From 583227290f1fedc68ffb9abf14b2b92c8677171d Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 6 Mar 2024 15:18:22 -0500
Subject: [PATCH] fix max-files calc
---
 salt/suricata/map.jinja | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja
index d8ce271fe..77cdbe7c5 100644
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -70,10 +70,11 @@
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'filename': SURICATAMERGED.pcap.filename}) %}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'limit': SURICATAMERGED.pcap.filesize}) %}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'mode': SURICATAMERGED.pcap.mode}) %}
-{% do SURICATAMERGED.config.outputs['pcap-log'].update({'max-stream-depth': SURICATAMERGED.pcap['max-stream-depth']}) %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'use-stream-depth': SURICATAMERGED.pcap['use-stream-depth']}) %}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'conditional': SURICATAMERGED.pcap.conditional}) %}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'dir': SURICATAMERGED.pcap.dir}) %}
-{% set maxfiles = (SURICATAMERGED.pcap.maxsize / SURICATAMERGED.pcap.filesize) | round | int %}
+{# multiply maxsize by 1000 since it is saved in GB, i.e. 52 = 52000MB. filesize is also saved in MB and we strip the MB and convert to int #}
+{% set maxfiles = (SURICATAMERGED.pcap.maxsize * 1000 / SURICATAMERGED.pcap.filesize[:-2] | int) | round | int %}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'max-files': maxfiles}) %}
 {% endif %}
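Review bot: The new `maxfiles` line assumes `pcap.filesize` is always a string ending in a two-character `MB` suffix; `filesize[:-2] | int` becomes 0 for anything the `int` filter cannot parse and gives the wrong magnitude for values such as `1gb` or a bare number, so the render either fails on a division by zero or writes a `max-files` that is off by orders of magnitude. Because `max-files` is what bounds the pcap-log ring on the sensor, a bad value means either a full disk or packet evidence rotated out much earlier than intended. Consider normalising and checking the value first, e.g. `{% set filesize_mb = SURICATAMERGED.pcap.filesize | lower | replace('mb', '') | int %}`, setting `max-files` only when `filesize_mb > 0`, and using `round(0, 'floor')` so the total stays at or under `maxsize`. The hunk also now reads `pcap['use-stream-depth']` while this commit touches only map.jinja, so confirm that key exists in the defaults or pillar that feed `SURICATAMERGED`.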