From 78527ab87c0eb2de6632d03a451e58de549f816b Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 24 Jan 2020 04:20:49 -0500 Subject: [PATCH 1/5] Steno - BPF Config --- salt/pcap/files/compile_bpf.sh | 37 ++++++++++++++++++++++++++++++++++ salt/pcap/files/config | 4 ++-- salt/pcap/init.sls | 36 ++++++++++++++++++++++++++++++++- 3 files changed, 74 insertions(+), 3 deletions(-) create mode 100644 salt/pcap/files/compile_bpf.sh diff --git a/salt/pcap/files/compile_bpf.sh b/salt/pcap/files/compile_bpf.sh new file mode 100644 index 000000000..44c5b8249 --- /dev/null +++ b/salt/pcap/files/compile_bpf.sh @@ -0,0 +1,37 @@ +#!/bin/bash + +# Copyright 2014 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +if [ "$#" -lt 2 ]; then + cat 1>&2 < Date: Fri, 24 Jan 2020 04:22:47 -0500 Subject: [PATCH 2/5] Steno - fix disk percentage --- salt/pcap/files/config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/pcap/files/config b/salt/pcap/files/config index a41645e88..0f06d1c7e 100644 --- a/salt/pcap/files/config +++ b/salt/pcap/files/config @@ -4,7 +4,7 @@ { "PacketsDirectory": "/nsm/pcap" , "IndexDirectory": "/nsm/pcapindex" , "MaxDirectoryFiles": 30000 - , "DiskFreePercentage": 5 + , "DiskFreePercentage": 10 } ] , "StenotypePath": "/usr/bin/stenotype" From 3262854f4e37b28fa80aa562cfa22ceeb0504930 Mon Sep 17 00:00:00 2001 
From: Josh Brower Date: Fri, 24 Jan 2020 04:30:06 -0500 Subject: [PATCH 3/5] Steno - fix error name --- salt/pcap/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index a91f6bfce..16d002250 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -53,7 +53,7 @@ stenoconfdir: bpfcompilationfailure: test.configurable_test_state: - - name: foo + - name: bpfcompfailure - changes: False - result: False - comment: "BPF Compilation Failed - Discarding specified BPF" From dcf1dc6e092879abffbaab3b7ed7591b62c1e3b5 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 24 Jan 2020 12:33:15 -0500 Subject: [PATCH 4/5] reorder pillar top - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/249 --- pillar/top.sls | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/pillar/top.sls b/pillar/top.sls index 3a37fa861..99fe26556 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -2,40 +2,40 @@ base: '*': - patch.needs_restarting - 'G@role:so-sensor': - - minions.{{ grains.id }} - - static - - firewall.* - - brologs - 'G@role:so-mastersearch': - logstash.mastersearch + 'G@role:so-sensor': + - static + - firewall.* + - brologs + - minions.{{ grains.id }} + 'G@role:so-master or G@role:so-mastersearch': - match: compound - - minions.{{ grains.id }} - static - firewall.* - data.* - auth + - minions.{{ grains.id }} 'G@role:so-eval': - - minions.{{ grains.id }} - static - firewall.* - data.* - brologs - auth + - minions.{{ grains.id }} 'G@role:so-node': - - minions.{{ grains.id }} - static - firewall.* + - minions.{{ grains.id }} 'G@role:so-helix': - - minions.{{ grains.id }} - static - firewall.* - fireeye - static - brologs + - minions.{{ grains.id }} From d54a41a1f012001681ed065b5f5487bc98785196 Mon Sep 17 00:00:00 2001 
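Review bot: The reorder of `pillar/top.sls` moves `minions.{{ grains.id }}` to the end of every role block but leaves no comment saying that the position matters. Presumably pillar files listed later win on conflicting keys, so the per-minion file now overrides `static`, `firewall.*`, `data.*` and `auth`, and a later edit could silently undo that. A comment at the top of the file would record it, for example `# minions.{{ grains.id }} must stay last in each role block so per-minion values override the shared pillars`. Because per-minion files can now shadow `firewall.*` keys, it is worth checking the existing minion files for keys that overlap with the firewall pillar. Separately, the `'G@role:so-helix'` block as shown lists `- static` twice, and the second entry looks redundant.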
From: m0duspwnens
Date: Fri, 24 Jan 2020 15:08:09 -0500
Subject: [PATCH 5/5] fix so-buildregistry from returning error
---
 salt/registry/bin/so-buildregistry | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/registry/bin/so-buildregistry b/salt/registry/bin/so-buildregistry
index da50f44f7..01756fc67 100644
--- a/salt/registry/bin/so-buildregistry
+++ b/salt/registry/bin/so-buildregistry
@@ -7,6 +7,6 @@ TARBALL=/nsm/docker-registry/docker/so-dockers-$VERSION.tar
 if [ -f "$TARBALL" ]; then
 cd /nsm/docker-registry/docker
 tar xvf so-dockers-$VERSION.tar
-else
- exit
 fi
+
+exit 0
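Review bot: The unconditional `exit 0` added after `fi` reports success even when `cd` or `tar xvf` inside the `if` fails, so a truncated or corrupt `so-dockers-$VERSION.tar` can leave a partly extracted registry directory while the caller sees no error. The missing-tarball case can keep returning 0 while extraction failures propagate, by changing the two lines to `cd /nsm/docker-registry/docker || exit 1` and `tar xvf "so-dockers-$VERSION.tar" || exit 1`. The script begins above the hunk, so whether `set -e` is enabled earlier is not visible here. Nothing in the visible lines verifies the tarball before it is unpacked into the registry path; whether an integrity check happens elsewhere should be confirmed.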