From 18c0f197b21a3d187241cd97bf68cd2df95c944c Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Mon, 10 Nov 2025 13:28:19 -0500
Subject: [PATCH] suricata bpf
---
 salt/bpf/pcap.map.jinja | 11 +++++++++++
 salt/bpf/soc_bpf.yaml | 4 ++--
 salt/bpf/suricata.map.jinja | 9 +++++++++
 salt/bpf/zeek.map.jinja | 9 +++++++++
 salt/pcap/config.sls | 19 +++++--------------
 salt/pcap/files/config.jinja | 2 +-
 salt/suricata/config.sls | 23 +++++++++++++++--------
 salt/suricata/map.jinja | 13 ++++---------
 salt/zeek/config.sls | 16 +++++-----------
 9 files changed, 61 insertions(+), 45 deletions(-)
diff --git a/salt/bpf/pcap.map.jinja b/salt/bpf/pcap.map.jinja
index 4d8fef460..1b561b8d0 100644
--- a/salt/bpf/pcap.map.jinja
+++ b/salt/bpf/pcap.map.jinja
@@ -1,4 +1,7 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
+{% set PCAP_BPF_STATUS = 0 %}
+{% set STENO_BPF_COMPILED = "" %}
+
 {% if GLOBALS.pcap_engine == "TRANSITION" %}
 {% set PCAPBPF = ["ip and host 255.255.255.1 and port 1"] %}
 {% else %}
@@ -8,3 +11,11 @@
 {{ MACROS.remove_comments(BPFMERGED, 'pcap') }}
 {% set PCAPBPF = BPFMERGED.pcap %}
 {% endif %}
+
+{% if PCAPBPF %}
+ {% set PCAP_BPF_CALC = salt['cmd.run_all']('/usr/sbin/so-bpf-compile ' ~ GLOBALS.sensor.interface ~ ' ' ~ PCAPBPF|join(" "), cwd='/root') %}
+ {% if PCAP_BPF_CALC['retcode'] == 0 %}
+ {% set PCAP_BPF_STATUS = 1 %}
+ {% set STENO_BPF_COMPILED = ",\\\"--filter=" + BPF_CALC['stdout'] + "\\\"" %}
+ {% endif %}
+{% endif %}
diff --git a/salt/bpf/soc_bpf.yaml b/salt/bpf/soc_bpf.yaml
index d93ec98fd..629ef9d5d 100644
--- a/salt/bpf/soc_bpf.yaml
+++ b/salt/bpf/soc_bpf.yaml
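Review bot: The success branch of the new compile block in pcap.map.jinja reads `BPF_CALC['stdout']`, but the command result was stored as `PCAP_BPF_CALC` and no `BPF_CALC` is set anywhere in this template, so under Salt's default strict-undefined rendering the first non-empty pcap BPF that compiles cleanly should abort rendering of this map and of everything that imports it (pcap/config.sls, suricata/config.sls, suricata/map.jinja). The line should read `{% set STENO_BPF_COMPILED = ",\\\"--filter=" + PCAP_BPF_CALC['stdout'] + "\\\"" %}`. The filter text is operator-supplied through the pillar `bpf` settings and is folded into a single command string here and in the matching blocks of suricata.map.jinja and zeek.map.jinja; if so-bpf-compile simply joins its remaining arguments, `salt['cmd.run_all'](['/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface] + PCAPBPF, python_shell=False, cwd='/root')` passes each entry as one argv element and makes the no-shell intent explicit instead of relying on how the string is re-split.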
@@ -1,11 +1,11 @@
 bpf:
 pcap:
- description: List of BPF filters to apply to Stenographer.
+ description: List of BPF filters to apply to the packet capture application.
 multiline: True
 forcedType: "[]string"
 helpLink: bpf.html
 suricata:
- description: List of BPF filters to apply to Suricata.
+ description: List of BPF filters to apply to Suricata. This will apply to alerts and, if enabled, to metadata and PCAP logs generated by Suricata.
 multiline: True
 forcedType: "[]string"
 helpLink: bpf.html
diff --git a/salt/bpf/suricata.map.jinja b/salt/bpf/suricata.map.jinja
index fe4adb663..5ee1e5a92 100644
--- a/salt/bpf/suricata.map.jinja
+++ b/salt/bpf/suricata.map.jinja
@@ -1,7 +1,16 @@
+{% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
 {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+{% set SURICATA_BPF_STATUS = 0 %}
 {% import 'bpf/macros.jinja' as MACROS %}
 {{ MACROS.remove_comments(BPFMERGED, 'suricata') }}
 {% set SURICATABPF = BPFMERGED.suricata %}
+
+{% if SURICATABPF %}
+ {% set SURICATA_BPF_CALC = salt['cmd.run_all']('/usr/sbin/so-bpf-compile ' ~ GLOBALS.sensor.interface ~ ' ' ~ SURICATABPF|join(" "), cwd='/root') %}
+ {% if SURICATA_BPF_CALC['retcode'] == 0 %}
+ {% set SURICATA_BPF_STATUS = 1 %}
+ {% endif %}
+{% endif %}
diff --git a/salt/bpf/zeek.map.jinja b/salt/bpf/zeek.map.jinja
index fdcc5e99f..789648bdb 100644
--- a/salt/bpf/zeek.map.jinja
+++ b/salt/bpf/zeek.map.jinja
@@ -1,7 +1,16 @@ +{% from 'vars/globals.map.jinja' import GLOBALS %} {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %} {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %} +{% set ZEEK_BPF_STATUS = 0 %} {% import 'bpf/macros.jinja' as MACROS %} {{ MACROS.remove_comments(BPFMERGED, 'zeek') }} {% set ZEEKBPF = BPFMERGED.zeek %} + +{% if ZEEKBPF %} + {% set ZEEK_BPF_CALC = salt['cmd.run_all']('/usr/sbin/so-bpf-compile ' ~ GLOBALS.sensor.interface ~ ' ' ~ ZEEKBPF|join(" "), cwd='/root') %} + {% if ZEEK_BPF_CALC['retcode'] == 0 %} + {% set ZEEK_BPF_STATUS = 1 %} + {% endif %} +{% endif %} diff --git a/salt/pcap/config.sls b/salt/pcap/config.sls index 173fecfd1..c37da9694 100644 --- a/salt/pcap/config.sls +++ b/salt/pcap/config.sls @@ -8,12 +8,9 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from "pcap/config.map.jinja" import PCAPMERGED %} -{% from 'bpf/pcap.map.jinja' import PCAPBPF %} - -{% set BPF_COMPILED = "" %} +{% from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS, PCAP_BPF_CALC, STENO_BPF_COMPILED %} # PCAP Section - stenographergroup: group.present: - name: stenographer @@ -40,18 +37,12 @@ pcap_sbin: - group: 939 - file_mode: 755 -{% if PCAPBPF %} - {% set BPF_CALC = salt['cmd.script']('salt://common/tools/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + PCAPBPF|join(" "),cwd='/root') %} - {% if BPF_CALC['stderr'] == "" %} - {% set BPF_COMPILED = ",\\\"--filter=" + BPF_CALC['stdout'] + "\\\"" %} - {% else %} - -bpfcompilationfailure: +{% if PCAPBPF and not PCAP_BPF_STATUS %} +stenoPCAPbpfcompilationfailure: test.configurable_test_state: - changes: False - result: False - - comment: "BPF Compilation Failed - Discarding Specified BPF" - {% endif %} + - comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ PCAP_BPF_CALC['stderr'] }}" {% endif %} stenoconf: 
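Review bot: The new comment line in pcap/config.sls, `- comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ PCAP_BPF_CALC['stderr'] }}"`, splices raw compiler stderr into a double-quoted YAML scalar, so a `"`, a backslash or a second line in that output (compiler diagnostics commonly span several lines and echo the offending expression) leaves the rendered SLS as invalid YAML, and the whole state file then fails to load in place of the intended failure state. Pass the message through Salt's scalar-escaping filter instead, e.g. `- comment: {{ ("BPF compile failed - Discarding Specified BPF. Error: " ~ PCAP_BPF_CALC['stderr']) | yaml_encode }}`. The same interpolation appears in suricata/config.sls (suriPCAPbpfcompilationfailure and suribpfcompilationfailure) and zeek/config.sls (zeekbpfcompilationfailure). Since the status flag is cleared by any nonzero exit code, which also covers a missing compiler binary or an unknown interface, "compile failed" describes the condition more accurately than "Syntax Error".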
@@ -64,7 +55,7 @@ stenoconf: - template: jinja - defaults: PCAPMERGED: {{ PCAPMERGED }} - BPF_COMPILED: "{{ BPF_COMPILED }}" + STENO_BPF_COMPILED: "{{ STENO_BPF_COMPILED }}" stenoca: file.directory: diff --git a/salt/pcap/files/config.jinja b/salt/pcap/files/config.jinja index f0a4fc51d..90c197938 100644 --- a/salt/pcap/files/config.jinja +++ b/salt/pcap/files/config.jinja @@ -6,6 +6,6 @@ , "Interface": "{{ pillar.sensor.interface }}" , "Port": 1234 , "Host": "127.0.0.1" - , "Flags": ["-v", "--blocks={{ PCAPMERGED.config.blocks }}", "--preallocate_file_mb={{ PCAPMERGED.config.preallocate_file_mb }}", "--aiops={{ PCAPMERGED.config.aiops }}", "--uid=stenographer", "--gid=stenographer"{{ BPF_COMPILED }}] + , "Flags": ["-v", "--blocks={{ PCAPMERGED.config.blocks }}", "--preallocate_file_mb={{ PCAPMERGED.config.preallocate_file_mb }}", "--aiops={{ PCAPMERGED.config.aiops }}", "--uid=stenographer", "--gid=stenographer"{{ STENO_BPF_COMPILED }}] , "CertPath": "/etc/stenographer/certs" } diff --git a/salt/suricata/config.sls b/salt/suricata/config.sls index c5ca72da3..7de1a0fd4 100644 --- a/salt/suricata/config.sls +++ b/salt/suricata/config.sls @@ -8,6 +8,7 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'suricata/map.jinja' import SURICATAMERGED %} +{% from 'bpf/suricata.map.jinja' import SURICATABPF, SURICATA_BPF_STATUS, SURICATA_BPF_CALC %} suridir: file.directory: 
@@ -16,30 +17,36 @@ suridir: - group: 940 {% if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %} -{% from 'bpf/suricata.map.jinja' import SURICATABPF %} -{% from 'suricata/map.jinja' import BPF_STATUS %} -{% from 'suricata/map.jinja' import BPF_CALC %} - +{% from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS, PCAP_BPF_CALC %} # BPF compilation and configuration -{% if SURICATABPF and not BPF_STATUS %} -suribpfcompilationfailure: +{% if PCAPBPF and not PCAP_BPF_STATUS %} +suriPCAPbpfcompilationfailure: test.configurable_test_state: - changes: False - result: False - - comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ BPF_CALC['stderr'] }}" + - comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ PCAP_BPF_CALC['stderr'] }}" {% endif %} +{% endif %} +# BPF applied to all of Suricata - alerts/metadata/pcap suribpf: file.managed: - name: /opt/so/conf/suricata/bpf - user: 940 - group: 940 - {% if BPF_STATUS %} + {% if SURICATA_BPF_STATUS %} - contents: {{ SURICATABPF }} {% else %} - contents: - "" {% endif %} + +{% if SURICATABPF and not SURICATA_BPF_STATUS %} +suribpfcompilationfailure: + test.configurable_test_state: + - changes: False + - result: False + - comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ SURICATA_BPF_CALC['stderr'] }}" {% endif %} # Add Suricata Group diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja index 5080b8620..3d378b69d 100644 --- a/salt/suricata/map.jinja +++ b/salt/suricata/map.jinja 
@@ -7,19 +7,14 @@
 {% set default_filestore_index = [] %}
 {% set surimeta_evelog_index = [] %}
 {% set surimeta_filestore_index = [] %}
-{% set BPF_STATUS = 0 %}
 {# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #}
 {% if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
-{% from 'bpf/suricata.map.jinja' import SURICATABPF %}
-{% if SURICATABPF %}
- {% set BPF_CALC = salt['cmd.run_all']('/usr/sbin/so-bpf-compile ' ~ GLOBALS.sensor.interface ~ ' ' ~ SURICATABPF|join(" "), cwd='/root') %}
- {% if BPF_CALC['retcode'] == 0 %}
- {% set BPF_STATUS = 1 %}
- {% do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': SURICATABPF|join(" ")}) %}
- {% endif %}
-{% endif %}
+{% from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS %}
+{% if PCAPBPF and PCAP_BPF_STATUS %}
+{% do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': PCAPBPF|join(" ")}) %}
+{% endif %}
 {% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
 {# move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #}
diff --git a/salt/zeek/config.sls b/salt/zeek/config.sls
index b3ea97507..42ea74fc9 100644
--- a/salt/zeek/config.sls
+++ b/salt/zeek/config.sls
@@ -8,8 +8,7 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from "zeek/config.map.jinja" import ZEEKMERGED %}
-{% from 'bpf/zeek.map.jinja' import ZEEKBPF %}
-{% set BPF_STATUS = 0 %}
+{% from 'bpf/zeek.map.jinja' import ZEEKBPF, ZEEK_BPF_STATUS, ZEEK_BPF_CALC %}
 # Add Zeek group
 zeekgroup:
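Review bot: In the suricata/map.jinja hunk the pcap-log `bpf-filter` is now sourced from `PCAPBPF`, and pcap.map.jinja replaces `PCAPBPF` with the placeholder `["ip and host 255.255.255.1 and port 1"]` whenever `GLOBALS.pcap_engine == "TRANSITION"`, so in that mode Suricata's pcap-log output is filtered by the same placeholder expression that is handed to Stenographer. If that placeholder is meant only to idle Stenographer while Suricata takes over capture, this looks like it would also suppress Suricata PCAP for the duration of the transition; the previous code used `SURICATABPF` here and did not have that coupling. One option is to skip the update in that mode, `{% if PCAPBPF and PCAP_BPF_STATUS and GLOBALS.pcap_engine != "TRANSITION" %}`, or to import the unmodified pillar list for this output; either way a comment above the `{% do %}` stating which BPF list pcap-log is intended to inherit would make the intent checkable.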
@@ -158,18 +157,13 @@ zeekja4cfg: - user: 937 - group: 939 -# BPF compilation and configuration -{% if ZEEKBPF %} - {% set BPF_CALC = salt['cmd.script']('salt://common/tools/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKBPF|join(" "),cwd='/root') %} - {% if BPF_CALC['stderr'] == "" %} - {% set BPF_STATUS = 1 %} - {% else %} +# BPF compilation failed +{% if ZEEKBPF and not ZEEK_BPF_STATUS %} zeekbpfcompilationfailure: test.configurable_test_state: - changes: False - result: False - - comment: "BPF Syntax Error - Discarding Specified BPF" - {% endif %} + - comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ ZEEK_BPF_CALC['stderr'] }}" {% endif %} zeekbpf: @@ -177,7 +171,7 @@ zeekbpf: - name: /opt/so/conf/zeek/bpf - user: 940 - group: 940 -{% if BPF_STATUS %} +{% if ZEEK_BPF_STATUS %} - contents: {{ ZEEKBPF }} {% else %} - contents: