From 96b72d46be65d8becd1346c649bcd50355249e7e Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 16 Dec 2020 12:01:48 -0500
Subject: [PATCH 1/3] show steno,zeek,suricata as disabled in so-status on import node

---
salt/pcap/init.sls | 2 +-
salt/suricata/init.sls | 8 ++++++++
salt/zeek/init.sls | 8 ++++++++
setup/so-functions | 5 +++++
4 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index e98bbecf5..a43f90288 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -133,7 +133,7 @@ append_so-steno_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-steno
- - unless: grep so-steno /opt/so/conf/so-status/so-status.conf
+ - unless: grep -q so-steno /opt/so/conf/so-status/so-status.conf

{% if STENOOPTIONS.status == 'running' %}
delete_so-steno_so-status.disabled:
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 0c50bb5d1..99609be32 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -167,6 +167,14 @@ append_so-suricata_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-suricata
+ - unless: grep -q so-suricata /opt/so/conf/so-status/so-status.conf
+
+{% if grains.role == 'so-import' %}
+disable_so-suricata_so-status.conf:
+ file.comment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-suricata$
+{% endif %}

surilogrotate:
file.managed:
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index f6edae136..6fa289d5c 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -200,6 +200,14 @@ append_so-zeek_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-zeek
+ - unless: grep -q so-zeek /opt/so/conf/so-status/so-status.conf
+
+{% if grains.role == 'so-import' %}
+disable_so-zeek_so-status.conf:
+ file.comment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-zeek$
+{% endif %}

{% else %}

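Review bot: The `unless: grep -q so-suricata ...` added to `append_so-suricata_so-status.conf` is unanchored, and that is what keeps it compatible with the import-node `disable_so-suricata_so-status.conf` state below it: after `file.comment` turns the entry into `#so-suricata`, grep still matches, so the line is not appended a second time on the next highstate. Nothing in the state records that dependency, so a later "tightening" to `grep -qx so-suricata` would presumably re-add an uncommented so-suricata line on every run of an import node; a comment on the unless, e.g. `# intentionally unanchored: a commented-out '#so-suricata' must still count as present`, would protect it. The zeek hunk (`append_so-zeek_so-status.conf` / `disable_so-zeek_so-status.conf`) has the same structure and needs the same comment. The `{% if grains.role == 'so-import' %}` block only ever comments the entry; if a node's role can change after install there is no uncomment path here, which may be worth a note in the state as well.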
diff --git a/setup/so-functions b/setup/so-functions
index 5f98e685e..c49babaae 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1941,6 +1941,11 @@ sensor_pillar() {
if [ "$HNSENSOR" != 'inherit' ]; then
echo " hnsensor: $HNSENSOR" >> "$pillar_file"
fi
+ if [[ $is_import ]]; then
+ printf '%s\n'\
+ "steno:"\
+ " enabled: false" >> "$pillar_file"
+ fi

}

From 2e278586f21dd68e3453657af4fbbb00faa20678 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 16 Dec 2020 13:03:24 -0500
Subject: [PATCH 2/3] disable steno in so-status for import node

---
salt/pcap/init.sls | 13 +++++++------
setup/so-functions | 6 ------
2 files changed, 7 insertions(+), 12 deletions(-)

diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index a43f90288..b8580fd86 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -135,16 +135,17 @@ append_so-steno_so-status.conf:
- text: so-steno
- unless: grep -q so-steno /opt/so/conf/so-status/so-status.conf

- {% if STENOOPTIONS.status == 'running' %}
-delete_so-steno_so-status.disabled:
- file.uncomment:
- - name: /opt/so/conf/so-status/so-status.conf
- - regex: ^so-steno$
- {% elif STENOOPTIONS.status == 'stopped' %}
+
+ {% if not STENOOPTIONS.start %}
so-steno_so-status.disabled:
file.comment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-steno$
+ {% else %}
+delete_so-steno_so-status.disabled:
+ file.uncomment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-steno$
{% endif %}

{% else %}
diff --git a/setup/so-functions b/setup/so-functions
index 6d7e5582a..da452516d 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1941,12 +1941,6 @@ sensor_pillar() {
if [ "$HNSENSOR" != 'inherit' ]; then
echo " hnsensor: $HNSENSOR" >> "$pillar_file"
fi
- if [[ $is_import ]]; then
- printf '%s\n'\
- "steno:"\
- " enabled: false" >> "$pillar_file"
- fi
-
}

set_default_log_size() {
From 2d497cb7245b9aa34acdf3824f175fef67ef5ab5 Mon Sep 17 00:00:00 2001
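Review bot: `{% if not STENOOPTIONS.start %}` now decides whether so-steno is commented out of so-status.conf, and it makes a missing or empty `start` key indistinguishable from an explicit false (or a render failure, depending on how STENOOPTIONS is built, which is outside this hunk). If `start` is optional in the pillar, a node that simply omits it will show steno as disabled in so-status with nothing pointing at the cause; `{% if STENOOPTIONS.start is defined and not STENOOPTIONS.start %}`, or a default applied where STENOOPTIONS is assembled, makes the intent explicit. The previous `'running'`/`'stopped'` pair left a third status untouched, so a one-line comment above the new test saying that `start` is now the single source of truth for the so-status entry would help the next reader. The outer `{% if %}` whose `{% else %}` closes this hunk begins outside it.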
From: m0duspwnens
Date: Wed, 16 Dec 2020 14:15:57 -0500
Subject: [PATCH 3/3] change to just Hunt

---
salt/common/tools/sbin/so-import-pcap | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap
index 2dc5b0504..72c199231 100755
--- a/salt/common/tools/sbin/so-import-pcap
+++ b/salt/common/tools/sbin/so-import-pcap
@@ -217,6 +217,6 @@ https://{{ URLBASE }}/#/hunt?q=import.id:${HASH}%20%7C%20groupby%20event.module%
or you can manually set your Time Range to be (in UTC):
From: $START_OLDEST
To: $END_NEWEST
-Please note that it may take 30 seconds or more for events to appear in Onion Hunt.
+Please note that it may take 30 seconds or more for events to appear in Hunt.
EOF
fi