bpf for pcap

salt/bpf/pcap.map.jinja

@@ -0,0 +1,4 @@
+{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
+{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+
+{% set PCAPBPF = BPFMERGED.pcap %}

salt/bpf/soc_bpf.yaml

@@ -2,12 +2,15 @@ bpf:
   pcap:
     description: List of BPF filters to apply to PCAP.
     multiline: True
+    forcedType: "[]string"
     helpLink: bpf.html
   suricata:
     description: List of BPF filters to apply to Suricata.
     multiline: True
+    forcedType: "[]string"
     helpLink: bpf.html
   zeek:
     description: List of BPF filters to apply to Zeek.
     multiline: True
+    forcedType: "[]string"
     helpLink: bpf.html

salt/pcap/init.sls

@@ -9,8 +9,8 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from "pcap/map.jinja" import STENOOPTIONS with context %}
 {% from "pcap/config.map.jinja" import PCAPMERGED with context %}
-{% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
+{% from 'bpf/pcap.map.jinja' import PCAPBPF %}
-{% set BPF_STENO = salt['pillar.get']('bpf:pcap', None) %}
+
 {% set BPF_COMPILED = "" %}
 
 # PCAP Section
@@ -33,8 +33,8 @@ stenoconfdir:
     - group: 939
     - makedirs: True
 
-{% if BPF_STENO %}
+{% if PCAPBPF %}
-   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_STENO|join(" "),cwd='/root') %}
+   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + PCAPBPF|join(" "),cwd='/root') %}
    {% if BPF_CALC['stderr'] == "" %}
       {% set BPF_COMPILED =  ",\\\"--filter=" + BPF_CALC['stdout'] + "\\\""  %}
    {% else  %}