12]?|ftp|tls|smb|dns|dcerpc|dhcp|ssh|smtp|imap|pop3|modbus|dnp3|enip|nfs|ike|krb5|bittorrent-dht|ntp|dhcp|rfb|rdp|snmp|tftp|sip|websocket)\b/,lookbehind:!0,alias:"selector"},direction:{pattern:/(->|<>)/,alias:"operator"},"flag-option":{pattern:/(noalert|fast_pattern)/,alias:"tag"},"option-key":{pattern:/\w+:/,alias:"selector"}};
 !function(e){var n=/[*&][^\s[\]{},]+/,r=/!(?:<[\w\-%#;/?:@&=+$,.!~*'()[\]]+>|(?:[a-zA-Z\d-]*!)?[\w\-%#;/?:@&=+$.~*'()]+)?/,t="(?:"+r.source+"(?:[ \t]+"+n.source+")?|"+n.source+"(?:[ \t]+"+r.source+")?)",a="(?:[^\\s\\x00-\\x08\\x0e-\\x1f!\"#%&'*,\\-:>?@[\\]`{|}\\x7f-\\x84\\x86-\\x9f\\ud800-\\udfff\\ufffe\\uffff]|[?:-]<PLAIN>)(?:[ \t]*(?:(?![#:])<PLAIN>|:<PLAIN>))*".replace(/<PLAIN>/g,(function(){return"[^\\s\\x00-\\x08\\x0e-\\x1f,[\\]{}\\x7f-\\x84\\x86-\\x9f\\ud800-\\udfff\\ufffe\\uffff]"})),d="\"(?:[^\"\\\\\r\n]|\\\\.)*\"|'(?:[^'\\\\\r\n]|\\\\.)*'";function o(e,n){n=(n||"").replace(/m/g,"")+"m";var r="([:\\-,[{]\\s*(?:\\s<<prop>>[ \t]+)?)(?:<<value>>)(?=[ \t]*(?:$|,|\\]|\\}|(?:[\r\n]\\s*)?#))".replace(/<<prop>>/g,(function(){return t})).replace(/<<value>>/g,(function(){return e}));return RegExp(r,n)}e.languages.yaml={scalar:{pattern:RegExp("([\\-:]\\s*(?:\\s<<prop>>[ \t]+)?[|>])[ \t]*(?:((?:\r?\n|\r)[ \t]+)\\S[^\r\n]*(?:\\2[^\r\n]+)*)".replace(/<<prop>>/g,(function(){return t}))),lookbehind:!0,alias:"string"},comment:/#.*/,key:{pattern:RegExp("((?:^|[:\\-,[{\r\n?])[ \t]*(?:<<prop>>[ \t]+)?)<<key>>(?=\\s*:\\s)".replace(/<<prop>>/g,(function(){return t})).replace(/<<key>>/g,(function(){return"(?:"+a+"|"+d+")"}))),lookbehind:!0,greedy:!0,alias:"atrule"},directive:{pattern:/(^[ \t]*)%.+/m,lookbehind:!0,alias:"important"},datetime:{pattern:o("\\d{4}-\\d\\d?-\\d\\d?(?:[tT]|[ \t]+)\\d\\d?:\\d{2}:\\d{2}(?:\\.\\d*)?(?:[ \t]*(?:Z|[-+]\\d\\d?(?::\\d{2})?))?|\\d{4}-\\d{2}-\\d{2}|\\d\\d?:\\d{2}(?::\\d{2}(?:\\.\\d*)?)?"),lookbehind:!0,alias:"number"},boolean:{pattern:o("false|true","i"),lookbehind:!0,alias:"important"},null:{pattern:o("null|~","i"),lookbehind:!0,alias:"important"},string:{pattern:o(d),lookbehind:!0,greedy:!0},number:{pattern:o("[+-]?(?:0x[\\da-f]+|0o[0-7]+|(?:\\d+(?:\\.\\d*)?|\\.\\d+)(?:e[+-]?\\d+)?|\\.inf|\\.nan)","i"),lookbehind:!0},tag:r,important:n,punctuation:/---|[:[\]{}\-,|>?]|\.\.\./},e.languages.yml=e.languages.yaml}(Prism);
 Prism.languages.yara={comment:[{pattern:/(^|[^\\])\/\*[\s\S]*?(?:\*\/|$)/,lookbehind:!0,greedy:!0},{pattern:/(^|[^\\:])\/\/.*/,lookbehind:!0,greedy:!0}],string:{pattern:/"(?:\\.|[^"\\\r\n])*"/,greedy:!0},"rule-signature":{pattern:/(private\s+)?rule\s*[a-z_][a-z0-9_]{0,127}\s*(:(\s*[a-z_][a-z0-9_]{0,50})+)?/i,alias:"text",inside:{"tag-separator":{pattern:/:/,alias:"operator"},identifier:{pattern:/(rule\s+)[a-z_][a-z0-9_]{0,127}/i,lookbehind:!0,alias:"text"},"private-rule":{pattern:/^(private\s+)?rule\b/i,alias:"keyword"},tag:{pattern:/[a-z_][a-z0-9_]{0,50}/i,alias:"property"}}},"category-header":{pattern:/(\n\s*)\w+:/,lookbehind:!0,alias:"keyword"},"byte-sequence":{pattern:/\{[a-f0-9 \[\]\?]*\}/i,alias:"string"},keyword:{pattern:/\b(all|and|any|ascii|at|base64(wide)?|condition|(i)?contains|(i)?endswith|entrypoint|false|filesize|for|fullword|global|import|in|include|(u)?int16(be)?|(u)?int32(be)?|(u)?int8(be)?|iequals|(i)?startswith|matches|meta|nocase|none|not|of|or|private|rule|strings|them|true|wide|xor|defined)\b/i}},Prism.languages.YARA=Prism.languages.yara;

From b12fc217dcd50749207fa0986c0a4ad6989ebc30 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Thu, 20 Jun 2024 16:38:24 -0400
Subject: [PATCH 50/57] provide notice if license is expiring

