From d963222f3188c21b670f3725e344ff66aefdbbb7 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 14 Aug 2020 15:28:47 -0400
Subject: [PATCH] provide proper url for so-import-pcap based on redirect strategy chosen during setup - https://github.com/Security-Onion-Solutions/securityonion/issues/1039
---
 salt/common/tools/sbin/so-import-pcap | 9 +++++----
 setup/so-functions | 2 +-
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap
index 6e2d98daa..f10f5fad9 100755
--- a/salt/common/tools/sbin/so-import-pcap
+++ b/salt/common/tools/sbin/so-import-pcap
@@ -15,10 +15,11 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
-{% set MANAGER = salt['grains.get']('master') %}
-{% set VERSION = salt['pillar.get']('global:soversion') %}
-{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
+{%- set MANAGER = salt['grains.get']('master') %}
+{%- set VERSION = salt['pillar.get']('global:soversion') %}
+{%- set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {%- set MANAGERIP = salt['pillar.get']('global:managerip') -%}
+{%- set URLBASE = salt['pillar.get']('global:url_base') %}
 . /usr/sbin/so-common
@@ -212,7 +213,7 @@ cat << EOF
 Import complete!
 You can use the following hyperlink to view data in the time range of your import. You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser:
-https://{{ MANAGERIP }}/#/hunt?q=import.id:${HASH}%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC
+https://{{ URLBASE }}/#/hunt?q=import.id:${HASH}%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC
 or you can manually set your Time Range to be (in UTC):
 From: $START_OLDEST
 To: $END_NEWEST
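Review bot: The new `{%- set URLBASE = salt['pillar.get']('global:url_base') %}` line has no default, so on a minion whose global pillar does not carry `url_base` (for example a manager whose pillar was written by the pre-patch setup, which put the key under `manager:` instead) it renders as an empty string and the hyperlink in the second hunk becomes `https:///#/hunt?...`, a regression from the old `MANAGERIP` form which always produced a host. Falling back to the manager IP keeps the previous behaviour as a floor: `{%- set URLBASE = salt['pillar.get']('global:url_base', MANAGERIP) %}`. The second hunk sits inside a heredoc whose `cat << EOF` opens outside the hunk.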
diff --git a/setup/so-functions b/setup/so-functions
index 778d1a21d..88539f0cf 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1028,7 +1028,6 @@ manager_pillar() {
 " osquery: $OSQUERY"\
 " thehive: $THEHIVE"\
 " playbook: $PLAYBOOK"\
- " url_base: $REDIRECTIT"\
 ""\
 "elasticsearch:"\
 " mainip: $MAINIP"\
@@ -1087,6 +1086,7 @@ manager_global() {
 " proxy: $PROXY"\
 " zeekversion: $ZEEKVERSION"\
 " ids: $NIDS"\
+ " url_base: $REDIRECTIT"\
 " managerip: $MAINIP" > "$global_pillar"
 # Check if TheHive is enabled. If so, add creds and other details
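Review bot: Moving `url_base` from the `manager:` pillar to `global:` renames the key that consumers look up, and this patch only updates so-import-pcap; any other state or template that still reads `manager:url_base` would now get nothing, which cannot be checked from this diff alone and is worth a grep before merging. `$REDIRECTIT` is also interpolated unquoted into the YAML line in the `manager_global` hunk, so an empty value writes `url_base:` (YAML null) instead of a usable host; `" url_base: ${REDIRECTIT:-$MAINIP}"\` would keep the manager IP as a floor, consistent with the `managerip: $MAINIP` line just below it. Both `manager_pillar` and `manager_global` begin and end outside these hunks.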