Merge pull request #15716 from Security-Onion-Solutions/2.4/main

2.4/main

salt/suricata/config.sls

@@ -10,7 +10,7 @@
 {%   from 'suricata/map.jinja' import SURICATAMERGED %}
 {%   from 'bpf/suricata.map.jinja' import SURICATABPF, SURICATA_BPF_STATUS, SURICATA_BPF_CALC %}
 
-{%   if GLOBALS.pcap_engine == "SURICATA" %}
+{%   if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
 {%     from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS, PCAP_BPF_CALC %}
 # BPF compilation and configuration
 {%     if PCAPBPF and not PCAP_BPF_STATUS %}

salt/suricata/map.jinja

@@ -11,19 +11,9 @@
 {# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #}
 {% if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
 
-{%   if GLOBALS.pcap_engine == "SURICATA" %}
+{%   from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS %}
-{%     from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS %}
+{%   if PCAPBPF and PCAP_BPF_STATUS %}
-{%     if PCAPBPF and PCAP_BPF_STATUS %}
+{%     do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': PCAPBPF|join(" ")}) %}
-{%       do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': PCAPBPF|join(" ")}) %}
-{%     endif %}
-{%   elif GLOBALS.pcap_engine == "TRANSITION" %}
-{%     import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
-{%     set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
-{%     import 'bpf/macros.jinja' as MACROS %}
-{{     MACROS.remove_comments(BPFMERGED, 'pcap') }}
-{%     if BPFMERGED.pcap %}
-{%       do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': BPFMERGED.pcap|join(" ")}) %}
-{%     endif %}
 {%   endif %}
 
 {%   set PCAP = salt['pillar.get']('pcap', {'enabled': false}) %}