---
 html/index.html     |  8 ++++++--
 html/js/app.js      | 12 ++++++++++++
 html/js/app.test.js | 12 ++++++++++++
 html/js/i18n.js     |  1 +
 4 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/html/index.html b/html/index.html
index 5922424d..9b334c78 100644
--- a/html/index.html
+++ b/html/index.html
@@ -167,8 +167,12 @@
         <v-spacer></v-spacer>
         <div id="connection-indicator" v-if="!connected || reconnecting">
           <v-icon class="mr-2" color="warning">fa-satellite-dish</v-icon>
-          <span v-if="reconnecting" v-text="i18n.reconnecting"></span>
-          <span v-if="!reconnecting" v-text="i18n.disconnected"></span>
+          <span v-if="reconnecting" v-text="i18n.reconnecting" class="d-none d-md-inline" data-aid="reconnecting_notice"></span>
+          <span v-if="!reconnecting" v-text="i18n.disconnected" class="d-none d-md-inline" data-aid="disconnected_notice"></span>
+        </div>
+        <div id="license-indicator" v-else-if="isLicenseExpiringSoon()">
+          <v-icon class="mr-2" color="warning">fa-key</v-icon>
+          <span v-text="i18n.licenseExpiringSoon" class="d-none d-md-inline" data-aid="license_expiring_notice"></span>
         </div>
         <v-spacer></v-spacer>
         <v-menu bottom left offset-y>
diff --git a/html/js/app.js b/html/js/app.js
index 96771d3f..6ebbf417 100644
--- a/html/js/app.js
+++ b/html/js/app.js
@@ -15,6 +15,8 @@ const LICENSE_STATUS_INVALID = "invalid";
 const LICENSE_STATUS_PENDING = "pending";
 const LICENSE_STATUS_UNPROVISIONED = "unprovisioned";
 
+const LICENSE_EXPIRES_SOON_DAYS = 45;
+
 const UNREALISTIC_AGE = 1700000000; // About 54 years
 
 const USER_PASSWORD_LENGTH_MIN = 8;
@@ -309,6 +311,16 @@ $(document).ready(function() {
           this.removeSearchParam('r');
         }
       },
+      isLicenseExpiringSoon() {
+        if (this.licenseStatus == LICENSE_STATUS_ACTIVE && this.licenseKey.expiration) {
+          const now = Date.now();
+          const exp = Date.parse(this.licenseKey.expiration);
+          const timeToExpirationMs = exp - now;
+          const minTimeToExpirationMs = LICENSE_EXPIRES_SOON_DAYS * 24 * 60 * 60 * 1000;
+          return timeToExpirationMs < minTimeToExpirationMs;
+        }
+        return false;
+      },
       async loadServerSettings(background) {
         // This version element ensures we're passed the login screen.
         if (document.getElementById("version")) {
diff --git a/html/js/app.test.js b/html/js/app.test.js
index 47d5f002..9725b4d7 100644
--- a/html/js/app.test.js
+++ b/html/js/app.test.js
@@ -753,4 +753,16 @@ test('dateAwareSort', () => {
   for (let i = 0; i < items.length; i++) {
     expect(items[i].dateOrder).toBe(items.length - i - 1);
   }
+});
+
+test('licenseExpiringSoon', () => {
+  const date = new Date();
+  app.licenseKey = { expiration: date.toISOString() };
+  expect(app.isLicenseExpiringSoon()).toBe(true);
+  
+  app.licenseKey = { expiration: "2024-01-01T01:01:01Z" };
+  expect(app.isLicenseExpiringSoon()).toBe(true);
+
+  app.licenseKey = { expiration: "2054-01-01T01:01:01Z" };
+  expect(app.isLicenseExpiringSoon()).toBe(false);
 });
\ No newline at end of file
diff --git a/html/js/i18n.js b/html/js/i18n.js
index 3d952f83..8cfc0d9a 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -551,6 +551,7 @@ const i18n = {
       licensePending: 'This grid is using a license that has not yet become active. If this is unexpected, contact your Security Onion account manager for assistance. Alternatively, make sure your grid is synchronized to the correct time.',
       licenseEffective: 'Effective',
       licenseExpiration: 'Expiration',
+      licenseExpiringSoon: 'This grid\'s Security Onion Pro license expires soon.',
       licenseId: 'ID',
       licensing: 'Licensing',
       licenseKey: 'License Key',

From a6e3d6b6319d2c986d82be1b358ed9880068e5ed Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 20 Jun 2024 13:49:04 -0600
Subject: [PATCH 51/57] New Query Param for Advanced Config

Specifying `a=1` on the query string will now cause the config to load with Advanced already toggled to true.

The nextTick is necessary because on mount, the browser will call processRouterParameters and then loadData. The component is also watching `advanced` and will call refreshTree if it changes.

What happens is that onMounted will call processRouterParameters and set advanced which queues up a refreshTree in the event stack. Then execution exits processRouterParameters and enters loadData. loadData is async so the first half of the function up to the request executes. Then the queued up refreshTree executes. refreshTree checks autoExpand, expands, and then unsets autoExpand. When refreshTree finishes, control is eventually returned to the async part of loadData because the request came back. The second half of loadData calls refreshTree, but this time autoExpand is false so the tree isn't expanded.

With the $nextTick, I queue up the call to refreshTree same as before when I modify advanced in processRouterParameters, then nextTick queues up a function to set autoExpand = true again but after that refreshTree event in the queue. Now when loadData calls refreshTree, autoExpand is set, and the tree expands as expected. We only need to expand on nextTick if we load the page as advanced.
---
 html/index.html          |  2 +-
 html/js/routes/config.js | 12 ++++++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/html/index.html b/html/index.html
index 9b334c78..e10e445e 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1353,7 +1353,7 @@ <h3 class="text--primary">{{ i18n.commentAddDetection }}</h3>
                       <!-- ip -->
                       <v-text-field v-if="newOverride.type === 'suppress'" id="new-override-ip-edit" v-model="newOverride.ip" :rules="[rules.required, rules.cidrFormat]" persistent-hint :hint="i18n.ipCidr" data-aid="detection_new_override_suppress_ip_input">
                         <template v-slot:append-outer>
-                          <router-link :to="{ name: 'config', query: { s: 'suricata.config.vars' }}" target="_blank" data-aid="new_override_ip_edit_config_shortcut">
+                          <router-link :to="{ name: 'config', query: { s: 'suricata.config.vars', a: '1', e: '1' }}" target="_blank" data-aid="new_override_ip_edit_config_shortcut">
                             <v-icon>fa fa-gear</v-icon>
                           </router-link>
                         </template>
diff --git a/html/js/routes/config.js b/html/js/routes/config.js
index 82514420..004310ce 100644
--- a/html/js/routes/config.js
+++ b/html/js/routes/config.js
@@ -63,11 +63,19 @@ routes.push({ path: '/config', name: 'config', component: {
   },
   methods: {
     processRouteParameters() {
+      if (this.$route.query.a == "1") {
+        this.advanced = true;
+      }
       if (this.$route.query.f) {
         this.search = this.$route.query.f;
       }
       if (this.$route.query.e == "1") {
         this.autoExpand = true;
+        if (this.advanced) {
+          this.$nextTick(() => {
+            this.autoExpand = true;
+          });
+        }
       }
       if (this.$route.query.s) {
         this.autoSelect = this.$route.query.s;
@@ -326,7 +334,7 @@ routes.push({ path: '/config', name: 'config', component: {
       }
       this.recomputeAvailableNodes(this.findActiveSetting());
       this.activeBackup = [...this.active];
-      this.showDuplicate = false; 
+      this.showDuplicate = false;
       this.showDefault = false;
       window.scrollTo(0,0);
     },
@@ -507,7 +515,7 @@ routes.push({ path: '/config', name: 'config', component: {
     },
     toggleDuplicate(setting) {
       this.duplicateId = this.suggestDuplicateName(setting);
-      this.showDuplicate = !this.showDuplicate; 
+      this.showDuplicate = !this.showDuplicate;
     },
     suggestDuplicateName(setting) {
       return setting.name + "_dup";

