BPF stands for Berkeley Packet Filter.
You can specify your BPF in the static pillar on your master server (/opt/so/saltstack/pillar/static.sls), and by default it will apply to all sniffing interfaces in your entire deployment.
If you have separate sensors reporting to that master server, they will pull down the relevant BPF as part of the Salt update that runs every 15 minutes; that update also restarts Suricata, Steno and Zeek so that the BPF change takes effect.
If you don't want your sensors to inherit the BPF from the master server, you can edit the minion sls file; any BPF set there overrides the global BPF settings from the static pillar.
Pillar BPF Syntax
steno:
  bpf:
    - not port 80 &&
    - not port 443 &&
    - not port 134
zeek:
  bpf:
    - not port 443
nids:
  bpf:
    - not port 443
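The pillar keeps each service's filter as a list of fragments, and a hand-edited list is easy to get wrong (a missing `&&` between two fragments, or a dangling `&&` on the last one, produces a filter that will not compile and the capture service will fail to start). The following added example, which is not Security Onion's own code, renders the three lists from the pillar above into the single filter expression each service would apply and flags those two joining mistakes before the change is pushed to sensors. It assumes the list items are joined with single spaces and that the `&&` operators belong to the items themselves; the pillar data is embedded as a constructed Python dict rather than parsed from static.sls so it runs offline.

```python
"""Render and sanity-check the per-service BPF lists from a Security Onion
style pillar. Added illustration, not Security Onion code.

Assumption (not stated on the page): each `<service>: bpf:` list is joined
with single spaces into one filter string before Steno/Zeek/Suricata use it.
"""

# Constructed pillar data mirroring the page's YAML example. In practice this
# would be parsed from /opt/so/saltstack/pillar/static.sls; PyYAML is avoided
# here so the script has no dependencies.
PILLAR = {
    "steno": {"bpf": ["not port 80 &&", "not port 443 &&", "not port 134"]},
    "zeek": {"bpf": ["not port 443"]},
    "nids": {"bpf": ["not port 443"]},
}

# The three service keys shown on the page.
SERVICES = ("steno", "zeek", "nids")

# Binary operators accepted by libpcap filter syntax, in the forms that can
# legitimately end a fragment. A leading space on the word forms avoids
# matching e.g. "vlan" or "greater" by accident.
_TRAILING_OPERATORS = ("&&", "||", " and", " or")


def render_bpf(items):
    """Join a pillar bpf list into the single filter expression a sensor applies."""
    return " ".join(item.strip() for item in items).strip()


def check_bpf_list(items):
    """Return a list of problems with a pillar bpf list (empty list means OK).

    Only the joining mistakes that hand-editing commonly introduces are
    checked; this does not compile the filter. On a sensor, `tcpdump -d '<filter>'`
    compiles a filter and shows the resulting BPF program without capturing.
    """
    problems = []
    if not items:
        return ["bpf list is empty (no filter will be applied)"]
    stripped = [i.strip() for i in items]
    # The last fragment must not end with an operator: "... &&" has no
    # right-hand operand and fails to compile.
    if stripped[-1].endswith(_TRAILING_OPERATORS):
        problems.append(f"last element ends with a dangling operator: {stripped[-1]!r}")
    # Every earlier fragment must end with an operator, otherwise two primitives
    # are concatenated ("not port 80 not port 443") and the filter fails to compile.
    for idx, item in enumerate(stripped[:-1]):
        if not item.endswith(_TRAILING_OPERATORS):
            problems.append(f"element {idx} is not followed by an operator: {item!r}")
    return problems


def render_all(pillar):
    """Map every known service to its rendered filter.

    A service with no bpf key renders to the empty string, which for these
    tools means no filter, i.e. capture everything on the interface.
    """
    return {
        svc: render_bpf(pillar.get(svc, {}).get("bpf", []))
        for svc in SERVICES
    }


if __name__ == "__main__":
    for svc, expr in render_all(PILLAR).items():
        problems = check_bpf_list(PILLAR.get(svc, {}).get("bpf", []))
        status = "OK" if not problems else "; ".join(problems)
        print(f"{svc:5} -> {expr!r}  [{status}]")
```

Running it shows that the page's example renders to `not port 80 && not port 443 && not port 134` for Steno and `not port 443` for Zeek and Suricata. Note what that second filter means operationally: Zeek and the NIDS will never see port 443 traffic, so TLS connection logs and any signature that matches on that port are gone for every sensor that inherits the pillar. Review a BPF exclusion with the same care as disabling a detection source, because that is what it does.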