set transport for ssl.established:false logs

Merge pull request #16008 from Security-Onion-Solutions/jertel/wip
support multiple capinfos versions
2026-06-26 04:08:20 +02:00 · 2026-06-25 14:18:43 -04:00 · 2026-06-25 10:19:56 -04:00 · 2026-06-25 09:32:08 -04:00 · 2026-06-24 13:41:53 -04:00 · 2026-06-23 15:53:34 -05:00
3 changed files with 9 additions and 4 deletions
@@ -63,7 +63,8 @@ function status {
 function pcapinfo() {
  PCAP=$1
  ARGS=$2
-  docker run --rm -v "$PCAP:/input.pcap" --entrypoint capinfos {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} /input.pcap -ae $ARGS
+  docker run --rm -v "$PCAP:/input.pcap" --entrypoint capinfos {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} /input.pcap -ae $ARGS |\
+    sed 's/First packet/Earliest packet/g' | sed 's/Last packet/Latest packet/g'
 }

 function pcapfix() {
@@ -5,6 +5,7 @@
    { "remove":   { "field": ["host"],     "ignore_failure": true } },
    { "json":             { "field": "message",                 "target_field": "message2",             "ignore_failure": true  } },
    { "rename":         { "field": "message2.version",          "target_field": "ssl.version",          "ignore_missing": true  } },
+    { "set":      { "description": "Set transport for the community_id processor", "if": "ctx.ssl?.version == null || !ctx.ssl.version.startsWith('DTLS')", "field": "network.transport", "value": "tcp", "ignore_failure": true } },
    { "rename":         { "field": "message2.cipher",           "target_field": "ssl.cipher",           "ignore_missing": true  } },
    { "rename":         { "field": "message2.curve",            "target_field": "ssl.curve",            "ignore_missing": true  } },
    { "rename":         { "field": "message2.server_name",      "target_field": "ssl.server_name",              "ignore_missing": true  } },
@@ -9,14 +9,17 @@
 # Make sure you are root before doing anything
 uid="$(id -u)"
 if [ "$uid" -ne 0 ]; then
-	echo "This script must be run using sudo!"
-	fail_setup
+	echo "This script must be run using sudo!" >&2
+	exit 1
 fi

 # Save the original argument array since we modify it
 original_args=("$@")

-cd "$(dirname "$0")" || fail_setup
+cd "$(dirname "$0")" || {
+	echo "Unable to change to setup directory" >&2
+	exit 1
+}

 echo "Getting started..."
Author	SHA1	Message	Date
Josh Brower	d0edfd2131	set transport for ssl.established:false logs	2026-06-25 14:18:43 -04:00
Jason Ertel	30312b93a6	Merge pull request #16008 from Security-Onion-Solutions/jertel/wip support multiple capinfos versions	2026-06-25 10:19:56 -04:00
Jason Ertel	a9c03e39bb	support multiple capinfos versions	2026-06-25 09:32:08 -04:00
Dan Marr	4d34470b84	Merge pull request #16005 from triggerman86/triggerman-fix-root_check-so-soup Fix premature fail_setup function call in so-setup	2026-06-24 13:41:53 -04:00
Jorge Reyes	81c8d54589	Merge pull request #16006 from Security-Onion-Solutions/reyesj2-patch-5 remove heayvnode FleetServer_* directory creation, and skip empty dir…	2026-06-23 15:53:34 -05:00
Dan Marr	81ebea0451	Fix non-root exit checks at start of so-setup	2026-06-23 16:07:30 -04:00