From b8aa7e3b3dc039e1855b50d4057add2814358349 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 20 Jun 2024 16:40:07 -0600
Subject: [PATCH 52/57] Suricata Rules can only be 1 Line

New and updated detections now go through a stronger validation process. Verified by the cypress tests.

Fixed a suricata-logic bug with syntax highlighting. Updated here: https://github.com/coreyogburn/prism/commit/9b24b03cd2bf29762e1538a195c4b920d813b44c
---
 html/js/external/prism-custom-v1.29.0.js |  2 +-
 server/detectionhandler.go               | 12 ++++++++++++
 server/modules/suricata/suricata.go      |  9 +++++++++
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/html/js/external/prism-custom-v1.29.0.js b/html/js/external/prism-custom-v1.29.0.js
index e756e6c8..43e9de61 100644
--- a/html/js/external/prism-custom-v1.29.0.js
+++ b/html/js/external/prism-custom-v1.29.0.js
@@ -2,6 +2,6 @@
 http://127.0.0.1:8080/download.html#themes=prism&languages=suricata+suricata-logic+yaml+yara */
 var _self="undefined"!=typeof window?window:"undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?self:{},Prism=function(e){var n=/(?:^|\s)lang(?:uage)?-([\w-]+)(?=\s|$)/i,t=0,r={},a={manual:e.Prism&&e.Prism.manual,disableWorkerMessageHandler:e.Prism&&e.Prism.disableWorkerMessageHandler,util:{encode:function e(n){return n instanceof i?new i(n.type,e(n.content),n.alias):Array.isArray(n)?n.map(e):n.replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/\u00a0/g," ")},type:function(e){return Object.prototype.toString.call(e).slice(8,-1)},objId:function(e){return e.__id||Object.defineProperty(e,"__id",{value:++t}),e.__id},clone:function e(n,t){var r,i;switch(t=t||{},a.util.type(n)){case"Object":if(i=a.util.objId(n),t[i])return t[i];for(var l in r={},t[i]=r,n)n.hasOwnProperty(l)&&(r[l]=e(n[l],t));return r;case"Array":return i=a.util.objId(n),t[i]?t[i]:(r=[],t[i]=r,n.forEach((function(n,a){r[a]=e(n,t)})),r);default:return n}},getLanguage:function(e){for(;e;){var t=n.exec(e.className);if(t)return t[1].toLowerCase();e=e.parentElement}return"none"},setLanguage:function(e,t){e.className=e.className.replace(RegExp(n,"gi"),""),e.classList.add("language-"+t)},currentScript:function(){if("undefined"==typeof document)return null;if("currentScript"in document)return document.currentScript;try{throw new Error}catch(r){var e=(/at [^(\r\n]*\((.*):[^:]+:[^:]+\)$/i.exec(r.stack)||[])[1];if(e){var n=document.getElementsByTagName("script");for(var t in n)if(n[t].src==e)return n[t]}return null}},isActive:function(e,n,t){for(var r="no-"+n;e;){var a=e.classList;if(a.contains(n))return!0;if(a.contains(r))return!1;e=e.parentElement}return!!t}},languages:{plain:r,plaintext:r,text:r,txt:r,extend:function(e,n){var t=a.util.clone(a.languages[e]);for(var r in n)t[r]=n[r];return t},insertBefore:function(e,n,t,r){var i=(r=r||a.languages)[e],l={};for(var o in i)if(i.hasOwnProperty(o)){if(o==n)for(var s in t)t.hasOwnProperty(s)&&(l[s]=t[s]);t.hasOwnProperty(o)||(l[o]=i[o])}var u=r[e];return r[e]=l,a.languages.DFS(a.languages,(function(n,t){t===u&&n!=e&&(this[n]=l)})),l},DFS:function e(n,t,r,i){i=i||{};var l=a.util.objId;for(var o in n)if(n.hasOwnProperty(o)){t.call(n,o,n[o],r||o);var s=n[o],u=a.util.type(s);"Object"!==u||i[l(s)]?"Array"!==u||i[l(s)]||(i[l(s)]=!0,e(s,t,o,i)):(i[l(s)]=!0,e(s,t,null,i))}}},plugins:{},highlightAll:function(e,n){a.highlightAllUnder(document,e,n)},highlightAllUnder:function(e,n,t){var r={callback:t,container:e,selector:'code[class*="language-"], [class*="language-"] code, code[class*="lang-"], [class*="lang-"] code'};a.hooks.run("before-highlightall",r),r.elements=Array.prototype.slice.apply(r.container.querySelectorAll(r.selector)),a.hooks.run("before-all-elements-highlight",r);for(var i,l=0;i=r.elements[l++];)a.highlightElement(i,!0===n,r.callback)},highlightElement:function(n,t,r){var i=a.util.getLanguage(n),l=a.languages[i];a.util.setLanguage(n,i);var o=n.parentElement;o&&"pre"===o.nodeName.toLowerCase()&&a.util.setLanguage(o,i);var s={element:n,language:i,grammar:l,code:n.textContent};function u(e){s.highlightedCode=e,a.hooks.run("before-insert",s),s.element.innerHTML=s.highlightedCode,a.hooks.run("after-highlight",s),a.hooks.run("complete",s),r&&r.call(s.element)}if(a.hooks.run("before-sanity-check",s),(o=s.element.parentElement)&&"pre"===o.nodeName.toLowerCase()&&!o.hasAttribute("tabindex")&&o.setAttribute("tabindex","0"),!s.code)return a.hooks.run("complete",s),void(r&&r.call(s.element));if(a.hooks.run("before-highlight",s),s.grammar)if(t&&e.Worker){var c=new Worker(a.filename);c.onmessage=function(e){u(e.data)},c.postMessage(JSON.stringify({language:s.language,code:s.code,immediateClose:!0}))}else u(a.highlight(s.code,s.grammar,s.language));else u(a.util.encode(s.code))},highlight:function(e,n,t){var r={code:e,grammar:n,language:t};if(a.hooks.run("before-tokenize",r),!r.grammar)throw new Error('The language "'+r.language+'" has no grammar.');return r.tokens=a.tokenize(r.code,r.grammar),a.hooks.run("after-tokenize",r),i.stringify(a.util.encode(r.tokens),r.language)},tokenize:function(e,n){var t=n.rest;if(t){for(var r in t)n[r]=t[r];delete n.rest}var a=new s;return u(a,a.head,e),o(e,a,n,a.head,0),function(e){for(var n=[],t=e.head.next;t!