From 18f971954bf36b84bbf1369dfcf5bed0a55dabec Mon Sep 17 00:00:00 2001
From: Mike Reeves <reevesmk@gmail.com>
Date: Fri, 13 Mar 2026 14:54:23 -0400
Subject: [PATCH] Improve soup version checks and migrate pcap pillar to
 suricata

Consolidate version checks to use regex patterns for 2.4.21X and 3.x
versions. Add migrate_pcap_to_suricata to move pcap.enabled to
suricata.pcap.enabled in minion and pcap pillar files during upgrade.
---
 salt/manager/tools/sbin/soup | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index e644e6ec5..16fb9e669 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -362,7 +362,7 @@ preupgrade_changes() {
     # This function is to add any new pillar items if needed.
     echo "Checking to see if changes are needed."
 
-    [[ "$INSTALLEDVERSION" == 2.4.210 ]] && up_to_3.0.0   
+    [[ "$INSTALLEDVERSION" =~ ^2\.4\.21[0-9]+$ ]] && up_to_3.0.0   
     true
 }
 
@@ -370,12 +370,12 @@ postupgrade_changes() {
     # This function is to add any new pillar items if needed.
     echo "Running post upgrade processes."
 
-    [[ "$POSTVERSION" == 2.4.210 ]] && post_to_3.0.0
+    [[ "$POSTVERSION" =~ ^2\.4\.21[0-9]+$ ]] && post_to_3.0.0
     true
 }
 
 check_minimum_version() {
-  if [[ "$INSTALLEDVERSION" != "2.4.210" ]] && [[ "$INSTALLEDVERSION" != "2.4.211" ]] && [[ ! "$INSTALLEDVERSION" =~ ^3\. ]]; then
+  if [[ ! "$INSTALLEDVERSION" =~ ^(2\.4\.21[0-9]+|3\.) ]]; then
     echo "You must be on at least Security Onion 2.4.210 to upgrade. Currently installed version: $INSTALLEDVERSION"
     exit 1
   fi
@@ -385,10 +385,23 @@ check_minimum_version() {
 
 up_to_3.0.0() {
   determine_elastic_agent_upgrade
+  migrate_pcap_to_suricata
 
   INSTALLEDVERSION=3.0.0
 }
 
+migrate_pcap_to_suricata() {
+  local MINIONDIR=/opt/so/saltstack/local/pillar/minions
+  local PCAPFILE=/opt/so/saltstack/local/pillar/pcap/soc_pcap.sls
+
+  for pillar_file in "$PCAPFILE" "$MINIONDIR"/*.sls; do
+    [[ -f "$pillar_file" ]] || continue
+    pcap_enabled=$(so-yaml.py get "$pillar_file" pcap.enabled 2>/dev/null) || continue
+    so-yaml.py add "$pillar_file" suricata.pcap.enabled "$pcap_enabled"
+    so-yaml.py remove "$pillar_file" pcap
+  done
+}
+
 post_to_3.0.0() {
   echo "Nothing to apply"
   POSTVERSION=3.0.0