add GLOBALS.pcap_engine

salt/global/map.jinja

@@ -0,0 +1,2 @@
+{% import_yaml 'global/defaults.yaml' as GLOBALDEFAULTS %}
+{% set GLOBALMERGED = salt['pillar.get']('global', GLOBALDEFAULTS.global, merge=True) %}

salt/sensoroni/files/sensoroni.json

@@ -24,21 +24,21 @@
       "statickeyauth": {
         "apiKey": "{{ GLOBALS.sensoroni_key }}"
 {%- if PCAPMERGED.enabled %}
-{%-   if PCAPENGINE.steno %} 
+{%-   if GLOBALS.pcap_engine == "STENO" %}
       },     
       "stenoquery": {
         "executablePath": "/opt/sensoroni/scripts/stenoquery.sh",
         "pcapInputPath": "/nsm/pcap",
         "pcapOutputPath": "/nsm/pcapout"
       }
-{%- elif PCAPENGINE.suri %}
+{%-   elif GLOBALS.pcap_engine == "SURICATA" %}
       },     
       "suriquery": {
         "executablePath": "/opt/sensoroni/scripts/suriquery.sh",
         "pcapInputPath": "/nsm/suripcap",
         "pcapOutputPath": "/nsm/pcapout"
       }
-{%- endif %}
+{%-   endif %}
 {%- else %}
       }
 {%- endif %}

salt/suricata/enabled.sls

@@ -12,9 +12,9 @@
 include:
   - suricata.config
   - suricata.sostatus
-  if blah
+{%   if GLOBALS.pcap_engine == "SURICATA" %}
   - suricata.pcap
-  endif
+{%   endif %}
 
 so-suricata:
   docker_container.running:

salt/suricata/pcap.sls

@@ -1,6 +1,5 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% import_yaml 'suricata/defaults.yaml' as SURICATADEFAULTS %}
-{% set SURICATAMERGED = salt['pillar.get']('suricata', SURICATADEFAULTS.suricata, merge=True) %}
+{% from 'suricata/map.jinja' import SURICATAMERGED %}
 
 suripcapdir:
   file.directory:
@@ -10,16 +9,14 @@ suripcapdir:
     - mode: 755
     - makedirs: True
 
-{{ SURICATAMERGED.config['af-packet'].threads }}
 
-for thread in afp.threads
+{% for i in range(1, SURICATAMERGED.config['af-packet'].threads) + 1) %}
 
-suripcapthreaddir:
+suripcapthread{{i}}dir:
   file.directory:
-    - name: /nsm/suripcap/{{thread}}
+    - name: /nsm/suripcap/{{i}}
     - user: 940
     - group: 939
     - mode: 755
-    - makedirs: True
 
-endfor
+{% endfor %}

salt/telegraf/config.sls

@@ -41,6 +41,8 @@ tgraf_sync_script_{{script}}:
     - mode: 770
     - template: jinja
     - source: salt://telegraf/scripts/{{script}}
+    - defaults:
+        GLOBALS: {{ GLOBALS }}
 {% endfor %}
 
 telegraf_sbin:

salt/telegraf/scripts/oldpcap.sh

@@ -5,13 +5,12 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- if pcap is steno
-PCAPLOC=/host/nsm/pcap
-{%- else %}
+{%- if GLOBALS.pcap_engine == "SURICATA" %}
 PCAPLOC=/host/nsm/suripcap
+{%- else %}
+PCAPLOC=/host/nsm/pcap
 {%- endif %}
 
-
 # if this script isn't already running
 if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
 

salt/vars/globals.map.jinja

@@ -1,5 +1,6 @@
 {% import 'vars/init.map.jinja' as INIT %}
 {% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'global/map.jinja' import GLOBALMERGED %}
 
 {% from 'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja' import ROLE_GLOBALS %} {# role is so-role so we have to split off the 'so' #}
 
@@ -20,6 +21,7 @@
     'influxdb_host': INIT.PILLAR.global.influxdb_host,
     'manager_ip': INIT.PILLAR.global.managerip,
     'md_engine': INIT.PILLAR.global.mdengine,
+    'pcap_engine': GLOBALMERGED.pcapengine
     'pipeline': INIT.PILLAR.global.pipeline,
     'so_version': INIT.PILLAR.global.soversion,
     'so_docker_gateway': DOCKER.gateway,