elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[pfSense] SNORT log processing #10558

Open Maurice-De opened 2 months ago

Maurice-De commented 2 months ago

Hi, currently in the PFSense integration everything that is not recognized by the pipeline is being dropped. So I am missing quite a few logs. Now I am new to these integrations and don't know how to properly request such changes. In my testing environment I made changes to get the SNORT messages processed. I think the following changes are needed to start accepting/parsing basic SNORT messages. Maybe someone can take a look at this and test/merge these changes to the pfsense integration?

https://github.com/elastic/integrations/blob/main/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/default.yml between line 88 and 89 add:

  - pipeline:
      name: '{{ IngestPipeline "snort" }}'
      if: ctx.event.provider == 'snort'

change line 90: if: '!["filterlog", "openvpn", "charon", "dhcpd", "dhclient", "dhcp6c", "unbound", "haproxy", "php-fpm", "squid", "snort"].contains(ctx.event?.provider)'

add a new file called "snort.yaml" in location: https://github.com/elastic/integrations/tree/main/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline

---
description: Pipeline for PFsense SNORT logs.
processors:
  - grok:
      field: message
      patterns:
        - '\[%{NUMBER:generator_id}:%{NUMBER:signature_id}:%{NUMBER:signature_revision}\] \(%{DATA:preprocessor}\) %{GREEDYDATA:alert_message} \[Classification: %{DATA:classification}\] \[Priority: %{NUMBER:priority:int}\] \{%{WORD:protocol}\} %{IP:src_ip}:%{NUMBER:src_port:int} -> %{IP:dst_ip}:%{NUMBER:dst_port:int}'
on_failure:
  - set:
      field: error.message
      value: '{{{ _ingest.on_failure_message }}}'

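To check what the proposed grok pattern will and will not extract before shipping it to the pipeline, here is an added stand-alone Python equivalent (example code, not part of the issue or the integration). It mirrors the pattern with a regex, applies the `:int` conversions, and mimics the `on_failure` handler by setting `error.message` on a miss; the sample lines and the error wording are constructed assumptions, and the non-matching sample only lacks the `(preprocessor)` segment the pattern requires.

```python
import re
from typing import Any, Dict

# Regex equivalent of the grok pattern in the proposed snort.yaml. Grok's NUMBER,
# WORD, DATA, GREEDYDATA and IP are approximated with plain regex classes.
SNORT_ALERT_RE = re.compile(
    r"\[(?P<generator_id>\d+):(?P<signature_id>\d+):(?P<signature_revision>\d+)\] "
    r"\((?P<preprocessor>.*?)\) (?P<alert_message>.*) "
    r"\[Classification: (?P<classification>.*?)\] "
    r"\[Priority: (?P<priority>\d+)\] "
    r"\{(?P<protocol>\w+)\} "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d+)\s*$"
)

# Fields the grok pattern declares with ":int".
INT_FIELDS = {"priority", "src_port", "dst_port"}


def process_snort_message(message: str) -> Dict[str, Any]:
    """Mimic the grok processor plus its on_failure handler for one message.

    On a match, return the named captures (":int" fields converted to int);
    on a miss, mimic on_failure by setting error.message (the wording here is
    constructed, not Elasticsearch's exact text) so the event is kept, not dropped.
    """
    match = SNORT_ALERT_RE.match(message)
    if match is None:
        return {"message": message,
                "error.message": "grok pattern did not match: " + message}
    doc: Dict[str, Any] = {"message": message}
    for name, value in match.groupdict().items():
        doc[name] = int(value) if name in INT_FIELDS else value
    return doc


# Constructed sample lines (not captured from a real pfSense host).
MATCHING_LINE = ("[1:2100498:7] (snort_decoder) GPL ATTACK_RESPONSE id check returned root "
                 "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
                 "203.0.113.5:80 -> 192.0.2.10:51234")
# Same alert without the "(preprocessor)" segment: the posted pattern requires it,
# so this line ends up with error.message instead of parsed fields.
NON_MATCHING_LINE = ("[1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
                     "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
                     "203.0.113.5:80 -> 192.0.2.10:51234")

if __name__ == "__main__":
    for line in (MATCHING_LINE, NON_MATCHING_LINE):
        print(process_snort_message(line))
```

Feeding your own pfSense Snort lines through this before enabling the pipeline shows which alert shapes would land in `error.message` rather than being parsed.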
elasticmachine commented 2 months ago

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

Lexinga commented 1 week ago