diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index 077087757..5134da91b 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -69,7 +69,8 @@ so-steno: - image: toosmooth/so-steno:test2 - network_mode: host - priviledged: true - - user: 941 + - port_bindings: + - 127.0.0.1:1234:1234 - binds: - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw - /opt/so/conf/steno/config:/etc/stenographer/config:rw diff --git a/salt/pulledpork/init.sls b/salt/pulledpork/init.sls index 1470cecf9..74776366e 100644 --- a/salt/pulledpork/init.sls +++ b/salt/pulledpork/init.sls @@ -27,6 +27,11 @@ rulesdir: - group: 939 - makedirs: True +ruleslink: + file.symlink: + - name: /opt/so/saltstack/salt/pulledpork/rules + - target: /opt/so/rules/nids + toosmooth/so-pulledpork:test2: docker_image.present diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls new file mode 100644 index 000000000..5a31b9db4 --- /dev/null +++ b/salt/suricata/init.sls 
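Review bot: The `port_bindings` added to so-steno in the salt/pcap/init.sls hunk has no effect, because the container keeps `- network_mode: host`; Docker discards published ports for host-networked containers, so the 127.0.0.1 restriction on 1234 is never applied and whatever the process listens on is reachable on every host interface unless the service itself binds loopback. The same hunk drops `- user: 941`, so the process now runs as root inside a container that is also marked privileged (the key is spelled `priviledged`, which is not the `privileged` option docker_container.running documents, so it is unclear whether that flag even takes effect). If a loopback-only listener is the goal, either drop host networking so the binding applies, or keep the user line and restrict the bind address in the stenographer config instead, with a comment such as `# host networking: port_bindings are ignored, listener address is set in the steno config`. The so-steno state starts before this hunk.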
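Review bot: `ruleslink` in the salt/pulledpork/init.sls hunk places a symlink inside the Salt file tree (`/opt/so/saltstack/salt/pulledpork/rules`) that points at `/opt/so/rules/nids`, a directory this commit also bind-mounts read-write into the so-pulledpork container; everything that container writes therefore becomes content the Salt fileserver hands out to minions. That is presumably intended (distribute the downloaded rules), but it should be stated, since the container's output is now trusted as Salt file content: `# serves the container-written rule set as salt://pulledpork/rules; only /opt/so/rules/nids is linked`. The state also carries no `require` on `rulesdir` and no `force: True`, so it depends on in-file ordering for the target to exist and will fail if a real directory is already present at the link path. The `rulesdir` state shown as context starts before this hunk.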
@@ -0,0 +1,46 @@ +# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Suricata +ppdir: + file.directory: + - name: /opt/so/pulledpork + - user: 939 + - group: 939 + +rulesdir: + file.directory: + - name: /opt/so/rules/nids + - user: 939 + - group: 939 + - makedirs: True + +ruleslink: + file.symlink: + - name: /opt/so/saltstack/salt/pulledpork/rules + - target: /opt/so/rules/nids + +toosmooth/so-pulledpork:test2: + docker_image.present + +so-pulledpork: + docker_container.running: + - image: toosmooth/so-pulledpork:test2 + - hostname: so-pulledpork + - user: socore + - binds: + - /opt/so/pulledpork/etc:/opt/pulledpork/etc:ro + - /opt/so/rules/nids:/opt/so/rules/nids:rw + - network_mode: so-elastic-net diff --git a/so-setup-network.sh b/so-setup-network.sh index a8a174865..cf32afeb0 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -223,7 +223,7 @@ if (whiptail --title "Security Onion Setup" --yesno "Are you sure you want to in # Create the pillar file for the sensor touch /tmp/$HOSTNAME.sls - echo "sensor:" > /tmp/$HOSTNAME.sls + echo "sensors:" > /tmp/$HOSTNAME.sls echo " interface: bond0" >> /tmp/$HOSTNAME.sls echo " lbprocs: $LBPROCS" >> /tmp/$HOSTNAME.sls
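Review bot: The new salt/suricata/init.sls defines no Suricata state at all; apart from the `# Suricata` comment it is a verbatim copy of salt/pulledpork/init.sls, reusing the IDs `ppdir`, `rulesdir`, `ruleslink`, `toosmooth/so-pulledpork:test2` and `so-pulledpork`. Salt requires state IDs to be unique across all SLS files in a highstate, so if the pulledpork and suricata states are ever applied together the run will be rejected with a conflicting-IDs error, and if they are not, two copies of the same container definition will drift apart. Either replace the body with the actual Suricata states or, until they exist, reduce the file to `include:` / `  - pulledpork`. The container here runs as `user: socore` while the directories it writes are owned by uid 939; that only works if socore maps to 939, which the file does not show.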