pfSense and Security Onion


BBCan177

Nov 21, 2013, 12:17:49 PM
to securit...@googlegroups.com
I am using pfSense router appliance which has a Snort Application for IDS/IPS. It has the ability to use Barnyard2 but I see from the Security Onion wiki that mysql is only setup for localhost.

Is there any way to push the pfsense/snort data to Security Onion?

Thanks

Doug Burks

Nov 21, 2013, 2:54:56 PM
to securit...@googlegroups.com
Hi BBCan177,

In theory it's possible. You could either configure MySQL to listen
on a network interface or build an ssh tunnel between your firewall
and Security Onion box to tunnel the MySQL traffic over. However,
this is beyond the scope of this mailing list and we won't be able to
support you.

A better solution would be to let your firewall be a firewall and
leave the IDS functionality to Security Onion.
> --
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/groups/opt_out.

--
Doug Burks
http://securityonion.net

Heine Lysemose

Nov 21, 2013, 3:11:30 PM
to securit...@googlegroups.com

Hi

Check out this blog post about getting your pfSense firewall logs into ELSA; maybe that could be interesting for you.

http://www.securitygrit.com/2013/03/pfsense-into-elsa.html

/Lysemose

BBCan177

Nov 21, 2013, 10:41:26 PM
to securit...@googlegroups.com
Thanks Heine,

Now I know why the pfSense logs in ELSA were impossible to understand.
I have tried this with the root user and get the "Content-Type:text/plain" response, but no file is being generated (/root folder)? I read that the sed command should have -l? Have you been successful with these changes?

Here is my PHP script

<?php
// Rewrite the pflog pipeline in filter.inc so that each firewall log record is
// emitted on one line: sed joins the indented continuation line that tcpdump -v
// prints onto the record that precedes it, before the text reaches logger.
$src = '/etc/inc/filter.inc';
$filter = file_get_contents($src);
$filternew = str_replace(
    "-ttt -i pflog0 | logger -t pf -p local0.info",
    "-ttt -i pflog0 | /usr/bin/sed -e 'N;s/\\\\n //;P;D;' | logger -t pf -p local0.info",
    $filter);
if (strcmp($filter, $filternew) != 0) {
    // Absolute paths: when run from the web GUI the working directory is not /root
    file_put_contents('/root/filter.inc.new', $filternew);
    file_put_contents('/root/filter.inc.org', $filter);
    echo "patched copy written to /root/filter.inc.new\n";
} else {
    echo "search string not found in $src; nothing written\n";
}
?>

BBCan177

Nov 21, 2013, 10:49:56 PM
to securit...@googlegroups.com
Thanks Doug,

I wanted to thank you for such a great product. It provides great insight into what's happening on my network.

If I remove Snort from the firewall and let Security Onion pick up all the traffic, I still need to filter out the intrusions. Snort on pfSense is blocking a lot of portsweeps, RBN, CINS, DROPS, DShield, inbound SQL alerts etc.

Only issue is that I see the alert and a block but can't get a pcap in pfSense for further review.

If there are articles to help design the IDS/IPS environment, I want to be a sponge. Thanks for your help.

Heine Lysemose

Nov 22, 2013, 7:06:41 AM
to securit...@googlegroups.com
Hi

Yes, I managed to get it working.
It was on an earlier version, 2.0.x, and I haven't tried it on pfSense 2.1. I don't know if anything has changed.

Regards,
Lysemose

Greg Porter

Nov 23, 2013, 1:09:44 AM
to securit...@googlegroups.com
Has anyone gotten this working with pfSense 2.1? Could you point me in the right direction? I started this once, following an article on how to correct the way pfSense parsed and sent syslog, but got pulled onto a higher-priority project.

Thanks in advance,

GP

BBCan177

Nov 25, 2013, 1:24:56 PM
to securit...@googlegroups.com
In order to get pfSense to push syslogs to ELSA, pfSense needs to format the logs as one line, as they are two lines now.

From pfSense, add "System Patches" from the "Available Packages" repository.
In the System: Patches menu, select "+" and add a new patch.

If you're on 2.1, add this patch:
http://files.pfsense.org/jimp/patches/pf-log-oneline-option.diff

If you're on 2.0.x, use this patch instead:
http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.0.x.diff

Once you have entered the patch details, you need to "Fetch" and then "Apply".

(HELP LINK) https://doc.pfsense.org/index.php/System_Patches


Finally, check the box in the system log settings to force the firewall logs to one line.

Heine Lysemose

Nov 29, 2013, 9:35:21 AM
to securit...@googlegroups.com
Hi

Thanks for the update.
Another thing I struggled with for a "few" minutes was that I only saw blocked/denied entries from my pfSense. Once I edited the/a firewall pass rule to enable logging, I was able to send pass traffic to ELSA.

Regards,
Lysemose


BBCan177

Jan 5, 2014, 8:41:29 PM
to securit...@googlegroups.com
Has anyone had success viewing pfSense Firewall syslogs in ELSA?

I am getting all of the syslog entries from pfSense into ELSA but am having difficulties with the following entries.

This is a "Block" entry from the "Firewall" log. ELSA is treating it as a single entry and I can't pivot on the src/dst IP or other data. I am also trying to get the actual rule name that triggered the alert to be shown. Currently it's labeling the entry as "5/0(match)" instead of the actual rule name.

01-05-2014 20:08:26 Local0.Info 10.1.41.3 Jan 5 20:08:27 pf: 00:00:00.570566 rule 5/0(match): block in on rl0: (tos 0x0, ttl 114, id 37724, offset 0, flags [none], proto TCP (6), length 48) 185.25.184.184.28796 > xxx.xxx.xxx.xxx.5900: Flags, cksum 0x8635 (correct), seq 979907292, win 65535, options [mss 1460,nop,nop,sackOK], length 0
Any help would be appreciated.

BBCan177

Jan 9, 2014, 12:51:17 PM
to securit...@googlegroups.com
I have located a parser script for pfSense firewall syslogs at http://www.securitygrit.com/2013/03/pfsense-into-elsa.html

(See attachment for parser)

I have added the ruleset to the end of patterndb.xml, between <patterndb> and </patterndb>, and ran "service syslog-ng restart".

The syslogs are going into the existing database ELSA class/fields "FIREWALL_ACCESS_LOG" and "FIREWALL_CONNECTION_END". Select "Grid Display".

Tested with several pfSense boxes and all seems to work fine.

pfSense_Parser.txt
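Taking the Nov 25 one-line requirement, the Jan 5 sample entry and the Jan 9 parser together, here is an added Python example (not from this thread, the securitygrit post or the attached patterndb ruleset) that first joins the two-line tcpdump records the way the sed 'N;s/\n //;P;D' step does, then parses each one-line pf record into the fields ELSA would need to pivot on: action, direction, interface, rule number, protocol, src/dst address and port, and TCP flags. The log records and the 192.0.2.10 / 198.51.100.7 addresses are constructed (the Jan 5 line has its destination masked and its TCP flags lost in transit, so a complete record is invented instead). The RULE_NAMES table is an assumption about how the "5/0(match)" label could be resolved: pf logs only the rule number, so a name has to be looked up elsewhere, for example from `pfctl -vvsr`, which lists rules as @N.

```python
"""Join and parse pfSense 2.0/2.1-era pf syslog records (tcpdump -v style)."""
import re

# Constructed sample of raw tcpdump output as pfSense emitted it before the
# one-line patch: every record is two lines, the second one indented.
RAW_TWO_LINE = (
    "00:00:00.570566 rule 5/0(match): block in on rl0: (tos 0x0, ttl 114, id 37724, "
    "offset 0, flags [none], proto TCP (6), length 48)\n"
    "    185.25.184.184.28796 > 192.0.2.10.5900: Flags [S], cksum 0x8635 (correct), "
    "seq 979907292, win 65535, options [mss 1460,nop,nop,sackOK], length 0\n"
    "00:00:00.000401 rule 12/0(match): pass in on em1: (tos 0x0, ttl 64, id 1, "
    "offset 0, flags [DF], proto UDP (17), length 64)\n"
    "    10.1.41.25.54123 > 10.1.41.3.53: [udp sum ok] 1234+ A? example.com. (36)\n"
    "00:00:00.000102 rule 7/0(match): block in on rl0: (tos 0x0, ttl 52, id 9, "
    "offset 0, flags [none], proto ICMP (1), length 84)\n"
    "    198.51.100.7 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64\n"
)

# Constructed rule-number -> label table (assumption: in practice you would
# build it from `pfctl -vvsr`, whose output numbers the loaded rules as @N).
RULE_NAMES = {5: "Default deny rule", 7: "Default deny rule", 12: "Allow LAN DNS"}


def join_continuations(text):
    """Same effect as sed 'N;s/\\n //;P;D': an indented line is the rest of the
    record before it, so glue it on and return one string per record."""
    records = []
    for line in text.splitlines():
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.rstrip())
    return records


HEADER_RE = re.compile(
    r"(?P<delta>\d+:\d+:\d+\.\d+) rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>[^)]*)\): "
    r"(?P<action>pass|block|match|rdr|nat|binat|scrub) (?P<direction>in|out) on (?P<iface>[^:]+): "
    r"\((?P<iphdr>.*?)\) (?P<payload>.*)$"   # non-greedy: iphdr itself contains "(6)"
)
ENDPOINTS_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > (?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?:"
)
PROTO_RE = re.compile(r"proto (?P<name>\w+) \((?P<num>\d+)\)")
TTL_RE = re.compile(r"\bttl (?P<ttl>\d+)")
TCPFLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")


def parse_record(line, rule_names=None):
    """Parse one one-line pf record; a syslog prefix ending in 'pf: ' is allowed.
    Returns a dict of fields, or None when the line is not a pf filter record."""
    if "pf: " in line:
        line = line.split("pf: ", 1)[1]
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("delta", "reason", "action", "direction", "iface")}
    rec["rule"] = int(m.group("rule"))
    rec["subrule"] = int(m.group("subrule"))
    rec["rule_name"] = (rule_names or {}).get(rec["rule"])  # None if unknown
    p = PROTO_RE.search(m.group("iphdr"))
    rec["proto"] = p.group("name") if p else None
    t = TTL_RE.search(m.group("iphdr"))
    rec["ttl"] = int(t.group("ttl")) if t else None
    e = ENDPOINTS_RE.match(m.group("payload"))
    rec["src"] = rec["dst"] = rec["sport"] = rec["dport"] = None
    if e:
        rec["src"], rec["dst"] = e.group("src"), e.group("dst")
        rec["sport"] = int(e.group("sport")) if e.group("sport") else None  # ICMP has no ports
        rec["dport"] = int(e.group("dport")) if e.group("dport") else None
    f = TCPFLAGS_RE.search(m.group("payload"))
    rec["tcp_flags"] = f.group("flags") if f else None
    return rec


def parse_log(text, rule_names=None):
    """Join continuation lines, then parse every record; non-pf lines are skipped."""
    out = []
    for rec_line in join_continuations(text):
        rec = parse_record(rec_line, rule_names)
        if rec is not None:
            out.append(rec)
    return out


if __name__ == "__main__":
    for r in parse_log(RAW_TWO_LINE, RULE_NAMES):
        print(f"{r['action']:5} {r['direction']:3} {r['iface']:4} rule {r['rule']:>3} "
              f"({r['rule_name']}) {r['proto']:4} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}")
```

The join step is what the System Patches "one line" option makes unnecessary; if you already have one-line records from syslog, feed them straight to parse_record. The two regexes are the same split the patterndb ruleset has to make: a fixed header up to the closing parenthesis of the IP header, then a protocol-specific tail that only sometimes carries ports.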

Ismail Kaleem

Feb 11, 2014, 4:49:10 AM
to securit...@googlegroups.com

I have tried pfSense as firewall and Snort. Works like a charm! :)) It's very stable. Just enabled Barnyard2 and am viewing logs from Snorby! Looks nice.

You need to allow connection to the Snorby box (MySQL port) from the pfSense IP!
