Add so-minion modifications

salt/manager/tools/sbin/so-minion

@@ -79,6 +79,30 @@ function getinstallinfo() {
 	source <(echo $INSTALLVARS)
 }
 
+function pcapspace() {
+
+	local NSMSIZE=$(salt \* disk.usage --out=json | jq -r '.[]."/nsm"."1K-blocks" ')
+	local ROOTSIZE=$(salt \* disk.usage --out=json | jq -r '.[]."/"."1K-blocks" ')
+
+	if [[ "$NSMSIZE" == "null" ]]; then
+		# Looks like there is no dedicated nsm partition. Using root
+		local SPACESIZE=$ROOTSIZE
+	else
+		local SPACESIZE=$NSMSIZE
+	fi
+
+	local s=$(( $SPACESIZE / 1000000 ))
+	local s1=$(( $s / 2 ))
+	local s2=$(( $s1 / $lb_procs ))
+
+	printf '%s\n'\
+		"suricata:"\
+		"  config:"\
+		"    output:"\
+		"      pcap-log: $s" >> $PILLARFILE
+	
+}
+
 function testMinion() {
 	# Always run on the host, since this is going to be the manager of a distributed grid, or an eval/standalone.
 	# Distributed managers must run this in order for the sensor nodes to have access to the so-tcpreplay image.
@@ -252,6 +276,7 @@ function add_sensor_to_minion() {
 	if [[ $is_pcaplimit ]]; then
 		echo "  config:" >> $PILLARFILE
 		echo "    diskfreepercentage: 60" >> $PILLARFILE
+		pcapspace
 	fi
 	echo "  " >> $PILLARFILE
 }

salt/suricata/soc_suricata.yaml

@@ -181,7 +181,7 @@ suricata:
           description: File size limit per thread. To determine max PCAP size multiple threads x max-files x limit.
           helpLink: suricata.html
         mode: 
-          description: Suricata PCAP mode. Currenlty only multi is supported.
+          description: Suricata PCAP mode. Currently only multi is supported.
           advanced: True
           readonly: True
           helpLink: suricata.html