Add Globals

salt/global/defaults.yaml

@@ -0,0 +1,2 @@
+global:
+  pcapengine: STENO

salt/global/soc_global.yaml

@@ -14,6 +14,11 @@ global:
     regex: ^(ZEEK|SURICATA)$
     regexFailureMessage: You must enter either ZEEK or SURICATA.
     global: True
+  pcapengine:
+    description: What engine to use for generating pcap. Options are STENO and SURICATA.
+    regex: ^(STENO|SURICATA)$
+    regexFailureMessage: You must enter either STENO or SURICATA.
+    global: True
   ids:
     description: Which IDS engine to use. Currently only Suricata is supported.
     global: True

salt/manager/tools/sbin/so-minion

@@ -99,7 +99,8 @@ function pcapspace() {
 		"suricata:"\
 		"  config:"\
 		"    output:"\
-		"      pcap-log: $s" >> $PILLARFILE
+		"      pcap-log:"\
+		"        max-files: $s" >> $PILLARFILE
 	
 }
 

salt/sensoroni/files/sensoroni.json

@@ -24,12 +24,21 @@
       "statickeyauth": {
         "apiKey": "{{ GLOBALS.sensoroni_key }}"
 {%- if PCAPMERGED.enabled %}
+{%-   if PCAPENGINE.steno %} 
       },     
       "stenoquery": {
         "executablePath": "/opt/sensoroni/scripts/stenoquery.sh",
         "pcapInputPath": "/nsm/pcap",
         "pcapOutputPath": "/nsm/pcapout"
       }
+{%- elif PCAPENGINE.suri %}
+      },     
+      "suriquery": {
+        "executablePath": "/opt/sensoroni/scripts/suriquery.sh",
+        "pcapInputPath": "/nsm/suripcap",
+        "pcapOutputPath": "/nsm/pcapout"
+      }
+{%- endif %}
 {%- else %}
       }
 {%- endif %}

salt/suricata/soc_suricata.yaml

@@ -155,8 +155,10 @@ suricata:
                 helpLink: suricata.html
       pcap-log:
         enabled:
-          description: Enable Suricata to collect PCAP.
+          description: This value is ignored by SO. pcapengine in globals takes predidence.
+          readonly: True
           helpLink: suricata.html
+          advanced: True
         compression: 
           description: Enable compression of Suricata PCAP. Currently unsupported
           advanced: True