pfSense Regex Help for AlienVault OSSIM
-
Unless anyone has a plugin already written for pfSense 2.X.X, I'm trying to do my own. I'm not the best person for it and I am learning as I go, but I do want my logs to show in the OSSIM console. I don't want to reinvent the wheel, but if there is no wheel, here is what I am asking for help with…
Am I barking up the wrong tree??? Below is a line of output from pfSense logs being sent to OSSIM.
I'm trying to write a plugin for OSSIM to parse pfSense logs.
I've got the following regex that covers up to where it says filterlog, but I need help identifying what the other bits are:

(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<sensor>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?P<event_type>\s+\w{9}):\s+

I'm trying to work out what the

9,16777216,,1000000103

section is from, and what the

4,0x78,,44,47494,0,none,1

is from.

Sep 2 15:43:43 192.168.1.9 filterlog: 9,16777216,,1000000103,pppoe2,match,block,in,4,0x78,,44,47494,0,none,1,icmp,71,185.26.144.209,81.154.203.123,unreachport,185.26.144.209,UDP,1004951
event_type=event
date={normalize_date($date)}
sensor={resolv($sensor)}
device={resolv($sensor)}
src_ip={$src_ip}
src_port={$src_port}
dst_ip={$dst_ip}
dst_port={$dst_port}
plugin_sid={translate($action)}
#protocol={$protocol}
interface={$interface}

Anyone able to help me write this regex for the OSSIM plugin?
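Added example, not code from this thread, from AlienVault or from pfSense: a Python parser that applies pfSense's documented 2.2+ filterlog field order to the line posted above. In that order, `9,16777216,,1000000103` is rule-number, sub-rule-number, anchor (empty) and tracker, and `4,0x78,,44,47494,0,none,1` is ip-version, tos, ecn (empty), ttl, id, offset, flags and protocol-id. The syslog prefix is matched with the same named-group style as the regex above (OSSIM plugins use Python regex syntax); the CSV body is split field by field rather than matched with one long regex, because the tail changes with IP version, protocol and ICMP type. The field names, the `ossim_fields` mapping and the TCP and IPv6/UDP sample lines are my own constructions; only the first sample line is from the thread.

```python
# Parse pfSense 2.2+ filterlog syslog lines into named fields, following the
# documented order: 9 common fields, an IPv4/IPv6 header block, a protocol tail.
import re

# Syslog prefix in the same named-group style as the thread's regex
# (OSSIM plugins use Python regex syntax); the CSV payload is captured whole.
SYSLOG_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+"
    r"(?P<sensor>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+"
    r"(?P<event_type>filterlog):\s+(?P<body>.+)$"
)

# Field names below are my own; the order is pfSense's documented one.
COMMON = ["rule", "subrule", "anchor", "tracker", "interface",
          "reason", "action", "direction", "ip_version"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags",
        "protocol_id", "protocol", "length", "src_ip", "dst_ip"]
IPV6 = ["class", "flow_label", "hop_limit", "protocol", "protocol_id",
        "length", "src_ip", "dst_ip"]
TCP = ["src_port", "dst_port", "data_length", "tcp_flags", "seq", "ack",
       "window", "urg", "tcp_options"]
UDP = ["src_port", "dst_port", "data_length"]
# For ICMP the tail depends on the icmp-type value that precedes it.
ICMP = {
    "request": ["icmp_id", "icmp_seq"], "reply": ["icmp_id", "icmp_seq"],
    "unreachproto": ["icmp_dst_ip", "icmp_proto_id"],
    "unreachport": ["icmp_dst_ip", "icmp_proto", "icmp_port"],
    "needfrag": ["icmp_dst_ip", "icmp_mtu"],
}


def _take(fields, names, out):
    """Move the next len(names) CSV fields into out under the given names."""
    if len(fields) < len(names):
        raise ValueError("truncated record, missing %s" % names[len(fields):])
    for name in names:
        out[name] = fields.pop(0)


def parse_filterlog(line):
    """Return a dict of named string fields for one filterlog syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a filterlog line: %r" % line)
    out = {k: m.group(k) for k in ("date", "sensor", "event_type")}
    fields = m.group("body").split(",")
    _take(fields, COMMON, out)
    if out["ip_version"] == "4":
        _take(fields, IPV4, out)
    elif out["ip_version"] == "6":
        _take(fields, IPV6, out)
    else:
        raise ValueError("unknown ip-version %r" % out["ip_version"])
    proto = out["protocol"].lower()
    if proto == "tcp":
        _take(fields, TCP, out)
    elif proto == "udp":
        _take(fields, UDP, out)
    elif proto == "icmp":
        _take(fields, ["icmp_type"], out)
        _take(fields, ICMP.get(out["icmp_type"], []), out)
    # Anything left (ICMP description text, other protocols) is kept verbatim.
    if fields:
        out["extra"] = ",".join(fields)
    return out


def ossim_fields(rec):
    """Reduce a parsed record to the keys the plugin config in this thread uses."""
    keys = ("date", "sensor", "interface", "action", "direction",
            "protocol", "src_ip", "dst_ip")
    picked = {k: rec[k] for k in keys}
    # ICMP and other port-less protocols carry no port fields.
    picked["src_port"] = rec.get("src_port", "")
    picked["dst_port"] = rec.get("dst_port", "")
    return picked


# Constructed sample input: the first line is the one posted in this thread;
# the TCP and IPv6/UDP lines are made up here to exercise the other branches.
SAMPLES = [
    "Sep 2 15:43:43 192.168.1.9 filterlog: 9,16777216,,1000000103,pppoe2,match,block,in,"
    "4,0x78,,44,47494,0,none,1,icmp,71,185.26.144.209,81.154.203.123,"
    "unreachport,185.26.144.209,UDP,1004951",
    "Sep 2 15:44:01 192.168.1.9 filterlog: 5,16777216,,1000000105,em0,match,pass,out,"
    "4,0x0,,64,30331,0,DF,6,tcp,60,192.168.1.50,93.184.216.34,"
    "52344,443,0,S,1984758191,,65535,,mss;nop;wscale;sackOK;TS",
    "Sep 2 15:44:05 192.168.1.9 filterlog: 7,16777216,,1000000107,em0,match,block,in,"
    "6,0x00,0x00000,255,udp,17,58,fe80::1,ff02::1,546,547,58",
]

if __name__ == "__main__":
    for line in SAMPLES:
        rec = parse_filterlog(line)
        print("%(action)s %(direction)s on %(interface)s: %(protocol)s "
              "%(src_ip)s -> %(dst_ip)s" % rec)
        print("   ", ossim_fields(rec))
```

An OSSIM plugin rule takes a single regexp, so the per-protocol branching above cannot be pasted into the config as-is; the practical shape is one rule per protocol (TCP, UDP, ICMP) that pins the fixed prefix and the IPv4 header up to the destination address, with the ICMP rule carrying no port groups. Two checks worth keeping in mind when writing those rules: IPv6 entries (ip-version 6) use a different header order, so an IPv4-only regex will simply not match them rather than mislabel them, and the ICMP tail for `unreachport` carries a second destination address and a protocol name, which an over-eager `(?P<dst_port>\d+)` group can mistake for a port.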
-
(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<sensor>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?P<event_type>\s+\w{9}):\s+\d{1}[,]\w{8}[,],,[,]

I've worked out a bit more, as above.
I'm not sure about what $actions are correct, so for now I have just given them my own names until I know what to replace them with…

#rule={$rule}
#action={$action}
#direction={$direction}
-
This lists and explains all the fields:
https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2
-
I tried to get this working and failed. Has anyone else managed to create a regex that works?
-
AlienVault has now released a pfSense plugin.
Check out https://github.com/decay/alienvault-pfsense