Netgate Discussion Forum
New package submitted for OSSEC server

    laleger
    last edited by Oct 14, 2013, 2:44 AM

    Hello, I just submitted a pull request for an OSSEC server package and wanted to give everyone a heads up. I was working on this a few months ago as part of an effort with my company to use pfSense on a new security appliance we were creating. Our security appliance project has been put on hold but I thought it might be a good time to share this with the community.

    Our intention for creating this package was not to monitor the local pfSense installation itself, but rather to serve as a manager for many OSSEC agents. Please keep in mind that this package is in the ALPHA phase and should be considered extremely experimental and not for production use. I have limited time for package development these days, but please let me know if you encounter any major bugs and I will do my best to fix them.

    Cheers,

    Lance

      alex_uk
      last edited by Oct 22, 2013, 1:25 PM

      Hi, I'm a relative newbie to pfSense but have been using it for a month or two now, with quite a few plugins.

      This package would be great. How would I go about getting access to download this package, appreciating it is in 'alpha'? Do I have to wait for a new pfSense release, or is it going through some sort of testing before it shows up in available packages?

      Thanks
      Alex

        xelacomp
        last edited by Dec 12, 2013, 7:48 AM

        Any chance of posting your code somewhere? I'd be happy to help. I've been using the Zabbix proxy and agent for my clients for some time; OSSEC would be a great addition. I'd like to see this as a stable package someday for everyone.

          marcelloc
          last edited by Dec 13, 2013, 2:21 PM

          It's still waiting for core team review

          https://github.com/pfsense/pfsense-packages/pulls

          Elite Training: http://sys-squad.com

          Help a community developer! ;D

            BBcan177 Moderator
            last edited by Dec 13, 2013, 6:55 PM

            Can't wait to see the finished package!

            I am running an OSSEC server currently. Is it possible to have the OSSEC Manager running in pfSense work in tandem with the primary OSSEC server to block offenders' IPs in pfSense with Active-Response?

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

              RpR
              last edited by Jun 26, 2014, 12:14 PM

              @BBcan177:

              Can't wait to see the finished package!

              I am running an OSSEC server currently. Is it possible to have the OSSEC Manager running in pfSense work in tandem with the primary OSSEC server to block offenders' IPs in pfSense with Active-Response?

              idd is active response active using the plugin.
              I have a server park with pfSense in front of all the servers.
              Now I ban IPs using csf but that is just server-based.

                BBcan177 Moderator
                last edited by Jun 26, 2014, 4:59 PM Jun 26, 2014, 4:28 PM

                Hi RpR,

                I sent an email to laleger, but I don't think that he is actively pursuing getting the OSSEC package implemented for pfSense.

                Here is his GitHub link: https://github.com/pfsense/pfsense-packages/pull/526

                In regards to your question about banning IPs at a server and how to push/pull them into pfSense:

                At a high level, choose what software you want on the servers; fail2ban, CSF or OSSEC are good options. I don't have any experience with fail2ban or CSF, but I do have Security Onion that has OSSEC pre-installed (you still have to configure it). If you want help with that I am willing to share what I know…

                Once the server has found malicious activity, it should produce a block on its local machine for a certain duration. You need to be able to push or pull this text file from the server to pfSense. Once pfSense has the file, it can be added to an "Alias Table".

                pfBlocker has the ability to use "local" files. I also wrote a script, "pf IP Reputation Manager", that can also do this.

                So if you can block on the server for one hour, you need to get that block file into pfSense within that timeframe to protect all of the other LAN devices.

                "Experience is something you don't get until just after you need it."

                Website: http://pfBlockerNG.com
                Twitter: @BBcan177  #pfBlockerNG
                Reddit: https://www.reddit.com/r/pfBlockerNG/new/
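
Added example, not part of the post above and not code from pfSense, pfBlocker or OSSEC: a filter for the block file a server exports before it is loaded into a firewall alias table. The `<ip> <unix time of block>` line format, the one-hour `ttl` default and the `never_block` parameter are assumptions of this sketch.

```python
import ipaddress

# Constructed sample of a block file pulled from a server. The
# "<ip> <unix time of block>" layout is an assumption of this example.
SAMPLE_BLOCK_FILE = """\
# constructed sample data
203.0.113.7 1000
198.51.100.23 4000
203.0.113.7 4200
192.168.1.10 4100
not-an-ip 4100
198.51.100.99
2001:db8::5 4300
""".splitlines()


def build_alias_entries(lines, now, ttl=3600, never_block=()):
    """Return still-active, validated addresses, one string per alias line."""
    protected = [ipaddress.ip_network(net) for net in never_block]
    newest = {}  # address -> most recent block time seen
    for raw in lines:
        parts = raw.split("#", 1)[0].split()
        if len(parts) != 2:
            continue  # blank, comment or malformed line
        try:
            addr = ipaddress.ip_address(parts[0])
            blocked_at = int(parts[1])
        except ValueError:
            continue  # never pass unparsed text on to the firewall
        if (addr.is_loopback or addr.is_unspecified
                or addr.is_multicast or addr.is_link_local):
            continue
        if any(addr in net for net in protected):
            continue  # a server must not be able to block management or LAN ranges
        newest[addr] = max(blocked_at, newest.get(addr, blocked_at))
    # Drop blocks that have already expired on the originating server.
    active = [a for a, t in newest.items() if 0 <= now - t < ttl]
    return [str(a) for a in sorted(active, key=lambda a: (a.version, int(a)))]


if __name__ == "__main__":
    for entry in build_alias_entries(SAMPLE_BLOCK_FILE, now=5000,
                                     never_block=["192.168.0.0/16", "10.0.0.0/8"]):
        print(entry)
```

Filtering against `never_block` on the firewall side means a compromised or misconfigured server cannot use the shared list to cut off management or LAN addresses.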

                  enriluis
                  last edited by Oct 17, 2014, 5:36 PM

                  Hello all, that's good news, I'm waiting to test this package.
                  Where can I download it?
