Merge pull request #299 from Security-Onion-Solutions/fix/zeek-bpfv2

Zeek - bpf fixup

salt/zeek/init.sls

@@ -2,6 +2,7 @@
 {% set MASTER = salt['grains.get']('master') %}
 {% set BPF_ZEEK = salt['pillar.get']('zeek:bpf') %}
 {% set BPF_STATUS = 0  %}
+{% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
 # Zeek Salt State
 # Add Zeek group
 zeekgroup:
@@ -94,7 +95,7 @@ plcronscript:
 
 # BPF compilation and configuration
 {% if BPF_ZEEK %}
-   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_ZEEK|join(" ")  ) %}
+   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_ZEEK|join(" ")  ) %}
    {% if BPF_CALC['stderr'] == "" %}
        {% set BPF_STATUS = 1  %}
   {% else  %}
@@ -140,8 +141,10 @@ so-zeek:
       - /opt/so/conf/zeek/policy/custom:/opt/zeek/share/zeek/policy/custom:ro
       - /opt/so/conf/zeek/policy/cve-2020-0601:/opt/zeek/share/zeek/policy/cve-2020-0601:ro
       - /opt/so/conf/zeek/policy/intel:/opt/zeek/share/zeek/policy/intel:rw
+      - /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro 
    - network_mode: host
     - watch:
       - file: /opt/so/conf/zeek/local.zeek
       - file: /opt/so/conf/zeek/node.cfg
       - file: /opt/so/conf/zeek/policy
+      - file: /opt/so/conf/zeek/bpf

salt/zeek/policy/securityonion/bpfconf.zeek

@@ -10,7 +10,7 @@ export {
 	## The file that is watched on disk for BPF filter changes.
 	## Two templated variables are available; "sensorname" and "interface".
 	## They can be used by surrounding the term by doubled curly braces.
-	const filename = "/opt/zeek/share/zeek/site/bpf" &redef;
+	const filename = "/opt/zeek/etc/bpf" &redef;
 
 	redef enum Notice::Type += { 
 		## Invalid filter notice.