From d2df405cf05fb7e2b953bf86a4cd687065175603 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 21 Jul 2020 11:07:01 -0400
Subject: [PATCH] so-import-pcap improvements: Ensure PCAP filenames with spaces are handled properly; Provide link directly to the imported logs, filtered by import ID; Require sudo access to run so-import-pcap

---
 salt/common/tools/sbin/so-import-pcap | 12 ++++++----
 .../templates/so/so-common-template.json | 24 +++++++++++--------
 2 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap
index a45fe6777..2281ff943 100755
--- a/salt/common/tools/sbin/so-import-pcap
+++ b/salt/common/tools/sbin/so-import-pcap
@@ -20,6 +20,8 @@
 {% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
 {%- set MANAGERIP = salt['pillar.get']('static:managerip') -%}
 
+. /usr/sbin/so-common
+
 function usage {
 cat << EOF
 Usage: $0 [pcap-file-2] [pcap-file-N]
@@ -32,13 +34,13 @@ EOF
 function pcapinfo() {
 PCAP=$1
 ARGS=$2
-docker run --rm -v $PCAP:/input.pcap --entrypoint capinfos {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} /input.pcap $ARGS
+docker run --rm -v "$PCAP:/input.pcap" --entrypoint capinfos {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} /input.pcap $ARGS
 }
 
 function pcapfix() {
 PCAP=$1
 PCAP_OUT=$2
-docker run --rm -v $PCAP:/input.pcap -v $PCAP_OUT:$PCAP_OUT --entrypoint pcapfix {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} /input.pcap -o $PCAP_OUT > /dev/null 2>&1
+docker run --rm -v "$PCAP:/input.pcap" -v $PCAP_OUT:$PCAP_OUT --entrypoint pcapfix {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} /input.pcap -o $PCAP_OUT > /dev/null 2>&1
 }
 
 function suricata() {
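Review bot: The root/sudo requirement announced in the commit subject is not visible in this hunk; the only change is sourcing /usr/sbin/so-common, which presumably carries that check, but nothing here confirms it. A comment on the new line would make the dependency explicit, e.g. `# so-common: shared helpers; also expected to enforce running as root (sudo)`, and if so-common does not in fact exit for a non-root caller, an explicit guard belongs right after it, `[ "$(id -u)" -eq 0 ] || { echo "This script must be run as root (sudo)."; exit 1; }`, since every docker invocation below needs it. The usage function opened at the end of this hunk continues outside it.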
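Review bot: The quoting fix in pcapfix is incomplete: `$PCAP_OUT` is still unquoted in both the `-v $PCAP_OUT:$PCAP_OUT` bind mount and the `-o $PCAP_OUT` argument, so an output path containing whitespace breaks exactly the way the input path did before this commit. Unless PCAP_OUT is guaranteed to be a generated path with no spaces (its caller is outside this hunk, so I cannot confirm), quote it the same way as the input: `docker run --rm -v "$PCAP:/input.pcap" -v "$PCAP_OUT:$PCAP_OUT" --entrypoint pcapfix {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} /input.pcap -o "$PCAP_OUT" > /dev/null 2>&1`. `$ARGS` in pcapinfo is likewise unquoted; that may be deliberate so several flags can be passed in one variable, in which case a one-line comment saying so would stop the next reader from "fixing" it.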
@@ -57,7 +59,7 @@ function suricata() {
 -v /opt/so/conf/suricata/rules:/etc/suricata/rules:ro \
 -v ${LOG_PATH}:/var/log/suricata/:rw \
 -v ${NSM_PATH}/:/nsm/:rw \
- -v $PCAP:/input.pcap:ro \
+ -v "$PCAP:/input.pcap:ro" \
 -v /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro \
 {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-suricata:{{ VERSION }} \
 --runmode single -k none -r /input.pcap > $LOG_PATH/console.log 2>&1
@@ -76,7 +78,7 @@ function zeek() {
 -v $NSM_PATH/logs:/nsm/zeek/logs:rw \
 -v $NSM_PATH/spool:/nsm/zeek/spool:rw \
 -v $NSM_PATH/extracted:/nsm/zeek/extracted:rw \
- -v $PCAP:/input.pcap:ro \
+ -v "$PCAP:/input.pcap:ro" \
 -v /opt/so/conf/zeek/local.zeek:/opt/zeek/share/zeek/site/local.zeek:ro \
 -v /opt/so/conf/zeek/node.cfg:/opt/zeek/etc/node.cfg:ro \
 -v /opt/so/conf/zeek/zeekctl.cfg:/opt/zeek/etc/zeekctl.cfg:ro \
@@ -210,7 +212,7 @@ cat << EOF
 Import complete!
 
 You can use the following hyperlink to view data in the time range of your import. You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser:
-https://{{ MANAGERIP }}/#/hunt?q=%2a%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM
+https://{{ MANAGERIP }}/#/hunt?q=import.id:${HASH}%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM
 
 or you can manually set your Time Range to be:
 From: $START_OLDEST To: $END_NEWEST
diff --git a/salt/elasticsearch/templates/so/so-common-template.json b/salt/elasticsearch/templates/so/so-common-template.json
index c0167198d..85a65fd6f 100644
--- a/salt/elasticsearch/templates/so/so-common-template.json
+++ b/salt/elasticsearch/templates/so/so-common-template.json
@@ -18,7 +18,7 @@
 "@version":{
 "type":"keyword"
 },
-"osquery":{
+"osquery":{
 "type":"object",
 "dynamic":true
 },
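Review bot: On the new hyperlink line `${HASH}` is interpolated raw into the hunt query, while every other piece of the query string is percent-encoded. If HASH is a hex digest of the PCAP (the name suggests it, but it is assigned outside this hunk) that is harmless; if it can ever contain `:`, `/`, `&`, `#` or whitespace, both the URL and the `import.id:` query term will break. Either document the invariant where HASH is computed, `# HASH is a hex digest only, so it is safe to embed unencoded in the hunt URL`, or percent-encode it before building the link. The heredoc this line sits in is opened and closed outside the hunk.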
@@ -85,7 +85,7 @@
 "type":"object",
 "dynamic": true
 },
-"client":{
+"client":{
 "type":"object",
 "dynamic": true
 },
@@ -177,6 +177,10 @@
 "type":"object",
 "dynamic": true
 },
+"import":{
+"type":"object",
+"dynamic": true
+},
 "ingest":{
 "type":"object",
 "dynamic": true
@@ -185,7 +189,7 @@
 "type":"object",
 "dynamic": true
 },
-"irc":{
+"irc":{
 "type":"object",
 "dynamic": true
 },
@@ -201,7 +205,7 @@
 "type":"object",
 "dynamic": true
 },
-"message":{
+"message":{
 "type":"text",
 "fields":{
 "keyword":{
@@ -213,7 +217,7 @@
 "type":"object",
 "dynamic": true
 },
-"mysql":{
+"mysql":{
 "type":"object",
 "dynamic": true
 },
@@ -221,7 +225,7 @@
 "type":"object",
 "dynamic": true
 },
-"notice":{
+"notice":{
 "type":"object",
 "dynamic": true
 },
@@ -269,7 +273,7 @@
 "type":"object",
 "dynamic": true
 },
-"request":{
+"request":{
 "type":"object",
 "dynamic": true
 },
@@ -281,7 +285,7 @@
 "type":"object",
 "dynamic": true
 },
-"scan":{
+"scan":{
 "type":"object",
 "dynamic": true
 },
@@ -317,7 +321,7 @@
 "type":"object",
 "dynamic": true
 },
-"source":{
+"source":{
 "type":"object",
 "dynamic": true
 },
@@ -329,7 +333,7 @@
 "type":"object",
 "dynamic": true
 },
-"syslog":{
+"syslog":{
 "type":"object",
 "dynamic": true
 },
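Review bot: The new `import` object in the @@ -177 hunk is mapped only as `"dynamic": true`, so the type of `import.id` — the field the so-import-pcap hyperlink now filters on — is left to whatever dynamic templates apply, which are not visible here. If nothing pins it, Elasticsearch's default maps a string as `text` with a `.keyword` sub-field, so `import.id:<hash>` matches after analysis rather than exactly; for an identifier used purely as a filter key, declaring it explicitly, `"import":{ "type":"object", "dynamic": true, "properties":{ "id":{ "type":"keyword" } } }`, gives exact-match semantics and a cheaper query while still allowing other import.* fields to be added dynamically. The remaining hunks in this file only change whitespace on existing keys.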