==e.tail;)n.push(t.value),t=t.next;return n}(a)},hooks:{all:{},add:function(e,n){var t=a.hooks.all;t[e]=t[e]||[],t[e].push(n)},run:function(e,n){var t=a.hooks.all[e];if(t&&t.length)for(var r,i=0;r=t[i++];)r(n)}},Token:i};function i(e,n,t,r){this.type=e,this.content=n,this.alias=t,this.length=0|(r||"").length}function l(e,n,t,r){e.lastIndex=n;var a=e.exec(t);if(a&&r&&a[1]){var i=a[1].length;a.index+=i,a[0]=a[0].slice(i)}return a}function o(e,n,t,r,s,g){for(var f in t)if(t.hasOwnProperty(f)&&t[f]){var h=t[f];h=Array.isArray(h)?h:[h];for(var d=0;d<h.length;++d){if(g&&g.cause==f+","+d)return;var v=h[d],p=v.inside,m=!!v.lookbehind,y=!!v.greedy,k=v.alias;if(y&&!v.pattern.global){var x=v.pattern.toString().match(/[imsuy]*$/)[0];v.pattern=RegExp(v.pattern.source,x+"g")}for(var b=v.pattern||v,w=r.next,A=s;w!==n.tail&&!(g&&A>=g.reach);A+=w.value.length,w=w.next){var E=w.value;if(n.length>e.length)return;if(!(E instanceof i)){var P,L=1;if(y){if(!(P=l(b,A,e,m))||P.index>=e.length)break;var S=P.index,O=P.index+P[0].length,j=A;for(j+=w.value.length;S>=j;)j+=(w=w.next).value.length;if(A=j-=w.value.length,w.value instanceof i)continue;for(var C=w;C!==n.tail&&(j<O||"string"==typeof C.value);C=C.next)L++,j+=C.value.length;L--,E=e.slice(A,j),P.index-=A}else if(!(P=l(b,0,E,m)))continue;S=P.index;var N=P[0],_=E.slice(0,S),M=E.slice(S+N.length),W=A+E.length;g&&W>g.reach&&(g.reach=W);var z=w.prev;if(_&&(z=u(n,z,_),A+=_.length),c(n,z,L),w=u(n,z,new i(f,p?a.tokenize(N,p):N,k,N)),M&&u(n,w,M),L>1){var I={cause:f+","+d,reach:W};o(e,n,t,w.prev,A,I),g&&I.reach>g.reach&&(g.reach=I.reach)}}}}}}function s(){var e={value:null,prev:null,next:null},n={value:null,prev:e,next:null};e.next=n,this.head=e,this.tail=n,this.length=0}function u(e,n,t){var r=n.next,a={value:t,prev:n,next:r};return n.next=a,r.prev=a,e.length++,a}function c(e,n,t){for(var r=n.next,a=0;a<t&&r!==e.tail;a++)r=r.next;n.next=r,r.prev=n,e.length-=a}if(e.Prism=a,i.stringify=function e(n,t){if("string"==typeof n)return n;if(Array.isArray(n)){var r="";return n.forEach((function(n){r+=e(n,t)})),r}var i={type:n.type,content:e(n.content,t),tag:"span",classes:["token",n.type],attributes:{},language:t},l=n.alias;l&&(Array.isArray(l)?Array.prototype.push.apply(i.classes,l):i.classes.push(l)),a.hooks.run("wrap",i);var o="";for(var s in i.attributes)o+=" "+s+'="'+(i.attributes[s]||"").replace(/"/g,"&quot;")+'"';return"<"+i.tag+' class="'+i.classes.join(" ")+'"'+o+">"+i.content+"</"+i.tag+">"},!e.document)return e.addEventListener?(a.disableWorkerMessageHandler||e.addEventListener("message",(function(n){var t=JSON.parse(n.data),r=t.language,i=t.code,l=t.immediateClose;e.postMessage(a.highlight(i,a.languages[r],r)),l&&e.close()}),!1),a):a;var g=a.util.currentScript();function f(){a.manual||a.highlightAll()}if(g&&(a.filename=g.src,g.hasAttribute("data-manual")&&(a.manual=!0)),!a.manual){var h=document.readyState;"loading"===h||"interactive"===h&&g&&g.defer?document.addEventListener("DOMContentLoaded",f):window.requestAnimationFrame?window.requestAnimationFrame(f):window.setTimeout(f,16)}return a}(_self);"undefined"!=typeof module&&module.exports&&(module.exports=Prism),"undefined"!=typeof global&&(global.Prism=Prism);
 Prism.languages.suricata={protocol:{pattern:/\b(tcp|udp|icmp|ip|all|any|tcp-pkt|tcp-stream|http[12]?|ftp|tls|smb|dns|dcerpc|dhcp|ssh|smtp|imap|pop3|modbus|dnp3|enip|nfs|ike|krb5|bittorrent-dht|ntp|dhcp|rfb|rdp|snmp|tftp|sip|websocket)\b/,alias:"selector"},action:{pattern:/\b(alert|pass|drop|reject|rejectsrc|rejectdst|rejectboth)\b/,alias:"namespace"},direction:{pattern:/(->|<>)/,alias:"operator"},options:{pattern:/\(.*\)?/,greedy:!0,alias:"text",inside:{"opening-paren":{pattern:/^\(/,alias:"operator"},"closing-paren":{pattern:/\)$/,alias:"operator"},string:{pattern:/(["'])(?:\\(?:\r\n|[\s\S])|(?!\1)[^\\\r\n])*\1/,greedy:!0},"option-key":{pattern:/\w+:/,alias:"selector"},"flag-option":{pattern:/(noalert|fast_pattern);/,alias:"tag"}}},comment:[{pattern:/#.*/,lookbehind:!0,greedy:!0}]};
-Prism.languages["suricata-logic"]={string:{pattern:/(["'])(?:\\(?:\r\n|[\s\S])|(?!\1)[^\\\r\n])*\1/,greedy:!0},protocol:{pattern:/\b(tcp|udp|icmp|ip|all|any|tcp-pkt|tcp-stream|http[12]?|ftp|tls|smb|dns|dcerpc|dhcp|ssh|smtp|imap|pop3|modbus|dnp3|enip|nfs|ike|krb5|bittorrent-dht|ntp|dhcp|rfb|rdp|snmp|tftp|sip|websocket)\b/,lookbehind:!0,alias:"selector"},direction:{pattern:/(->|<>)/,alias:"operator"},"flag-option":{pattern:/(noalert|fast_pattern)/,alias:"tag"},"option-key":{pattern:/\w+:/,alias:"selector"}};
