From 876690a9f61269345b0c81a12f4717b857c0ab75 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Wed, 20 Mar 2024 15:49:46 -0400
Subject: [PATCH 1/4] FIX: Annotations for BPF and Suricata PCAP #12626
---
 salt/bpf/soc_bpf.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/bpf/soc_bpf.yaml b/salt/bpf/soc_bpf.yaml
index 379eaa022..d93ec98fd 100644
--- a/salt/bpf/soc_bpf.yaml
+++ b/salt/bpf/soc_bpf.yaml
@@ -1,6 +1,6 @@
 bpf:
 pcap:
- description: List of BPF filters to apply to PCAP.
+ description: List of BPF filters to apply to Stenographer.
 multiline: True
 forcedType: "[]string"
 helpLink: bpf.html
From d2fb067110facbac8bcb228e2bc99cdd6650c690 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Wed, 20 Mar 2024 15:57:32 -0400
Subject: [PATCH 2/4] FIX: Annotations for BPF and Suricata PCAP #12626
---
 salt/suricata/soc_suricata.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index 7decaa6d3..34c9b6269 100644
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -21,12 +21,12 @@ suricata:
 helpLink: suricata.html
 pcap:
 filesize:
- description: Max file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval times.
+ description: Maximum file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval time.
 advanced: True
- helplink: suricata.html
+ helpLink: suricata.html
 maxsize:
- description: Size in GB for total usage size of PCAP on disk.
- helplink: suricata.html
+ description: Maximum disk usage in GB for all PCAP written by Suricata.
+ helpLink: suricata.html
 compression:
 description: Enable compression of Suricata PCAP.
 advanced: True
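Review bot: The new `bpf.pcap` description says what the filters are applied to but not what a filter costs the evidence trail: anything a Stenographer BPF excludes is never written to full packet capture and cannot be pulled back later during an investigation, which is the caveat an analyst needs before narrowing it. I would extend the line to `description: List of BPF filters to apply to Stenographer. Traffic excluded by these filters is never written to full packet capture and cannot be retrieved later.` The annotation carries `forcedType: "[]string"` but no `regex`, so this hunk does not show whether an unparseable filter expression is rejected before it is pushed to the sensor; worth confirming against whatever consumes this setting.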
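Review bot: The reworded `filesize` description still does not state its unit, while the adjacent `maxsize` now says GB; the two are easy to confuse, so the `filesize` text should name the unit or accepted suffixes explicitly. Neither setting carries a `regex`, although sibling annotations later in this file (`use-stream-depth`, `conditional`) validate input that way; for `maxsize` something like `regex: ^[1-9][0-9]*$` with `regexFailureMessage: You must enter a whole number of GB.` would keep a non-numeric value from reaching the rendered Suricata config, assuming the regex is enforced wherever this annotation is consumed, which the hunk does not show. The `helplink` → `helpLink` fixes also suggest the misspelled key was silently ignored rather than rejected, so a grep for any remaining lowercase `helplink` keys in the other annotation files would be cheap insurance.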
@@ -36,7 +36,7 @@ suricata:
 advanced: True
 helpLink: suricata.html
 lz4-level:
- description: lz4 compression level of PCAP. 0 for no compression 16 for max compression.
+ description: lz4 compression level of PCAP. 0 for no compression. 16 for maximum compression.
 advanced: True
 helpLink: suricata.html
 filename:
@@ -50,13 +50,13 @@ suricata:
 readonly: True
 helpLink: suricata.html
 use-stream-depth:
- description: Set to "no" to ignore the stream depth and capture the entire flow. Set this to "yes" to truncate the flow based on the stream depth.
+ description: Set to "no" to ignore the stream depth and capture the entire flow. Set to "yes" to truncate the flow based on the stream depth.
 advanced: True
 regex: ^(yes|no)$
 regexFailureMessage: You must enter either yes or no.
 helpLink: suricata.html
 conditional:
- description: Set to "all" to capture PCAP for all flows. Set to "alerts" to capture PCAP just for alerts or set to "tag" to capture PCAP for just tagged rules.
+ description: Set to "all" to record PCAP for all flows. Set to "alerts" to record PCAP just for alerts. Set to "tag" to record PCAP for just tagged rules.
 regex: ^(all|alerts|tag)$
 regexFailureMessage: You must enter either all, alert or tag.
 helpLink: suricata.html
From fff4d20e39c8eae18a296cad442910c843a49b3a Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Wed, 20 Mar 2024 16:03:45 -0400
Subject: [PATCH 3/4] Update soc_suricata.yaml
---
 salt/suricata/soc_suricata.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index 34c9b6269..806033483 100644
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
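Review bot: The `lz4-level` description now documents the 0–16 range, but the annotation has no `regex` to enforce it, unlike `use-stream-depth` and `conditional` further down in this file. Adding `regex: ^([0-9]|1[0-6])$` and `regexFailureMessage: You must enter a whole number from 0 to 16.` would have the UI reject the out-of-range values the text warns about instead of passing them through to Suricata.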
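Review bot: `use-stream-depth` is validated with `regex: ^(yes|no)$`, and `yes`/`no` are exactly the plain scalars that YAML 1.1 loaders such as PyYAML, which Salt uses by default, read as booleans; if the accepted value is ever written unquoted into a pillar or template, it may reach Suricata as `True`/`False` rather than the literal `yes`/`no` the description promises. I cannot see the consumer from this hunk, so treat this as something to confirm rather than a defect: either the value is quoted on the way out, or the annotation could pin the type with a `forcedType` the way `bpf.pcap` does.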
@@ -25,7 +25,7 @@ suricata:
 advanced: True
 helpLink: suricata.html
 maxsize:
- description: Maximum disk usage in GB for all PCAP written by Suricata.
+ description: Maximum size in GB for total disk usage of all PCAP written by Suricata.
 helpLink: suricata.html
 compression:
 description: Enable compression of Suricata PCAP.
@@ -36,7 +36,7 @@ suricata:
 advanced: True
 helpLink: suricata.html
 lz4-level:
- description: lz4 compression level of PCAP. 0 for no compression. 16 for maximum compression.
+ description: lz4 compression level of PCAP. Set to 0 for no compression. Set to 16 for maximum compression.
 advanced: True
 helpLink: suricata.html
 filename:
@@ -50,7 +50,7 @@ suricata:
 readonly: True
 helpLink: suricata.html
 use-stream-depth:
- description: Set to "no" to ignore the stream depth and capture the entire flow. Set to "yes" to truncate the flow based on the stream depth.
+ description: Set to "no" to ignore the stream depth and capture the entire flow. Set to "yes" to truncate the flow based on the stream depth.
 advanced: True
 regex: ^(yes|no)$
 regexFailureMessage: You must enter either yes or no.
From f3b921342ef5f6777ed230d87f17ccfbed309502 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Wed, 20 Mar 2024 16:06:25 -0400
Subject: [PATCH 4/4] FIX: Annotations for BPF and Suricata PCAP #12626
---
 salt/suricata/soc_suricata.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index 806033483..13a709c4a 100644
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -25,10 +25,10 @@ suricata:
 advanced: True
 helpLink: suricata.html
 maxsize:
- description: Maximum size in GB for total disk usage of all PCAP written by Suricata.
+ description: Maximum size in GB for total disk usage of all PCAP files written by Suricata.
 helpLink: suricata.html
 compression:
- description: Enable compression of Suricata PCAP.
+ description: Enable compression of Suricata PCAP files.
 advanced: True
 helpLink: suricata.html
 lz4-checksum:
@@ -36,11 +36,11 @@ suricata:
 advanced: True
 helpLink: suricata.html
 lz4-level:
- description: lz4 compression level of PCAP. Set to 0 for no compression. Set to 16 for maximum compression.
+ description: lz4 compression level of PCAP files. Set to 0 for no compression. Set to 16 for maximum compression.
 advanced: True
 helpLink: suricata.html
 filename:
- description: Filename output for Suricata PCAP.
+ description: Filename output for Suricata PCAP files.
 advanced: True
 readonly: True
 helpLink: suricata.html
@@ -56,7 +56,7 @@ suricata:
 regexFailureMessage: You must enter either yes or no.
 helpLink: suricata.html
 conditional:
- description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules.
+ description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules.
 regex: ^(all|alerts|tag)$
 regexFailureMessage: You must enter either all, alert or tag.
 helpLink: suricata.html
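Review bot: The context line `regexFailureMessage: You must enter either all, alert or tag.` still disagrees with `regex: ^(all|alerts|tag)$` in the `conditional` hunk: a user who follows the message and types `alert` is rejected, and the reworded description in this same hunk uses `"alerts"`, so the message is the odd one out; change it to `regexFailureMessage: You must enter either all, alerts or tag.`. Since the description now stresses that `alerts` and `tag` *only* record PCAP for matching flows, one more clause saying that traffic from flows that never alert is not retained at all in those modes would make the trade-off explicit for the analyst choosing them.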