PFSense firewall and snort logs


SIIL IT

Nov 3, 2022, 7:47:31 AM
to Wazuh mailing list
We have a large number of PFSense devices which we want to pull the logs off into our Wazuh.

I've got onto two of the devices to test the setup. The log message format is "BSD (RFC 3164, default)" under "general logging options" and I've configured the remote logging options to point to one of our workers.

I've gone into the targeted worker and edited the ossec.conf with a <remote> section to set the connection type (syslog), port, protocol and allowed IPs.

If I grep the archives.log or archives.json for the IP, "snort" or "filterlog", I see entries in either of the archives, but when I try any of those entries in logtest, I can't get a hit on the decoder.

This is from the archive.json
"Nov  3 14:39:58 filterlog[17009]: 611,,,1770011094,lagg0.4090,match,block,in,4,0x0,,118,54917,0,none,17,udp,48,95.128.244.1,185.25.14.102,25099,23119,28","predecoder":{"timestamp":"Nov  3 14:39:58","hostname":"filterlog[17009]:"},"decoder":{},"location":"172.20.1.1"}
This is from the archive.log
 Nov  3 14:39:58 filterlog[17009]: 611,,,1770011094,lagg0.4090,match,block,in,4,0x0,,118,54915,0,DF,6,tcp,52,95.128.244.1,185.25.14.102,52619,63093,0,S,2274932390,,64800,,mss;nop;wscale;nop;nop;sackOK

Can anyone advise how I can either tweak the pfSense logs so the decoder will recognize them, or tweak the decoder so it will take these logs, or whether it is going to be better to get the BSD version of the agent on the devices?

Thanks in advance

Gonzalo Membrillo Solbes

Nov 3, 2022, 8:18:31 AM
to Wazuh mailing list
Hello,

What you need to do in this case is make a new decoder that reads those logs and then rules that trigger based on the information extracted from said decoders you made. You can do so from the Wazuh UI, under Management>Rules/Decoders.

I will leave a link on how to make custom rules and decoders for your Wazuh environment here:
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Regards,
Gonzalo
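Whatever the decoder ends up looking like, it has to pull the same fields out of the comma-separated filterlog payload, so here is that extraction written out in plain Python as an added illustration (this is not code from the thread, from Wazuh, or from pfSense). It takes the two archives.log lines quoted in the question as input, splits them into the pfSense filterlog field order for IPv4 over TCP and UDP, and ends with a small predicate of the kind a rule would express. One thing the quoted JSON already shows is worth keeping in mind while writing the real decoder: the BSD-format line carries no hostname between the timestamp and `filterlog[17009]:`, so the predecoder stored `filterlog[17009]:` as the hostname and extracted no program name, which is why a decoder keyed on `program_name` alone will not fire on these lines. The third sample line, with a hostname, is constructed to show the parser handling both shapes; the host name `pf-edge-01` and the function names are illustrative only.

```python
"""Field extraction for pfSense filterlog syslog lines (added example)."""
import re
from typing import Any, Dict, List, Optional

# The two lines below are the ones quoted in the question; the third is a
# constructed variant with a hostname in the BSD syslog header.
SAMPLE_UDP = ("Nov  3 14:39:58 filterlog[17009]: 611,,,1770011094,lagg0.4090,"
              "match,block,in,4,0x0,,118,54917,0,none,17,udp,48,"
              "95.128.244.1,185.25.14.102,25099,23119,28")
SAMPLE_TCP = ("Nov  3 14:39:58 filterlog[17009]: 611,,,1770011094,lagg0.4090,"
              "match,block,in,4,0x0,,118,54915,0,DF,6,tcp,52,"
              "95.128.244.1,185.25.14.102,52619,63093,0,S,2274932390,,64800,,"
              "mss;nop;wscale;nop;nop;sackOK")
SAMPLE_WITH_HOST = ("Nov  3 14:40:01 pf-edge-01 filterlog[17009]: 611,,,1770011094,"
                    "lagg0.4090,match,block,in,4,0x0,,118,54917,0,none,17,udp,48,"
                    "95.128.244.1,185.25.14.102,25099,23119,28")  # constructed

# BSD syslog header: timestamp, optional hostname, program[pid]:, payload.
# The hostname group is optional because pfSense's BSD format omits it.
_SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<hostname>\S+) )?"
    r"filterlog\[(?P<pid>\d+)\]: (?P<csv>.*)$"
)

# pfSense filterlog field order for the branches handled here.
_COMMON = ["rule_number", "sub_rule_number", "anchor", "tracker_id",
           "interface", "reason", "action", "direction", "ip_version"]
_IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags",
         "protocol_id", "protocol", "length", "src_ip", "dst_ip"]
_TCP = ["src_port", "dst_port", "data_length", "tcp_flags",
        "sequence", "ack", "window", "urg", "options"]
_UDP = ["src_port", "dst_port", "data_length"]


def _take(names: List[str], values: List[str]) -> Dict[str, str]:
    """Map a slice of CSV values onto field names, refusing short rows."""
    if len(values) < len(names):
        raise ValueError(f"expected {len(names)} fields, got {len(values)}: {values}")
    return dict(zip(names, values))


def parse_filterlog(line: str) -> Dict[str, Any]:
    """Return the fields a decoder would extract from one filterlog line."""
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a filterlog syslog line: " + line)
    event: Dict[str, Any] = {
        "timestamp": m.group("timestamp"),
        "hostname": m.group("hostname"),  # None when the header has no hostname
        "pid": int(m.group("pid")),
    }
    fields = m.group("csv").split(",")
    event.update(_take(_COMMON, fields[:len(_COMMON)]))
    rest = fields[len(_COMMON):]
    if event["ip_version"] != "4":
        event["unparsed"] = rest  # only the IPv4 layout is implemented here
        return event
    event.update(_take(_IPV4, rest[:len(_IPV4)]))
    rest = rest[len(_IPV4):]
    if event["protocol"] == "tcp":
        event.update(_take(_TCP, rest[:len(_TCP)]))
    elif event["protocol"] == "udp":
        event.update(_take(_UDP, rest[:len(_UDP)]))
    else:
        event["unparsed"] = rest  # icmp and others keep their raw tail
    return event


def blocked_inbound_syn(event: Dict[str, Any]) -> bool:
    """Rule-style predicate: an inbound TCP SYN that pf blocked."""
    return (event.get("action") == "block"
            and event.get("direction") == "in"
            and event.get("protocol") == "tcp"
            and event.get("tcp_flags") == "S")


def hostname_or_none(line: str) -> Optional[str]:
    """Convenience: the hostname the header carries, if any."""
    return parse_filterlog(line)["hostname"]


if __name__ == "__main__":
    for sample in (SAMPLE_UDP, SAMPLE_TCP, SAMPLE_WITH_HOST):
        ev = parse_filterlog(sample)
        print(ev["hostname"], ev["action"], ev["direction"], ev["protocol"],
              ev["src_ip"], "->", ev["dst_ip"], ev["dst_port"],
              "SYN-blocked" if blocked_inbound_syn(ev) else "")
```

The field names above are the same ones you would want as `<order>` entries in the custom decoder, and the `blocked_inbound_syn` predicate is the shape of the condition a rule would carry once the decoder populates `action`, `direction`, `protocol` and `tcp_flags`.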