Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2015-11-18 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Help Wanted: Please help test our experimental PFSense Client

Published: 2015-11-18
Last Updated: 2015-11-18 18:41:43 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

We do have a *very* experimental client script to submit logs from PFSense firewalls. Supporting these popular and capable open source firewalls is somewhat challenging. First of all, PFSense is based on BSD, not Linux like most other open source firewall distributions. As a result, our standard Linux clients will not work. The BSD packet filter code uses a different log format. To make things more interesting, PFSense uses a round-robbing log file. Log lines are continuously removed and added to just keep the last 'x' lines. 

I managed to put together a quick test. Feedback would be very helpful while I am learning how to turn this into a proper PFSense package.

Since there is no simple package to install right now, you need to install and configure the script manually. The script is written in PHP and heavily leverages existing PHP libraries that are included in PFSesnse.

The script sends logs to DShield via e-mail. You need to have "Notifications" configured. The script will just use the e-mail server settings from your notification configuration.

Please see: 

https://isc.sans.edu/clients/dshieldpfsense.txt

for the script. Additional instructions are included at the top. Please check back regularly for updates.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
6 comment(s)
ISC StormCast for Wednesday, November 18th 2015 http://isc.sans.edu/podcastdetail.html?id=4751
Diary Archives