Technology Add-on for pfsense

Original Author: Barakat A. B. Abweh Updated by: W. Scott Howard

Version:

Supported products:

Supported CIM Version:

Supported CIM Datamodels:

Sourcetypes:

Add-on contains:

Input requirements:

This release requires pfsense to send data in syslog format
Adjust pfsense sed replacements to remove duplicate timestamps / or set no_appending_timestamp = true in inputs.conf for udp input

Using this Technology Add-on

The add-on has to be installed on both indexers & Search Heads
If data is collected through Intermediate Heavy Forwarders, it has to be installed on Heavy Forwarders, otherwise on indexers
The add-on expects an initial sourcetype named pfsense, the sourcetype will be transformed into more specific ones (see sourcetype list)
A sample inputs.conf is provided (default/inputs.conf.sample)
Another way to ingest the logs is to send them to a syslog server and then send them using the universal forwarder with the sourcetype pfsense

Since IDS/IPS action is not found in snort's logs and also the action can be modified manually, I added a new lookup file to use for action based on the SID. So please make sure to update the lookup file based on your ruleset action
- sid,interface_name,interface_description,action
- xxx,lan(re0),lan,alert

Log in to your firewall
Go to Services->snort->interface and configure the IDS/IPS to work in inline mode
Go to Services->snort->interface->interface_rules and modify the rules action based on your needs
After that update the lookup file to match the sid,action pairs and the lookup will automatically work