diff --git a/pillar/top.sls b/pillar/top.sls index 0c4c11957..c16b556d1 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -19,6 +19,8 @@ base: '*_eval or *_heavynode or *_sensor or *_standalone or *_import': - match: compound - zeek + - bpf.soc_bpf + - bpf.adv_bpf '*_managersearch or *_heavynode': - match: compound diff --git a/salt/bpf/defaults.yaml b/salt/bpf/defaults.yaml index 329537494..e9bc76dfb 100644 --- a/salt/bpf/defaults.yaml +++ b/salt/bpf/defaults.yaml @@ -1,4 +1,5 @@ bpf: - pcap: [] - suricata: [] - zeek: [] \ No newline at end of file + pcap: [] + suricata: [] + zeek: + - ip or not ip diff --git a/salt/bpf/pcap.map.jinja b/salt/bpf/pcap.map.jinja new file mode 100644 index 000000000..a160f2f7a --- /dev/null +++ b/salt/bpf/pcap.map.jinja @@ -0,0 +1,4 @@ +{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %} +{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %} + +{% set PCAPBPF = BPFMERGED.pcap %} diff --git a/salt/bpf/soc_bpf.yaml b/salt/bpf/soc_bpf.yaml index 86e4c0ee8..379eaa022 100644 --- a/salt/bpf/soc_bpf.yaml +++ b/salt/bpf/soc_bpf.yaml @@ -1,10 +1,16 @@ bpf: pcap: description: List of BPF filters to apply to PCAP. + multiline: True + forcedType: "[]string" helpLink: bpf.html suricata: description: List of BPF filters to apply to Suricata. + multiline: True + forcedType: "[]string" helpLink: bpf.html zeek: description: List of BPF filters to apply to Zeek. + multiline: True + forcedType: "[]string" helpLink: bpf.html diff --git a/salt/bpf/suricata.map.jinja b/salt/bpf/suricata.map.jinja new file mode 100644 index 000000000..bec763783 --- /dev/null +++ b/salt/bpf/suricata.map.jinja @@ -0,0 +1,4 @@ +{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %} +{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %} + +{% set SURICATABPF = BPFMERGED.suricata %} diff --git a/salt/bpf/zeek.map.jinja b/salt/bpf/zeek.map.jinja new file mode 100644 index 000000000..1bfb6799e --- /dev/null 
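Review bot: In salt/bpf/defaults.yaml, `zeek` now defaults to `- ip or not ip` while `pcap` and `suricata` stay `[]`, and nothing in the file explains why the three differ. The zeek state in this same commit already writes `"ip or not ip"` in its `{% else %}` branch, so the practical effect of the non-empty default is that `{% if ZEEKBPF %}` is true and `so-bpf-compile` runs on every zeek highstate even when no operator has configured a filter; presumably Zeek needs a non-empty filter file, but that is not visible here. Either drop the default to `[]` to match the other two, or add a comment above it such as `# Zeek needs a non-empty filter; "ip or not ip" matches all traffic` so the asymmetry reads as deliberate.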
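Review bot: `pcap.map.jinja`, `suricata.map.jinja` and `zeek.map.jinja` are the same two-line merge of `bpf/defaults.yaml` with the `bpf` pillar, differing only in which key the last line exports, so the `import_yaml` and `pillar.get('bpf', ..., merge=True)` are repeated three times. A single `bpf/map.jinja` that sets `BPFMERGED` once and then exports `PCAPBPF`, `SURICATABPF` and `ZEEKBPF` would keep the merge in one place, and callers would change only the import path. If the per-component files are meant as a stable interface, a one-line comment at the top of each saying so would make the duplication intentional.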
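Review bot: The new `multiline: True` / `forcedType: "[]string"` entries in soc_bpf.yaml make each list editable as free text from the SOC UI, but the descriptions still say only "List of BPF filters" and do not tell the operator how the entries are consumed. The states in this commit join the list with spaces into one expression (`PCAPBPF|join(" ")`) and run it through `so-bpf-compile`, with a compile failure routed to an `{% else %}` branch that is not shown in these hunks. Suggest stating that contract, e.g. `description: List of BPF filters to apply to PCAP. Entries are joined with spaces into a single expression and must compile as one valid BPF filter.`, for all three keys.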
+++ b/salt/bpf/zeek.map.jinja @@ -0,0 +1,4 @@ +{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %} +{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %} + +{% set ZEEKBPF = BPFMERGED.zeek %} diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index 401b5d616..73b384a53 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -9,8 +9,8 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from "pcap/map.jinja" import STENOOPTIONS with context %} {% from "pcap/config.map.jinja" import PCAPMERGED with context %} -{% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %} -{% set BPF_STENO = salt['pillar.get']('bpf:pcap', None) %} +{% from 'bpf/pcap.map.jinja' import PCAPBPF %} + {% set BPF_COMPILED = "" %} # PCAP Section @@ -33,8 +33,8 @@ stenoconfdir: - group: 939 - makedirs: True -{% if BPF_STENO %} - {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_STENO|join(" "),cwd='/root') %} +{% if PCAPBPF %} + {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + PCAPBPF|join(" "),cwd='/root') %} {% if BPF_CALC['stderr'] == "" %} {% set BPF_COMPILED = ",\\\"--filter=" + BPF_CALC['stdout'] + "\\\"" %} {% else %} diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 6ef8c690e..07350d8e1 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -9,11 +9,9 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from "suricata/map.jinja" import SURICATAOPTIONS with context %} -{% set interface = salt['pillar.get']('sensor:interface') %} -{% set BPF_NIDS = salt['pillar.get']('bpf:suricata', None) %} +{% from 'bpf/suricata.map.jinja' import SURICATABPF %} {% set BPF_STATUS = 0 %} -{# import_yaml 'suricata/files/defaults2.yaml' as suricata #} {% from 'suricata/suricata_config.map.jinja' import suricata_defaults as suricata_config with context %} {% from "suricata/map.jinja" import START with context %} 
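Review bot: The new `cmd.script` line in salt/pcap/init.sls still builds its argument by string concatenation, `GLOBALS.sensor.interface + ' ' + PCAPBPF|join(" ")`, while the same commit makes `bpf:pcap` free-text editable from the SOC UI (`multiline: True` in soc_bpf.yaml), so filter text now crosses a trust boundary into a command that runs with the salt-minion's privileges (root, judging by `cwd='/root'`). If I read Salt's default correctly, `cmd.script` hands the `args` string to a shell unless `python_shell=False` is set, so a filter containing shell metacharacters would be interpreted rather than compiled. Worth validating or quoting the joined filter before the call, or passing `python_shell=False`; the matching `cmd.script` lines in salt/suricata/init.sls and salt/zeek/init.sls have the same shape. The `{% else %}` of this block continues outside the hunk.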
@@ -109,8 +107,8 @@ surithresholding: - template: jinja # BPF compilation and configuration -{% if BPF_NIDS %} - {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_NIDS|join(" "),cwd='/root') %} +{% if SURICATABPF %} + {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + SURICATABPF|join(" "),cwd='/root') %} {% if BPF_CALC['stderr'] == "" %} {% set BPF_STATUS = 1 %} {% else %} @@ -128,7 +126,7 @@ suribpf: - user: 940 - group: 940 {% if BPF_STATUS %} - - contents_pillar: nids:bpf + - contents: {{ SURICATABPF }} {% else %} - contents: - "" @@ -141,7 +139,7 @@ so-suricata: - start: {{ SURICATAOPTIONS.start }} - privileged: True - environment: - - INTERFACE={{ interface }} + - INTERFACE={{ GLOBALS.sensor.interface }} - binds: - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro diff --git a/salt/vars/standalone.map.jinja b/salt/vars/standalone.map.jinja index 2efabefed..0e49a327d 100644 --- a/salt/vars/standalone.map.jinja +++ b/salt/vars/standalone.map.jinja @@ -1,12 +1,14 @@ {% from 'vars/elasticsearch.map.jinja' import ELASTICSEARCH_GLOBALS %} {% from 'vars/logstash.map.jinja' import LOGSTASH_GLOBALS %} +{% from 'vars/sensor.map.jinja' import SENSOR_GLOBALS %} {% set ROLE_GLOBALS = {} %} {% set STANDALONE_GLOBALS = [ ELASTICSEARCH_GLOBALS, - LOGSTASH_GLOBALS + LOGSTASH_GLOBALS, + SENSOR_GLOBALS ] %} diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml index 18e8a4d8a..a21bf3389 100644 --- a/salt/zeek/defaults.yaml +++ b/salt/zeek/defaults.yaml @@ -102,4 +102,3 @@ zeek: - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc - application/vnd.openxmlformats-officedocument: doc - bpf: [] diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index 5cc6310b9..41103f399 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls 
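Review bot: `- contents: {{ SURICATABPF }}` in the `-128,7` hunk interpolates a Jinja list straight into YAML, which renders as Python's `str()` of the list (`['...', '...']`) and relies on that repr happening to parse as a YAML flow sequence; with `forcedType: "[]string"` these values are now typed into the UI, so a filter containing quotes or flow-sequence characters would make the rendered state fragile. Prefer `- contents: {{ SURICATABPF | yaml }}` (or `| tojson`) so the list is serialized deliberately; salt/zeek/init.sls has the same `{{ ZEEKBPF }}` line in its `-181,7` hunk. The enclosing `suribpf` state starts outside the hunk.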
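Review bot: Only the standalone role gains `SENSOR_GLOBALS` in salt/vars/standalone.map.jinja, yet the pillar top in this commit attaches the bpf pillars to `*_eval`, `*_heavynode`, `*_sensor` and `*_import` as well, and the pcap, suricata and zeek states now read `GLOBALS.sensor.interface` where pcap previously fell back to `pillar.get('sensor:interface', 'bond0')`. If any of those roles' globals maps does not already include `SENSOR_GLOBALS`, the render fails with an undefined attribute instead of using a default; those map files are outside this diff, so this is a check to confirm rather than a demonstrated defect. A short comment on the new import line, e.g. `{# sensor globals are required by the bpf-enabled pcap/suricata/zeek states #}`, would record why standalone needs it.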
@@ -10,6 +10,8 @@ {% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %} {% from "zeek/config.map.jinja" import ZEEKMERGED with context %} +{% from 'bpf/zeek.map.jinja' import ZEEKBPF %} + {% set BPF_STATUS = 0 %} # Zeek Salt State @@ -162,8 +164,8 @@ zeekpacketlosscron: - dayweek: '*' # BPF compilation and configuration -{% if ZEEKMERGED.zeek.bpf %} - {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKMERGED.zeek.bpf|join(" "),cwd='/root') %} +{% if ZEEKBPF %} + {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKBPF|join(" "),cwd='/root') %} {% if BPF_CALC['stderr'] == "" %} {% set BPF_STATUS = 1 %} {% else %} @@ -181,7 +183,7 @@ zeekbpf: - user: 940 - group: 940 {% if BPF_STATUS %} - - contents: {{ ZEEKMERGED.bpf }} + - contents: {{ ZEEKBPF }} {% else %} - contents: - "ip or not ip"
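Review bot: The new `{% if ZEEKBPF %}` compile block in the `-162,8` hunk still judges success by `BPF_CALC['stderr'] == ""` (the context line right after the new `cmd.script` call) rather than by the script's exit status, so a `so-bpf-compile` run that exits non-zero without writing to stderr would, in principle, set `BPF_STATUS = 1` and the unvalidated filter would then be written by `zeekbpf` in the `-181,7` hunk. Checking `BPF_CALC['retcode'] == 0` (optionally alongside the stderr test) would close that gap; the pcap and suricata compile blocks in this commit use the same test. Since defaults.yaml now makes `ZEEKBPF` default to `ip or not ip`, the condition is effectively always true for zeek and the `- "ip or not ip"` fallback below is reached only on compile failure, which deserves a comment. The `{% else %}` of the compile block continues outside the hunk.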