Use importer's new --json flag.

Using the new --json flag is not only more reliable than using a regex; because of the way the import script was written, even re-imports will provide a URL. This means that in more cases we can provide the results to the users (even if nothing changed).
Corey Ogburn
2023-06-13 14:54:15 -06:00
parent 451a4784a1
commit 41951659ec


@@ -227,11 +227,11 @@ function import_file() {
log "importing..."
case $importer in
pcap)
response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file'")
response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file --json'")
exit_code=$?
;;
evtx)
response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-evtx $file'")
response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-evtx $file --json'")
exit_code=$?
;;
*)
@@ -246,7 +246,8 @@ function import_file() {
log "Exit Code: $exit_code"
if [[ exit_code -eq 0 ]]; then
url=$(echo "$response" | sed ':a;N;$!ba;s/\n//g' | grep -E -o "https://\S*")
# trim off the node header ("manager_standalone:\n") and parse out the URL
url=$(echo "$response" | tail -n +2 | jq -r .url)
$(echo "$url" > "${SOC_PIPE}")
else
log "false"
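Review bot: In the first hunk, `$file` is expanded locally into a string that is parsed again by the shell that `cmd.run` starts on the node (`so-import-pcap $file --json` and `so-import-evtx $file --json`), so a file name containing whitespace, a quote or a shell metacharacter changes the command that runs there instead of arriving as one argument. No validation of `$file` is visible in these hunks and import_file begins above them, so confirm one exists or add an allow-list test such as `[[ $file =~ ^[A-Za-z0-9._/-]+$ ]]` before the `case`, skipping the import when it fails. In the second hunk, `jq -r .url` prints the literal `null` when the key is absent and prints nothing when the input is not JSON (for example if the salt output carries more than the one header line that `tail -n +2` drops), and either result is written to `${SOC_PIPE}` unchecked. Using `jq -er '.url // empty'` and testing its exit status before the write would keep a bad value out of the pipe.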