Josh Brower edited this page Jan 29, 2020 · 1 revision

BPF

BPF stands for Berkeley Packet Filter:
https://en.wikipedia.org/wiki/Berkeley_Packet_Filter
http://biot.com/capstats/bpf.html

Configuration

Global BPF

You can specify your BPF in the static pillar on your master server (/opt/so/saltstack/pillar/static.sls); by default it applies to every monitored interface on every sensor in the deployment. Remember that a packet excluded by BPF is dropped before the tool ever sees it: anything you filter out of the steno, zeek or nids BPF will be absent from full packet capture, Zeek logs or Suricata alerts respectively, so keep exclusions as narrow as possible.

If you have separate sensors reporting to that master server, they pull down the relevant BPF as part of the Salt update that runs every 15 minutes. That update also restarts Suricata, Steno and Zeek so that the BPF change takes effect, which means a brief capture gap on the sensor.

Node-Specific BPF

If you don't want a sensor to inherit the BPF from the master server, edit that sensor's minion pillar file (/opt/so/saltstack/pillar/minions/$Hostname.sls). Any BPF set there overrides the global BPF from the static pillar for that sensor.

Pillar BPF Syntax

Each tool (steno, zeek, nids) has its own bpf: list. The list items are fragments of a single filter expression: an item that is followed by another ends with the && operator, and the last item carries no trailing operator.

steno:
  bpf:
   - not port 80 &&
   - not port 443 &&
   - not port 134

zeek:
  bpf:
   - not port 443

nids:
  bpf:
   - not port 443
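A typo in the pillar list (a trailing && on the last item, or a missing && between two items) is only discovered when Steno, Zeek or Suricata refuse to start after the next Salt run. The following is an added example, not part of the Security Onion wiki or project code, that lints a pillar BPF list before you push it. It assumes, as a simplification, that the Salt state joins the YAML list items with single spaces into one filter string; the token grammar covers only the primitives commonly used in sensor filters and leaves full validation to libpcap.

```python
"""Lint a Security Onion-style pillar BPF list before pushing it with Salt.

Assumption (not from the wiki page): the Salt state concatenates the YAML
list items with single spaces into one filter string that is passed
unchanged to Steno, Zeek and Suricata. This is a conservative lint: it
catches list-joining mistakes (dangling or missing operators, unbalanced
parentheses) and lets everything else through for libpcap to judge.
"""
import re

# Operators understood by libpcap's filter grammar.
BINARY_OPS = {"and", "&&", "or", "||"}
UNARY_OPS = {"not", "!"}
# Qualifiers that start a primitive (subset of the pcap-filter grammar).
QUALIFIERS = {
    "port", "portrange", "host", "net", "src", "dst", "tcp", "udp", "icmp",
    "ip", "ip6", "arp", "vlan", "ether", "proto", "less", "greater",
}
# Qualifiers that must be followed by a value, e.g. "port 443", "host 10.0.0.5",
# or a parenthesised value list such as "port (80 or 443)".
NEEDS_VALUE = {"port", "portrange", "host", "net", "less", "greater"}


def join_pillar_bpf(items):
    """Assemble the pillar list into one filter string (assumed join rule)."""
    return " ".join(item.strip() for item in items)


def classify(tok):
    if tok in ("(", ")"):
        return tok
    if tok in BINARY_OPS:
        return "binary"
    if tok in UNARY_OPS:
        return "unary"
    if tok in QUALIFIERS:
        return "qualifier"
    return "value"


def lint_bpf(expr):
    """Return a list of problems found in the filter string (empty = passes)."""
    tokens = re.findall(r"\(|\)|&&|\|\||!|[^\s()&|!]+", expr)
    if not tokens:
        return ["empty filter"]
    problems = []
    depth = 0
    prev = None  # kind of the previous token
    for i, tok in enumerate(tokens):
        kind = classify(tok)
        if kind == "(":
            depth += 1
            if prev in ("value", ")"):
                problems.append(f"missing operator before '(' at token {i}")
        elif kind == ")":
            depth -= 1
            if depth < 0:
                problems.append(f"unbalanced ')' at token {i}")
                depth = 0
            if prev in ("binary", "unary", "("):
                problems.append(f"dangling operator before ')' at token {i}")
        elif kind == "binary":
            if prev in (None, "binary", "unary", "("):
                problems.append(f"operator '{tok}' has no left operand at token {i}")
        elif kind == "unary":
            if prev in ("value", ")"):
                problems.append(f"missing operator before '{tok}' at token {i}")
        elif kind == "qualifier":
            if prev in ("value", ")"):
                problems.append(f"missing operator before '{tok}' at token {i}")
            if tok in NEEDS_VALUE:
                nxt = tokens[i + 1] if i + 1 < len(tokens) else None
                if nxt is None or classify(nxt) not in ("value", "("):
                    problems.append(f"'{tok}' needs a value at token {i}")
        else:  # value
            if prev in ("value", ")"):
                problems.append(f"missing operator before '{tok}' at token {i}")
        prev = kind
    if depth > 0:
        problems.append("unbalanced '('")
    if prev in ("binary", "unary"):
        problems.append(f"filter ends with dangling operator '{tokens[-1]}'")
    return problems


def check_pillar_bpf(items):
    """Join a pillar bpf: list as Salt would and lint the result."""
    expr = join_pillar_bpf(items)
    return expr, lint_bpf(expr)


if __name__ == "__main__":
    # Constructed pillar lists: the steno example from the page, then two typos.
    for items in (
        ["not port 80 &&", "not port 443 &&", "not port 134"],
        ["not port 80 &&", "not port 443 &&"],
        ["not port 80", "not port 443"],
    ):
        expr, problems = check_pillar_bpf(items)
        print(f"{expr!r}: {'OK' if not problems else problems}")
```

Run it against the lists from your static.sls or minion sls before the next Salt run; a clean result still does not prove the filter does what you intend, so confirm the final string with tcpdump on the sensor's monitor interface before relying on it.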