Merge pull request #284 from Security-Onion-Solutions/fix/bpf-zeek

Dep Bro and enabled Zeek BPF
2025-12-06 17:22:49 +01:00 · 2020-01-30 10:00:09 -05:00
parent 960bb51218 3fdc5fbef4
commit a2c75c8fc0
20 changed files with 137 additions and 0 deletions
--- a/salt/deprecated-bro/cron/packetloss.sh
+++ b/salt/deprecated-bro/cron/packetloss.sh
--- a/salt/deprecated-bro/cron/zeek_clean
+++ b/salt/deprecated-bro/cron/zeek_clean
--- a/salt/deprecated-bro/files/local.bro
+++ b/salt/deprecated-bro/files/local.bro
--- a/salt/deprecated-bro/files/local.bro.community
+++ b/salt/deprecated-bro/files/local.bro.community
--- a/salt/deprecated-bro/files/node.cfg
+++ b/salt/deprecated-bro/files/node.cfg
--- a/salt/deprecated-bro/init.sls
+++ b/salt/deprecated-bro/init.sls
--- a/salt/deprecated-bro/policy/intel/load.bro
+++ b/salt/deprecated-bro/policy/intel/load.bro
--- a/salt/deprecated-bro/policy/securityonion/add-interface-to-logs.bro
+++ b/salt/deprecated-bro/policy/securityonion/add-interface-to-logs.bro
--- a/salt/deprecated-bro/policy/securityonion/apt1/load.bro
+++ b/salt/deprecated-bro/policy/securityonion/apt1/load.bro
--- a/salt/deprecated-bro/policy/securityonion/apt1/apt1-certs.dat
+++ b/salt/deprecated-bro/policy/securityonion/apt1/apt1-certs.dat
--- a/salt/deprecated-bro/policy/securityonion/apt1/apt1-fqdn.dat
+++ b/salt/deprecated-bro/policy/securityonion/apt1/apt1-fqdn.dat
--- a/salt/deprecated-bro/policy/securityonion/apt1/apt1-md5.dat
+++ b/salt/deprecated-bro/policy/securityonion/apt1/apt1-md5.dat
--- a/salt/deprecated-bro/policy/securityonion/bpfconf.bro
+++ b/salt/deprecated-bro/policy/securityonion/bpfconf.bro
--- a/salt/deprecated-bro/policy/securityonion/conn-add-sensorname.bro
+++ b/salt/deprecated-bro/policy/securityonion/conn-add-sensorname.bro
--- a/salt/deprecated-bro/policy/securityonion/file-extraction/load.bro
+++ b/salt/deprecated-bro/policy/securityonion/file-extraction/load.bro
--- a/salt/deprecated-bro/policy/securityonion/file-extraction/extract.bro
+++ b/salt/deprecated-bro/policy/securityonion/file-extraction/extract.bro
--- a/salt/deprecated-bro/policy/securityonion/json-logs/load.bro
+++ b/salt/deprecated-bro/policy/securityonion/json-logs/load.bro
--- a/salt/zeek/files/local.zeek
+++ b/salt/zeek/files/local.zeek
@@ -121,3 +121,6 @@ redef LogAscii::json_timestamps = JSON::TS_ISO8601;
 # CVE-2020-0601
@load cve-2020-0601
 # BPF Configuration
@load securityonion/bpfconf
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -1,5 +1,7 @@
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% set BPF_ZEEK = salt['pillar.get']('zeek:bpf') %}
 {% set BPF_STATUS = 0  %}
 # Zeek Salt State
 # Add Zeek group
 zeekgroup:
@@ -90,6 +92,32 @@ plcronscript:
    - month: '*'
    - dayweek: '*'
 # BPF compilation and configuration
 {% if BPF_ZEEK %}
   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_ZEEK|join(" ")  ) %}
   {% if BPF_CALC['stderr'] == "" %}
       {% set BPF_STATUS = 1  %}
  {% else  %}
 zeekbpfcompilationfailure:
  test.configurable_test_state:
   - changes: False
   - result: False
   - comment: "BPF Syntax Error - Discarding Specified BPF"
   {% endif %}
 {% endif %}
 zeekbpf:
  file.managed:
    - name: /opt/so/conf/zeek/bpf
    - user: 940
    - group: 940
   {% if BPF_STATUS %}
    - contents_pillar: zeek:bpf
   {% else %}
    - contents:
      - "ip or not ip"
   {% endif %}
 localzeeksync:
  file.managed:
    - name: /opt/so/conf/zeek/local.zeek
--- a/salt/zeek/policy/securityonion/bpfconf.zeek
+++ b/salt/zeek/policy/securityonion/bpfconf.zeek
@@ -0,0 +1,106 @@
 ##! This script is to support the bpf.conf file like other network monitoring tools use.
