intrusion detection: undo previous, switch to --pcap=intX

src/opnsense/service/templates/OPNsense/IDS/rc.conf.d

@@ -1,12 +1,34 @@
+{# Macro import #}
+{% from 'OPNsense/Macros/interface.macro' import physical_interface %}
 {% if helpers.exists('OPNsense.IDS.general') and OPNsense.IDS.general.enabled|default("0") == "1" %}
-suricata_opnsense_bootup_run="/usr/local/opnsense/scripts/suricata/setup.sh"
 suricata_enable="YES"
+suricata_opnsense_bootup_run="/usr/local/opnsense/scripts/suricata/setup.sh"
+
 {% if OPNsense.IDS.general.ips|default("0") == "1" %}
-suricata_netmap="YES"
+# IPS mode, switch to netmap
+suricata_netmap=YES
+
 {% else %}
+
 # IDS mode, pcap live mode
-suricata_flags="-D --pcap"
+{% set addFlags=[] %}
+{% for intfName in OPNsense.IDS.general.interfaces.split(',') %}
+{%   if loop.index == 1 %}
+{# enable first interface #}
+suricata_interface="{{ physical_interface(intfName) }}"
+{%   else %}
+{#   store additional interfaces to addFlags #}
+{%      do addFlags.append(physical_interface(intfName)) %}
+{%   endif %}
+{% endfor %}
+{#   append additional interfaces #}
+suricata_flags="-D {%
+   for intf in addFlags
+%} --pcap={{ intf }}  {% endfor
+%} "
+
 {% endif %}
+
 {% else %}
 suricata_enable="NO"
 {% endif %}

src/opnsense/service/templates/OPNsense/IDS/suricata.yaml

@@ -748,12 +748,8 @@ logging:
       format: "[%i] <%d> -- "
 
 pcap:
-  {% if helpers.exists('OPNsense.IDS.general.interfaces') %}
-    {% for intfName in OPNsense.IDS.general.interfaces.split(',') %}
-  - interface: {{physical_interface(intfName)}}
+  - interface: default
     promisc: {% if helpers.exists('OPNsense.IDS.general.promisc') and OPNsense.IDS.general.promisc|default('0') == '1' %}yes{% else %}no{% endif %} #  promiscuous mode
-    {% endfor %}
-  {% endif %}
 
 pcap-file:
   # Possible values are: