Realtime email alerts for specific events?
-
Hi,
My Mac Mini is generating port 3478 traffic that I block. I would like to find out what is running on the Mac when this happens, but the Mac syslogs have proved useless after the fact. So I would like pfSense to send me an email alert right away, any time port 3478 is used/blocked. I've got email reporting installed and working, but that seems to be schedule-based. I don't really want to bog my Netgate 1100 down with Snort. How to do this? In general is there a way to get realtime email alerts when any firewall rule gets triggered?
-
No, not in pfSense directly.
You would need to export the filter log via syslog to something that can parse and alert you to that.
Steve
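One way to do the parse-and-alert step described in the reply above, as an added example that is not part of the original posts and not pfSense code: a Python filter, meant to run on the remote syslog receiver, that picks blocked port 3478 entries out of filterlog lines. The field offsets assume pfSense's raw filter log CSV layout; the sample lines, interface name and five-minute throttle are constructed.

```python
import re
import time

WATCH_PORT = 3478        # port discussed in the thread
THROTTLE_SECONDS = 300   # assumption: one alert per source per 5 minutes

# Constructed sample lines (documentation addresses) as a remote syslog
# receiver might store them; layout assumed per the raw filter log CSV format.
SAMPLE = [
    "Jun  1 10:00:01 fw filterlog[4242]: 5,,,1000000103,mvneta0,match,block,in,4,0x0,,64,1111,0,none,17,udp,56,192.0.2.10,198.51.100.7,51000,3478,36",
    "Jun  1 10:00:02 fw filterlog[4242]: 5,,,1000000103,mvneta0,match,block,in,4,0x0,,64,1112,0,none,17,udp,56,192.0.2.10,198.51.100.7,51000,3478,36",
    "Jun  1 10:00:03 fw filterlog[4242]: 7,,,1000000200,mvneta0,match,pass,in,4,0x0,,64,2222,0,DF,6,tcp,60,192.0.2.10,198.51.100.9,51001,443,0,S,123456,,65535,,mss",
    "Jun  1 10:00:04 fw filterlog[4242]: 5,,,1000000103,mvneta0,match,block,in,6,0x00,0x00000,64,UDP,17,56,2001:db8::10,2001:db8::99,51002,3478,56",
]

def parse_filterlog(line):
    """Return a dict for a TCP/UDP filterlog entry, or None if not parseable."""
    m = re.search(r"filterlog(?:\[\d+\])?:\s*(.*)$", line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 9:
        return None
    # Offsets of protocol name and src/dst/ports differ between IPv4 and IPv6.
    layout = {"4": (16, 18), "6": (12, 15)}.get(f[8])
    if layout is None or len(f) < layout[1] + 4:
        return None
    proto = f[layout[0]].lower()
    if proto not in ("tcp", "udp"):
        return None
    src, dst, sport, dport = f[layout[1]:layout[1] + 4]
    try:
        sport, dport = int(sport), int(dport)
    except ValueError:
        return None
    return {"iface": f[4], "action": f[6], "proto": proto,
            "src": src, "dst": dst, "sport": sport, "dport": dport}

def alerts(lines, now=time.time):
    """Return one alert string per blocked WATCH_PORT hit, throttled per source."""
    last_sent, out = {}, []
    for line in lines:
        e = parse_filterlog(line)
        if not e or e["action"] != "block" or e["dport"] != WATCH_PORT:
            continue
        t = now()
        if t - last_sent.get(e["src"], float("-inf")) < THROTTLE_SECONDS:
            continue  # suppress repeats so a chatty host does not flood the inbox
        last_sent[e["src"]] = t
        out.append(f"blocked {e['proto']} {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']} on {e['iface']}")
    return out
```

Feed `alerts()` the lines as the syslog receiver writes them and pass each returned string to whatever mailer the receiver already uses.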
-
@beerguzzle Maybe Little Snitch running on the Mac Mini could help identify it. Apple docs say UDP 3478 is FaceTime and GameCenter. https://support.apple.com/en-us/HT202944
-
@beerguzzle According to this page:
https://support.apple.com/en-us/HT202944
Ports 3478–3497 are generally UDP traffic and are from FaceTime or Game Center stuff.
It's also possible that it's Microsoft Teams:
https://docs.microsoft.com/en-us/microsoftteams/3-envision-evaluate-my-environment
-
Ok, would Snort or Suricata give me this capability? Would it be firewall suicide to install either on my 1100? I'm running pfSense 22.01, with the following packages installed: aws-wizard, darkstat, ipsec-profile-wizard, mailreport, nmap, pfblockerNG, Status_Traffic_Totals. The main page shows 41% of my 982 MB of memory in use. The 1100 was purchased this Spring.
-
It's possible but you would need to carefully select the signatures you enable. I would not recommend it.
But it won't alert you in real-time anyway.
I agree with the above; use something running on the Mac to monitor those connections.
Steve