From 83e038dc8153ea843bebe81b873dc122a36c93ba Mon Sep 17 00:00:00 2001
From: doug
Date: Mon, 25 Sep 2017 11:39:50 -0400
Subject: [PATCH] sostat: provide Docker container interface correlation #1136
---
 debian/changelog | 6 ++
 debian/patches/series | 1 +
 ...cker-container-interface-correlation-#1136 | 58 +++++++++++++++++++
 3 files changed, 65 insertions(+)
 create mode 100644 debian/patches/sostat:-provide-Docker-container-interface-correlation-#1136
diff --git a/debian/changelog b/debian/changelog
index 937895b..e68067d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+securityonion-sostat (20120722-0ubuntu0securityonion76) trusty; urgency=medium
+
+ * sostat: provide Docker container interface correlation #1136
+
+ -- Doug Burks Mon, 25 Sep 2017 11:39:15 -0400
+
 securityonion-sostat (20120722-0ubuntu0securityonion75) trusty; urgency=medium
 
 * replace localhost:9200 with ELASTICSEARCH_HOST and ELASTICSEARCH_PORT variables
diff --git a/debian/patches/series b/debian/patches/series
index 5609dbd..219ba09 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -72,3 +72,4 @@ issues-928,-1072,-and-1108
 fix-quote-issue
 add-elastic-checks-to-sostat
 replace-localhost:9200-with-ELASTICSEARCH_HOST-and-ELASTICSEARCH_PORT-variables
+sostat:-provide-Docker-container-interface-correlation-#1136
diff --git a/debian/patches/sostat:-provide-Docker-container-interface-correlation-#1136 b/debian/patches/sostat:-provide-Docker-container-interface-correlation-#1136
new file mode 100644
index 0000000..544d677
--- /dev/null
+++ b/debian/patches/sostat:-provide-Docker-container-interface-correlation-#1136
@@ -0,0 +1,58 @@
+Description:
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-sostat (20120722-0ubuntu0securityonion76) trusty; urgency=medium
+ .
+ * sostat: provide Docker container interface correlation #1136
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- securityonion-sostat-20120722.orig/bin/sostat
++++ securityonion-sostat-20120722/bin/sostat
+@@ -82,7 +82,29 @@ service nsm status 2>&1 | remove_ansi_es
+ 
+ echo
+ header "Interface Status"
+-ifconfig
++if [ "$ELASTICSEARCH_ENABLED" = "yes" ]; then
++ NOT_VETH=`ls -A /sys/class/net | grep -v veth`
++ for i in $NOT_VETH; do
++ ifconfig $i
++ done
++ CONTAINERS=`docker ps --format '{{.Names}}'`
++ for i in $CONTAINERS; do
++ echo
++ echo $i
++ echo '-------------------------------------------------------------------------'
++ ETH_LIST=`docker exec $i ls /sys/class/net/eth*/iflink`
++ for interface in $ETH_LIST; do
++ ETH_SHORT=`echo $interface | cut -d'/' -f5`
++ INT_INT=`docker exec $i cat $interface`
++ EXT_INT=`grep -w "$INT_INT" /sys/class/net/veth*/ifindex | cut -d'/' -f5`
++ echo "("$ETH_SHORT")"
++ ifconfig $EXT_INT
++ done
++ done
++
++else
++ ifconfig
++fi
+ 
+ echo
+ header "Link Statistics"
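Review bot: In the added `ETH_LIST=` line the `eth*` glob is expanded by the host shell before `docker exec` runs, so the container is queried for the host's interface names, or `ls` receives the literal pattern when the host has no `eth*` device; running the glob inside the container, e.g. `ETH_LIST=$(docker exec "$i" sh -c 'ls /sys/class/net/eth*/iflink')`, avoids that (this assumes each image ships `sh`). The `EXT_INT=` line depends on grep printing a `path:` prefix, which grep omits when `veth*` matches only one file, so `cut` then yields the index rather than the veth name; `grep -Hw -- "$INT_INT" /sys/class/net/veth*/ifindex` keeps the prefix. `INT_INT` is produced by a binary inside the container, so it is worth rejecting any non-numeric or empty value before it reaches grep on the host. An empty `EXT_INT` makes the unquoted `ifconfig $EXT_INT` print every host interface under that container's heading; `[ -n "$EXT_INT" ] && ifconfig "$EXT_INT"` skips it instead.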