Help Wanted: Please help test our experimental PFSense Client
We do have a *very* experimental client script to submit logs from PFSense firewalls. Supporting these popular and capable open source firewalls is somewhat challenging. First of all, PFSense is based on BSD, not Linux like most other open source firewall distributions. As a result, our standard Linux clients will not work. The BSD packet filter code uses a different log format. To make things more interesting, PFSense uses a round-robbing log file. Log lines are continuously removed and added to just keep the last 'x' lines.
I managed to put together a quick test. Feedback would be very helpful while I am learning how to turn this into a proper PFSense package.
Since there is no simple package to install right now, you need to install and configure the script manually. The script is written in PHP and heavily leverages existing PHP libraries that are included in PFSesnse.
The script sends logs to DShield via e-mail. You need to have "Notifications" configured. The script will just use the e-mail server settings from your notification configuration.
Please see:
https://isc.sans.edu/clients/dshieldpfsense.txt
for the script. Additional instructions are included at the top. Please check back regularly for updates.
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
Correct me if i'm wrong; Thanks for this, as always!
Anonymous
Nov 19th 2015
9 years ago
Parse error: syntax error, unexpected 'positives' (T_STRING) in /var/dshieldpfsense.php on line 67
*** FIXED - bad line wrap when pasted ***
Anonymous
Dec 11th 2015
9 years ago
PHP Errors:
[12-Apr-2016 21:00:00 America/New_York] PHP Fatal error: Call to undefined function parse_filter_line() in /usr/local/pkg/DShield/dshieldpfsense.php on line 63
Anonymous
Apr 13th 2016
8 years ago
Anonymous
Apr 13th 2016
8 years ago
https://isc.sans.edu/clients/dshieldpfsense.txt
if you rather adjust it yourself: replace "parse_filter_line" with "parse_firewall_log_line" (should be line 63-65 ... exact location may depend on you changing the lines at the top)
Anonymous
Apr 13th 2016
8 years ago
Anonymous
Apr 14th 2016
8 years ago