Netgate Discussion Forum

    PfSense Regex Help for AlienVault OSSIM

wifiuk

Unless anyone has a plugin already written for pfSense 2.X.X, I'm trying to do my own. I'm not the best person for it and I am learning as I go, but I do want my logs to show in the OSSIM console. I don't want to reinvent the wheel, but if there is no wheel, here is what I am asking for help with….
Am I barking up the wrong tree???

Below is a line of output from pfSense logs being sent to OSSIM.
I'm trying to write a plugin for OSSIM to parse pfSense logs.
I've got the following regex that covers up to where it says filterlog, but I need help identifying what the other bits are.

(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<sensor>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?P<event_type>\s+\w{9}):\s+
      

I'm trying to work out what the

9,16777216,,1000000103

section is from, and what the

4,0x78,,44,47494,0,none,1

section is from.

      Sep  2 15:43:43 192.168.1.9 filterlog: 9,16777216,,1000000103,pppoe2,match,block,in,4,0x78,,44,47494,0,none,1,icmp,71,185.26.144.209,81.154.203.123,unreachport,185.26.144.209,UDP,1004951
      

      event_type=event
      date={normalize_date($3)}
      sensor={resolv($sensor)}
      device={resolv($sensor)}
      src_ip={$src_ip}
      src_port={$src_port}
      dst_ip={$dst_ip}
      dst_port={$dst_port}
      plugin_sid={translate($action)}
      #protocol={$protocol}
      interface={$interface}

      Anyone able to help me write this regex for the OSSIM plugin?

wifiuk

(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<sensor>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?P<event_type>\s+\w{9}):\s+\d{1}[,]\w{8}[,],,[,]

        I've worked out a bit more, as above

I'm not sure about what $actions are correct, so for now I have just given them my own names until I know what to replace them with…

        #rule={$rule}
        #action={$action}
        #direction={$direction}

jimp (Rebel Alliance Developer, Netgate)

          This lists and explains all the fields:
          https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2

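As an added example (mine, not the original poster's regex and not AlienVault's plugin), the parser below takes the syslog regex from the first post a step further and splits the comma-separated filterlog body by position, which is how that format is meant to be read: the fields have no names in the line, only a fixed order. The field names and order follow the Filter Log Format document jimp linked, so the "9,16777216,,1000000103" section is rule number, sub-rule number, anchor (empty) and tracker ID, and "4,0x78,,44,47494,0,none,1" is IP version, TOS, ECN (empty), TTL, IP ID, fragment offset, flags and protocol ID. The first sample line is the one from the thread; the second (a TCP pass on em0) is constructed to exercise the TCP branch. The dots in the sensor group are escaped, which the posted regex left unescaped. Field names in the returned dict are my own choice.

```python
import re

# Constructed sample input: the first line is the thread's own example, the
# second is a made-up IPv4 TCP record in the same format.
SAMPLE_ICMP = ("Sep  2 15:43:43 192.168.1.9 filterlog: 9,16777216,,1000000103,pppoe2,match,"
               "block,in,4,0x78,,44,47494,0,none,1,icmp,71,185.26.144.209,81.154.203.123,"
               "unreachport,185.26.144.209,UDP,1004951")
SAMPLE_TCP = ("Sep  2 15:44:01 192.168.1.9 filterlog: 5,,,1000000105,em0,match,pass,out,"
              "4,0x0,,64,12345,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,51234,443,0,S,"
              "1234567890,,65535,,mss;sackOK;TS;nop;wscale")

# Syslog prefix, extending the regex posted above: dots escaped, event_type pinned
# to the literal "filterlog", and the comma-separated body captured whole.
SYSLOG_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+"
    r"(?P<sensor>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+"
    r"(?P<event_type>filterlog):\s+(?P<csv>.*)$"
)

# Field order per the pfSense 2.2 filter log format document (names are mine).
COMMON = ["rule", "subrule", "anchor", "tracker", "interface",
          "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto"]
IPV6 = ["class", "flow_label", "hop_limit", "proto", "proto_id"]
ADDR = ["length", "src_ip", "dst_ip"]
TCP = ["src_port", "dst_port", "data_len", "tcp_flags", "seq", "ack",
       "window", "urg", "options"]
UDP = ["src_port", "dst_port", "data_len"]
ICMP_UNREACHPORT = ["icmp_dst_ip", "icmp_proto", "icmp_port"]
ICMP_ECHO = ["icmp_id", "icmp_seq"]  # request / reply


def _take(fields, pos, names):
    """Consume len(names) fields starting at pos; refuse truncated records."""
    end = pos + len(names)
    if end > len(fields):
        raise ValueError("truncated filterlog record, expected fields %s" % names)
    return dict(zip(names, fields[pos:end])), end


def parse_filterlog(line):
    """Parse one pfSense filterlog syslog line into a flat dict; None if not filterlog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = {"date": m.group("date"), "sensor": m.group("sensor")}
    fields = m.group("csv").split(",")
    hdr, pos = _take(fields, 0, COMMON)
    rec.update(hdr)
    ipf, pos = _take(fields, pos, IPV4 if rec["ipver"] == "4" else IPV6)
    rec.update(ipf)
    addr, pos = _take(fields, pos, ADDR)
    rec.update(addr)
    proto = rec["proto"].lower()
    if proto == "tcp":
        extra, pos = _take(fields, pos, TCP)
    elif proto == "udp":
        extra, pos = _take(fields, pos, UDP)
    elif proto == "icmp":
        extra, pos = _take(fields, pos, ["icmp_type"])
        if extra["icmp_type"] == "unreachport":
            more, pos = _take(fields, pos, ICMP_UNREACHPORT)
        elif extra["icmp_type"] in ("request", "reply"):
            more, pos = _take(fields, pos, ICMP_ECHO)
        else:
            more = {}  # other ICMP types: their trailing fields land in "extra"
        extra.update(more)
    else:
        extra = {}
    rec.update(extra)
    rec["extra"] = fields[pos:]  # anything this parser does not know about
    return rec


def to_ossim_fields(rec):
    """Map a parsed record onto the field names used in the plugin stanza above."""
    return {
        "sensor": rec["sensor"],
        "src_ip": rec["src_ip"],
        "src_port": rec.get("src_port"),  # None for ICMP, which has no ports
        "dst_ip": rec["dst_ip"],
        "dst_port": rec.get("dst_port"),
        "action": rec["action"],
        "interface": rec["interface"],
        "protocol": rec["proto"],
    }


if __name__ == "__main__":
    for line in (SAMPLE_ICMP, SAMPLE_TCP):
        print(to_ossim_fields(parse_filterlog(line)))
```

A single regex cannot do this cleanly because the number and meaning of the trailing fields depend on the IP version and protocol read earlier in the same line; reading the fields by position, as here, is what the OSSIM plugin's regex would have to approximate with alternations.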
wifiuk

I tried to get this working and failed. Has anyone else managed to create a regex that works?

McGlenn

AlienVault has now released a pfSense plugin.

              Check out https://github.com/decay/alienvault-pfsense

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.