pfSense + OSSIM

    General pfSense Questions
• henze

Hey,
I've installed a pfSense firewall which I'd like to send the logs to OSSIM to get all the flashy security bits of OSSIM.
Has anyone got any ideas to get this working? Because I put OSSIM in a DMZ of pfSense but it didn't work! And I didn't find any documentation that can help me.

• stephenw10 (Netgate Administrator)

What didn't work? Not able to parse the pfSense logs correctly?
This patch may still be valid, but could easily not be! It's old. Might give you an idea though:
https://forum.pfsense.org/index.php?topic=48363.0

Steve

• henze

Thanks for your answer, I saw it before I posted! But it didn't help me.
At the beginning my problem is where I should place OSSIM! Is it on one of the pfSense interfaces,
or at the same level (that means WAN pfSense 192.168.1.X and OSSIM 192.168.1.X)??
Also in pfSense I had Snort, ntop and Nmap working, so how can I manage them in OSSIM?

• BBcan177 (Moderator)

I don't use OSSIM, but I expect that it needs the syslogs to be in a single line? Currently pfSense sends its syslogs in a 2-line format. I use Security Onion and I had to apply the following patch. To use, you need to install the package "Patches" and use the latest patch that I know of for 2.1.1:
http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.1.1.diff

https://forum.pfsense.org/index.php?topic=69544.30

• henze

Thanks BBcan,
Can you explain to me more!
The idea is that the log of pfSense will be sent to OSSIM. So I should upload a patch! After that, in (Status > System Log) I enable logging to a server and I put the IP of OSSIM!
Is it true what I say? And what about rules? And where should I place OSSIM, on a LAN pfSense interface or on the WAN interface?

• henze

See my attachment! Patch failed! It didn't work :(


• BBcan177 (Moderator)

@henze:

Thanks BBcan,
Can you explain to me more!
The idea is that the log of pfSense will be sent to OSSIM. So I should upload a patch! After that, in (Status > System Log) I enable logging to a server and I put the IP of OSSIM!
Is it true what I say? And what about rules? And where should I place OSSIM, on a LAN pfSense interface or on the WAN interface?

Hi, henze,

First you need to install the package "Patches" (System:Packages:Available Packages, "System Patches").

In the System:Patches menu, select "+" and add a new patch.

If you're on 2.1.x, add this patch:
http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.1.1.diff

Once you have entered the patch details, you need to "Fetch" and then "Apply".

(HELP LINK) https://doc.pfsense.org/index.php/System_Patches

In Status:System Logs:Settings, you will see "Enable Remote Logging". Put a check.

Under "Remote Syslog Servers", enter the LAN IP address of the OSSIM machine.

Select which logs you want to send to OSSIM (Contents settings).

Make sure that OSSIM has UFW open to receive the syslogs on port 514 UDP.

sudo ufw status (in OSSIM)

You can change the default port by changing the pfSense "Remote Syslog Servers" LAN address to be

x.x.x.x:PORT

• henze

Thanks for your explanation!
But I had pfSense 2.1.2 so this didn't work! Do you have another one to give me?

• BBcan177 (Moderator)

@henze:

Thanks for your explanation!
But I had pfSense 2.1.2 so this didn't work! Do you have another one to give me?

I don't know if there is another patch available for 2.1.3. I use the 2.1.1 patch on 2.1.3 and it works.

You might have to reboot the box? Or if it doesn't work after a reboot, try removing the patch, reboot and then add the patch again.

• stephenw10 (Netgate Administrator)

The patch is not particularly extensive, only two files and small changes. You can probably apply it manually in 2.1.3.

Steve

• BBcan177 (Moderator)

You could also try this command in an OSSIM shell to see if you are receiving the syslogs from pfSense.

sudo tcpdump -nnvvAi eth0 -s0 | grep xx.xx.xx.xx

Change the xx.xx.xx.xx to your pfSense LAN address, and change the eth0 to your OSSIM's listening interface.

• wifiuk

Has anyone got pfSense to parse logs to OSSIM on the most recent version?

• wifiuk

I tweeted pfSense and AlienVault about this. They said it's a great idea, but someone needs to make a pfSense-side plugin to make it work.

So I started making a regex to import that data into OSSIM but I failed; it doesn't work as I can't get the regex correct.

Maybe someone else can have a crack, but if we can get the two systems to work together it would be so great.

• killmasta93

wifiuk, I would rather use ELK; see the link in my tutorials.

• stephenw10 (Netgate Administrator)

It should be easier in 2.2.X because the log format has changed. It's now single line: https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2

Steve

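wifiuk wrote above that the regex for importing the data into OSSIM was the sticking point, and Steve points at the single-line filterlog format that arrived in 2.2. The parser below is an added example for this thread, not code from pfSense, OSSIM or the AlienVault plugin: it splits a 2.2-style filterlog line on commas into named fields (the field order is my reading of the linked Filter Log Format page; check it against that page and your own logs before relying on it), then tallies blocked packets per destination port, which is the sort of key a SIEM correlation rule works from. The log lines, hostname and interface names are constructed samples, not captured output.

```python
"""Parse pfSense 2.2+ single-line "filterlog" syslog messages.

Added example for this thread; not code from pfSense, OSSIM or AlienVault.
Field order follows the pfSense 2.2 Filter Log Format as I read the linked
doc (assumption: verify against it). All sample lines below are constructed.
"""
import re

# BSD syslog prefix as relayed to a collector: optional "<PRI>" when received
# over the wire, then "Mon d HH:MM:SS host filterlog: <csv payload>".
SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) filterlog: (?P<csv>.*)$"
)

# Field names per section of the CSV payload (assumed order, see docstring).
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
        "length", "src", "dst"]
IPV6 = ["class", "flow_label", "hop_limit", "proto", "proto_id", "length",
        "src", "dst"]
TCP = ["sport", "dport", "data_len", "tcp_flags", "seq", "ack", "window",
       "urg", "options"]
UDP = ["sport", "dport", "data_len"]

# Constructed sample input (hostname, interfaces and addresses are made up;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LINES = [
    "Jun  1 10:15:01 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,"
    "0x0,,64,0,0,DF,6,tcp,60,203.0.113.9,192.168.1.10,54321,22,0,S,"
    "1234567890,,65535,,mss;nop;wscale;sackOK;TS",
    "Jun  1 10:15:02 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,"
    "0x0,,64,0,0,DF,17,udp,78,203.0.113.9,192.168.1.10,40000,514,58",
    "Jun  1 10:15:03 pfsense filterlog: 7,,,1000000105,em1,match,pass,out,4,"
    "0x0,,64,0,0,DF,6,tcp,60,192.168.1.10,198.51.100.5,50000,443,0,S,"
    "987654321,,65535,,mss;nop;wscale;sackOK;TS",
    # Not a filterlog line; the parser must skip it rather than misparse it.
    "Jun  1 10:15:04 pfsense sshd[123]: Accepted publickey for admin from 192.168.1.20",
]


def parse_filterlog(line):
    """Return a dict of named fields, or None if the line is not a filterlog entry."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    fields = m.group("csv").split(",")
    if len(fields) < len(COMMON):
        return None  # truncated payload
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    rec.update(zip(COMMON, fields[:len(COMMON)]))
    rest = fields[len(COMMON):]

    # IP-version specific section: different length and order for v4 and v6.
    ip_fields = {"4": IPV4, "6": IPV6}.get(rec["ipver"])
    if ip_fields is None or len(rest) < len(ip_fields):
        return None
    rec.update(zip(ip_fields, rest[:len(ip_fields)]))
    rest = rest[len(ip_fields):]

    # Protocol-specific tail; anything other than TCP/UDP is kept raw.
    proto = rec["proto"].lower()
    if proto == "tcp":
        rec.update(zip(TCP, rest))
    elif proto == "udp":
        rec.update(zip(UDP, rest))
    else:
        rec["extra"] = rest
    return rec


def blocked_by_dport(lines):
    """Count blocked TCP/UDP packets per (protocol, destination port)."""
    counts = {}
    for line in lines:
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block" and "dport" in rec:
            key = (rec["proto"], rec["dport"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_filterlog(sample))
    print(blocked_by_dport(SAMPLE_LINES))
```

The point of splitting by section rather than writing one long regex is that the payload length depends on the IP version and protocol, which is exactly where a single expression tends to break; when a field count does not match what the linked format page says, the function returns None instead of shifting every later field by one.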
• McGlenn

AlienVault has now released a pfSense plugin.

Check out https://github.com/decay/alienvault-pfsense

© 2021 Rubicon Communications, LLC