+Prism.languages["suricata-logic"]={string:{pattern:/(["'])(?:\\(?:\r\n|[\s\S])|(?!\1)[^\\\r\n])*\1/,greedy:!0},protocol:{pattern:/\b(tcp|udp|icmp|ip|all|any|tcp-pkt|tcp-stream|http[12]?|ftp|tls|smb|dns|dcerpc|dhcp|ssh|smtp|imap|pop3|modbus|dnp3|enip|nfs|ike|krb5|bittorrent-dht|ntp|dhcp|rfb|rdp|snmp|tftp|sip|websocket)\b/,alias:"selector"},direction:{pattern:/(->|<>)/,alias:"operator"},"flag-option":{pattern:/(noalert|fast_pattern)/,alias:"tag"},"option-key":{pattern:/\w+:/,alias:"selector"}};
 !function(e){var n=/[*&][^\s[\]{},]+/,r=/!(?:<[\w\-%#;/?:@&=+$,.!~*'()[\]]+>|(?:[a-zA-Z\d-]*!)?[\w\-%#;/?:@&=+$.~*'()]+)?/,t="(?:"+r.source+"(?:[ \t]+"+n.source+")?|"+n.source+"(?:[ \t]+"+r.source+")?)",a="(?:[^\\s\\x00-\\x08\\x0e-\\x1f!\"#%&'*,\\-:>?@[\\]`{|}\\x7f-\\x84\\x86-\\x9f\\ud800-\\udfff\\ufffe\\uffff]|[?:-]<PLAIN>)(?:[ \t]*(?:(?![#:])<PLAIN>|:<PLAIN>))*".replace(/<PLAIN>/g,(function(){return"[^\\s\\x00-\\x08\\x0e-\\x1f,[\\]{}\\x7f-\\x84\\x86-\\x9f\\ud800-\\udfff\\ufffe\\uffff]"})),d="\"(?:[^\"\\\\\r\n]|\\\\.)*\"|'(?:[^'\\\\\r\n]|\\\\.)*'";function o(e,n){n=(n||"").replace(/m/g,"")+"m";var r="([:\\-,[{]\\s*(?:\\s<<prop>>[ \t]+)?)(?:<<value>>)(?=[ \t]*(?:$|,|\\]|\\}|(?:[\r\n]\\s*)?#))".replace(/<<prop>>/g,(function(){return t})).replace(/<<value>>/g,(function(){return e}));return RegExp(r,n)}e.languages.yaml={scalar:{pattern:RegExp("([\\-:]\\s*(?:\\s<<prop>>[ \t]+)?[|>])[ \t]*(?:((?:\r?\n|\r)[ \t]+)\\S[^\r\n]*(?:\\2[^\r\n]+)*)".replace(/<<prop>>/g,(function(){return t}))),lookbehind:!0,alias:"string"},comment:/#.*/,key:{pattern:RegExp("((?:^|[:\\-,[{\r\n?])[ \t]*(?:<<prop>>[ \t]+)?)<<key>>(?=\\s*:\\s)".replace(/<<prop>>/g,(function(){return t})).replace(/<<key>>/g,(function(){return"(?:"+a+"|"+d+")"}))),lookbehind:!0,greedy:!0,alias:"atrule"},directive:{pattern:/(^[ \t]*)%.+/m,lookbehind:!0,alias:"important"},datetime:{pattern:o("\\d{4}-\\d\\d?-\\d\\d?(?:[tT]|[ \t]+)\\d\\d?:\\d{2}:\\d{2}(?:\\.\\d*)?(?:[ \t]*(?:Z|[-+]\\d\\d?(?::\\d{2})?))?|\\d{4}-\\d{2}-\\d{2}|\\d\\d?:\\d{2}(?::\\d{2}(?:\\.\\d*)?)?"),lookbehind:!0,alias:"number"},boolean:{pattern:o("false|true","i"),lookbehind:!0,alias:"important"},null:{pattern:o("null|~","i"),lookbehind:!0,alias:"important"},string:{pattern:o(d),lookbehind:!0,greedy:!0},number:{pattern:o("[+-]?(?:0x[\\da-f]+|0o[0-7]+|(?:\\d+(?:\\.\\d*)?|\\.\\d+)(?:e[+-]?\\d+)?|\\.inf|\\.nan)","i"),lookbehind:!0},tag:r,important:n,punctuation:/---|[:[\]{}\-,|>?]|\.\.\./},e.languages.yml=e.languages.yaml}(Prism);
 Prism.languages.yara={comment:[{pattern:/(^|[^\\])\/\*[\s\S]*?(?:\*\/|$)/,lookbehind:!0,greedy:!0},{pattern:/(^|[^\\:])\/\/.*/,lookbehind:!0,greedy:!0}],string:{pattern:/"(?:\\.|[^"\\\r\n])*"/,greedy:!0},"rule-signature":{pattern:/(private\s+)?rule\s*[a-z_][a-z0-9_]{0,127}\s*(:(\s*[a-z_][a-z0-9_]{0,50})+)?/i,alias:"text",inside:{"tag-separator":{pattern:/:/,alias:"operator"},identifier:{pattern:/(rule\s+)[a-z_][a-z0-9_]{0,127}/i,lookbehind:!0,alias:"text"},"private-rule":{pattern:/^(private\s+)?rule\b/i,alias:"keyword"},tag:{pattern:/[a-z_][a-z0-9_]{0,50}/i,alias:"property"}}},"category-header":{pattern:/(\n\s*)\w+:/,lookbehind:!0,alias:"keyword"},"byte-sequence":{pattern:/\{[a-f0-9 \[\]\?]*\}/i,alias:"string"},keyword:{pattern:/\b(all|and|any|ascii|at|base64(wide)?|condition|(i)?contains|(i)?endswith|entrypoint|false|filesize|for|fullword|global|import|in|include|(u)?int16(be)?|(u)?int32(be)?|(u)?int8(be)?|iequals|(i)?startswith|matches|meta|nocase|none|not|of|or|private|rule|strings|them|true|wide|xor|defined)\b/i}},Prism.languages.YARA=Prism.languages.yara;
diff --git a/server/detectionhandler.go b/server/detectionhandler.go
index 6b6b2e6d..e18d215c 100644
--- a/server/detectionhandler.go
+++ b/server/detectionhandler.go
@@ -159,6 +159,12 @@ func (h *DetectionHandler) createDetection(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
+	_, err = engine.ValidateRule(detect.Content)
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, fmt.Errorf("invalid rule: %w", err))
+		return
+	}
+
 	err = engine.ExtractDetails(detect)
 	if err != nil {
 		if err.Error() == "rule does not contain a public Id" {
@@ -277,6 +283,12 @@ func (h *DetectionHandler) updateDetection(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
+	_, err = engine.ValidateRule(detect.Content)
+	if err != nil {
+		web.Respond(w, r, http.StatusBadRequest, fmt.Errorf("invalid rule: %w", err))
+		return
+	}
+
 	err = h.PrepareForSave(ctx, detect, engine)
 	if err != nil {
 		if err.Error() == "Object not found" {
diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 3eac7421..0f65c93d 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -725,6 +725,15 @@ func readFingerprint(path string) (fingerprint *string, ok bool, err error) {
 }
 
