From 7f07c96a2fc0d058231d0ddd3013462553f7d208 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 9 Mar 2026 14:58:27 -0400
Subject: [PATCH] pcapout still used for extracts
---
 salt/common/tools/sbin/so-sensor-clean | 2 +-
 salt/suricata/pcap.sls | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/salt/common/tools/sbin/so-sensor-clean b/salt/common/tools/sbin/so-sensor-clean
index 472663bb1..083a316b9 100755
--- a/salt/common/tools/sbin/so-sensor-clean
+++ b/salt/common/tools/sbin/so-sensor-clean
@@ -72,7 +72,7 @@ clean() {
 done
 fi
 
-## Clean up extracted pcaps from Steno
+## Clean up extracted pcaps
 PCAPS='/nsm/pcapout'
 OLDEST_PCAP=$(find $PCAPS -type f -printf '%T+ %p\n' | sort -n | head -n 1)
 if [ -z "$OLDEST_PCAP" -o "$OLDEST_PCAP" == ".." -o "$OLDEST_PCAP" == "." ]; then
diff --git a/salt/suricata/pcap.sls b/salt/suricata/pcap.sls
index 99105a2fa..c557b6cda 100644
--- a/salt/suricata/pcap.sls
+++ b/salt/suricata/pcap.sls
@@ -2,7 +2,7 @@
 {% from 'suricata/map.jinja' import SURICATAMERGED %}
 # This directory needs to exist regardless of whether SURIPCAP is enabled or not, in order for
-# Sensoroni to be able to look at old Suricata PCAP data
+# Sensoroni to mount it
 suripcapdir:
   file.directory:
     - name: /nsm/suripcap
@@ -11,6 +11,13 @@ suripcapdir:
     - mode: 775
     - makedirs: True
 
+pcapoutdir:
+  file.directory:
+    - name: /nsm/pcapout
+    - user: 939
+    - group: 939
+    - makedirs: True
+
 {% if GLOBALS.pcap_engine in ["SURICATA"] %}
 {# there should only be 1 interface in af-packet so we can just reference the first list item #}
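Review bot: The rewritten comment `## Clean up extracted pcaps` drops the only hint of what still writes into /nsm/pcapout, which is the very thing the commit title records; the next maintainer who sees no Stenographer on the box will again assume the directory is dead. Suggest `## Clean up extracted pcaps (/nsm/pcapout is still written by pcap extracts, see suricata/pcap.sls)` so the retention loop's purpose survives the next engine swap. The enclosing clean() function starts and ends outside this hunk, and the retention logic below the comment is unchanged by the commit.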
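Review bot: The new comment `# Sensoroni to mount it` states what happens but no longer says why the mount must exist when SURIPCAP is off, which the removed line did; suggest `# Sensoroni to mount it (the mount fails if the path is absent, even when Suricata PCAP is disabled)` if that is the actual failure mode, otherwise a sentence naming it. Related, in the pcapoutdir state added later in this file (that hunk runs past the end of this excerpt) the directory gets `- user: 939` and `- group: 939` but, unlike suripcapdir's `- mode: 775` visible in the same hunk, no explicit `mode`, so the permissions on a directory that holds extracted packet captures are left to whatever umask the minion runs with. An explicit `- mode:` set to what the extract consumers need would make the intended access deliberate and consistent with the sibling state.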