Merge pull request #9973 from Security-Onion-Solutions/2.4/zeekbpf

2.4/zeekbpf
2025-12-07 09:42:46 +01:00 · 2023-03-21 09:54:39 -04:00
parent 41554e8311 02c79463e1
commit cdb714f331
11 changed files with 41 additions and 19 deletions
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -19,6 +19,8 @@ base:
  '*_eval or *_heavynode or *_sensor or *_standalone or *_import':
    - match: compound
    - zeek
+    - bpf.soc_bpf
+    - bpf.adv_bpf

  '*_managersearch or *_heavynode':
    - match: compound
--- a/salt/bpf/defaults.yaml
+++ b/salt/bpf/defaults.yaml
@@ -1,4 +1,5 @@
 bpf:
-    pcap: []
-    suricata: []
-    zeek: []
+  pcap: []
+  suricata: []
+  zeek:
+    - ip or not ip
--- a/salt/bpf/pcap.map.jinja
+++ b/salt/bpf/pcap.map.jinja
@@ -0,0 +1,4 @@
+{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
+{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+
+{% set PCAPBPF = BPFMERGED.pcap %}
--- a/salt/bpf/soc_bpf.yaml
+++ b/salt/bpf/soc_bpf.yaml
@@ -1,10 +1,16 @@
 bpf:
  pcap:
    description: List of BPF filters to apply to PCAP.
+    multiline: True
+    forcedType: "[]string"
    helpLink: bpf.html
  suricata:
    description: List of BPF filters to apply to Suricata.
+    multiline: True
+    forcedType: "[]string"
    helpLink: bpf.html
  zeek:
    description: List of BPF filters to apply to Zeek.
+    multiline: True
+    forcedType: "[]string"
    helpLink: bpf.html
--- a/salt/bpf/suricata.map.jinja
+++ b/salt/bpf/suricata.map.jinja
@@ -0,0 +1,4 @@
+{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
+{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+
+{% set SURICATABPF = BPFMERGED.suricata %}
--- a/salt/bpf/zeek.map.jinja
+++ b/salt/bpf/zeek.map.jinja
@@ -0,0 +1,4 @@
+{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
+{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+
+{% set ZEEKBPF = BPFMERGED.zeek %}
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -9,8 +9,8 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from "pcap/map.jinja" import STENOOPTIONS with context %}
 {% from "pcap/config.map.jinja" import PCAPMERGED with context %}
-{% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
-{% set BPF_STENO = salt['pillar.get']('bpf:pcap', None) %}
+{% from 'bpf/pcap.map.jinja' import PCAPBPF %}
+
 {% set BPF_COMPILED = "" %}

 # PCAP Section
@@ -33,8 +33,8 @@ stenoconfdir:
    - group: 939
    - makedirs: True

-{% if BPF_STENO %}
-   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_STENO|join(" "),cwd='/root') %}
+{% if PCAPBPF %}
+   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + PCAPBPF|join(" "),cwd='/root') %}
   {% if BPF_CALC['stderr'] == "" %}
      {% set BPF_COMPILED =  ",\\\"--filter=" + BPF_CALC['stdout'] + "\\\""  %}
   {% else  %}
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -9,11 +9,9 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from "suricata/map.jinja" import SURICATAOPTIONS with context %}

-{% set interface = salt['pillar.get']('sensor:interface') %}
-{% set BPF_NIDS = salt['pillar.get']('bpf:suricata', None) %}
+{% from 'bpf/suricata.map.jinja' import SURICATABPF %}
 {% set BPF_STATUS = 0  %}

-{# import_yaml 'suricata/files/defaults2.yaml' as suricata #}
 {% from 'suricata/suricata_config.map.jinja' import suricata_defaults as suricata_config with context %}
 {% from "suricata/map.jinja" import START with context %}

@@ -109,8 +107,8 @@ surithresholding:
    - template: jinja

 # BPF compilation and configuration
-{% if BPF_NIDS %}
-   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_NIDS|join(" "),cwd='/root') %}
+{% if SURICATABPF %}
+   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + SURICATABPF|join(" "),cwd='/root') %}
   {% if BPF_CALC['stderr'] == "" %}
      {% set BPF_STATUS = 1  %}
   {% else  %}
@@ -128,7 +126,7 @@ suribpf:
    - user: 940
    - group: 940
   {% if BPF_STATUS %}
-    - contents_pillar: nids:bpf
+    - contents: {{ SURICATABPF }}
   {% else %}
    - contents:
      - ""
@@ -141,7 +139,7 @@ so-suricata:
    - start: {{ SURICATAOPTIONS.start }}
    - privileged: True
    - environment:
-      - INTERFACE={{ interface }}
+      - INTERFACE={{ GLOBALS.sensor.interface }}
    - binds:
      - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
      - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
--- a/salt/vars/standalone.map.jinja
+++ b/salt/vars/standalone.map.jinja
@@ -1,12 +1,14 @@
 {% from 'vars/elasticsearch.map.jinja' import ELASTICSEARCH_GLOBALS %}
 {% from 'vars/logstash.map.jinja' import LOGSTASH_GLOBALS %}
+{% from 'vars/sensor.map.jinja' import SENSOR_GLOBALS %}

 {% set ROLE_GLOBALS = {} %}

 {% set STANDALONE_GLOBALS =
   [
     ELASTICSEARCH_GLOBALS,
-     LOGSTASH_GLOBALS
+     LOGSTASH_GLOBALS,
+     SENSOR_GLOBALS
   ]
 %}

--- a/salt/zeek/defaults.yaml
+++ b/salt/zeek/defaults.yaml
@@ -102,4 +102,3 @@ zeek:
    - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
    - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
    - application/vnd.openxmlformats-officedocument: doc
-  bpf: []
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -10,6 +10,8 @@
 {% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %}
 {% from "zeek/config.map.jinja" import ZEEKMERGED with context %}

+{% from 'bpf/zeek.map.jinja' import ZEEKBPF %}
+
 {% set BPF_STATUS = 0  %}

 # Zeek Salt State
@@ -162,8 +164,8 @@ zeekpacketlosscron:
    - dayweek: '*'

 # BPF compilation and configuration
-{% if ZEEKMERGED.zeek.bpf %}
-   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKMERGED.zeek.bpf|join(" "),cwd='/root') %}
+{% if ZEEKBPF %}
+   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKBPF|join(" "),cwd='/root') %}
   {% if BPF_CALC['stderr'] == "" %}
       {% set BPF_STATUS = 1  %}
  {% else  %}
@@ -181,7 +183,7 @@ zeekbpf:
    - user: 940
    - group: 940
 {% if BPF_STATUS %}
-    - contents: {{ ZEEKMERGED.bpf }}
+    - contents: {{ ZEEKBPF }}
 {% else %}
    - contents:
      - "ip or not ip"