Monitoring pfsense/snort

[toddehb]

Hi all,

on pfsense there was an opportunity to install the wazuh-agent through bsd repository. On the new pfsense 2.7 this does not seem to be the case anymore, at least from what I read. How do I monito my pfsense, especially snort in wazuh? Could not find any tutorials or documentation

[Javier Medeot]

Hello toddehb.

We don't offer any guides on how to install the Wazuh agent or install it from sources for FreeBSD systems. However, to monitor your pfsense with Wazuh you can try a different approach: Agentless monitoring.

Agentless monitoring uses SSH to read the events. Please take a look at the following documents where it is explained how agentless monitoring works and how to configure it:

• Agentless monitoring
• Reference guide: Agentless

And about Snort, Wazuh has out-of-the-box decoders and rules to alert about Snort log findings. But you need to edit your Wazuh manager configuration to setup the monitoring of your Snort log file. Assuming you have a snort log file similar to the following example:

# cat /var/log/snort/snort.alert.fast
10/22-11:49:58.164668  [**] [1:1421:11] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.92:40756 -> 192.168.1.1:705

...

 You'll then need to add a configuration block in the /var/ossec/etc/ossec.conf server file like this:

<ossec_config>

  <localfile>

    <log_format>snort-full</log_format>
    <location>/var/log/snort/snort.alert.fast</location>
  </localfile>

</ossec_config>

After restarting your wazuh-manager (e.g. systemctl restart wazuh-manager) you'll have monitoring of snort events ready.

Please let me know if this is what you needed to know. Thank you.

[toddehb]

Thanks. Is it possible to combine the agentless monitoring with the snort method you mentioned?

[toddehb]

I just tried out as from the link you presented. When adding an agentless section in /var/ossec/etc/ossec.conf wazuh-manager ist giving this error:

Oct 24 17:05:49 wazuh env[611832]: 2023/10/24 17:05:49 wazuh-csyslogd: ERROR: (1230): Invalid element in the configuration: 'agentless'.

[Javier Medeot]

Ok, please share your ossec.conf configuration. maybe I can find the cause of that error. It could be that you are including the <agentless></agentless> block outside of a <ossec_config></ossec_config> block. Also please share any details of your deployment. What Wazuh version have you installed? Is it deployed all in one node or in a cluster configuration? What about your Snort deployment and what do you mean when asking about combining agentless monitoring with Snort logs monitoring? Thank you.

[toddehb]

Thanks, the tags where missing.

Regarding snort. You posted this:

<ossec_config>

  <localfile>

    <log_format>snort-full</log_format>
    <location>/var/log/snort/snort.alert.fast</location>
  </localfile>

</ossec_config>

My snort is running on a pfsense box, now with agentless connection. How does the server know of the existence of <location>/var/log/snort/snort.log</location> ?

Is it sufficient to configure agentless connection and wazuh server is pulling the logs thru ssh?

[toddehb]

This is what I configured on the server in /var/ossec/etc/ossec.conf:

<ossec_config>
  <localfile>
    <log_format>snort-full</log_format>

    <location>/var/log/snort/snort_igc061727/alert</location>
  </localfile>
</ossec_config>

This excatly reflects the log location on my pfsense box. But ossec.log is giving me error:

2023/10/25 10:48:34 wazuh-logcollector: INFO: (1904): File not available, ignoring it: '/var/log/snort/snort_igc061727/alert'

[Javier Medeot]

Hello toddehb.

Ok, I see you have Snort running on your pfsense box.

Agentless monitoring allows monitoring the integrity of files. If there is a change in a directory or a file, Wazuh generates an alert for it. It also allows monitoring the output of specific commands that get run on the agentless endpoint and alert about the findings. But agentless monitoring won't monitor events in a log file as a Wazuh agent does. To monitor specific files such as /var/log/snort/snort_igc061727/alert without a Wazuh agent you can forward the events using syslog. We have a use case on forwarding syslog using Rsyslog on Linux that I'm sharing only as a reference. By forwarding your Snort events to a system monitored by an agent or to the Wazuh server you'll be able to monitor them as a local file by configuring the agent or the manager as explained before. Please let me know if this approach is useful for you. Thank you.

[toddehb]

OK, thanks. Is it possible to run rsyslog then on the same machine as Wazuh is running or does that not work cause I cannot install the agent on that machine?

[toddehb]

I ment on the machine where wazuh  manager is running.

[toddehb]

Took another machine now. Syslog from Pfsense is now forwarded to it according to your link. What else need to be done on the manager?

[Javier Medeot]

Next step is to configure Wazuh to read the forwarded log file. The machine receiving the forwarded log must have a Wazuh agent (or the Wazuh server if forwarded to this server) installed. You'll edit then the /var/ossec/etc/ossec.conf file (within <ossec_config></ossec_config>) setting something like this:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/<YOUR_LOG_FILE_NAME></location>
  </localfile>

Then restart the agent (or Wazuh server) so this new configuration takes effect.

Now, if a forwarded event matches one of your Wazuh rules you'll see an alert in the Wazuh dashboard. Let me know how it goes or if you have any questions about this.

Thank you.

[toddehb]

Thanks. I did that already. I am getting lots of alerts from the agent which is hosting the logs for pfsense like this:

Wazuh Notification. 2023 Nov 18 10:58:31 Received From: (unifi) any->/var/log/pfsense_rsyslog.log Rule: 20152 fired (level 10) -> "Multiple IDS alerts for same id." Src IP: 192.168.99.100 Dst IP: 134.76.12.6:80 Portion of the log(s): 2023-11-18T10:58:34+01:00 192.168.1.1 snort[70003]: [1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.99.100:6221 -> 134.76.12.6:80 --END OF NOTIFICATION

Unifi is the machine, where rsyslog is running. I'd rather get notification with pfsense as sender, or is the current way the correct one?

[Javier Medeot]

Yes, this is the expected result. Here, (unifi) any->/var/log/pfsense_rsyslog.log is the location or origin for the log that triggered the alert. In this approach, where a forwarded log is locally monitored by an agent, the reported location includes the name and registered IP addresss for the Wazuh agent. Forwarding the log is a workaround solution for those cases where it's not possible to have an agent installed on the system such as this pfsense use case. You can check in addition the following topics in the documentation:

• location: To customize alerts according to the reported location.
  
• agent labels: To add details to the sender agent.
  

Let me know if this is what you needed to know.

Thank you.

[toddehb]

Ok, thanks for th eclarification