
Integrate pfSense logs

wifiukwifiuk

I'd like to request the ability for OSSIM to import the logs from my pfSense firewall, so that I can have a proper SIEM working; at the moment I have no input into OSSIM from my pfSense firewall :(
Barry.Stephenson


Comments

  • wifiuk,

    Actually, I would love to look at adding this plugin. I had a request in to another user for a copy of the syslog data coming from PFsense so that we could look into it, but I never received any data.

    I am not sure what this plugin would look like, as there are a number of optional plugins which also write to the log, but I will submit a request for the plugin if you can send me a copy of the syslog data being sent by the device, and which version of pfSense you are using.
    Barry.Stephenson
  • Well, I have provided all pfSense logs and syslog data, including the Snort and Squid plugins etc. that I use; I sent them to an account manager / product manager I was talking to over Twitter.

    I emailed them over the weekend, so I'm willing to work with you guys to help.
  • I would like OSSIM to import logs from my pfSense firewall — can you help me?!
    Thank you.
  • Here is my plugin. You may need to tweak a few things, like your interface names and the log location.
    You'll also need to add the data source with 2 plugin IDs:
    1 = pfSense: Accept
    2 = pfSense: Block

    Hope this gets you going.

    Rus


    # Alienvault plugin
    # Author: RusFM
    # Plugin RusFM_pfSense id:10545 version: 1.0.0
    # Last modification: 2015-11-18 12:00
    #
    # Plugin Selection Info:
    # AlienVault:-:-
    #
    # END-HEADER
    # Accepted products:
    # pfsense
    # Description:
     
    # Plugin id for every rule in this file. It must match the id in the
    # header above (10545) and the data source registered in OSSIM for this
    # plugin (the poster says to add that data source with SIDs 1 and 2).
    [DEFAULT]
    plugin_id=10545
     
    # Agent settings for this plugin, in the usual AlienVault plugin layout:
    # plugin type/state, then where events come from, then process control.
    [config]
    type=detector
    enable=yes

    # Events are read from a plain log file on the sensor. The pfSense syslog
    # stream has to be written to this path; the poster notes the location
    # may need adjusting for your setup.
    source=log
    location=/var/log/pfsense.log
    # presumably: do not create the file when it is missing — confirm against
    # the agent documentation
    create_file=false

    # Nothing is started or stopped locally for this plugin (pfSense ships
    # its log by syslog), so these are intentionally blank / no.
    process=
    start=no
    stop=no
    startup=
    shutdown=
     
    # use {translate($n)} for translations
    # Lookup table shared by the rules below:
    #  - action field -> plugin_sid: 1 = accept/pass, 2 = block/reject
    #    (the two SIDs the poster says to add to the data source)
    #  - interface name -> label: em0/em1 are the author's interfaces; change
    #    them to match the interfaces your pfSense logs
    [translation]
    accept=1
    pass=1
    block=2
    reject=2
    em0=LAN
    em1=WAN
     
    # Rule for pfSense "filterlog:" lines in the IPv4 TCP/UDP layout
    # (pfSense 2.2 field order; see the two sample lines below).
    # Only a line that carries a source/destination port pair matches here;
    # a filterlog line of another shape (no port pair, e.g. ICMP) does not
    # match this rule.
    #
    # Mar 15 23:38:47 1.1.0.4 filterlog: 97,16777216,,1424657960,em1,match,block,in,4,0x0,,98,256,0,none,6,tcp,40,5.6.7.8,6.7.8.9,6000,1433,0,S,287571968,,16384,,
    # Mar 15 23:39:27 1.1.0.4 filterlog: 124,16777216,,1424657983,em0,match,block,in,4,0x0,,64,31554,0,DF,6,tcp,111,1.2.3.4,2.3.4.5,47352,5228,59,FPA,3848401982:3848402041,1214149043,856,,nop;nop;TS
    [00 pfsense-ip-tcp-udp]
    regexp=^(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s(?P<sensor>\S+)\s+filterlog:\s+(?P<rule>\d*),(?P<subrule>\d*),(?P<anchor>\d*),(?P<tracker>\d*),(?P<interface>\w+),(?P<reason>.*?),(?P<action>\w+),(?P<direction>\w+),(?P<ipversion>\d+),(?P<typeofservice>\w*),(?P<ecn>\w*),(?P<ttl>\d*),(?P<packetid>\d*),(?P<offset>\d*),(?P<ipflags>\w*),(?P<protoid>\d+),(?P<proto>\w+),(?P<length>\d*),(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}),(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}),(?P<src_port>\d+),(?P<dst_port>\d+),(?P<therest>.*)

    # SID comes from the action field mapped through [translation]
    # (1 = accept/pass, 2 = block/reject)
    plugin_sid={translate($action)}
    event_type=event

    # timestamp and reporting host from the syslog prefix
    date={normalize_date($date)}
    sensor={resolv($sensor)}

    # 5-tuple of the logged packet
    protocol={$proto}
    src_ip={$src_ip}
    src_port={$src_port}
    dst_ip={$dst_ip}
    dst_port={$dst_port}
    # interface name mapped to a label (LAN/WAN) through [translation]
    interface={translate($interface)}

    # extra fields kept in userdata: protocol, the rule field, the interface
    # label and the unparsed tail of the line
    userdata1={$proto}
    userdata2={$rule}
    userdata3={translate($interface)}
    userdata4={$therest}

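    # Catch-all rule. The agent tries rules in section order (hence the 00/99
    # prefixes), so this one only sees lines the specific rule did not match:
    #   - "pf:" lines (the original target of this rule)
    #   - "filterlog:" lines whose shape differs from the IPv4 TCP/UDP layout
    #     matched by [00 pfsense-ip-tcp-udp], i.e. lines with no port pair
    #     (ICMP, IPv6, ...). Without this fallback such blocks/passes match no
    #     rule at all and never reach the SIEM, which leaves a blind spot.
    # Matched lines get the generic SID 20000000 (the value this rule already
    # used), the raw remainder in userdata4 and the logger name in userdata1.
    [99 pf-other]

    # Sep 30 22:28:05 192.168.0.4 pf: #011Reserved, Leap indicator:  (0), Stratum 0, poll 3s, precision 42
    # Sep 30 22:28:05 192.168.0.4 pf: #011Root Delay: 0.000000, Root dispersion: 0.000000 [|ntp]
    # constructed example of a filterlog line with no port pair (ICMP):
    # Mar 15 23:40:02 1.1.0.4 filterlog: 5,16777216,,1424658002,em1,match,block,in,4,0x0,,64,0,0,DF,1,icmp,84,5.6.7.8,6.7.8.9,request,12345,1

    regexp=(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<sensor>[^\s]+)\s+(?P<source>pf|filterlog):\s+(?P<therest>.*)

    event_type=event
    plugin_sid=20000000

    date={normalize_date($date)}
    sensor={resolv($sensor)}
    # which logger produced the line: "pf" or "filterlog"
    userdata1={$source}
    userdata4={$therest}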


