suricata bpf

salt/bpf/pcap.map.jinja

@@ -1,4 +1,7 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
+{% set PCAP_BPF_STATUS = 0  %}
+{% set STENO_BPF_COMPILED = "" %}
+
 {% if GLOBALS.pcap_engine == "TRANSITION" %}
 {%   set PCAPBPF = ["ip and host 255.255.255.1 and port 1"] %}
 {% else %}
@@ -8,3 +11,11 @@
 {{   MACROS.remove_comments(BPFMERGED, 'pcap') }}
 {%   set PCAPBPF = BPFMERGED.pcap %}
 {% endif %}
+
+{% if PCAPBPF %}
+   {% set PCAP_BPF_CALC = salt['cmd.run_all']('/usr/sbin/so-bpf-compile ' ~ GLOBALS.sensor.interface ~ ' ' ~ PCAPBPF|join(" "), cwd='/root') %}
+   {% if PCAP_BPF_CALC['retcode'] == 0 %}
+      {% set PCAP_BPF_STATUS = 1 %}
+      {% set STENO_BPF_COMPILED =  ",\\\"--filter=" + BPF_CALC['stdout'] + "\\\""  %}
+   {% endif %}
+{% endif %}

salt/bpf/soc_bpf.yaml

@@ -1,11 +1,11 @@
 bpf:
   pcap:
-    description: List of BPF filters to apply to Stenographer.
+    description: List of BPF filters to apply to the packet capture application.
     multiline: True
     forcedType: "[]string"
     helpLink: bpf.html
   suricata:
-    description: List of BPF filters to apply to Suricata.
+    description: List of BPF filters to apply to Suricata. This will apply to alerts and, if enabled, to metadata and PCAP logs generated by Suricata.
     multiline: True
     forcedType: "[]string"
     helpLink: bpf.html

salt/bpf/suricata.map.jinja

@@ -1,7 +1,16 @@
+{% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
 {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+{% set SURICATA_BPF_STATUS = 0 %}
 {% import 'bpf/macros.jinja' as MACROS %}
 
 {{ MACROS.remove_comments(BPFMERGED, 'suricata') }}
 
 {% set SURICATABPF = BPFMERGED.suricata %}
+
+{% if SURICATABPF %}
+   {% set SURICATA_BPF_CALC = salt['cmd.run_all']('/usr/sbin/so-bpf-compile ' ~ GLOBALS.sensor.interface ~ ' ' ~ SURICATABPF|join(" "), cwd='/root') %}
+   {% if SURICATA_BPF_CALC['retcode'] == 0 %}
+      {% set SURICATA_BPF_STATUS = 1 %}
+   {% endif %}
+{% endif %}

salt/bpf/zeek.map.jinja

@@ -1,7 +1,16 @@
+{% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
 {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+{% set ZEEK_BPF_STATUS = 0 %}
 {% import 'bpf/macros.jinja' as MACROS %}
 
 {{ MACROS.remove_comments(BPFMERGED, 'zeek') }}
 
 {% set ZEEKBPF = BPFMERGED.zeek %}
+
+{% if ZEEKBPF %}
+   {% set ZEEK_BPF_CALC = salt['cmd.run_all']('/usr/sbin/so-bpf-compile ' ~ GLOBALS.sensor.interface ~ ' ' ~ ZEEKBPF|join(" "), cwd='/root') %}
+   {% if ZEEK_BPF_CALC['retcode'] == 0 %}
+      {% set ZEEK_BPF_STATUS = 1 %}
+   {% endif %}
+{% endif %}

salt/pcap/config.sls

@@ -8,12 +8,9 @@
 
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from "pcap/config.map.jinja" import PCAPMERGED %}
-{% from 'bpf/pcap.map.jinja' import PCAPBPF %}
+{% from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS, PCAP_BPF_CALC, STENO_BPF_COMPILED %}
-
-{% set BPF_COMPILED = "" %}
 
 # PCAP Section
-
 stenographergroup:
   group.present:
     - name: stenographer
@@ -40,18 +37,12 @@ pcap_sbin:
     - group: 939
     - file_mode: 755
 
-{% if PCAPBPF %}
+{% if PCAPBPF and not PCAP_BPF_STATUS %}
-   {% set BPF_CALC = salt['cmd.script']('salt://common/tools/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + PCAPBPF|join(" "),cwd='/root') %}
+stenoPCAPbpfcompilationfailure:
-   {% if BPF_CALC['stderr'] == "" %}
-      {% set BPF_COMPILED =  ",\\\"--filter=" + BPF_CALC['stdout'] + "\\\""  %}
-   {% else  %}
-
-bpfcompilationfailure:
   test.configurable_test_state:
    - changes: False
    - result: False
-   - comment: "BPF Compilation Failed - Discarding Specified BPF"
+  - comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ PCAP_BPF_CALC['stderr'] }}"
-   {% endif %}
 {% endif %}
 
 stenoconf:
@@ -64,7 +55,7 @@ stenoconf:
     - template: jinja
     - defaults:
         PCAPMERGED: {{ PCAPMERGED }}
-        BPF_COMPILED: "{{ BPF_COMPILED }}"
+        STENO_BPF_COMPILED: "{{ STENO_BPF_COMPILED }}"
 
 stenoca:
   file.directory:

