From bc082dff9995bc39efc21a5524bd71679a6ef7b3 Mon Sep 17 00:00:00 2001
From: Wes
Date: Thu, 2 Feb 2023 16:22:42 +0000
Subject: [PATCH] Only run Zeek if it is defined as 'mdengine'

---
 salt/common/tools/sbin/so-import-pcap | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap
index b099f39a4..d443e9f07 100755
--- a/salt/common/tools/sbin/so-import-pcap
+++ b/salt/common/tools/sbin/so-import-pcap
@@ -148,11 +148,12 @@ for PCAP in "$@"; do
     # generate IDS alerts and write them to standard pipeline
     echo "- analyzing traffic with Suricata"
     suricata "${PCAP}" $HASH
-
-    # generate Zeek logs and write them to a unique subdirectory in /nsm/import/bro/
+    {% if salt['pillar.get']('global:mdengine') == 'ZEEK' %}
+    # generate Zeek logs and write them to a unique subdirectory in /nsm/import/zeek/
     # since each run writes to a unique subdirectory, there is no need for a lock file
     echo "- analyzing traffic with Zeek"
     zeek "${PCAP}" $HASH
+    {% endif %}
     START=$(pcapinfo "${PCAP}" -a |grep "First packet time:" | awk '{print $4}')
     END=$(pcapinfo "${PCAP}" -e |grep "Last packet time:" | awk '{print $4}')
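Review bot: When `global:mdengine` is anything other than `ZEEK`, the Zeek step is now dropped silently — the rendered script still announces the Suricata pass but prints nothing about Zeek, so an operator looking for logs under /nsm/import/zeek/ gets no hint why they are absent. An `{% else %}` arm with a one-line notice keeps the output self-explanatory, e.g. `{% else %}` / `echo "- skipping Zeek analysis (global:mdengine is not ZEEK)"` placed before the `{% endif %}`. The comparison is exact and case-sensitive, so a pillar value such as `zeek` also takes the skip path; worth confirming that `ZEEK` is the canonical spelling the pillar schema uses. If any code after this hunk consumes the Zeek output directory, it presumably needs the same guard, but that is outside SOURCE. The enclosing `for PCAP` loop starts and ends outside the hunk.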