pcapout still used for extracts

salt/common/tools/sbin/so-sensor-clean

@@ -72,7 +72,7 @@ clean() {
 		done
 	fi
 
-	## Clean up extracted pcaps from Steno
+	## Clean up extracted pcaps
 	PCAPS='/nsm/pcapout'
 	OLDEST_PCAP=$(find $PCAPS -type f -printf '%T+ %p\n' | sort -n | head -n 1)
 	if [ -z "$OLDEST_PCAP" -o "$OLDEST_PCAP" == ".." -o "$OLDEST_PCAP" == "." ]; then

salt/suricata/pcap.sls

@@ -2,7 +2,7 @@
 {% from 'suricata/map.jinja' import SURICATAMERGED %}
 
 # This directory needs to exist regardless of whether SURIPCAP is enabled or not, in order for
-# Sensoroni to be able to look at old Suricata PCAP data
+# Sensoroni to mount it
 suripcapdir:
   file.directory:
     - name: /nsm/suripcap
@@ -11,6 +11,13 @@ suripcapdir:
     - mode: 775
     - makedirs: True
 
+pcapoutdir:
+  file.directory:
+    - name: /nsm/pcapout
+    - user: 939
+    - group: 939
+    - makedirs: True
+
 {%   if GLOBALS.pcap_engine in ["SURICATA"] %}
 
 {# there should only be 1 interface in af-packet so we can just reference the first list item #}