From d452694c550dbdafb8c949015fb3b95cf8ad4b14 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Tue, 10 Mar 2026 11:30:24 -0400
Subject: [PATCH] enable/disable suricata pcap

---
 salt/suricata/defaults.yaml | 3 +--
 salt/suricata/map.jinja | 2 +-
 salt/suricata/soc_suricata.yaml | 9 +++------
 3 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml
index cdb243465..811053cd0 100644
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -1,6 +1,7 @@
 suricata:
 enabled: False
 pcap:
+ enabled: "no"
 filesize: 1000mb
 maxsize: 25
 compression: "none"
@@ -141,8 +142,6 @@ suricata:
 enabled: "no"
 tls-store:
 enabled: "no"
- pcap-log:
- enabled: "no"
 alert-debug:
 enabled: "no"
 alert-prelude:
diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja
index f7dec7493..adde8d3ee 100644
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -16,8 +16,8 @@
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': PCAPBPF|join(" ")}) %}
 {% endif %}

-{% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
 {# move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': SURICATAMERGED.pcap.enabled}) %}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-checksum': SURICATAMERGED.pcap['lz4-checksum']}) %}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-level': SURICATAMERGED.pcap['lz4-level']}) %}
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index 03f30be75..76031cfd2 100644
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
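Review bot: The new default `enabled: "no"` silently turns off Suricata pcap-log on every deployment whose pillar never set `suricata.pcap.enabled`, because the map.jinja line that used to force `'yes'` is removed in the same commit; on the next highstate those sensors stop writing packet captures with no error. If the old always-on behavior is meant to survive an upgrade, the default should be `"yes"` (`+    enabled: "yes"`) and the off state left to an explicit operator choice, otherwise the change needs a migration note so SOC operators know full-packet evidence collection stopped. Keeping the value a quoted string is right, since Suricata expects yes/no text and an unquoted `no` would be loaded as a boolean by Salt.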
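Review bot: The new `.update()` call, like the existing ones on the lines around it, assumes `SURICATAMERGED.config.outputs['pcap-log']` already exists, yet this commit deletes that mapping from defaults.yaml (its only child was the removed `enabled: "no"`); unless a statement above line 16, outside this hunk, creates the `pcap-log` dict, the render raises an undefined error instead of producing a config. The value is also passed through verbatim, so a pillar author who writes an unquoted `yes` hands Suricata a rendered `True`, which may or may not match its boolean parsing; normalizing to the two strings Suricata documents avoids the question, e.g. `{% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes' if (SURICATAMERGED.pcap.enabled|string|lower) in ['yes', 'true', '1'] else 'no'}) %}`. The `{% if %}` that encloses the bpf-filter line at the top of the hunk starts above it and is not visible here.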
@@ -22,6 +22,9 @@ suricata:
 title: Classifications
 helpLink: suricata.html
 pcap:
+ enabled:
+ description: Enables or disables the Suricata packet recording process.
+ helpLink: suricata.html
 filesize:
 description: Maximum file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval time.
 advanced: True
@@ -209,12 +212,6 @@ suricata:
 header:
 description: Header name where the actual IP address will be reported.
 helpLink: suricata.html
- pcap-log:
- enabled:
- description: This value is ignored by SO. pcapengine in globals takes precedence.
- readonly: True
- helpLink: suricata.html
- advanced: True
 asn1-max-frames:
 description: Maximum nuber of asn1 frames to decode.
 helpLink: suricata.html
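Review bot: The new `enabled` annotation neither states the accepted values nor says how the knob relates to the global `pcapengine` setting that the annotation removed further down in this file said "takes precedence", so an operator can now switch Suricata packet capture off from the SOC UI without being told whether anything else is still recording on that sensor. The description should name the values and the consequence, e.g. `description: Enables ("yes") or disables ("no") Suricata's pcap-log output. Quote the value. Disabling it leaves a sensor with no full packet capture unless another pcap engine is configured via the global pcapengine setting.` Given that, marking it `advanced: True` like the sibling `filesize` entry would keep a forensic-evidence switch out of the basic view; whether pcapengine still overrides this field in map.jinja is not visible from this diff and should be confirmed before the text is finalized.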