Wazuh integration with PFSense, is it possible?
4,993 views
Skip to first unread message
mauro....@cmcc.it
Jul 11, 2021, 7:34:49 AM7/11/21
to Wazuh mailing list
Dear All,
I would like to know if Wazuh integration with the latest version of PFSense is possible.
If yes, how it works? Should I install the Wazuh agent on PFSense?
Could you please help me to understand it?
Thank you in advance.
Mauro
jcc...@gmail.com
Jul 12, 2021, 8:46:49 AM7/12/21
to Wazuh mailing list
Hi Mauro,
I found a old script I wrote years ago:
Hope it helps!
jcc...@gmail.com
Jul 12, 2021, 8:47:48 AM7/12/21
to Wazuh mailing list
I forgot to link the wazuh package: https://www.freshports.org/security/wazuh-agent
Juan Carlos
Jul 12, 2021, 11:25:00 AM7/12/21
to Wazuh mailing list
Hello Mauro,
As Julio points out it is possible to install an agent on FreeBSD based operating systems like pfSense, you may follow this guide to install from sources: https://documentation.wazuh.com/current/installation-guide/more-installation-alternatives/wazuh-from-sources/wazuh-agent/index.html
You may also configure pfSense to forward logs via syslog to the Wazuh manager and collect them by using Remote Syslog: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html#remote-syslog
The Wazuh ruleset includes rules and decoders to understand, categorize and enrich events from pfSense, but new rules and decoders can be added if you wish to add more context to the events received.
Let us know if you have any more questions,
Best Regards,
Juan Carlos Tello
Mauro Tridici
Jul 12, 2021, 3:55:41 PM7/12/21
to Juan Carlos, jcc...@gmail.com, Wazuh mailing list
Hello Julio, hello Juan Carlos,
thank you for your help.
So, if I’m not wrong, pfsense can be integrated with Wazuh installing (an old) wazuh agent on pfsense and creating an action script on pfsense.
Anyway, I would like to know what is the workflow that should be followed in this scenario.
Is the PFsense agent that detect the bad IPs and populate a blacklist or are the other wazuh agents that collect bad IPs and populate PFsense blacklist.
Sorry for this stupid question, but I’m not an expert and I would like to know the right integration between Wazuh and PFSense.
Whatt is the best practice in this case?
Thank you in advance to all of you.
Mauro
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/pc4IAOIjW-E/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/87a43d20-d0d4-4712-bbb8-4251af2d086an%40googlegroups.com.
mauro....@cmcc.it
Jul 13, 2021, 6:47:18 AM7/13/21
to Wazuh mailing list
I forgot to ask you if a best practice document is available for this use case.
Thank you in advance,
Mauro
Juan Carlos
Jul 13, 2021, 7:18:51 AM7/13/21
to Wazuh mailing list
Hi Mauro,
Thank you for participating in our community and feel free to ask as many questions as you'd like, we just want to make Wazuh as easy to use as possible and provide as much value as we can to its users.
Installing the agent from sources (or from a community compiled package) will give you the latest version of Wazuh, so it would not be an older agent.
Depending on your specific needs you may do this to benefit from various capabilities of the agent, including Log collection, File Integrity Monitoring and the encryption and compression of all the information being sent directly to the Wazuh manager for analysis.
If you're only interested in collecting log messages to be analyzed by the Wazuh manager, then the simplest option is to configure syslog output on pfSense and collect them with the Wazuh manager.
The log messages from pfSense will contain information on access attempts and the Wazuh manager will be able to analyze these with the same ruleset as if there was an agent installed on the device.
Configuring a blacklist can be done on the Wazuh manager by using the integrator daemon so that when an event matches the criteria of your interest you can configure it to interact with pfSense to add it into it's block list. This can also be achieved by creating an Active Response if there is an agent installed on the pfSense device.
More information on Integrations can be found here: https://documentation.wazuh.com/current/user-manual/manager/manual-integration.html
And on Active Responses here: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html
Given that each environment is different and in consequence so are their use cases Wazuh is very flexible and the best practice will greatly depend on the need you are trying to fulfill.
Some users will only need Wazuh to gain visibility on the logs being produced by their assets while others will also want to take action and add more context to the information being observed.
I'll be happy to answer any questions you may have to achieve your goal.
Best Regards,
Juan Carlos Tello.
Mauro Tridici
Jul 14, 2021, 4:33:09 AM7/14/21
to Juan Carlos, Wazuh mailing list
Hello Juan Carlos,
thank you very much for your reply, I really appreciated it.
Our environment is very “simple” and it should be composed by a PFSense firewall with a couple of FTP and WEB server in the backend.
I think that we’ll installl Wazuh agent on PFSense in order to block malicious attacks and populate the PFsense blacklist.
Anyway, since the WEB servers will be accessible from every IP addresses, we’ll need to install also the Wazuh Agent there.
I hope that, in this way, malicious IPs would be blocked on WEB servers and, in the same time, the malicious IPs could be added to the PFSense blacklist.
In your opinion, does it make sense? Is it a correct solution?
Thank you,
Mauro
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/12f138c5-a287-4e91-a730-e630b29024fbn%40googlegroups.com.
Julio Cesar
Jul 14, 2021, 8:19:27 AM7/14/21
to Mauro Tridici, Juan Carlos, Wazuh mailing list
Hello Mauro,
Did you considered using OPNsense instead pfSense? The are several advantages... I can name one related with Wazuh: API integration. Here an example: https://github.com/cloudfence/opnsense-wazuh
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/025BD91D-9E3C-42BA-B851-5F4176165271%40cmcc.it.
Juan Carlos Tello
Jul 15, 2021, 1:55:04 PM7/15/21
to Julio Cesar, Mauro Tridici, Wazuh mailing list
Hello Mauro,
Yes, your design makes sense. Using the Wazuh agent to collect information from the servers as well as the pfSense device will give you a thorough visibility over logged events as well as other key indicators on the system.
Julio, thank you for sharing that adapted Active Response, it's a very good example of what can be achieved with an agent on a network device.
Cheers,
Juan Carlos Tello
Reply all
Reply to author
Forward
0 new messages