From 4dfa1a5626387ab70c389565fa74a542cc44949b Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 6 Mar 2024 10:35:10 -0500
Subject: [PATCH] Move Suricata around
---
salt/suricata/defaults.yaml | 5 +++--
salt/suricata/soc_suricata.yaml | 8 ++++++++
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml
index eb2c181e3..42af3fc55 100644
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -1,5 +1,8 @@
suricata:
enabled: False
+ pcap:
+ filesize: 1000mb
+ maxsize: 25
config:
threading:
set-cpu-affinity: "no"
@@ -132,9 +135,7 @@ suricata:
lz4-checksum: "no"
lz4-level: 8
filename: "%n/so-pcap.%t"
- limit: "1000mb"
mode: "multi"
- max-files: 10
use-stream-depth: "no"
conditional: "all"
dir: "/nsm/suripcap"
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index fbd6e84ee..88b460af8 100644
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -19,6 +19,14 @@ suricata:
multiline: True
title: Classifications
helpLink: suricata.html
+ pcap:
+ filesize:
description: Max file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval times.
+ advanced: True
+ helplink: suricata.html
+ maxsize:
description: Size in GB for total usage size of PCAP on disk.
+ helplink: suricata.html
config:
af-packet:
interface:
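Review bot: The new `pcap.filesize` / `pcap.maxsize` keys carry no unit in the key name and nothing in this patch shows them being fed back into the pcap-log output where `limit` and `max-files` are removed further down, so as far as this diff goes the rendered Suricata config loses its explicit rotation cap for `/nsm/suripcap` (`conditional: "all"`, `mode: "multi"`) unless a template outside this diff derives the values — worth confirming, since uncapped pcap on a sensor is a disk-exhaustion/availability risk. The two values also mix units (`1000mb` as a size string versus a bare `25` that soc_suricata.yaml describes as GB), which whatever computes `max-files` has to parse consistently. I would at least annotate the defaults so the contract is visible where the values live, e.g. `filesize: 1000mb  # per-file pcap-log size (presumably mapped to 'limit')` and `maxsize: 25  # GB; total on-disk pcap budget (presumably used to derive 'max-files')`, hedged because the derivation is not in this hunk.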
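Review bot: The two added `helplink: suricata.html` lines use a different key casing from the existing `helpLink: suricata.html` three lines above in the same hunk; if the SOC annotation loader matches keys exactly, these help links will silently not appear in the UI. Change both to `helpLink: suricata.html`. Separately, the `maxsize` description states its unit (GB) but the `filesize` description does not, and neither constrains what an operator may enter; I would add the unit, e.g. `description: Max file size (e.g. 1000mb) for individual PCAP files written by Suricata. ...`, and, if the annotation schema supports input validation, restrict both fields to a numeric/size pattern so a malformed value cannot break rendering of the pcap-log section.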