My next class:
Network Monitoring and Threat Detection In-Depth, Singapore, Nov 18th - Nov 23rd 2024

Help Wanted: Please help test our experimental PFSense Client

Published: 2015-11-18. Last Updated: 2015-11-18 18:41:43 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

We do have a *very* experimental client script to submit logs from PFSense firewalls. Supporting these popular and capable open source firewalls is somewhat challenging. First of all, PFSense is based on BSD, not Linux like most other open source firewall distributions, so our standard Linux clients will not work. The BSD packet filter (pf) code also uses a different log format. To make things more interesting, PFSense uses a round-robin log file: log lines are continuously removed and added so that only the last 'x' lines are kept.
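The round-robin log is the awkward part for any periodic submitter: lines fall off the front between runs, so a simple byte offset cannot tell what has already been sent. The following Python sketch is an added illustration (not the DShield PHP client, and the sample lines are constructed rather than real pf/filterlog output): it remembers fingerprints of the last few submitted lines as a resume marker, submits only what follows that marker, and reports a gap when the buffer has wrapped completely since the previous run.

```python
import hashlib

WINDOW = 3  # trailing lines whose fingerprints form the resume marker


def fingerprint(line):
    """Short, stable identifier for one log line."""
    return hashlib.sha256(line.encode("utf-8")).hexdigest()[:16]


def select_new_lines(buffer, marker=None):
    """Pick the lines of a circular log that have not been submitted yet.

    buffer: current contents of the log, oldest line first.
    marker: fingerprints of the last WINDOW lines submitted previously,
            or None on the first run.
    Returns (new_lines, next_marker, gap). gap is True when the marker
    was not found, i.e. the buffer wrapped completely between runs and
    some lines were never seen (worth reporting, not silently skipping).
    """
    prints = [fingerprint(line) for line in buffer]
    if not prints:
        return [], marker, False
    k = len(marker) if marker else 0
    start, gap = 0, False
    if k:
        # Scan backwards so that, when identical lines repeat, the most
        # recent occurrence wins and nothing is submitted twice.
        for i in range(len(prints) - k, -1, -1):
            if prints[i:i + k] == marker:
                start = i + k
                break
        else:
            gap = True  # marker gone: everything present is new
    return list(buffer[start:]), prints[-WINDOW:], gap


if __name__ == "__main__":
    # Constructed sample lines; not the real pf/filterlog format.
    run1 = ["block in em0 10.0.0.1 -> 192.0.2.10:22",
            "block in em0 10.0.0.2 -> 192.0.2.10:23",
            "block in em0 10.0.0.3 -> 192.0.2.10:445",
            "pass out em0 192.0.2.10 -> 198.51.100.5:443"]
    sent, marker, gap = select_new_lines(run1)          # first run: 4 lines
    # Later: the oldest line has fallen off and two new ones arrived.
    run2 = run1[1:] + ["block in em0 10.0.0.4 -> 192.0.2.10:3389",
                       "block in em0 10.0.0.5 -> 192.0.2.10:22"]
    sent, marker, gap = select_new_lines(run2, marker)  # only the 2 new lines
    print(len(sent), gap)
```

With repeated identical lines the most recent match is taken, so the sketch errs toward under-submission rather than duplicates; a production client would pair this with a timestamp check.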

I managed to put together a quick test. Feedback would be very helpful while I am learning how to turn this into a proper PFSense package.

Since there is no simple package to install right now, you need to install and configure the script manually. The script is written in PHP and heavily leverages existing PHP libraries that are included in PFSense.

The script sends logs to DShield via e-mail. You need to have "Notifications" configured. The script will just use the e-mail server settings from your notification configuration.

Please see: 

https://isc.sans.edu/clients/dshieldpfsense.txt

for the script. Additional instructions are included at the top. Please check back regularly for updates.

---
Johannes B. Ullrich, Ph.D.


Comments

I personally don't use pfSense (anymore), but I now use OPNSense. I'd like to compare this to what could be done there. I haven't done much plugin stuff for OPNSense (yet) but I understand it as simply dealing with PKG files, instead of a custom method of implementation.

Correct me if I'm wrong. Thanks for this, as always!
[2.2.4-RELEASE][admin@pfsense.parallel42.ca]/var: ./dshieldpfsense.php

Parse error: syntax error, unexpected 'positives' (T_STRING) in /var/dshieldpfsense.php on line 67


*** FIXED - bad line wrap when pasted ***
Been using the script since it was released :-) pfSense 2.3 was released, and now the script errors out.

PHP Errors:
[12-Apr-2016 21:00:00 America/New_York] PHP Fatal error: Call to undefined function parse_filter_line() in /usr/local/pkg/DShield/dshieldpfsense.php on line 63
I just upgraded. Let me take a look tomorrow. I guess they changed the internal PHP libraries.
I just released an updated client that will work for 2.2 and 2.3
https://isc.sans.edu/clients/dshieldpfsense.txt

If you'd rather adjust it yourself, replace "parse_filter_line" with "parse_firewall_log_line" (should be line 63-65 ... exact location may depend on you changing the lines at the top).
New changes work :-) thank you for all your work
