map pcap dir to container. enable pcap-log in map

salt/suricata/enabled.sls

@@ -35,6 +35,9 @@ so-suricata:
       - /nsm/suricata/:/nsm/:rw
       - /nsm/suricata/extracted:/var/log/suricata//filestore:rw
       - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
+      {% if GLOBALS.pcap_engine == "SURICATA" %}
+      - /nsm/suripcap/:/nsm/pcap:rw
+      {% endif %}
       {% if DOCKER.containers['so-suricata'].custom_bind_mounts %}
         {% for BIND in DOCKER.containers['so-suricata'].custom_bind_mounts %}
       - {{ BIND }}

salt/suricata/map.jinja

@@ -60,6 +60,11 @@
 {%   do SURICATAMERGED.config.outputs['file-store'].update({'enabled':suricata_mdengine.suricata.config.outputs[surimeta_filestore_index]['file-store']['enabled']}) %}
 {% endif %}
 
+{# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #}
+{% if GLOBALS.pcap_engine == "SURICATA" %}
+{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
+{% endif %}
+
 {# outputs is a list but we convert to dict in defaults to work with ui #}
 {# below they are converted back to lists #}
 {% load_yaml as outputs %}

salt/suricata/pcap.sls

@@ -9,8 +9,8 @@ suripcapdir:
     - mode: 755
     - makedirs: True
 
-
+{# there should only be 1 interface in af-packet so we can just reference the first list item #}
-{% for i in range(1, SURICATAMERGED.config['af-packet'].threads) + 1) %}
+{% for i in range(1, SURICATAMERGED.config['af-packet'][0].threads + 1) %}
 
 suripcapthread{{i}}dir:
   file.directory: