Security-Onion-Solutions · defensivedepth · Dec 5, 2025 · Sep 17, 2025 · Sep 17, 2025 · Nov 6, 2025
diff --git a/pillar/top.sls b/pillar/top.sls
@@ -43,8 +43,6 @@ base:
     - secrets
     - manager.soc_manager
     - manager.adv_manager
-    - idstools.soc_idstools
-    - idstools.adv_idstools
     - logstash.nodes
     - logstash.soc_logstash
     - logstash.adv_logstash
@@ -117,8 +115,6 @@ base:
     - elastalert.adv_elastalert
     - manager.soc_manager
     - manager.adv_manager
-    - idstools.soc_idstools
-    - idstools.adv_idstools
     - soc.soc_soc
     - soc.adv_soc
     - kibana.soc_kibana
@@ -158,8 +154,6 @@ base:
     {% endif %}
     - secrets
     - healthcheck.standalone
-    - idstools.soc_idstools
-    - idstools.adv_idstools
     - kratos.soc_kratos
     - kratos.adv_kratos
     - hydra.soc_hydra

diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja
@@ -38,8 +38,6 @@
     'hydra',
     'elasticfleet',
     'elastic-fleet-package-registry',
-    'idstools',
-    'suricata.manager',
     'utility'
 ] %}
 

diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common
@@ -25,7 +25,6 @@ container_list() {
   if [ $MANAGERCHECK == 'so-import' ]; then
     TRUSTED_CONTAINERS=(
       "so-elasticsearch"
-      "so-idstools"
       "so-influxdb"
       "so-kibana"
       "so-kratos"
@@ -49,7 +48,6 @@ container_list() {
       "so-elastic-fleet-package-registry"
       "so-elasticsearch"
       "so-idh"
-      "so-idstools"
       "so-influxdb"
       "so-kafka"
       "so-kibana"
@@ -69,7 +67,6 @@ container_list() {
     )
   else
     TRUSTED_CONTAINERS=(
-      "so-idstools"
       "so-elasticsearch"
       "so-logstash"
       "so-nginx"

diff --git a/salt/common/tools/sbin_jinja/so-import-pcap b/salt/common/tools/sbin_jinja/so-import-pcap
@@ -85,7 +85,7 @@ function suricata() {
   docker run --rm \
     -v /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro \
     -v /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro \
-    -v /opt/so/conf/suricata/rules:/etc/suricata/rules:ro \
+    -v /opt/so/rules/suricata/:/etc/suricata/rules:ro \
     -v ${LOG_PATH}:/var/log/suricata/:rw \
     -v ${NSM_PATH}/:/nsm/:rw \
     -v "$PCAP:/input.pcap:ro" \

diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml
@@ -24,11 +24,6 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-    'so-idstools':
-      final_octet: 25
-      custom_bind_mounts: []
-      extra_hosts: []
-      extra_env: []
     'so-influxdb':
       final_octet: 26
       port_bindings:

diff --git a/salt/docker/soc_docker.yaml b/salt/docker/soc_docker.yaml
@@ -41,7 +41,6 @@ docker:
         forcedType: "[]string"
     so-elastic-fleet: *dockerOptions
     so-elasticsearch: *dockerOptions
-    so-idstools: *dockerOptions
     so-influxdb: *dockerOptions
     so-kibana: *dockerOptions
     so-kratos: *dockerOptions
@@ -102,4 +101,4 @@ docker:
         multiline: True
         forcedType: "[]string"
     so-zeek: *dockerOptions
-    so-kafka: *dockerOptions
+    so-kafka: *dockerOptions
diff --git a/salt/idstools/config.sls b/salt/idstools/config.sls
diff --git a/salt/idstools/defaults.yaml b/salt/idstools/defaults.yaml
diff --git a/salt/idstools/disabled.sls b/salt/idstools/disabled.sls
diff --git a/salt/idstools/enabled.sls b/salt/idstools/enabled.sls
diff --git a/salt/idstools/etc/disable.conf b/salt/idstools/etc/disable.conf
diff --git a/salt/idstools/etc/enable.conf b/salt/idstools/etc/enable.conf
diff --git a/salt/idstools/etc/modify.conf b/salt/idstools/etc/modify.conf
diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf
diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls
diff --git a/salt/idstools/map.jinja b/salt/idstools/map.jinja
diff --git a/salt/idstools/rules/local.rules b/salt/idstools/rules/local.rules