From 5403dab027f47a9e00f54766dff52dcf801f3e9f Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Tue, 28 Jan 2020 15:48:40 -0500
Subject: [PATCH 1/3] Suricata - Initial bpf support

---
 salt/common/tools/sbin/so-bpf-compile | 37 +++++++++++++++++++++++++++
 salt/suricata/init.sls                | 29 +++++++++++++++++++++
 2 files changed, 66 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-bpf-compile

diff --git a/salt/common/tools/sbin/so-bpf-compile b/salt/common/tools/sbin/so-bpf-compile
new file mode 100644
index 000000000..44c5b8249
--- /dev/null
+++ b/salt/common/tools/sbin/so-bpf-compile
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Copyright 2014 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ "$#" -lt 2 ]; then
+  cat 1>&2 <<EOF
+$0 compiles a BPF expression to be passed to stenotype to apply a socket filter.
+Its first argument is the interface (link type is required) and all other arguments
+are passed to TCPDump.
+
+Examples:
+ $0 eth0 dst port 80
+ $0 eth0 udp port 53
+EOF
+  exit 1
+fi
+
+interface="$1"
+shift
+sudo tcpdump -i $interface -ddd $@ | tail -n+2 |
+while read line; do
+  cols=( $line )
+  printf "%04x%02x%02x%08x" ${cols[0]} ${cols[1]} ${cols[2]} ${cols[3]}
+done
+echo ""
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index a8f15d268..81df5b150 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -17,6 +17,9 @@
 {% set BROVER = salt['pillar.get']('static:broversion', '') %}
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
+{% set BPF_NIDS = salt['pillar.get']('nids:bpf') %}
+{% set BPF_STATUS = 0  %}
+
 
 # Suricata
 
@@ -79,6 +82,32 @@ surithresholding:
     - user: 940
     - group: 940
     - template: jinja
+
+# BPF compilation and configuration
+{% if BPF_NIDS %}
+   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_NIDS|join(" ")  ) %}
+   {% if BPF_CALC['stderr'] == "" %}
+      {% set BPF_STATUS = 1  %}
+   {% else  %}
+suribpfcompilationfailure:
+  test.configurable_test_state:
+   - changes: False
+   - result: False
+   - comment: "BPF Syntax Error - Discarding Specified BPF"
+   {% endif %}
+{% endif %}
+
+suribpf:
+  file.managed:
+    - name: /opt/so/conf/suricata/bpf
+    - user: 940
+    - group: 940
+   {% if BPF_STATUS %}
+    - contents_pillar: nids:bpf
+   {% else %}
+    - contents:
+      - ""
+   {% endif %}
     
 so-suricata:
   docker_container.running:

From 8204ffdd0595e0b3abc9e880434590759c623c25 Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Tue, 28 Jan 2020 15:51:13 -0500
Subject: [PATCH 2/3] Suricata bpf - docker bind bpf file

---
 salt/suricata/init.sls | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 81df5b150..5802e2b38 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -120,8 +120,10 @@ so-suricata:
       - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
       - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
       - /opt/so/log/suricata/:/var/log/suricata/:rw
+      - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
     - network_mode: host
     - watch:
       - file: /opt/so/conf/suricata/suricata.yaml
       - file: surithresholding
       - file: /opt/so/conf/suricata/rules/
+      - file: /opt/so/conf/suricata/bpf

From f536e89064984b94bc3f8cea358fe02d567b7ca9 Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Tue, 28 Jan 2020 16:12:46 -0500
Subject: [PATCH 3/3] Suricata bpf cleanup

---
 salt/suricata/init.sls | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 5802e2b38..65b80c9ae 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -18,7 +18,6 @@
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% set BPF_NIDS = salt['pillar.get']('nids:bpf') %}
-{% set BPF_STATUS = 0  %}
 
 
 # Suricata
@@ -86,9 +85,7 @@ surithresholding:
 # BPF compilation and configuration
 {% if BPF_NIDS %}
    {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_NIDS|join(" ")  ) %}
-   {% if BPF_CALC['stderr'] == "" %}
-      {% set BPF_STATUS = 1  %}
-   {% else  %}
+   {% if BPF_CALC['stderr'] != "" %}
 suribpfcompilationfailure:
   test.configurable_test_state:
    - changes: False
@@ -102,7 +99,7 @@ suribpf:
     - name: /opt/so/conf/suricata/bpf
     - user: 940
     - group: 940
-   {% if BPF_STATUS %}
+   {% if BPF_CALC['stderr'] == "" %}
     - contents_pillar: nids:bpf
    {% else %}
     - contents: