From 8ed66ea468b5eea0d3230db0e23ea34fd3267762 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 30 Jan 2024 15:22:32 -0500 Subject: [PATCH] disable stenographer if suricata is pcap engine --- salt/pcap/config.map.jinja | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/salt/pcap/config.map.jinja b/salt/pcap/config.map.jinja index 7ed500f25..e6d9f8bda 100644 --- a/salt/pcap/config.map.jinja +++ b/salt/pcap/config.map.jinja @@ -2,6 +2,12 @@ or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at https://securityonion.net/license; you may not use this file except in compliance with the Elastic License 2.0. #} - + +{% from 'vars/globals.map.jinja' import GLOBALS %} {% import_yaml 'pcap/defaults.yaml' as PCAPDEFAULTS %} {% set PCAPMERGED = salt['pillar.get']('pcap', PCAPDEFAULTS.pcap, merge=True) %} + +{# disable stenographer if the pcap engine is set to SURICATA #} +{% if GLOBALS.pcap_engine == "SURICATA" %} +{% do PCAPMERGED.update({'enabled': False}) %} +{% endif %}
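Review bot: The `PCAPMERGED.update({'enabled': False})` call runs after the pillar merge, so an operator's explicit `pcap:enabled: True` is silently discarded whenever `GLOBALS.pcap_engine` is `SURICATA`, and the added comment does not say that this is intended. If it is, I would spell it out, e.g. `{# SURICATA is the pcap engine, so stenographer is forced off here; this deliberately overrides any pcap:enabled pillar value #}`. The condition looks only at the engine name, so it is worth confirming (not visible in this hunk) that Suricata's own packet capture is actually enabled whenever this value is set; otherwise the sensor would record no full packet capture and nothing would signal it. The comparison is also an exact, case-sensitive match, so any other spelling of the value leaves stenographer enabled; if `pcap_engine` is not normalised where `GLOBALS` is built, `{% if GLOBALS.pcap_engine | upper == "SURICATA" %}` would make that explicit.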