move zeek bpf from zeek pillar to bpf pillar

2025-12-07 09:42:46 +01:00 · 2023-03-20 15:28:33 -04:00
parent 460f84d80f
commit 903ad530fe
7 changed files with 21 additions and 8 deletions
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -19,6 +19,8 @@ base:
  '*_eval or *_heavynode or *_sensor or *_standalone or *_import':
    - match: compound
    - zeek
+    - bpf.soc_bpf
+    - bpf.adv_bpf

  '*_managersearch or *_heavynode':
    - match: compound
--- a/salt/bpf/defaults.yaml
+++ b/salt/bpf/defaults.yaml
@@ -1,4 +1,5 @@
 bpf:
-    pcap: []
-    suricata: []
-    zeek: []
+  pcap: []
+  suricata: []
+  zeek:
+    - ip or not ip
--- a/salt/bpf/soc_bpf.yaml
+++ b/salt/bpf/soc_bpf.yaml
@@ -1,10 +1,13 @@
 bpf:
  pcap:
    description: List of BPF filters to apply to PCAP.
+    multiline: True
    helpLink: bpf.html
  suricata:
    description: List of BPF filters to apply to Suricata.
+    multiline: True
    helpLink: bpf.html
  zeek:
    description: List of BPF filters to apply to Zeek.
+    multiline: True
    helpLink: bpf.html
--- a/salt/bpf/zeek.map.jinja
+++ b/salt/bpf/zeek.map.jinja
@@ -0,0 +1,4 @@
+{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
+{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+
+{% set ZEEKBPF = BPFMERGED.zeek %}
--- a/salt/vars/standalone.map.jinja
+++ b/salt/vars/standalone.map.jinja
@@ -1,12 +1,14 @@
 {% from 'vars/elasticsearch.map.jinja' import ELASTICSEARCH_GLOBALS %}
 {% from 'vars/logstash.map.jinja' import LOGSTASH_GLOBALS %}
+{% from 'vars/sensor.map.jinja' import SENSOR_GLOBALS %}

 {% set ROLE_GLOBALS = {} %}

 {% set STANDALONE_GLOBALS =
   [
     ELASTICSEARCH_GLOBALS,
-     LOGSTASH_GLOBALS
+     LOGSTASH_GLOBALS,
+     SENSOR_GLOBALS
   ]
 %}

--- a/salt/zeek/defaults.yaml
+++ b/salt/zeek/defaults.yaml
@@ -102,4 +102,3 @@ zeek:
    - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
    - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
    - application/vnd.openxmlformats-officedocument: doc
-  bpf: []
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -10,6 +10,8 @@
 {% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %}
 {% from "zeek/config.map.jinja" import ZEEKMERGED with context %}

+{% from 'bpf/zeek.map.jinja' import ZEEKBPF %}
+
 {% set BPF_STATUS = 0  %}

 # Zeek Salt State
@@ -162,8 +164,8 @@ zeekpacketlosscron:
    - dayweek: '*'

 # BPF compilation and configuration
-{% if ZEEKMERGED.zeek.bpf %}
-   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKMERGED.zeek.bpf|join(" "),cwd='/root') %}
+{% if ZEEKBPF %}
+   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKBPF|join(" "),cwd='/root') %}
   {% if BPF_CALC['stderr'] == "" %}
       {% set BPF_STATUS = 1  %}
  {% else  %}
@@ -181,7 +183,7 @@ zeekbpf:
    - user: 940
    - group: 940
 {% if BPF_STATUS %}
-    - contents: {{ ZEEKMERGED.bpf }}
+    - contents: {{ ZEEKBPF }}
 {% else %}
    - contents:
      - "ip or not ip"