pfSense no alerts


Gal Akavia

Mar 30, 2022, 8:26:54 AM
to Wazuh mailing list
Hi,
I have been using the Wazuh all-in-one version 4.1.5 since 2021.
I have set up pfSense to send logs to Wazuh successfully a few times, but in my new environment I have some issues.

1. I set <logall_json>yes</logall_json>, then I track the logs using:
 #tail -f /var/ossec/logs/archives/archives.json | grep <pfSense ip>
OUTPUT:
[screenshot: Capture.PNG]

- As I understand it, the logs are received successfully from pfSense by the Wazuh manager.
- I set the following in the manager-side ossec.conf:
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.168.0.0/16</allowed-ips>
    <allowed-ips>10.0.0.0/8</allowed-ips>
    <local_ip>WazuhManager_IP</local_ip>
  </remote>

 - I didn't change any pfSense rules, but I added "pass" events so that Wazuh logs them as alerts.

I compared my two environments: the one where the rules trigger successfully, and the second Wazuh server that has the issue above.

Has anyone experienced this before and can help or suggest how to fix this issue, please?

Thanks in advance!

Gal,


USHA GIRI

Mar 30, 2022, 9:56:17 AM
to Wazuh mailing list
Yes, I'm also facing the same problem; I require guidance too.

Juan Cabrera

Mar 30, 2022, 10:07:45 AM
to Wazuh mailing list

Hi gulguly64,

From what I understand, you are using custom rules. Have you tested the logs you want to generate an alert with using wazuh-logtest? Could you provide me the complete log and the rule you want to generate the alert?

Thanks

Gal Akavia

Mar 31, 2022, 8:14:15 AM
to Wazuh mailing list
Hi Juan,
Besides our custom rules, Wazuh also did not trigger the default rule >>

  <rule id="87701" level="5">
    <if_sid>87700</if_sid>
    <action>block</action>
    <options>no_log</options>
    <description>pfSense firewall drop event.</description>
    <group>firewall_block,pci_dss_1.4,gpg13_4.12,hipaa_164.312.a.1,nist_800_53_SC.7,tsc_CC6.7,tsc_CC6.8,</group>
  </rule>

I can see the logs, as I showed you above, after I enable
<logall_json>yes</logall_json>
but there are no alerts about blocking.
About the custom rule, sure, take a look >>

<!-- PfSense log record rules  -->
  <rule id="87703" level="3">
    <if_sid>87700</if_sid>
    <action>pass</action>
    <!--<options>no_log</options>-->
    <description>pfSense firewall pass event.</description>
    <group>firewall_pass,pci_dss_1.4,gpg13_4.12,hipaa_164.312.a.1,nist_800_53_SC.7,tsc_CC6.7,tsc_CC6.8,</group>
  </rule>

What else can I provide to help? Just ask :)
Thanks for your help.

Juan Cabrera

Apr 1, 2022, 11:55:37 AM
to Wazuh mailing list
Hello gulguly64,

Could you paste me a complete log that you want to match with this rule? That way I could test it to see what is happening.

Thanks

Gal Akavia

Apr 3, 2022, 4:59:42 AM
to Wazuh mailing list
Hi Juan, sure; I just replaced our public IP with *.*.*.*
Thanks!
[attachment: pfsenseWazuh.txt]

Juan Cabrera

Apr 6, 2022, 10:31:33 AM
to Wazuh mailing list

Hi gulguly64,

The problem is that the predecoder does not work because the log arrives at the manager without the hostname.
The original log is this one:

Apr 3 11:53:34 filterlog[28959]: 824,,,1634136718,hn6,match,pass,in,4,0x0,,59,56106,0,DF,6,tcp,60,172.27.128.30,*.*.*.*,49883,50092,0,S,1137582303,,64240,,mss;sackOK;TS;nop;wscale

And it should be:

Apr 3 11:53:34 HOSTNAME_HERE filterlog[28959]: 824,,,1634136718,hn6,match,pass,in,4,0x0,,59,56106,0,DF,6,tcp,60,172.27.128.30,*.*.*.*,49883,50092,0,S,1137582303,,64240,,mss;sackOK;TS;nop;wscale

If you could add the hostname, the decoder and the rule would work perfectly.

Logtest output:

Apr  3 11:53:34 ACA_NOMBRE_HOST filterlog[28959]: 824,,,1634136718,hn6,match,pass,in,4,0x0,,59,56106,0,DF,6,tcp,60,172.27.128.30,*.*.*.*,49883,50092,0,S,1137582303,,64240,,mss;sackOK;TS;nop;wscale

**Phase 1: Completed pre-decoding.
        full event: 'Apr  3 11:53:34 test filterlog[28959]: 824,,,1634136718,hn6,match,pass,in,4,0x0,,59,56106,0,DF,6,tcp,60,172.27.128.30,*.*.*.*,49883,50092,0,S,1137582303,,64240,,mss;sackOK;TS;nop;wscale'
        timestamp: 'Apr  3 11:53:34'
        hostname: 'ACA_NOMBRE_HOST'
        program_name: 'filterlog'

**Phase 2: Completed decoding.
        name: 'pf'
        action: 'pass'
        dstip: '*.*.*.*'
        dstport: '50092'
        id: '1634136718'
        length: '0'
        protocol: 'tcp'
        srcip: '172.27.128.30'
        srcport: '49883'

**Phase 3: Completed filtering (rules).
        id: '87703'
        level: '3'
        description: 'pfSense firewall pass event.'
        groups: '['local', 'syslog', 'sshd', 'firewall_pass']'
        firedtimes: '1'
        gpg13: '['4.12']'
        hipaa: '['164.312.a.1']'
        mail: 'False'
        nist_800_53: '['SC.7']'
        pci_dss: '['1.4']'
        tsc: '['CC6.7', 'CC6.8']'
**Alert to be generated.

Regards!
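To make Juan's diagnosis concrete, here is an added example (written for this page; it is not Wazuh code and not from the thread's attachment) that models the three phases the logtest output above shows: syslog pre-decoding (timestamp, hostname, program_name), a decoder for the pfSense filterlog CSV payload, and a rule match against the two rules pasted in the thread. The sample lines are constructed; the public address is replaced with the documentation address 203.0.113.10, and the IPv6 block line and the UDP block line are my own additions so the decoder's other branches are exercised. When the hostname is missing, the hostname field swallows "filterlog[28959]:", no program_name is found, and the pf decoder never runs, so no rule can fire, which is exactly why archives.json shows the event while alerts stay empty. Note also that rule 87701 as pasted above carries <options>no_log</options>, so a matched block event would still not be written as an alert; the model keeps that flag.

```python
import re
from dataclasses import dataclass
from typing import Optional

# --- constructed sample input (not taken from the thread's attachment) -------
# LOG_NO_HOST has the shape Juan described: pfSense sent it without a hostname.
# LOG_WITH_HOST is the same event with a hostname inserted after the timestamp.
LOG_NO_HOST = (
    "Apr  3 11:53:34 filterlog[28959]: 824,,,1634136718,hn6,match,pass,in,4,"
    "0x0,,59,56106,0,DF,6,tcp,60,172.27.128.30,203.0.113.10,49883,50092,0,S,"
    "1137582303,,64240,,mss;sackOK;TS;nop;wscale"
)
LOG_WITH_HOST = LOG_NO_HOST.replace("11:53:34 filterlog", "11:53:34 pfsense filterlog")
# Constructed block events: an IPv4 UDP packet and an IPv6 TCP packet.
LOG_BLOCK_UDP = (
    "Apr  3 11:54:02 pfsense filterlog[28959]: 10,,,1000000103,em0,match,block,"
    "in,4,0x0,,64,0,0,DF,17,udp,78,198.51.100.7,203.0.113.10,51234,53,58"
)
LOG_BLOCK_V6 = (
    "Apr  3 11:55:10 pfsense filterlog[28959]: 5,,,1000000001,em0,match,block,"
    "in,6,0x00,,64,tcp,6,40,2001:db8::1,2001:db8::2,40000,22,0,S,1,,65535,,mss"
)

TS_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")
# The program name stops at '[' (pid) or ':'; the header must end with ": ".
PROG_RE = re.compile(r"^([^\s:\[]+)(?:\[\d+\])?:\s")


@dataclass
class PreDecoded:
    timestamp: Optional[str]
    hostname: Optional[str]
    program_name: Optional[str]
    message: str


def predecode(line: str) -> PreDecoded:
    """Phase 1 model: BSD syslog timestamp, then hostname, then 'prog[pid]: '."""
    m = TS_RE.match(line)
    if not m:
        return PreDecoded(None, None, None, line)
    rest = line[m.end():]
    hostname, _, rest = rest.partition(" ")  # first token after the timestamp
    pm = PROG_RE.match(rest)
    if not pm:
        # Nothing that looks like "prog[pid]: " follows the hostname field.
        return PreDecoded(m.group(0).strip(), hostname, None, rest)
    return PreDecoded(m.group(0).strip(), hostname, pm.group(1), rest[pm.end():])


def decode_pf(pre: PreDecoded) -> Optional[dict]:
    """Phase 2 model: split the filterlog CSV; only runs for program filterlog."""
    if pre.program_name != "filterlog":
        return None
    f = pre.message.split(",")
    if len(f) < 9:
        return None
    d = {"id": f[3], "interface": f[4], "action": f[6], "direction": f[7]}
    if f[8] == "4" and len(f) >= 20:
        # IPv4 tail: tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst,...
        proto, src, dst, l4 = f[16], f[18], f[19], f[20:]
    elif f[8] == "6" and len(f) >= 17:
        # IPv6 tail: class,flowlabel,hlim,proto,proto-id,length,src,dst,...
        proto, src, dst, l4 = f[12], f[15], f[16], f[17:]
    else:
        return None
    d.update(protocol=proto, srcip=src, dstip=dst)
    if proto in ("tcp", "udp") and len(l4) >= 3:
        # TCP and UDP both start with srcport,dstport,datalen.
        d.update(srcport=l4[0], dstport=l4[1], length=l4[2])
    return d


@dataclass(frozen=True)
class Rule:
    rule_id: int
    level: int
    action: str
    description: str
    no_log: bool = False


# The two rules pasted in the thread; 87701 keeps its no_log option.
RULES = [
    Rule(87701, 5, "block", "pfSense firewall drop event.", no_log=True),
    Rule(87703, 3, "pass", "pfSense firewall pass event."),
]


def analyze(line: str, rules=RULES) -> dict:
    """Run one line through all three phases and report what each produced."""
    pre = predecode(line)
    decoded = decode_pf(pre)
    rule = None
    if decoded is not None:
        rule = next((r for r in rules if r.action == decoded["action"]), None)
    return {
        "hostname": pre.hostname,
        "program_name": pre.program_name,
        "decoded": decoded,
        "rule_id": rule.rule_id if rule else None,
        "level": rule.level if rule else None,
        "alert": rule is not None and not rule.no_log,
    }


if __name__ == "__main__":
    for label, line in [("no hostname", LOG_NO_HOST), ("with hostname", LOG_WITH_HOST),
                        ("block udp", LOG_BLOCK_UDP), ("block v6", LOG_BLOCK_V6)]:
        print(label, analyze(line))
```

Running it prints, for the hostless line, hostname "filterlog[28959]:" and no program_name or decoded fields, and for the line with a hostname the srcip, dstport and rule 87703 that the logtest output above reports. Passing a rules list without no_log on 87701 is the quickest way to confirm that the block events would alert once the hostname problem is fixed.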
