capme should check to see if uid field is an array

Security-Onion-Solutions · Mar 26, 2018 · 21df730 · 21df730
1 parent 1de8529
commit 21df730
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/var/www/so/capme/.inc/callback-elastic.php b/var/www/so/capme/.inc/callback-elastic.php
@@ -229,6 +229,11 @@ function elastic_command($elastic_host, $elastic_port, $type, $bro_query, $st_es
 		// Let's first check to see if it's a Bro log that has a CID in the uid field.
 		if (isset($elastic_response_object["hits"]["hits"][0]["_source"]["uid"]) ) {
 			$uid = $elastic_response_object["hits"]["hits"][0]["_source"]["uid"];
+			// Some bro_files logs are coming back with uid as an array
+			// If that's the case here, then grab the first element in that array
+			if (is_array($uid)) {
+				$uid = $elastic_response_object["hits"]["hits"][0]["_source"]["uid"][0];
+			}
 			// A Bro CID should be alphanumeric and begin with the letter C
 			if (ctype_alnum($uid)) {
 				if (substr($uid,0,1)=="C") {