 func (e *SuricataEngine) ValidateRule(rule string) (string, error) {
+	lines := strings.Split(rule, "\n")
+	nonEmpty := lo.Filter(lines, func(line string, _ int) bool {
+		return strings.TrimSpace(line) != ""
+	})
+
+	if len(nonEmpty) != 1 {
+		return "", fmt.Errorf("suricata rules must be a single line")
+	}
+
 	parsed, err := ParseSuricataRule(rule)
 	if err != nil {
 		return rule, err

From 4b95bf6990b38a0332153d516044aefa53c84da3 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Thu, 20 Jun 2024 16:40:21 -0600
Subject: [PATCH 53/57] Added test

---
 html/js/routes/config.test.js | 165 +++++++++++++++++++++++-----------
 1 file changed, 113 insertions(+), 52 deletions(-)

diff --git a/html/js/routes/config.test.js b/html/js/routes/config.test.js
index 160833ce..3405f347 100644
--- a/html/js/routes/config.test.js
+++ b/html/js/routes/config.test.js
@@ -9,11 +9,11 @@ require('./config.js');
 
 global.GridMemberAccepted = "accepted";
 
-const a = { 
-  category: 'general', 
-  id: 'fake.setting.foo', 
-  description: 'Nearby', 
-  title: 'Farout', 
+const a = {
+  category: 'general',
+  id: 'fake.setting.foo',
+  description: 'Nearby',
+  title: 'Farout',
   nodeValues: new Map(),
   regex: "True|False",
   regexFailureMessage: "Wrong!",
@@ -50,7 +50,7 @@ test('loadData', async () => {
   const expectedSettings = [{
       "advanced": undefined,
       "default": null,
-      "defaultAvailable": false, 
+      "defaultAvailable": false,
       "description": "Nearby",
       "duplicates": undefined,
       "file": undefined,
@@ -73,7 +73,7 @@ test('loadData', async () => {
     {
       "advanced": undefined,
       "default": undefined,
-      "defaultAvailable": undefined, 
+      "defaultAvailable": undefined,
       "description": "NADA",
       "duplicates": undefined,
       "file": undefined,
@@ -96,7 +96,7 @@ test('loadData', async () => {
     {
       "advanced": undefined,
       "default": undefined,
-      "defaultAvailable": undefined, 
+      "defaultAvailable": undefined,
       "description": "Cocoa",
       "duplicates": undefined,
       "file": undefined,
@@ -125,79 +125,79 @@ test('loadData', async () => {
           "children": [
             {
               "advanced": undefined,
-              "default": null, 
-              "defaultAvailable": false, 
-              "description": "Nearby", 
+              "default": null,
+              "defaultAvailable": false,
+              "description": "Nearby",
               "duplicates": undefined,
               "file": undefined,
-              "global": false, 
+              "global": false,
               "helpLink": undefined,
-              "id": "fake.setting.foo", 
-              "multiline": undefined, 
-              "name": "foo", 
-              "node": undefined, 
-              "nodeValues": m1, 
-              "readonly": undefined, 
+              "id": "fake.setting.foo",
+              "multiline": undefined,
+              "name": "foo",
+              "node": undefined,
+              "nodeValues": m1,
+              "readonly": undefined,
               "readonlyUi": undefined,
               "regex": "True|False",
               "regexFailureMessage": "Wrong!",
-              "sensitive": undefined, 
+              "sensitive": undefined,
               "syntax": undefined,
-              "title": "Farout", 
+              "title": "Farout",
               "value": null
-            }, 
+            },
             {
               "advanced": undefined,
               "default": undefined,
-              "defaultAvailable": undefined, 
-              "description": "Cocoa", 
+              "defaultAvailable": undefined,
+              "description": "Cocoa",
               "duplicates": undefined,
               "file": undefined,
-              "global": undefined, 
+              "global": undefined,
               "helpLink": undefined,
-              "id": "fake.setting.bar", 
-              "multiline": undefined, 
-              "name": "bar", 
-              "node": false, 
-              "nodeValues": new Map(), 
-              "readonly": undefined, 
+              "id": "fake.setting.bar",
+              "multiline": undefined,
+              "name": "bar",
+              "node": false,
+              "nodeValues": new Map(),
+              "readonly": undefined,
               "readonlyUi": undefined,
               "regex": undefined,
               "regexFailureMessage": undefined,
-              "sensitive": undefined, 
+              "sensitive": undefined,
               "syntax": undefined,
-              "title": "Barley", 
+              "title": "Barley",
               "value": undefined
             }
-          ], 
-          "id": "fake.setting", 
+          ],
+          "id": "fake.setting",
           "name": "setting"
         }
-      ], 
-      "id": "fake", 
+      ],
+      "id": "fake",
       "name": "fake"
-    }, 
+    },
     {
       "advanced": undefined,
       "default": undefined,
-      "defaultAvailable": undefined, 
-      "description": "NADA", 
+      "defaultAvailable": undefined,
+      "description": "NADA",
       "duplicates": undefined,
       "file": undefined,
-      "global": undefined, 
+      "global": undefined,
       "helpLink": undefined,
-      "id": "car", 
-      "multiline": undefined, 
-      "name": "car", 
-      "node": false, 
-      "nodeValues": new Map(), 
-      "readonly": undefined, 
+      "id": "car",
+      "multiline": undefined,
+      "name": "car",
+      "node": false,
+      "nodeValues": new Map(),
+      "readonly": undefined,
       "readonlyUi": undefined,
       "regex": undefined,
       "regexFailureMessage": undefined,
-      "sensitive": undefined, 
+      "sensitive": undefined,
       "syntax": undefined,
-      "title": "CCA", 
+      "title": "CCA",
       "value": undefined
     }
   ];
@@ -258,7 +258,7 @@ test('isPendingSave', () => {
   const values = new Map();
   values.set('bar', '123');
   const setting = { id: 'foo', value: "something", nodeValues: values};
-  
+
   // Form key is null, nothing pending
   var nodeId = null;
   expect(comp.isPendingSave(setting, nodeId)).toBe(false);
@@ -294,7 +294,7 @@ test('reset', () => {
 
