From 34dfc809c718e247a63cc00b2246705e59e87c55 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 6 Oct 2020 13:57:50 -0400
Subject: [PATCH] handle thread count for suricata and default max-pending-packets to 5000 - https://github.com/Security-Onion-Solutions/securityonion/issues/1460

---
 salt/suricata/afpacket.map.jinja | 1 +
 salt/suricata/defaults.yaml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/salt/suricata/afpacket.map.jinja b/salt/suricata/afpacket.map.jinja
index cd700765a..37b80aa87 100644
--- a/salt/suricata/afpacket.map.jinja
+++ b/salt/suricata/afpacket.map.jinja
@@ -5,6 +5,7 @@ af-packet:
     cluster-type: cluster_flow
     defrag: yes
     use-mmap: yes
+    threads: {{ salt['pillar.get']('sensor:suriprocs', salt['pillar.get']('sensor:suripins') | length) }}
     tpacket-v3: yes
     ring-size: {{ salt['pillar.get']('sensor:suriringsize', '2048') }}
   - interface: default
diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml
index ee34a8bf0..9f34c0871 100644
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -345,7 +345,7 @@ suricata:
     coredump:
       max-dump: unlimited
     host-mode: auto
-    max-pending-packets: 1024
+    max-pending-packets: 5000
     runmode: workers
     #autofp-scheduler: hash
     default-packet-size: 1500
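Review bot: The fallback in the added `threads:` line renders `0` whenever `sensor:suripins` is unset, because `pillar.get` then returns its empty default and `| length` of that is 0; whether Suricata treats `threads: 0` as auto-detection or as an invalid count should be confirmed before this is relied on as the default path, since a rejected or undersized capture thread count shows up as packet loss and detection gaps rather than an error in the state run. The same expression also assumes `suripins` is a list — if it is ever a comma-separated string, `| length` counts characters rather than pinned CPUs and Suricata would be told to spawn far too many capture threads. A form that makes the default explicit is `{%- set suripins = salt['pillar.get']('sensor:suripins', []) %}` followed by `threads: {{ salt['pillar.get']('sensor:suriprocs', suripins | length if suripins else 'auto') }}`. The enclosing `af-packet:` interface entry starts and ends outside the hunk, so I cannot see whether `suripins` is normalised earlier in the template.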
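Review bot: The raised `max-pending-packets: 5000` carries no comment explaining the departure from Suricata's shipped default of 1024 or its cost; as far as I can tell each pending packet pins a pre-allocated buffer sized by the neighbouring `default-packet-size: 1500` plus per-packet metadata, so this raises baseline memory use on every sensor, including small ones, not just the high-throughput case in the linked issue. A short comment above the key would help the next person tuning it, e.g. `# raised from Suricata's default (1024) to cut capture drops on busy sensors; increases packet-pool memory - see issue #1460`. If this is meant to be tunable per sensor like `suriprocs` and `suriringsize` in the other hunk, a pillar override here would be consistent with those knobs, though that may already be handled in a template outside this file.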