How to send pfBlockerNG logs to remote log server (wazuh siem)
-
@mauro-tridici A common misconception is that pfBlockerNG is doing firewall’ing (blocking and allowing) on its own.
It does not - not even close. The only thing it does is create lists of IP addresses - either from GEOIP, Feeds, Txtfiles, or manually entered lists.
It then has two modes of operation:
1: With autorule creation it automatically attempts to create the Block rules on the Interfaces where you asked it to block. But this can cause issues with rule ordering. This is the reason many use the second mode.
2: Autorule creation disabled, and configured to just create combined BLOCK or PERMIT ALIASes out of your feed setups (visible in FIREWALL -> ALIASES). You then have to use these ALIASES and create the proper block or permit rules yourself - with logging enabled if you want pfBlockerNG to create a separate logfile for hits.
I MUCH prefer the 2nd method as it gives me much more control, and I have created a lot of lists to use for all of my general rules - Fx. a custom list of only my own country's GEOIP and PLEX's AWS IPs to allow access to my plex server :-)
-
@keyser Why do you always have to be so fancy :)
EDIT:
I use autorule creation but with Floating Rules enabled. That way it doesn't interfere with the rules on the interfaces themselves. I want the IPv4 blocks (or permits) to be hit first before the rules on the interface. -
@michmoor said in How to send pfBlockerNG logs to remote log server (wazuh siem):
@keyser Why do you always have to be so fancy :)
EDIT:
I use autorule creation but with Floating Rules enabled. That way it doesn't interfere with the rules on the interfaces themselves. I want the IPv4 blocks (or permits) to be hit first before the rules on the interface.
That's a pretty good way to do it if blocking is your primary use of pfBlockerNG. For me blocking is a fairly small part - so I just created a few floating rules for that myself (general bad countries and actors). But my main use is for limited publishing instead of ANY for the various services I run.
-
@keyser said in How to send pfBlockerNG logs to remote log server (wazuh siem):
But my main use is for limited publishing instead of ANY for the various services i run.
That's interesting. Can you elaborate a bit on that? Might help me change my approach when using pfblocker.
-
@keyser your support is really professional, thank you :)
Now, with your help and reloading pfBlockerNG, I can see that the public IP of my mobile phone is blocked by pfBlockerNG (I'm still using the first method you mentioned, in the next step I will try to use manual rules).
So, in STATUS - SYSTEM LOGS - FIREWALL, I can see a lot of lines similar to the following ones:
X Jun 5 20:09:32 WAN pfB_ip_cred_theft auto rule (1770009099) (MOBILE IP):2928 (WAN IP):3351 TCP:S
and my phone public IP is actually blocked.
Anyway, no ip_block.log file has been created in /var/log/pfblockerng directory in pfsense.
I can only see the relevant entries in the /var/log/filter.log file:
/var/log: grep -R (MOBILE IP) *
filter.log:Jun 5 20:10:36 pfSense_WAN filterlog[40217]: 145,,,1770009099,em0,match,block,in,4,0x0,,49,29056,0,DF,6,tcp,60,(MOBILE IP),(WAN IP),2687,1,0,S,2732915126,,65535,,mss;sackOK;TS;nop;wscale
And I can also see these lines in my SIEM since /var/log/filter.log is correctly sent to my SIEM using the "standard/default" syslog service.
Could you please help me understand where my mistake is?
Many thanks again,
Mauro -
@michmoor said in How to send pfBlockerNG logs to remote log server (wazuh siem):
That's interesting. Can you elaborate a bit on that? Might help me change my approach when using pfblocker.
Sure, fx. I use my boxes for mobile-user VPN, but it is only from a few countries in the EU that I actually have workers living/traveling while working.
So I disabled the built-in Netgate VPN rules (ANY -> 500UDP, ANY -> 4500UDP, ANY -> ESP), and created a list of my own containing only those 3 countries and set pfBlockerNG to ALIAS PERMIT for that list. I then created the VPN rules myself, but the source is now the pfb_allowedVPN_countries ALIAS instead of ANY.
A similar example is my PLEX server. I created an ALIAS PERMIT list with just my own country and PLEX's published list of AWS IP addresses in use for their proxies. My own firewall rule then publishes PLEX to only that source ALIAS list.
I have numerous other examples of publishing rules where I only publish to a few countries, or a published list of Azure service addresses.
The idea here is that the same could be achieved by creating a BLOCK list containing the whole world apart from those 3 countries (in the VPN case), but that would become an ENORMOUS list and consume way too much memory and CPU to use generally.
-
@mauro-tridici Did you enable logging for the LIST or globally in pfBlocker? If you do not set the list for LOGGING in pfBlocker, the filter service will not scrape the firewall log for entries created by that rule. Again, a reload - all is needed when you change the logging settings.
But remember, your SIEM will then get the block twice: both from the firewall log and from the pfBlockerNG log. The block will be in both places. The pfBlockerNG log is mostly used for its own built-in analysis and visualization feature. But you can use it specifically for getting a list of blocks specifically caused by pfBlocker.
-
hello @keyser ,
Yes, I enabled logging for each LIST defined in pfBlockerNG. pfBlockerNG has been reloaded.
Anyway, I can see the block entries only in the /var/log/filter.log file and they are correctly sent to the SIEM.
I would like to send both block logs (firewall + pfblocker logs) to the SIEM in order to get a list of blocks specifically caused by pfblocker (as you said), but, for the time being, it's okay to receive it once if we can't solve the problem.
This is the current configuration of the test LIST of pfblocker:
Thank you in advance,
Mauro -
@mauro-tridici That’s a good question, I would expect it to work if that is your list that does the mobileip blocking (under custom).
I can’t really think of what might cause it not to be scraped… does that also mean you have no hits to look at/analyse under Firewall -> pfBlockerNG - Reports?
What about the pfBlocker Widget on the dashboard? Does that show your IP block list as registering any hits? -
Hi @keyser ,
thanks for your reply and patience.
Yes, the screenshot above is related to the list that does the mobileip blocking (under custom). Below you can find some of the answers to your questions and some additional info that can help.
- under Firewall - pfBlockerNG there is no "Reports" choice (please take a look at the picture below)
- the pfBlockerNG Widget shows the IP block lists but it doesn't show any hits
In addition, I noticed that:
- pfBlockerNG is quite out-of-date and I think it should be updated (if you agree);
- the pfBlockerNG "rules" have been (correctly) auto-added to the pfsense floating rules;
- no pfBlockerNG related rules have been auto-added to the WAN interface firewall rules;
- this is the configuration of pfBlockerNG
PfBlockerNG rules should be executed before all other rules, but it seems that blocked IPs are logged in the /var/log/filter.log file (and they are sent to the SIEM without any differentiator tag/label to distinguish the IPs blocked by pfsense firewall or by pfBlockerNG)
Thank you in advance,
Mauro -
@mauro-tridici Oh, that's a VERY VERY old version of pfBlockerNG. The v3.x current series is almost a completely different product - I'm not even sure your version has the reporting and log scraping features.
What version of pfSense are you using?
I would remove the "keep settings" selection, uninstall your pfBlockerNG, and then install the new v3.1.x from scratch. I would not bet on a successful upgrade - even if it is supported (I don't know if it is).
Then try again with the current pfBlockerNG. I'm sure that will work as intended (and as described by me).
-
@keyser Do you know where the syslog-ng configuration is stored? I'm running into an issue where if I include another Source/Destination/Log config syslog-ng won't start. Weird.
EDIT: Found the file. Can you spot a problem??
# This file is automatically generated by pfSense
# Do not edit manually !
@version:4.1
destination d_pfB_permit { network("192.168.50.198" transport(udp) port(1524)); };
destination d_squid { network("192.168.50.198" transport(udp) port(1523)); };
destination pf_block { network("192.168.50.198" transport(udp) port(1522)); };
destination _DEFAULT { file("/var/syslog-ng/default.log"); };
log { source(s_squid); destination(d_squid); };
log { source(s_pfB_permit); destination(d_pfB_permit); };
log { source(source_pfblocker); destination(pf_block); };
log { source(_DEFAULT); destination(_DEFAULT); };
source s_pfB_permit { file("/var/log/pfblockerng/ip_permit.log"); };
source s_squid { file("/var/squid/logs/access.log"); };
source source_pfblocker { file("/var/log/pfblockerng/dnsbl.log"); };
source _DEFAULT { internal(); syslog(transport(udp) port(5140) ip(192.168.50.254)); };
-
Found the issue. Syslog-NG does not like sending to the same destination port. I had 1522 listed twice. Not sure why it even cares about something like that but it does. Changed to 1523 and starts normally.
-
It may use it as the source port also (and is already using it). Though there's no good reason for that AFAIK, syslog is old!
-
Hi @keyser ,
thanks to your help, I have been able to solve the issue :)
Now, I can see the ip_block.log file (and other files) and a lot of additional interesting features provided by pfBlockerNG.
I really appreciate your patience and support, thanks again.
Now, I have to solve the last problem :P
It seems that the ip_block.log file content is not sent to the SIEM.
In the SIEM syslog target file, I can only see the logs coming from the pfsense filter.log file.
Could you please help me to check the syslog-ng configuration?
name: SRC_PFBLOCKERNG
type: SOURCE
{ file("/var/log/pfblockerng/ip_block.log" flags(no-parse)); };
name: LOG_PFBLOCKERNG
type: LOG
{ source(SRC_PFBLOCKERNG); destination(DST_WAZUH); };
name: DST_WAZUH
type: DESTINATION
{ syslog("x.x.x.x" transport("udp") port(514)); };
If the syslog-ng client configuration is ok, I think that the problem is related to the target syslog server installed on the SIEM.
In fact, in the syslog server configuration file I recently added the following lines:
if $HOSTNAME == 'pfsense' then /var/log/pfsense/pfsense.log
& stop
It works with the filter.log content because it contains the hostname "pfsense", but the ip_block.log file doesn't contain the hostname (so the server doesn't accept the logs).
How did you collect pfblockerng logs in your configuration? Can I send the pfblocker logs to a different file on the syslog server?
EDIT:
this source log line type is correctly processed by the syslog server:
Jun 7 14:11:13 pfSense_LAN filterlog[40553]: 4,,,1000000103,lagg0.35,match,block,in,4,0x0,,1,15015,0,DF,17,udp,601,IP1,IP2,5060,5060,581
this source log line type is not correctly processed by the syslog server:
Jun 7 13:57:35,1770008703,em0,DMZ,block,4,6,TCP-S,IPSRC,IPDEST,56382,44215,in,RU,pfB_Top_v4,83.97.73.0/24,RU_v4,Unknown,wan,null,+
Thank you in advance,
Mauro -
UPDATE:
I just noticed that also the pfblocker logs from pfsense are saved in the target syslog server.
They are not saved in the pfsense.log destination file, but in /var/log/messages. Example:
Jun 7 14:19:47 pfSense_LAN - Jun 7 14:19:45,1770023929,em0,DMZ,block,4,17,UDP,IP1,IP2,47529,53,out,RU,pfB_Top_v4,194.85.252.0/22,RU_v4,b.dns.ripn.net,wan,null,-
I think I have to find the right syslog filter to send this kind of logs to a different file on syslog server.
Thanks,
Mauro -
CASE closed: by adding a new filter rule in /etc/rsyslog.conf I have been able to get a new file with only the information related to pfBlockerNG logs.
Many thanks to all of you for the help.
Mauro -
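The thread ends with two line shapes arriving at the SIEM: pfSense filterlog records (where a pfBlockerNG hit is only recognisable by its rule tracker ID, as in the "pfB_ip_cred_theft auto rule (1770009099)" entry above) and ip_block.log records forwarded by syslog-ng with no program tag. The following Python is an added example, not code from the thread or from the pfSense or pfBlockerNG projects, showing how a collector can tell the two apart and tag the pfBlockerNG hits, which is the "differentiator" asked for earlier in the thread. Three things in it are assumptions rather than documented facts: the field positions of the ip_block.log CSV are read off the thread's sample line; the pfBlockerNG tracker IDs are assumed to start with 1770 because both pfB lines quoted above do while the built-in rule has 1000000103; and the sample lines (with TEST-NET addresses) are constructed.

```python
"""Separate pfBlockerNG hits from ordinary pfSense firewall blocks at the collector.

Added example, not code from the thread or from the pfSense / pfBlockerNG projects.
It handles the two line shapes quoted in the thread:
  - "host filterlog[pid]: <CSV>" records forwarded from /var/log/filter.log
  - "host - <CSV>" records forwarded from /var/log/pfblockerng/ip_block.log (no program tag)
Field positions for the ip_block.log CSV are read off the thread's sample line and are an
assumption, not an official specification. All sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption taken from the thread's own lines: its pfBlockerNG auto rules carry tracker
# IDs beginning 1770..., while the built-in rule it shows has tracker 1000000103.
PFB_TRACKER_PREFIX = "1770"

# "Mon DD HH:MM:SS host tag[pid]: msg"  or  "Mon DD HH:MM:SS host - msg"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<tag>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:?\s+(?P<msg>.*)$"
)


@dataclass
class BlockEvent:
    from_pfblockerng: bool   # True when the hit is attributable to a pfBlockerNG rule
    action: str              # block / pass / match ...
    proto: str               # protocol text, lowercased
    src: str
    dst: str
    dport: Optional[int]
    tracker: str             # pfSense rule tracker ID
    alias: Optional[str]     # pfB_* alias name (only present in ip_block.log records)


def _port(value: str) -> Optional[int]:
    return int(value) if value.isdigit() else None


def parse_pfb_csv(msg: str) -> Optional[BlockEvent]:
    """Parse an ip_block.log record. Assumed layout (from the thread's sample line):
    0 timestamp, 1 tracker, 2 interface, 3 interface name, 4 action, 5 IP version,
    6 protocol number, 7 protocol text, 8 src, 9 dst, 10 sport, 11 dport, 12 direction,
    13 GeoIP country, 14 alias name, 15 matching feed entry, 16 list name, ..."""
    f = msg.split(",")
    if len(f) < 15 or not f[14].startswith("pfB_"):
        return None
    return BlockEvent(from_pfblockerng=True, action=f[4],
                      proto=f[7].split("-")[0].lower(),   # "TCP-S" -> "tcp"
                      src=f[8], dst=f[9], dport=_port(f[11]), tracker=f[1], alias=f[14])


def parse_filterlog(msg: str) -> Optional[BlockEvent]:
    """Parse a pfSense filterlog CSV record (IPv4 and IPv6 layouts).
    Common prefix: rulenr, subrulenr, anchor, tracker, interface, reason, action,
    direction, ipversion. IPv4 continues with tos, ecn, ttl, id, offset, flags, proto id,
    proto text, length, src, dst; IPv6 with class, flowlabel, hoplimit, proto id,
    proto text, length, src, dst. TCP/UDP records then carry sport, dport."""
    f = msg.split(",")
    if len(f) < 9:
        return None
    if f[8] == "4":
        proto_i, src_i = 16, 18
    elif f[8] == "6":
        proto_i, src_i = 13, 15
    else:
        return None
    if len(f) <= src_i + 1:
        return None
    proto = f[proto_i].lower()
    dport = _port(f[src_i + 3]) if proto in ("tcp", "udp") and len(f) > src_i + 3 else None
    return BlockEvent(from_pfblockerng=f[3].startswith(PFB_TRACKER_PREFIX), action=f[6],
                      proto=proto, src=f[src_i], dst=f[src_i + 1], dport=dport,
                      tracker=f[3], alias=None)


def classify(line: str) -> Optional[BlockEvent]:
    """Map one received syslog line to a BlockEvent, or None if it is something else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    if m.group("tag") == "filterlog":
        return parse_filterlog(m.group("msg"))
    # ip_block.log records arrive with no program tag ("-"), so test the CSV shape directly
    return parse_pfb_csv(m.group("msg"))


def pfb_events(lines: List[str]) -> List[BlockEvent]:
    """Return only the events attributable to pfBlockerNG, in input order."""
    return [e for e in map(classify, lines) if e is not None and e.from_pfblockerng]


# Constructed sample input modelled on the lines quoted in the thread (TEST-NET addresses).
SAMPLE_LINES = [
    "Jun  7 14:19:47 pfSense_LAN - Jun 7 14:19:45,1770023929,em0,DMZ,block,4,17,UDP,"
    "198.51.100.23,203.0.113.9,47529,53,out,RU,pfB_Top_v4,194.85.252.0/22,RU_v4,Unknown,wan,null,-",
    "Jun  5 20:10:36 pfSense_WAN filterlog[40217]: 145,,,1770009099,em0,match,block,in,4,0x0,,49,"
    "29056,0,DF,6,tcp,60,198.51.100.23,203.0.113.9,2687,1,0,S,2732915126,,65535,,mss;sackOK;TS;nop;wscale",
    "Jun  7 14:11:13 pfSense_LAN filterlog[40553]: 4,,,1000000103,lagg0.35,match,block,in,4,0x0,,1,"
    "15015,0,DF,17,udp,601,192.0.2.10,192.0.2.255,5060,5060,581",
    "Jun  7 14:12:00 pfSense_LAN sshd[1234]: Accepted publickey for admin from 192.0.2.5 port 50000 ssh2",
]

if __name__ == "__main__":
    for ev in pfb_events(SAMPLE_LINES):
        print(f"{ev.action} {ev.proto} {ev.src} -> {ev.dst}:{ev.dport} "
              f"tracker={ev.tracker} alias={ev.alias}")
```

Run as-is it prints the two pfBlockerNG hits and drops the ordinary firewall block and the sshd line. The same predicate (program tag "filterlog" plus a tracker prefix, or a 15th CSV field starting with "pfB_") is what an rsyslog or syslog-ng filter on the SIEM side would express to route these records to their own file, which is the fix the thread's last post arrived at.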