 setupSettings = () => {
   comp.cancelDialog = true;
-  comp.nodes = [{id: "n1", status: GridMemberAccepted }, {id: "n1a", status: GridMemberAccepted }, 
+  comp.nodes = [{id: "n1", status: GridMemberAccepted }, {id: "n1a", status: GridMemberAccepted },
                 {id: "n2", name: "node2", role: "standalone", status: "accepted" }, {id:"n3", status: "pending" }];
 
   const nodeValues = new Map();
@@ -555,7 +555,7 @@ test('addNode', () => {
   expect(comp.settings[0].nodeValues.get('n2')).toBe(undefined);
   expect(comp.form.key).toBe("n1");
   expect(comp.form.value).toBe("touched-value");
-  expect(comp.cancelDialog).toBe(true);  
+  expect(comp.cancelDialog).toBe(true);
 });
 
 test('addToNode_Malformed', () => {
@@ -622,4 +622,65 @@ test('isReadOnly', () => {
   expect(comp.isReadOnly(setting)).toBe(true);
   setting.readonly = true;
   expect(comp.isReadOnly(setting)).toBe(true);
-});
\ No newline at end of file
+});
+
+test('processRouteParameters', () => {
+  comp.$route.query = {
+    f: 'search',
+  };
+  comp.$nextTick = jest.fn();
+
+  comp.processRouteParameters();
+
+  expect(comp.search).toBe('search');
+  expect(comp.autoSelect).toBe('');
+  expect(comp.autoExpand).toBe(false);
+  expect(comp.searchFilter).toBe('search');
+  expect(comp.advanced).toBe(false);
+  expect(comp.$nextTick).toHaveBeenCalledTimes(0);
+
+  comp.search = '';
+  comp.searchFilter = '';
+  comp.$route.query = {
+    e: '1',
+  };
+
+  comp.processRouteParameters();
+
+  expect(comp.search).toBe('');
+  expect(comp.autoSelect).toBe('');
+  expect(comp.autoExpand).toBe(true);
+  expect(comp.searchFilter).toBe('');
+  expect(comp.advanced).toBe(false);
+  expect(comp.$nextTick).toHaveBeenCalledTimes(0);
+
+  comp.autoExpand = false;
+  comp.$route.query = {
+    a: '1',
+  };
+
+  comp.processRouteParameters();
+
+  expect(comp.search).toBe('');
+  expect(comp.autoSelect).toBe('');
+  expect(comp.autoExpand).toBe(false);
+  expect(comp.searchFilter).toBe('');
+  expect(comp.advanced).toBe(true);
+  expect(comp.$nextTick).toHaveBeenCalledTimes(0);
+
+  comp.advanced = false
+  comp.$route.query = {
+    a: '1',
+    e: '1',
+    f: 'search',
+  };
+
+  comp.processRouteParameters();
+
+  expect(comp.search).toBe('search');
+  expect(comp.autoSelect).toBe('');
+  expect(comp.autoExpand).toBe(true);
+  expect(comp.searchFilter).toBe('search');
+  expect(comp.advanced).toBe(true);
+  expect(comp.$nextTick).toHaveBeenCalledTimes(1);
+});

From 108e497f4f5c2120b1890f8a4b1016b7c463f898 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 21 Jun 2024 09:31:26 -0600
Subject: [PATCH 54/57] Added test for new logic

New "1 line" logic now has specific test cases.
---
 server/modules/suricata/suricata_test.go | 35 ++++++++++++++++++++----
 1 file changed, 29 insertions(+), 6 deletions(-)

diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index 09054180..973cb7b5 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -293,7 +293,7 @@ func TestValidate(t *testing.T) {
 	table := []struct {
 		Name        string
 		Input       string
-		ExpectedErr *string
+		ExpectedErr string
 	}{
 		{
 			Name:  "Valid Rule",
@@ -310,17 +310,17 @@ func TestValidate(t *testing.T) {
 		{
 			Name:        "Invalid Direction",
 			Input:       `alert http any any <-> any any (msg:"This rule has an invalid direction";)`,
-			ExpectedErr: util.Ptr("invalid direction, must be '<>' or '->', got <->"),
+			ExpectedErr: "invalid direction, must be '<>' or '->', got <->",
 		},
 		{
 			Name:        "Unexpected Suffix",
 			Input:       SimpleRule + "x",
-			ExpectedErr: util.Ptr("invalid rule, expected end of rule, got 1 more bytes"),
+			ExpectedErr: "invalid rule, expected end of rule, got 1 more bytes",
 		},
 		{
 			Name:        "Unexpected End of Rule",
 			Input:       "x",
-			ExpectedErr: util.Ptr("invalid rule, unexpected end of rule"),
+			ExpectedErr: "invalid rule, unexpected end of rule",
 		},
 		{
 			Name:  "Parentheses in Unquoted Option",
@@ -330,6 +330,29 @@ func TestValidate(t *testing.T) {
 			Name:  "Unescaped Double Quote in PCRE Option",
 			Input: `alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Unhidebody Function Observed in Phishing Landing"; flow:established,to_client; file.data; content:"function unhideBody()"; nocase; fast_pattern; content:"var bodyElems = document.getElementsByTagName(|22|body|22|)|3b|"; nocase; content:"bodyElems[0].style.visibility =|20 22|visible|22 3b|"; nocase; distance:0; content:"onload=|22|unhideBody()|22|"; content:"method="; nocase; pcre:"/^["']?post/Ri"; classtype:social-engineering; sid:2029732; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_24, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_03_24;)`,
 		},
+		{
+			Name:  "Accidental Whitespace",
+			Input: SimpleRule + "\n",
+		},
+		{
+			Name:  "Excessive Whitespace",
+			Input: "\n\n" + SimpleRule + "\n\n",
+		},
+		{
+			Name:        "Rule w/ Comment",
+			Input:       "# This rule does X, Y, and Z\n" + SimpleRule,
+			ExpectedErr: "suricata rules must be a single line",
+		},
+		{
+			Name:        "Multiple Rules",
+			Input:       FlowbitsRuleA + "\n" + FlowbitsRuleB,
+			ExpectedErr: "suricata rules must be a single line",
+		},
+		{
+			Name:        "Multiple Rules, One Line",
+			Input:       FlowbitsRuleA + " " + FlowbitsRuleB,
+			ExpectedErr: "invalid rule, expected end of rule, got 126 more bytes",
+		},
 	}
 
