From 252afa84996671269932622f86e03cefe79fd356 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 20 Mar 2023 17:10:34 -0400
Subject: [PATCH] bpf for pcap

---
 salt/bpf/pcap.map.jinja | 4 ++++
 salt/bpf/soc_bpf.yaml | 3 +++
 salt/pcap/init.sls | 8 ++++----
 3 files changed, 11 insertions(+), 4 deletions(-)
 create mode 100644 salt/bpf/pcap.map.jinja

diff --git a/salt/bpf/pcap.map.jinja b/salt/bpf/pcap.map.jinja
new file mode 100644
index 000000000..a160f2f7a
--- /dev/null
+++ b/salt/bpf/pcap.map.jinja
@@ -0,0 +1,4 @@
+{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
+{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+
+{% set PCAPBPF = BPFMERGED.pcap %}
diff --git a/salt/bpf/soc_bpf.yaml b/salt/bpf/soc_bpf.yaml
index 0474b2e62..379eaa022 100644
--- a/salt/bpf/soc_bpf.yaml
+++ b/salt/bpf/soc_bpf.yaml
@@ -2,12 +2,15 @@ bpf:
   pcap:
     description: List of BPF filters to apply to PCAP.
     multiline: True
+    forcedType: "[]string"
     helpLink: bpf.html
   suricata:
     description: List of BPF filters to apply to Suricata.
     multiline: True
+    forcedType: "[]string"
     helpLink: bpf.html
   zeek:
     description: List of BPF filters to apply to Zeek.
     multiline: True
+    forcedType: "[]string"
     helpLink: bpf.html
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index 401b5d616..73b384a53 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -9,8 +9,8 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from "pcap/map.jinja" import STENOOPTIONS with context %}
 {% from "pcap/config.map.jinja" import PCAPMERGED with context %}
-{% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
-{% set BPF_STENO = salt['pillar.get']('bpf:pcap', None) %}
+{% from 'bpf/pcap.map.jinja' import PCAPBPF %}
+
 {% set BPF_COMPILED = "" %}
 
 # PCAP Section
@@ -33,8 +33,8 @@ stenoconfdir:
     - group: 939
     - makedirs: True
 
-{% if BPF_STENO %}
-  {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_STENO|join(" "),cwd='/root') %}
+{% if PCAPBPF %}
+  {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + PCAPBPF|join(" "),cwd='/root') %}
   {% if BPF_CALC['stderr'] == "" %}
     {% set BPF_COMPILED = ",\\\"--filter=" + BPF_CALC['stdout'] + "\\\"" %}
   {% else %}
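Review bot: The success test on the context line right after the rewritten `cmd.script` call still checks only `BPF_CALC['stderr'] == ""` and ignores the exit status, so if `so-bpf-compile` fails without writing to stderr its empty or partial stdout is wrapped into `--filter=` and handed to steno as if it were a valid compiled filter; I would tighten it to `{% if BPF_CALC['retcode'] == 0 and BPF_CALC['stderr'] == "" %}`. Separately, `PCAPBPF|join(" ")` is spliced into the args string unquoted, and since this same commit makes the list editable from the SOC UI (soc_bpf.yaml), an entry containing quotes or whitespace will be re-tokenized by `cmd.script` before it reaches the script — whether it could also be interpreted by a shell depends on `cmd.script`'s `python_shell` default, which I have not verified here. Passing the filter through Salt's shell-quoting filter, e.g. `GLOBALS.sensor.interface + ' ' + (PCAPBPF|join(" ")|quote)`, keeps the whole filter a single argument either way. The `{% else %}` branch continues outside the hunk.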