 ##! Please don't try to learn from this script right now, there are a large number of
 ##! hacks in it to work around bugs discovered in Bro.
@load base/frameworks/notice
 module BPFConf;
 export {
 	## The file that is watched on disk for BPF filter changes.
 	## Two templated variables are available; "sensorname" and "interface".
 	## They can be used by surrounding the term by doubled curly braces.
 	const filename = "/opt/zeek/share/zeek/site/bpf" &redef;
 	redef enum Notice::Type += { 
 		## Invalid filter notice.
 		InvalidFilter
 	};
 }
 global filter_parts: vector of string = vector();
 global current_filter_filename = "";
 type FilterLine: record {
 	s: string;
 };
 redef enum PcapFilterID += {
 	BPFConfPcapFilter,
 };
 event BPFConf::line(description: Input::EventDescription, tpe: Input::Event, s: string)
 	{
 	local part = sub(s, /[[:blank:]]*#.*$/, "");
 	# We don't want any blank parts.
 	if ( part != "" )
 		filter_parts[|filter_parts|] = part;
 	}
 event Input::end_of_data(name: string, source:string)
 	{
 	if ( name == "bpfconf" )
 		{
 		local filter = join_string_vec(filter_parts, " ");
 		capture_filters["bpf.conf"] = filter;
 		if ( Pcap::precompile_pcap_filter(BPFConfPcapFilter, filter) )
 			{
 			PacketFilter::install();
 			}
 		else
 			{
 			NOTICE([$note=InvalidFilter,
 			        $msg=fmt("Compiling packet filter from %s failed", filename),
 			        $sub=filter]);
 			}
 		filter_parts=vector();
 		}
 	}
 function add_filter_file()
 	{
 	local real_filter_filename = BPFConf::filename;
 	# Support the interface template value.
 	#if ( SecurityOnion::sensorname != "" )
 	#	real_filter_filename = gsub(real_filter_filename, /\{\{sensorname\}\}/, SecurityOnion::sensorname);
 	# Support the interface template value.
 	#if ( SecurityOnion::interface != "" )
 	#	real_filter_filename = gsub(real_filter_filename, /\{\{interface\}\}/, SecurityOnion::interface);
 	#if ( /\{\{/ in real_filter_filename )
 	#	{
 	#	return;
 	#	}
 	#else
 	#	Reporter::info(fmt("BPFConf filename set: %s (%s)", real_filter_filename, Cluster::node));
 	if ( real_filter_filename != current_filter_filename )
 		{
 		current_filter_filename = real_filter_filename;
 		Input::add_event([$source=real_filter_filename,
 		                  $name="bpfconf",
 		                  $reader=Input::READER_RAW,
 		                  $mode=Input::REREAD,
 		                  $want_record=F,
 		                  $fields=FilterLine,
 		                  $ev=BPFConf::line]);
 		}
 	}
 #event SecurityOnion::found_sensorname(name: string)
 #	{
 #	add_filter_file();
 #	}
 event zeek_init() &priority=5
 	{
 	if ( BPFConf::filename != "" )
 		add_filter_file();
 	}