 	for _, test := range table {
@@ -340,7 +363,7 @@ func TestValidate(t *testing.T) {
 			mod := NewSuricataEngine(&server.Server{})
 
 			_, err := mod.ValidateRule(test.Input)
-			if test.ExpectedErr == nil {
+			if test.ExpectedErr == "" {
 				assert.NoError(t, err)
 
 				// this rule seems valid, attempt to parse, serialize, re-parse
@@ -350,7 +373,7 @@ func TestValidate(t *testing.T) {
 				_, err = ParseSuricataRule(parsed.String())
 				assert.NoError(t, err)
 			} else {
-				assert.Equal(t, *test.ExpectedErr, err.Error())
+				assert.Equal(t, test.ExpectedErr, err.Error())
 			}
 		})
 	}

From 3310c4fa7dd36ac332ce40da7455da64ce24f172 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 21 Jun 2024 09:36:19 -0600
Subject: [PATCH 55/57] Update URL for Override Edits

Suricata's link to the config section for it's variables has now been updated for both new overrides and editting overrides.
---
 html/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/html/index.html b/html/index.html
index e10e445e..07db1ddc 100644
--- a/html/index.html
+++ b/html/index.html
@@ -1496,7 +1496,7 @@ <h3 class="text--primary">{{ i18n.commentAddDetection }}</h3>
                             <v-text-field id="override-ip-edit" ref="override-ip" hide-details="auto" outlined v-model="item.ip" :rules="[rules.required, rules.cidrFormat]"
                               persistent-hint :hint="i18n.ipCidr" v-on:keyup.enter="isFieldValid('override-ip') && stopOverrideEdit(true)" v-on:keyup.esc="stopOverrideEdit(false)" data-aid="detection_override_suppress_ip_input">
                             <template v-slot:append-outer>
-                              <router-link :to="{ name: 'config', query: { s: 'suricata.config.vars' }}" target="_blank" data-aid="override_ip_edit_config_shortcut">
+                              <router-link :to="{ name: 'config', query: { s: 'suricata.config.vars', a: '1', e: '1' }}" target="_blank" data-aid="override_ip_edit_config_shortcut">
                                 <v-icon>fa fa-gear</v-icon>
                               </router-link>
                             </template>

From d1ea2fba6aac17fa40a1ed16fdd8e3eff2c7c553 Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 21 Jun 2024 13:07:29 -0600
Subject: [PATCH 56/57] Allow for shorter PublicIDs

---
 server/modules/elastic/elasticdetectionstore.go      | 2 +-
 server/modules/elastic/elasticdetectionstore_test.go | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/server/modules/elastic/elasticdetectionstore.go b/server/modules/elastic/elasticdetectionstore.go
index f13b7951..77fb7c28 100644
--- a/server/modules/elastic/elasticdetectionstore.go
+++ b/server/modules/elastic/elasticdetectionstore.go
@@ -68,7 +68,7 @@ func (store *ElasticDetectionstore) validateId(id string, label string) error {
 func (store *ElasticDetectionstore) validatePublicId(id string, label string) error {
 	var err error
 
-	isValidId := regexp.MustCompile(`^[A-Za-z0-9-_]{5,128}$`).MatchString
+	isValidId := regexp.MustCompile(`^[A-Za-z0-9-_]{3,128}$`).MatchString
 	if !isValidId(id) {
 		err = fmt.Errorf("invalid ID for %s", label)
 	}
diff --git a/server/modules/elastic/elasticdetectionstore_test.go b/server/modules/elastic/elasticdetectionstore_test.go
index 56d9a4cb..506652fd 100644
--- a/server/modules/elastic/elasticdetectionstore_test.go
+++ b/server/modules/elastic/elasticdetectionstore_test.go
@@ -122,6 +122,9 @@ func TestDetectionValidatePublicIdValid(t *testing.T) {
 	err := store.validatePublicId("12345", "test")
 	assert.NoError(t, err)
 
+	err = store.validatePublicId("123", "test")
+	assert.NoError(t, err)
+
 	err = store.validatePublicId("123456", "test")
 	assert.NoError(t, err)
 

From 6bc0d6ed97da6e53951cf111778b43b8b3f5c91e Mon Sep 17 00:00:00 2001
From: Corey Ogburn <corey.ogburn@securityonionsolutions.com>
Date: Fri, 21 Jun 2024 16:07:17 -0600
Subject: [PATCH 57/57] Suricata Integrity Check, Include Custom

Removed an option from GetAllDetections that prevented custom detections from being returned.
---
 server/modules/suricata/suricata.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go
index 0f65c93d..d595be18 100644
--- a/server/modules/suricata/suricata.go
+++ b/server/modules/suricata/suricata.go
@@ -1734,7 +1734,7 @@ func (e *SuricataEngine) IntegrityCheck(canInterrupt bool) error {
 		return detections.ErrIntCheckerStopped
 	}
 
-	ret, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, model.WithEngine(model.EngineNameSuricata), model.WithEnabled(true), model.WithCommunity(true))
+	ret, err := e.srv.Detectionstore.GetAllDetections(e.srv.Context, model.WithEngine(model.EngineNameSuricata), model.WithEnabled(true))
 	if err != nil {
 		logger.WithError(err).Error("unable to query for enabled detections")
 		return detections.ErrIntCheckFailed