PfSense Regex Help for AlienVault OSSIM



  • Unless anyone has a plugin already written for PfSense 2.X.X, I'm trying to do my own. I'm not the best person and I am learning as I go, but I do want my logs to show in the OSSIM console. I don't want to reinvent the wheel, but if there is no wheel, here is what I am asking for help with….
    Am I barking up the wrong tree???

    Below is a line of output from the PfSense logs being sent to OSSIM.
    I'm trying to write a plugin for OSSIM to parse PfSense logs.
    I've got the following regex that covers up to where it says filterlog, but I need help identifying what the other bits are.

    (?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<sensor>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?P<event_type>\s+\w{9}):\s+
    

    I'm trying to work out what the

    9,16777216,,1000000103
    

    section is from, and what the

    4,0x78,,44,47494,0,none,1

    is from

    Sep  2 15:43:43 192.168.1.9 filterlog: 9,16777216,,1000000103,pppoe2,match,block,in,4,0x78,,44,47494,0,none,1,icmp,71,185.26.144.209,81.154.203.123,unreachport,185.26.144.209,UDP,1004951
    

    event_type=event
    date={normalize_date($date)}
    sensor={resolv($sensor)}
    device={resolv($sensor)}
    src_ip={$src_ip}
    src_port={$src_port}
    dst_ip={$dst_ip}
    dst_port={$dst_port}
    plugin_sid={translate($action)}
    #protocol={$protocol}
    interface={$interface}

    Anyone able to help me write this regex for the OSSIM plugin?



  • (?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<sensor>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?P<event_type>\s+\w{9}):\s+\d{1}[,]\w{8}[,],,[,]

    I've worked out a bit more, as above.

    I'm not sure about what $actions are correct, so for now I have just given them my own name until I know what to replace them with…

    #rule={$rule}
    #action={$action}
    #direction={$direction}
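An added example, not from the thread, pfSense or AlienVault, that splits the sample line above by the pfSense 2.2+ filterlog field order (the format the quoted line follows, since the tracker field is present). In that order, `9,16777216,,1000000103` is rule number, sub-rule number, anchor and tracker id, and `4,0x78,,44,47494,0,none,1` is IP version, TOS, ECN, TTL, IP id, fragment offset, IP flags and protocol number; the UDP line is a constructed sample, and the field names are my own choice to line up with the plugin variables in the posts.

```python
import re

# Sample lines: the first is the line quoted in the thread, the second is constructed.
SAMPLE_ICMP = ("Sep  2 15:43:43 192.168.1.9 filterlog: 9,16777216,,1000000103,pppoe2,match,"
               "block,in,4,0x78,,44,47494,0,none,1,icmp,71,185.26.144.209,81.154.203.123,"
               "unreachport,185.26.144.209,UDP,1004951")
SAMPLE_UDP = ("Sep  2 15:44:01 192.168.1.9 filterlog: 5,,,1000000105,em0,match,pass,out,"
              "4,0x0,,64,0,0,DF,17,udp,60,192.168.1.20,8.8.8.8,51234,53,40")

# Syslog header (same groups as the regex in the thread); the rest is the filterlog CSV.
HEADER = re.compile(r"(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+"
                    r"(?P<sensor>\d{1,3}(?:\.\d{1,3}){3})\s+filterlog:\s+(?P<csv>.*)$")

# Field order of pfSense 2.2+ filterlog; names here are assumed, chosen to match the plugin.
COMMON = ["rule", "subrule", "anchor", "tracker", "interface", "reason",
          "action", "direction", "ip_version"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protocol_id", "protocol"]
IPV6 = ["class", "flow_label", "hop_limit", "protocol", "protocol_id"]
ADDR = ["length", "src_ip", "dst_ip"]
TCP = ["src_port", "dst_port", "data_length", "tcp_flags", "seq", "ack",
       "window", "urg", "tcp_options"]
UDP = ["src_port", "dst_port", "data_length"]


def parse_filterlog(line):
    """Return a dict of named fields for one pfSense filterlog syslog line."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a pfSense filterlog line")
    fields = m.group("csv").split(",")
    ev = {"date": m.group("date"), "sensor": m.group("sensor")}
    names = list(COMMON)
    names += IPV4 if fields[8] == "4" else IPV6   # fields[8] is ip_version
    names += ADDR
    ev.update(zip(names, fields))
    rest = fields[len(names):]                     # protocol-specific tail
    proto = ev["protocol"].lower()
    if proto == "tcp":
        ev.update(zip(TCP, rest))
    elif proto == "udp":
        ev.update(zip(UDP, rest))
    elif proto == "icmp":
        ev["icmp_type"] = rest[0]
        # "unreachport" carries the original destination ip, protocol and port
        if rest[0] == "unreachport" and len(rest) >= 4:
            ev["icmp_dst_ip"], ev["icmp_proto"], ev["icmp_port"] = rest[1:4]
    return ev
```

Running `parse_filterlog(SAMPLE_ICMP)` yields `interface=pppoe2`, `action=block`, `direction=in`, `src_ip=185.26.144.209` and `dst_ip=81.154.203.123`, which are the values the plugin's `src_ip`, `dst_ip`, `interface` and `action` variables would carry.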





  • I tried to get this working and failed. Anyone else managed to create a regex that works?



  • AlienVault has now released a pfSense plugin.

    Check out https://github.com/decay/alienvault-pfsense

