fix suricata bpf for transition mode

Fix soup for 3.X.X installations

salt/common/soup_scripts.sls

@@ -3,7 +3,8 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{% if '2.4' in salt['cp.get_file_str']('/etc/soversion') %}
+{% set soversion = salt['cp.get_file_str']('/etc/soversion') %}
+{% if '2.4' in soversion or soversion.startswith('3.') %}
 
 {%   import_yaml '/opt/so/saltstack/local/pillar/global/soc_global.sls' as SOC_GLOBAL %}
 {%   if SOC_GLOBAL.global.airgap %}

salt/manager/tools/sbin/soup

@@ -2128,6 +2128,26 @@ failed_soup_restore_items() {
 main() {
   trap 'check_err $?' EXIT
 
+  # If running 3.X.X, we need to fetch the correct soup and supporting scripts
+  # from the 3/main branch before proceeding, otherwise we'll clone 2.4/main
+  # and end up with incompatible scripts.
+  if [[ "$INSTALLEDVERSION" == 3.* && "$BRANCH" != "3/main" ]]; then
+    echo "Detected Security Onion $INSTALLEDVERSION. Fetching soup from 3/main branch."
+    rm -rf /tmp/sogh
+    mkdir -p /tmp/sogh
+    cd /tmp/sogh
+    git clone -b 3/main https://github.com/Security-Onion-Solutions/securityonion.git
+    if [ ! -f "$UPDATE_DIR/VERSION" ]; then
+      echo "Unable to clone 3/main branch from Github. Please check your Internet access."
+      exit 1
+    fi
+    cp "$UPDATE_DIR/salt/manager/tools/sbin/soup" /usr/sbin/soup
+    cp "$UPDATE_DIR/salt/common/tools/sbin/so-common" /usr/sbin/so-common
+    cp "$UPDATE_DIR/salt/common/tools/sbin/so-image-common" /usr/sbin/so-image-common
+    echo "Updated soup scripts from 3/main. Restarting soup."
+    exec env BRANCH=3/main soup "$@"
+  fi
+
   if [ -n "$BRANCH" ]; then
     echo "SOUP will use the $BRANCH branch."
     echo ""

salt/suricata/config.sls

@@ -10,7 +10,7 @@
 {%   from 'suricata/map.jinja' import SURICATAMERGED %}
 {%   from 'bpf/suricata.map.jinja' import SURICATABPF, SURICATA_BPF_STATUS, SURICATA_BPF_CALC %}
 
-{%   if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
+{%   if GLOBALS.pcap_engine == "SURICATA" %}
 {%     from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS, PCAP_BPF_CALC %}
 # BPF compilation and configuration
 {%     if PCAPBPF and not PCAP_BPF_STATUS %}

salt/suricata/map.jinja

@@ -11,9 +11,19 @@
 {# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #}
 {% if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
 
-{%   from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS %}
-{%   if PCAPBPF and PCAP_BPF_STATUS %}
-{%     do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': PCAPBPF|join(" ")}) %}
+{%   if GLOBALS.pcap_engine == "SURICATA" %}
+{%     from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS %}
+{%     if PCAPBPF and PCAP_BPF_STATUS %}
+{%       do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': PCAPBPF|join(" ")}) %}
+{%     endif %}
+{%   elif GLOBALS.pcap_engine == "TRANSITION" %}
+{%     import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
+{%     set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+{%     import 'bpf/macros.jinja' as MACROS %}
+{{     MACROS.remove_comments(BPFMERGED, 'pcap') }}
+{%     if BPFMERGED.pcap %}
+{%       do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': BPFMERGED.pcap|join(" ")}) %}
+{%     endif %}
 {%   endif %}
 
 {%   set PCAP = salt['pillar.get']('pcap', {'enabled': false}) %}