Original Author: Barakat A. B. Abweh Updated by: W. Scott Howard
Version:
- 3.0.0
Supported products:
- pfsense >= 2.5.0
Supported CIM Version:
- >=4.0.0
Supported CIM Datamodels:
- Authentication
- Network Traffic
Sourcetypes:
pfsense:filterlogpfsense:filterdnspfsense:dhcpdpfsense:kea-dhcp4pfsense:openvpnpfsense:nginxpfsense:unboundpfsense:snortpfsense:suricatapfsense:*
Add-on contains:
- Search and Parsing-Time configuration
Input requirements:
- This release requires pfsense to send data in syslog format
- Adjust pfsense sed replacements to remove duplicate timestamps / or set
no_appending_timestamp = truein inputs.conf for udp input
- The add-on has to be installed on both indexers & Search Heads
- If data is collected through Intermediate Heavy Forwarders, it has to be installed on Heavy Forwarders, otherwise on indexers
- The add-on expects an initial sourcetype named
pfsense, the sourcetype will be transformed into more specific ones (see sourcetype list) - A sample
inputs.confis provided (default/inputs.conf.sample) - Another way to ingest the logs is to send them to a syslog server and then send them using the universal forwarder with the sourcetype
pfsense
- Use syslog-ng package to send pfblockerng-devel logs to splunk
- Since IDS/IPS action is not found in snort's logs and also the action can be modified manually, I added a new lookup file to use for action based on the SID. So please make sure to update the lookup file based on your ruleset action
- sid,interface_name,interface_description,action
- xxx,lan(re0),lan,alert
- Log in to your firewall
- Go to Services->snort->interface and configure the IDS/IPS to work in inline mode
- Go to Services->snort->interface->interface_rules and modify the rules action based on your needs
- After that update the lookup file to match the sid,action pairs and the lookup will automatically work
- Compatible with pfsense 23.09.01 or higher (Not tested on older versions)
- 2.0.0 / 2021-07-18
- 3.0.0 / 2024-06-11