From 9a6fe3e8de7fdf773e94e626d6c84763db114d4e Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 16 Sep 2022 08:36:44 -0400
Subject: [PATCH] Add BPF
---
 salt/bpf/defaults.yaml | 4 ++++
 salt/bpf/soc_bpf.yaml | 7 +++++++
 salt/pcap/init.sls | 2 +-
 salt/suricata/init.sls | 2 +-
 salt/zeek/init.sls | 2 +-
 setup/so-variables | 2 +-
 6 files changed, 15 insertions(+), 4 deletions(-)
 create mode 100644 salt/bpf/defaults.yaml
 create mode 100644 salt/bpf/soc_bpf.yaml
diff --git a/salt/bpf/defaults.yaml b/salt/bpf/defaults.yaml
new file mode 100644
index 000000000..ec990d1de
--- /dev/null
+++ b/salt/bpf/defaults.yaml
@@ -0,0 +1,4 @@
+bpf:
+ pcap: []
+ suricta: []
+ zeek: []
\ No newline at end of file
diff --git a/salt/bpf/soc_bpf.yaml b/salt/bpf/soc_bpf.yaml
new file mode 100644
index 000000000..62395830f
--- /dev/null
+++ b/salt/bpf/soc_bpf.yaml
@@ -0,0 +1,7 @@
+bpf:
+ pcap:
+ description: List of BPF filters to apply to PCAP.
+ suricata:
+ description: List of BPF filters to apply to Suricata.
+ zeek:
+ description: List of BPF filters to apply to Zeek.
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index d355ec445..a5fd5da68 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -13,7 +13,7 @@
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
-{% set BPF_STENO = salt['pillar.get']('steno:bpf', None) %}
+{% set BPF_STENO = salt['pillar.get']('bpf:pcap', None) %}
 {% set BPF_COMPILED = "" %}
 # PCAP Section
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index a46f7425b..5f628cbdd 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
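Review bot: The key `suricta: []` in the new defaults.yaml is misspelled, so it never matches the `bpf:suricata` key that soc_bpf.yaml documents and that salt/suricata/init.sls reads in this same patch; with this default in place the Suricata lookup falls through to its `None` default unless an operator sets the correctly spelled key by hand. Change the line to `+ suricata: []`. The file is also written without a trailing newline (`\ No newline at end of file`), which makes every later edit to its last line a noisier diff; end it with a newline.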
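Review bot: The pcap lookup now reads only `bpf:pcap`, so a sensor whose pillar still carries the old `steno:bpf` value silently loses its capture filter on the next highstate, and nothing in the patch migrates or warns about the old key; the same concern applies to the `nids:bpf` and `zeek:bpf` renames in the other hunks. A one-line fallback keeps existing deployments filtering while the new key is rolled out: `{% set BPF_STENO = salt['pillar.get']('bpf:pcap', salt['pillar.get']('steno:bpf', None)) %}`. If the new defaults.yaml is merged into pillar before this lookup runs, its `pcap: []` would satisfy the first get and mask the fallback, so the fallback may instead belong where defaults are merged — that is not visible from the hunk. The rest of pcap/init.sls, including how BPF_STENO becomes BPF_COMPILED, lies outside the hunk.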
@@ -12,7 +12,7 @@
 {% set VERSION = salt['pillar.get']('global:soversion') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
-{% set BPF_NIDS = salt['pillar.get']('nids:bpf') %}
+{% set BPF_NIDS = salt['pillar.get']('bpf:suricata', None) %}
 {% set BPF_STATUS = 0 %}
 {# import_yaml 'suricata/files/defaults2.yaml' as suricata #}
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index b6f3231ae..5f904bf7d 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -11,7 +11,7 @@
 {% set VERSION = salt['pillar.get']('global:soversion') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
-{% set BPF_ZEEK = salt['pillar.get']('zeek:bpf', {}) %}
+{% set BPF_ZEEK = salt['pillar.get']('bpf:zeek', {}) %}
 {% set BPF_STATUS = 0 %}
 {% set INTERFACE = salt['pillar.get']('sensor:interface') %}
diff --git a/setup/so-variables b/setup/so-variables
index 214fa6b6f..5acbc01bc 100644
--- a/setup/so-variables
+++ b/setup/so-variables
@@ -81,7 +81,7 @@ export whiptail_title
 mkdir -p $local_salt_dir/pillar/minions
-for THEDIR in elasticsearch firewall redis backup strelka sensoroni curator soc soctopus docker zeek suricata nginx filebeat logstash soc manager kratos idstools idh elastalert
+for THEDIR in bpf pcap elasticsearch firewall redis backup strelka sensoroni curator soc soctopus docker zeek suricata nginx filebeat logstash soc manager kratos idstools idh elastalert
 do
 mkdir -p $local_salt_dir/pillar/$THEDIR
 touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls
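Review bot: The Zeek lookup keeps `{}` as its default while the pcap and Suricata lookups in this same patch default to `None` and soc_bpf.yaml describes all three keys as lists, so an unset `bpf:zeek` yields a different type than an unset `bpf:suricata`; code that treats the value as a list would iterate an empty dict here and hit `None` elsewhere. Align the default with the other two readers: `{% set BPF_ZEEK = salt['pillar.get']('bpf:zeek', None) %}` (or `[]` if the consumer iterates it). The code that consumes BPF_ZEEK is outside the hunk, so whether the type mismatch is actually reachable cannot be confirmed from here.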