<![CDATA[PfSense Regex Help for AlienVault OSSIM]]>Unless anyone has a plugin already written for PfSense 2.X.X im trying to do my own , im not the best person and i am learning as i go, but i do want my logs to show in the OSSIM console. I dont want to reinvent the wheel but if there is no wheel here is what i am asking for help with ….
Am i barking up the wrong tree ???

Below is a line output from PfSense logs being sent to OSSIM.
I'm trying to write a plugin for OSSIM to parse PfSense Logs
I've got the following regex that covers upto where it says filterlog, but i need help identifying what the other bits are

(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<sensor>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?P<event_type>\s+\w{9}):\s+</event_type></sensor></date>

I'm trying to work out what the

9,16777216,,1000000103

section is from
the what the

4,0x78,,44,47494,0,none,1

is from

Sep  2 15:43:43 192.168.1.9 filterlog: 9,16777216,,1000000103,pppoe2,match,block,in,4,0x78,,44,47494,0,none,1,icmp,71,185.26.144.209,81.154.203.123,unreachport,185.26.144.209,UDP,1004951

event_type=event
date={normalize_date($3)}
sensor={resolv($sensor)}
device={resolv($sensor)}
src_ip={$src_ip}
src_port={$src_port}
dst_ip={$dst_ip}
dst_port={$dst_port}
plugin_sid={translate($action)}
#protocol={$protocol}
interface={$interface}

Anyone able to help me write this regex for the OSSIM plugin?

]]>https://forum.netgate.com/topic/88600/pfsense-regex-help-for-alienvault-ossimRSS for NodeSun, 14 Jun 2026 20:01:09 GMTWed, 02 Sep 2015 17:14:31 GMT60<![CDATA[Reply to PfSense Regex Help for AlienVault OSSIM on Tue, 29 Dec 2015 11:25:39 GMT]]>Alienvault has now release a pfsense plugin.

Check out https://github.com/decay/alienvault-pfsense

]]>https://forum.netgate.com/post/593256https://forum.netgate.com/post/593256Tue, 29 Dec 2015 11:25:39 GMT<![CDATA[Reply to PfSense Regex Help for AlienVault OSSIM on Sat, 05 Sep 2015 14:55:52 GMT]]>i tried to get this working and failed, anyone else managed to create a regex that works ?

]]>https://forum.netgate.com/post/568834https://forum.netgate.com/post/568834Sat, 05 Sep 2015 14:55:52 GMT<![CDATA[Reply to PfSense Regex Help for AlienVault OSSIM on Wed, 02 Sep 2015 22:10:43 GMT]]>This lists and explains all the fields:
https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2

]]>https://forum.netgate.com/post/568344https://forum.netgate.com/post/568344Wed, 02 Sep 2015 22:10:43 GMT<![CDATA[Reply to PfSense Regex Help for AlienVault OSSIM on Wed, 02 Sep 2015 17:52:19 GMT]]>

(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<sensor>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})(?P<event_type>\s+\w{9}):\s+\d{1}[,]\w{8}[,],,[,]</device></rule></event_type></sensor></date>

I've worked out a bit more, as above

I'm not sure about what $actions are correct so for now i have just given them my own name until i know what to replace them with…

#rule={$rule}
#action={$action}
#direction={$direction}

]]>https://forum.netgate.com/post/568296https://forum.netgate.com/post/568296Wed, 02 Sep 2015 17:52:19 GMT