Move Suricata around

salt/suricata/defaults.yaml

@@ -1,5 +1,8 @@
 suricata:
   enabled: False
+  pcap:
+    filesize: 1000mb
+    maxsize: 25
   config:
     threading:
       set-cpu-affinity: "no"
@@ -132,9 +135,7 @@ suricata:
         lz4-checksum: "no"
         lz4-level: 8
         filename: "%n/so-pcap.%t"
-        limit: "1000mb"
         mode: "multi"
-        max-files: 10
         use-stream-depth: "no"
         conditional: "all"
         dir: "/nsm/suripcap"

salt/suricata/soc_suricata.yaml

@@ -19,6 +19,14 @@ suricata:
       multiline: True
       title: Classifications
       helpLink: suricata.html
+  pcap:
+    filesize: 
+      description: Max file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval times.
+      advanced: True
+      helplink: suricata.html 
+    maxsize:
+      description: Size in GB for total usage size of PCAP on disk. 
+      helplink: suricata.html
   config:
     af-packet:
       interface: