pcap improvements

2026-04-27 23:18:08 +02:00 · 2024-03-08 15:48:53 -05:00
parent 40574982e4
commit a55e04e64a
7 changed files with 19 additions and 28 deletions
@@ -12,9 +12,6 @@
 include:
  - suricata.config
  - suricata.sostatus
-{%   if GLOBALS.pcap_engine == "SURICATA" %}
-  - suricata.pcap
-{%   endif %}

 so-suricata:
  docker_container.running:
@@ -36,9 +33,7 @@ so-suricata:
      - /nsm/suricata/:/nsm/:rw
      - /nsm/suricata/extracted:/var/log/suricata//filestore:rw
      - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
-      {% if GLOBALS.pcap_engine == "SURICATA" %}
      - /nsm/suripcap/:/nsm/suripcap:rw
-      {% endif %}
      {% if DOCKER.containers['so-suricata'].custom_bind_mounts %}
        {% for BIND in DOCKER.containers['so-suricata'].custom_bind_mounts %}
      - {{ BIND }}
@@ -7,6 +7,7 @@
 {% from 'suricata/map.jinja' import SURICATAMERGED %}

 include:
+  - suricata.pcap
 {% if SURICATAMERGED.enabled and GLOBALS.role != 'so-import' %}
  - suricata.enabled
 {% elif GLOBALS.role == 'so-import' %}
@@ -1,14 +1,18 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'suricata/map.jinja' import SURICATAMERGED %}

+# This directory needs to exist regardless of whether SURIPCAP is enabled or not, in order for
+# Sensoroni to be able to look at old Suricata PCAP data
 suripcapdir:
  file.directory:
    - name: /nsm/suripcap
    - user: 940
    - group: 939
-    - mode: 755
+    - mode: 775
    - makedirs: True

+{%   if GLOBALS.pcap_engine == "SURICATA" %}
+
 {# there should only be 1 interface in af-packet so we can just reference the first list item #}
 {% for i in range(1, SURICATAMERGED.config['af-packet'][0].threads + 1) %}

@@ -17,6 +21,8 @@ suripcapthread{{i}}dir:
    - name: /nsm/suripcap/{{i}}
    - user: 940
    - group: 939
-    - mode: 755
+    - mode: 775

 {% endfor %}
+
+{%   endif %}