salt/pcap/files/config.jinja

@@ -6,6 +6,6 @@
   , "Interface": "{{ pillar.sensor.interface }}"
   , "Port": 1234
   , "Host": "127.0.0.1"
-  , "Flags": ["-v", "--blocks={{ PCAPMERGED.config.blocks }}", "--preallocate_file_mb={{ PCAPMERGED.config.preallocate_file_mb }}", "--aiops={{ PCAPMERGED.config.aiops }}", "--uid=stenographer", "--gid=stenographer"{{ BPF_COMPILED }}]
+  , "Flags": ["-v", "--blocks={{ PCAPMERGED.config.blocks }}", "--preallocate_file_mb={{ PCAPMERGED.config.preallocate_file_mb }}", "--aiops={{ PCAPMERGED.config.aiops }}", "--uid=stenographer", "--gid=stenographer"{{ STENO_BPF_COMPILED }}]
   , "CertPath": "/etc/stenographer/certs"
 }

salt/suricata/config.sls

@@ -8,6 +8,7 @@
 
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'suricata/map.jinja' import SURICATAMERGED %}
+{%   from 'bpf/suricata.map.jinja' import SURICATABPF, SURICATA_BPF_STATUS, SURICATA_BPF_CALC %}
 
 suridir:
   file.directory:
@@ -16,30 +17,36 @@ suridir:
     - group: 940
 
 {%   if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
-{%     from 'bpf/suricata.map.jinja' import SURICATABPF %}
+{%     from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS, PCAP_BPF_CALC %}
-{%     from 'suricata/map.jinja' import BPF_STATUS %}
-{%     from 'suricata/map.jinja' import BPF_CALC %}
-
 # BPF compilation and configuration
-{%     if SURICATABPF and not BPF_STATUS %}
+{%     if PCAPBPF and not PCAP_BPF_STATUS %}
-suribpfcompilationfailure:
+suriPCAPbpfcompilationfailure:
   test.configurable_test_state:
     - changes: False
     - result: False
-    - comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ BPF_CALC['stderr'] }}"
+    - comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ PCAP_BPF_CALC['stderr'] }}"
 {%     endif %}
+{%   endif %}
 
+# BPF applied to all of Suricata - alerts/metadata/pcap
 suribpf:
   file.managed:
     - name: /opt/so/conf/suricata/bpf
     - user: 940
     - group: 940
-   {% if BPF_STATUS %}
+   {% if SURICATA_BPF_STATUS %}
     - contents: {{ SURICATABPF }}
    {% else %}
     - contents:
       - ""
    {% endif %}
+
+{%   if SURICATABPF and not SURICATA_BPF_STATUS %}
+suribpfcompilationfailure:
+  test.configurable_test_state:
+    - changes: False
+    - result: False
+    - comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ SURICATA_BPF_CALC['stderr'] }}"
 {%   endif %}
 
 # Add Suricata Group

salt/suricata/map.jinja

@@ -7,19 +7,14 @@
 {% set default_filestore_index = [] %}
 {% set surimeta_evelog_index = [] %}
 {% set surimeta_filestore_index = [] %}
-{% set BPF_STATUS = 0  %}
 
 {# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #}
 {% if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
 
-{% from 'bpf/suricata.map.jinja' import SURICATABPF %}
+{%   from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS %}
-{% if SURICATABPF %}
+{%   if PCAPBPF and PCAP_BPF_STATUS %}
-   {% set BPF_CALC = salt['cmd.run_all']('/usr/sbin/so-bpf-compile ' ~ GLOBALS.sensor.interface ~ ' ' ~ SURICATABPF|join(" "), cwd='/root') %}
+{%     do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': PCAPBPF|join(" ")}) %}
-   {% if BPF_CALC['retcode'] == 0 %}
+{%   endif %}
-      {% set BPF_STATUS = 1 %}
-      {% do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': SURICATABPF|join(" ")}) %}
-   {% endif %}
-{% endif %}
 
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
 {#   move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #}

salt/zeek/config.sls

@@ -8,8 +8,7 @@
 
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from "zeek/config.map.jinja" import ZEEKMERGED %}
-{% from 'bpf/zeek.map.jinja' import ZEEKBPF %}
+{% from 'bpf/zeek.map.jinja' import ZEEKBPF, ZEEK_BPF_STATUS, ZEEK_BPF_CALC %}
-{% set BPF_STATUS = 0  %}
 
 # Add Zeek group
 zeekgroup:
@@ -158,18 +157,13 @@ zeekja4cfg:
     - user: 937
     - group: 939
 
-# BPF compilation and configuration
+# BPF compilation failed
-{% if ZEEKBPF %}
+{% if ZEEKBPF and not ZEEK_BPF_STATUS %}
-   {% set BPF_CALC = salt['cmd.script']('salt://common/tools/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKBPF|join(" "),cwd='/root') %}
-   {% if BPF_CALC['stderr'] == "" %}
-       {% set BPF_STATUS = 1  %}
-  {% else  %}
 zeekbpfcompilationfailure:
   test.configurable_test_state:
     - changes: False
     - result: False
-    - comment: "BPF Syntax Error - Discarding Specified BPF"
+    - comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ ZEEK_BPF_CALC['stderr'] }}"
-   {% endif %}
 {% endif %}
 
 zeekbpf:
@@ -177,7 +171,7 @@ zeekbpf:
     - name: /opt/so/conf/zeek/bpf
     - user: 940
     - group: 940
-{% if BPF_STATUS %}
+{% if ZEEK_BPF_STATUS %}
     - contents: {{ ZEEKBPF }}
 {% else %}
     - contents: