SANS ISC: Help Wanted: Please help test our experimental PFSense Client - Internet Security | DShield SANS ISC InfoSec Forums
Help Wanted: Please help test our experimental PFSense Client

We do have a *very* experimental client script to submit logs from PFSense firewalls. Supporting these popular and capable open source firewalls is somewhat challenging. First of all, PFSense is based on BSD, not Linux like most other open source firewall distributions. As a result, our standard Linux clients will not work. The BSD packet filter code uses a different log format. To make things more interesting, PFSense uses a round-robin log file. Log lines are continuously removed and added to just keep the last 'x' lines.

I managed to put together a quick test. Feedback would be very helpful while I am learning how to turn this into a proper PFSense package.

Since there is no simple package to install right now, you need to install and configure the script manually. The script is written in PHP and heavily leverages existing PHP libraries that are included in PFSense.

The script sends logs to DShield via e-mail. You need to have "Notifications" configured. The script will just use the e-mail server settings from your notification configuration.

Please see: 

https://isc.sans.edu/clients/dshieldpfsense.txt

for the script. Additional instructions are included at the top. Please check back regularly for updates.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Defending Web Applications Security Essentials - SANS Munich July 2019

Johannes

3535 Posts
ISC Handler
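As an added example, not the ISC script and not pfSense's own log helpers, here is a Python sketch of the two problems the post describes: parsing the CSV records that pfSense's filterlog writes (the field layout is assumed from the pfSense 2.2+ filterlog documentation) and coping with the round-robin log by remembering the last line already submitted. The sample lines, addresses and rule ids are constructed.

```python
import re

# Constructed sample lines in the syslog form pfSense 2.2+ writes. The CSV field layout
# is assumed from the pfSense filterlog documentation; addresses and rule ids are made up.
SAMPLE_LOG = """\
Apr 12 21:00:00 pfsense filterlog: 5,16777216,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,51234,22,0,S,1234567890,,29200,,mss
Apr 12 21:00:01 pfsense filterlog: 5,16777216,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,none,17,udp,58,203.0.113.9,198.51.100.2,40000,53,38
Apr 12 21:00:02 pfsense filterlog: 9,16777216,,1000000110,igb0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.2,192.0.2.10,44444,443,0,S,987654321,,65535,,mss
"""

SYSLOG_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ filterlog(?:\[\d+\])?: (.*)$')

def parse_filterlog_line(line):
    """Parse one pfSense filterlog syslog line into a dict; None for anything malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, f = m.group(1), m.group(2).split(',')
    # Common prefix: rule,sub-rule,anchor,tracker,iface,reason,action,direction,ip-version
    if len(f) >= 20 and f[8] == '4':   # then tos,ecn,ttl,id,offset,flags,proto-id,proto,len,src,dst
        proto, src, dst, rest = f[16], f[18], f[19], f[20:]
    elif len(f) >= 17 and f[8] == '6': # then class,flow,hlim,proto,proto-id,len,src,dst
        proto, src, dst, rest = f[12], f[15], f[16], f[17:]
    else:
        return None
    ev = {'ts': ts, 'action': f[6], 'dir': f[7], 'proto': proto, 'src': src, 'dst': dst,
          'sport': None, 'dport': None, 'flags': ''}
    if proto in ('tcp', 'udp') and len(rest) >= 2 and rest[0].isdigit() and rest[1].isdigit():
        ev['sport'], ev['dport'] = int(rest[0]), int(rest[1])
        if proto == 'tcp' and len(rest) >= 4:
            ev['flags'] = rest[3]      # TCP flags, e.g. "S" for a SYN
    return ev

def new_lines_since(lines, last_sent):
    """Round-robin log: only lines after the one submitted last time are new.
    If that marker has already been pushed out of the buffer, everything is new."""
    if last_sent is not None:
        for i in range(len(lines) - 1, -1, -1):
            if lines[i] == last_sent:
                return lines[i + 1:]
    return list(lines)

def blocked_events(log_text, last_sent=None):
    """Return (new 'block' events, marker line to remember for the next run)."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    events = [e for e in map(parse_filterlog_line, new_lines_since(lines, last_sent))
              if e is not None and e['action'] == 'block']
    return events, (lines[-1] if lines else last_sent)
```

Persist the returned marker between runs; on the next run pass it back in so that lines already submitted are skipped even though the log file keeps the same name and size.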
I personally don't use pfSense (anymore), but I now use OPNSense. I'd like to compare this to what could be done there. I haven't done much plugin stuff for OPNSense (yet) but I understand it as simply dealing with PKG files, instead of a custom method of implementation.

Correct me if I'm wrong; thanks for this, as always!
c0psrul3

1 Posts
[2.2.4-RELEASE][admin@pfsense.parallel42.ca]/var: ./dshieldpfsense.php

Parse error: syntax error, unexpected 'positives' (T_STRING) in /var/dshieldpfsense.php on line 67


*** FIXED - bad line wrap when pasted ***
Chavez243

15 Posts
Been using the script since it was released :-) pfSense 2.3 was released and now the script errors out

PHP Errors:
[12-Apr-2016 21:00:00 America/New_York] PHP Fatal error: Call to undefined function parse_filter_line() in /usr/local/pkg/DShield/dshieldpfsense.php on line 63
f34rinc

2 Posts
I just upgraded. Let me take a look tomorrow. I guess they changed the internal PHP libraries.
Johannes

3535 Posts
ISC Handler
I just released an updated client that will work for 2.2 and 2.3
isc.sans.edu/clients/…

If you'd rather adjust it yourself: replace "parse_filter_line" with "parse_firewall_log_line" (should be line 63-65 ... exact location may depend on you changing the lines at the top)
Johannes

3535 Posts
ISC Handler
New changes work :-) thank you for all your work
f34rinc

2 Posts