From db964cad21763d648494f1520b0853b8a7153e60 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 10 Mar 2026 10:18:25 -0400
Subject: [PATCH 1/2] Add date to HOTFIX file

---
 HOTFIX | 1 +
 1 file changed, 1 insertion(+)

diff --git a/HOTFIX b/HOTFIX
index e69de29bb..6fe743c83 100644
--- a/HOTFIX
+++ b/HOTFIX
@@ -0,0 +1 @@
+20260311

From 6472c610d0052e8a9d8f3077509f3b8e7c4d87b8 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Tue, 10 Mar 2026 11:01:11 -0400
Subject: [PATCH 2/2] fix enable/disable suricata pcap

suricata pcap can now be enabled/disabled through pcap:enabled grid config / pillar
---
 salt/suricata/map.jinja | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja
index 3d378b69d..781935fe9 100644
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -16,7 +16,13 @@
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': PCAPBPF|join(" ")}) %}
 {% endif %}
 
-{% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
+{% set PCAP = salt['pillar.get']('pcap', {'enabled': false}) %}
+{% if PCAP.enabled and GLOBALS.role != 'so-import'%}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
+{% else %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'no'}) %}
+{% endif %}
+
 {# move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-checksum': SURICATAMERGED.pcap['lz4-checksum']}) %}
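Review bot: The new `PCAP` lookup in salt/suricata/map.jinja only falls back to `{'enabled': false}` when the whole `pcap` pillar key is absent, and every non-truthy result now writes `'enabled': 'no'`. A node with no `pcap` pillar, or with a `pcap` section that lacks `enabled`, therefore silently stops writing Suricata PCAP, where the removed line always turned it on. On a capture sensor that is a quiet loss of forensic evidence, so the off-by-default choice and the `so-import` exclusion deserve a `{# ... #}` comment above the `if`. Reading the key directly makes the default explicit: `{% set PCAP_ENABLED = salt['pillar.get']('pcap:enabled', false) %}`. A quoted pillar value such as `'false'` is a non-empty string and would still be truthy here, so a strict comparison (`PCAP_ENABLED is sameas true`) or a documented requirement for a YAML boolean would avoid enabling capture by accident.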