After upgrade to 2.3.150 (from 2.3.120), the NIDS BPF Filter is no longer being applied

[mciantar]

I have scan engines on the lan that I would like to exclude from NIDS completely, and I had a BPF Filter in /opt/so/saltstack/local/pillar/global.sls as per documentation here: https://docs.securityonion.net/en/2.3/bpf.html

For some reason this is not being picked up and filtered out. How can I diagnose the issue further?

[dougburks]

Are you able to share the exact BPF syntax in /opt/so/saltstack/local/pillar/global.sls?

Are you able to share the contents of /opt/so/conf/suricata/bpf?

Are you able to share the output of sudo salt-call state.apply suricata?

[mciantar]

Seems like the issue was temporary after the upgrade, which led to a bunch of alerts, but then sorted itself out. Thanks Doug!