Pfsense + Ossim
-
hey ,
I've installed a pfSense firewall which I'd like to send the logs to OSSIM to get all the flashy security bits of OSSIM .
Has anyone got any ideas to get this working? because i put Ossim in a dmz of pfsense but it didn't work ! and i didn't find a documentation that can help me -
What didn't work? Not able to parse the pfSense logs correctly?
This patch may still be valid, but could easily not be! It's old. Might give you an idea though:
https://forum.pfsense.org/index.php?topic=48363.0Steve
-
thanks for your answer, i saw it before i posted ! but i didn't help me
at the begining my problem is that where i should placed Ossim ! is in the one of Pfsense interface
or in the same level (that's mean wan Pfsense 192.168.1.X and Ossim 192.168.1.X ) ??
also in Pfsense i had SNort , Ntop and Nmap worked , so how can i manage it in Ossim ? -
I don't use OSSIM, but I expect that it needs the syslogs to be in a single line? Currently pfSense sends its syslogs in a 2-line format. I use Security Onion and I had to apply the following patch. To use, you need to install the package "Patches" and use the latest patch that I know of for 2.1.1 [ [url=http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.1.1.diff]http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.1.1.diff ]
-
Thanks BBcan ,
can you explain to me more !
the idea is that log of Pfsense will be send to OSSIM . Si i should upload a patch ! after in (Status..>System log ) i enbale to log to a server and i put the ip of Ossim !
is it true what i say ? and what about rules ? and where should i place OSSIm in a lan Pfsense interface or in wan interface ? -
see my attachement! patch fail ! it didn't work :(
-
Thanks BBcan ,
can you explain to me more !
the idea is that log of Pfsense will be send to OSSIM . Si i should upload a patch ! after in (Status..>System log ) i enbale to log to a server and i put the ip of Ossim !
is it true what i say ? and what about rules ? and where should i place OSSIm in a lan Pfsense interface or in wan interface ?Hi, henze,
First you need to install the package "Patches" [ [b]System:Packages:Available Packages "System Patches" ]
In the System:Patches menu, select "+" and add a new patch
If you're on 2.1.x, add this patch:
http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.1.1.diffOnce you have entered the patch details, you need to "Fetch" and than "Apply"
(HELP LINK) https://doc.pfsense.org/index.php/System_Patches
In [ [b]Status:System Logs:Settings ], you will see "Enable Remote Logging" Put a check.
Remote Syslog Servers, enter the LAN ip address of the OSSIM machine.
Select which logs you want to send to Ossim (Contents settings)
Make sure that Ossim has UFW open to receive the Syslogs on port 514 UDP.
[ [b]sudo ufw status ] in OSSIM
You can change the default port by changing the pfSense "Remote Syslog Servers" Lan address to be
x.x.x.x:PORT
-
thanks for ur explication !
but i had Pfsense 2.1.2 so this didn"t work ! did u have another to give it to me ? -
thanks for ur explication !
but i had Pfsense 2.1.2 so this didn"t work ! did u have another to give it to me ?I don't know if there is another patch available for 2.1.3, I use the 2.1.1 on 2.1.3 and it works.
You might have to reboot the box? Or if it doesn't work after a reboot, try removing the patch, reboot and than add the patch again.
-
The patch is not particularly extensive, only two files and small changes. You can probably apply it manually in 2.1.3.
Steve
-
You could also try this command in an OSSIM shell to see if you are receiving the syslogs from pfSense.
** [ sudo tcpdump -nnvvAi eth0 -s0 | grep xx.xx.xx.xx ]**
change the xx.xx.xx.xx to your pfSense LAN address. And change the eth0 to your OSSIMs listening interface.
-
has anyone got pfsense to parse logs to OSSIM on the most recent version ?
-
i tweeted pfsense and alienvault about this, they said its great idea, but someone needs to make a pfsense side plugin to make it work.
So i started making a regex to import that data into OSSIM but i failed, doesnt work as i cant get ther egex correct.
Maybe someone else can have a crack, but if we can get the two systems to work together it would be so great
-
wifiuk I would rather use ELK see the link on my tutorials
-
It should be easier in 2.2.X because the log format has changed. It's now single line: https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2
Steve
-
Alienvault has now release a pfsense plugin.
Check out https://github.com/decay/alienvault-pfsense
