merge with dev and fix conflicts

salt/suricata/files/suricata.yaml

@@ -99,7 +99,7 @@ outputs:
   - eve-log:
       enabled: yes
       filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
-      filename: eve.json
+      filename: /nsm/eve.json
       rotate-interval: day
       community-id: true
       community-id-seed: 0
@@ -918,7 +918,7 @@ host-mode: auto
 # If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
 # apply. In that case try something like 60000 or more. This is because the CUDA
 # pattern matcher buffers and scans as many packets as possible in parallel.
-#max-pending-packets: 1024
+max-pending-packets: 5000
 
 # Runmode the engine should use. Please check --list-runmodes to get the available
 # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned

salt/suricata/init.sls

@@ -59,6 +59,12 @@ ruleslink:
   file.symlink:
     - name: /opt/so/saltstack/local/salt/suricata/rules
     - target: /opt/so/rules/nids
+    
+suridatadir:
+  file.directory:
+    - name: /nsm/suricata
+    - user: 940
+    - group: 939
 
 surirulesync:
   file.recurse:
@@ -124,6 +130,7 @@ so-suricata:
       - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
       - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
       - /opt/so/log/suricata/:/var/log/suricata/:rw
+      - /nsm/suricata/:/nsm/:rw
       - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
     - network_mode: host
     - watch: