handle bpf for suricata 8 pcap

salt/suricata/config.sls

@@ -7,9 +7,40 @@
 {% if sls.split('.')[0] in allowed_states %}
 
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'bpf/suricata.map.jinja' import SURICATABPF %}
 {%   from 'suricata/map.jinja' import SURICATAMERGED %}
-{%   set BPF_STATUS = 0  %}
+
+suridir:
+  file.directory:
+    - name: /opt/so/conf/suricata
+    - user: 940
+    - group: 940
+
+{%   if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
+{%     from 'bpf/suricata.map.jinja' import SURICATABPF %}
+{%     from 'suricata/map.jinja' import BPF_STATUS %}
+{%     from 'suricata/map.jinja' import BPF_CALC %}
+
+# BPF compilation and configuration
+{%     if SURICATABPF and not BPF_STATUS %}
+suribpfcompilationfailure:
+  test.configurable_test_state:
+    - changes: False
+    - result: False
+    - comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ BPF_CALC['stderr'] }}"
+{%     endif %}
+
+suribpf:
+  file.managed:
+    - name: /opt/so/conf/suricata/bpf
+    - user: 940
+    - group: 940
+   {% if BPF_STATUS %}
+    - contents: {{ SURICATABPF }}
+   {% else %}
+    - contents:
+      - ""
+   {% endif %}
+{%   endif %}
 
 # Add Suricata Group
 suricatagroup:
@@ -49,18 +80,11 @@ suricata_sbin_jinja:
     - file_mode: 755
     - template: jinja
 
-suridir:
-  file.directory:
-    - name: /opt/so/conf/suricata
-    - user: 940
-    - group: 940
-
 suriruledir:
   file.directory:
     - name: /opt/so/conf/suricata/rules
     - user: 940
     - group: 940
-    - makedirs: True
 
 surilogdir:
   file.directory:
@@ -136,32 +160,6 @@ suriclassifications:
     - user: 940
     - group: 940
 
-# BPF compilation and configuration
-{% if SURICATABPF %}
-   {% set BPF_CALC = salt['cmd.script']('salt://common/tools/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + SURICATABPF|join(" "),cwd='/root') %}
-   {% if BPF_CALC['stderr'] == "" %}
-      {% set BPF_STATUS = 1  %}
-   {% else  %}
-suribpfcompilationfailure:
-  test.configurable_test_state:
-   - changes: False
-   - result: False
-   - comment: "BPF Syntax Error - Discarding Specified BPF"
-   {% endif %}
-{% endif %}
-
-suribpf:
-  file.managed:
-    - name: /opt/so/conf/suricata/bpf
-    - user: 940
-    - group: 940
-   {% if BPF_STATUS %}
-    - contents: {{ SURICATABPF }}
-   {% else %}
-    - contents:
-      - ""
-   {% endif %}
-
 so-suricata-eve-clean:
   file.managed:
     - name: /usr/sbin/so-suricata-eve-clean

salt/suricata/map.jinja

@@ -7,9 +7,20 @@
 {% set default_filestore_index = [] %}
 {% set surimeta_evelog_index = [] %}
 {% set surimeta_filestore_index = [] %}
+{% set BPF_STATUS = 0  %}
 
 {# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #}
 {% if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
+
+{% from 'bpf/suricata.map.jinja' import SURICATABPF %}
+{% if SURICATABPF %}
+   {% set BPF_CALC = salt['cmd.run_all']('/usr/sbin/so-bpf-compile ' ~ GLOBALS.sensor.interface ~ ' ' ~ SURICATABPF|join(" "), cwd='/root') %}
+   {% if BPF_CALC['retcode'] == 0 %}
+      {% set BPF_STATUS = 1 %}
+      {% do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': SURICATABPF|join(" ")}) %}
+   {% endif %}
+{% endif %}
+
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
 {#   move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %}