pfSense
Overview
pfSense is a firewall software distribution based on FreeBSD.
This intake ingest filterlog from pfSense.
Related Built-in Rules
The following Sekoia.io built-in rules match the intake OpenBSD Packet Filter. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
SEKOIA.IO x OpenBSD Packet Filter on ATT&CK Navigator
SEKOIA.IO Intelligence Feed
Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
Network protocol analysis |
Packet Filter analyzes passing network packet. |
In details, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | event |
| Category | network |
| Type | connection |
Event Samples
Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "183,,,41cbdd1cea144179a26efd069e1ee54f,vtnet.9,match,block,out,4,0x0,,63,18292,0,DF,112,vrrp,72,1.2.3.4,5.6.7.8,3,255,13,2,0,1",
"event": {
"action": "block",
"category": [
"network"
],
"kind": "event",
"reason": "match",
"type": [
"denied"
]
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8"
},
"network": {
"bytes": 72,
"direction": "outbound",
"iana_number": "112",
"transport": "vrrp"
},
"observer": {
"egress": {
"interface": {
"name": "vtnet.9"
}
}
},
"openbsd": {
"pf": {
"carp": {
"advbase": "1",
"advskew": "0",
"type": 3,
"version": "2",
"vhid": "13"
},
"event": {
"tracker": {
"id": "41cbdd1cea144179a26efd069e1ee54f"
}
},
"routing": {
"class": "0x0",
"flags": "DF",
"hoplimit": 255,
"offset": 0
}
}
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"id": "183"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "70,,,6524e587872444838f901ac45cbf807c,vtnet1,match,pass,in,4,0x0,,19,36147,0,none,1,icmp,128,1.2.3.4,5.6.7.8,datalength=108",
"event": {
"action": "pass",
"category": [
"network"
],
"kind": "event",
"reason": "match",
"type": [
"allowed"
]
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8"
},
"network": {
"bytes": 128,
"direction": "inbound",
"iana_number": "1",
"transport": "icmp"
},
"observer": {
"ingress": {
"interface": {
"name": "vtnet1"
}
}
},
"openbsd": {
"pf": {
"event": {
"tracker": {
"id": "6524e587872444838f901ac45cbf807c"
}
},
"icmp": {
"datalength": 108
},
"routing": {
"class": "0x0",
"flags": "none",
"hoplimit": 19,
"offset": 0
}
}
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"id": "70"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "341,,,138b9664ed0d438b9fa1a14116606d50,vtnet9,match,pass,in,4,0x0,,63,26567,0,DF,6,tcp,60,1.2.3.4,5.6.7.8,40234,10050,0,S,3917296601:3917296620,,64240,,mss",
"event": {
"action": "pass",
"category": [
"network"
],
"kind": "event",
"reason": "match",
"type": [
"allowed"
]
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"port": 10050
},
"network": {
"bytes": 60,
"direction": "inbound",
"iana_number": "6",
"transport": "tcp"
},
"observer": {
"ingress": {
"interface": {
"name": "vtnet9"
}
}
},
"openbsd": {
"pf": {
"event": {
"tracker": {
"id": "138b9664ed0d438b9fa1a14116606d50"
}
},
"routing": {
"class": "0x0",
"flags": "DF",
"hoplimit": 63,
"offset": 0
},
"transport": {
"bytes": 0,
"seq_number": "3917296601:3917296620",
"tcp_flags": "S",
"window_size": 64240
}
}
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"id": "341"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 40234
}
}
{
"message": "183,,,41cbdd1cea144179a26efd069e1ee54f,vtnet9,match,pass,in,4,0x0,,63,18292,0,DF,17,udp,72,1.2.3.4,5.6.7.8,18448,53,52",
"event": {
"action": "pass",
"category": [
"network"
],
"kind": "event",
"reason": "match",
"type": [
"allowed"
]
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"port": 53
},
"network": {
"bytes": 72,
"direction": "inbound",
"iana_number": "17",
"transport": "udp"
},
"observer": {
"ingress": {
"interface": {
"name": "vtnet9"
}
}
},
"openbsd": {
"pf": {
"event": {
"tracker": {
"id": "41cbdd1cea144179a26efd069e1ee54f"
}
},
"routing": {
"class": "0x0",
"flags": "DF",
"hoplimit": 63,
"offset": 0
},
"transport": {
"bytes": 52
}
}
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"id": "183"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 18448
}
}
{
"message": "123,001,anchor1,label2,eth0,match,pass,in,6,,123,64,12345,0,DF,vrrp,6,80,2001:0db8:85a3:0000:0000:8a2e:0370:7334,2001:0db8:85a3:0000:0000:ac1f:0001:0023,3,64,1,2,3,4",
"event": {
"action": "pass",
"category": [
"network"
],
"kind": "event",
"reason": "match",
"type": [
"allowed"
]
},
"destination": {
"address": "2001:db8:85a3::ac1f:1:23",
"ip": "2001:db8:85a3::ac1f:1:23"
},
"network": {
"bytes": 80,
"direction": "inbound",
"iana_number": "6",
"transport": "vrrp"
},
"observer": {
"ingress": {
"interface": {
"name": "eth0"
}
}
},
"openbsd": {
"pf": {
"carp": {
"advbase": "4",
"advskew": "3",
"type": 3,
"version": "2",
"vhid": "1"
},
"event": {
"tracker": {
"id": "label2"
}
},
"routing": {
"flow": "123",
"hoplimit": 64
},
"rule": {
"subrulenr": "001"
}
}
},
"related": {
"ip": [
"2001:db8:85a3::8a2e:370:7334",
"2001:db8:85a3::ac1f:1:23"
]
},
"rule": {
"id": "123",
"ruleset": "anchor1"
},
"source": {
"address": "2001:db8:85a3::8a2e:370:7334",
"ip": "2001:db8:85a3::8a2e:370:7334"
}
}
{
"message": "123,001,anchor1,label2,eth0,match,pass,in,6,,1234,64,tcp,6,60,2001:0db8:85a3:0000:0000:8a2e:0370:7334,2001:0db8:85a3:0000:0000:ac1f:0001:0023,12345,80,20,AP,1234,5678,8192,0,MMS=1460 NOP WS=256 SACK_PERM=1",
"event": {
"action": "pass",
"category": [
"network"
],
"kind": "event",
"reason": "match",
"type": [
"allowed"
]
},
"destination": {
"address": "2001:db8:85a3::ac1f:1:23",
"ip": "2001:db8:85a3::ac1f:1:23",
"port": 80
},
"network": {
"bytes": 60,
"direction": "inbound",
"iana_number": "6",
"transport": "tcp"
},
"observer": {
"ingress": {
"interface": {
"name": "eth0"
}
}
},
"openbsd": {
"pf": {
"event": {
"tracker": {
"id": "label2"
}
},
"routing": {
"flow": "1234",
"hoplimit": 64
},
"rule": {
"subrulenr": "001"
},
"transport": {
"ack": "5678",
"bytes": 20,
"seq_number": "1234",
"tcp_flags": "AP",
"urgency": "0",
"window_size": 8192
}
}
},
"related": {
"ip": [
"2001:db8:85a3::8a2e:370:7334",
"2001:db8:85a3::ac1f:1:23"
]
},
"rule": {
"id": "123",
"ruleset": "anchor1"
},
"source": {
"address": "2001:db8:85a3::8a2e:370:7334",
"ip": "2001:db8:85a3::8a2e:370:7334",
"port": 12345
}
}
{
"message": "123,001,anchor1,label2,eth0,match,pass,in,6,,1234,64,udp,17,1024,2001:0db8:85a3:0000:0000:8a2e:0370:7334,2001:0db8:85a3:0000:0000:ac1f:0001:0023,12345,80,1024",
"event": {
"action": "pass",
"category": [
"network"
],
"kind": "event",
"reason": "match",
"type": [
"allowed"
]
},
"destination": {
"address": "2001:db8:85a3::ac1f:1:23",
"ip": "2001:db8:85a3::ac1f:1:23",
"port": 80
},
"network": {
"bytes": 1024,
"direction": "inbound",
"iana_number": "17",
"transport": "udp"
},
"observer": {
"ingress": {
"interface": {
"name": "eth0"
}
}
},
"openbsd": {
"pf": {
"event": {
"tracker": {
"id": "label2"
}
},
"routing": {
"flow": "1234",
"hoplimit": 64
},
"rule": {
"subrulenr": "001"
},
"transport": {
"bytes": 1024
}
}
},
"related": {
"ip": [
"2001:db8:85a3::8a2e:370:7334",
"2001:db8:85a3::ac1f:1:23"
]
},
"rule": {
"id": "123",
"ruleset": "anchor1"
},
"source": {
"address": "2001:db8:85a3::8a2e:370:7334",
"ip": "2001:db8:85a3::8a2e:370:7334",
"port": 12345
}
}
{
"message": "183,,,41cbdd1cea144179a26efd069e1ee54f,vtnet9,match,pass,in,4,0x0,,63,18292,0,DF,17,udp,72,1.2.3.4,5.6.7.8,18448,53,52",
"event": {
"action": "pass",
"category": [
"network"
],
"kind": "event",
"reason": "match",
"type": [
"allowed"
]
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"port": 53
},
"network": {
"bytes": 72,
"direction": "inbound",
"iana_number": "17",
"transport": "udp"
},
"observer": {
"ingress": {
"interface": {
"name": "vtnet9"
}
}
},
"openbsd": {
"pf": {
"event": {
"tracker": {
"id": "41cbdd1cea144179a26efd069e1ee54f"
}
},
"routing": {
"class": "0x0",
"flags": "DF",
"hoplimit": 63,
"offset": 0
},
"transport": {
"bytes": 52
}
}
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"id": "183"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 18448
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
destination.ip |
ip |
IP address of the destination. |
destination.port |
long |
Port of the destination. |
event.action |
keyword |
The action captured by the event. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.kind |
keyword |
The kind of the event. The highest categorization field in the hierarchy. |
event.reason |
keyword |
Reason why this event happened, according to the source |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
network.bytes |
long |
Total bytes transferred in both directions. |
network.direction |
keyword |
Direction of the network traffic. |
network.iana_number |
keyword |
IANA Protocol Number. |
network.transport |
keyword |
Protocol Name corresponding to the field iana_number. |
observer.egress.interface.name |
keyword |
Interface name |
observer.ingress.interface.name |
keyword |
Interface name |
openbsd.pf.carp.advbase |
keyword |
|
openbsd.pf.carp.advskew |
keyword |
|
openbsd.pf.carp.type |
number |
|
openbsd.pf.carp.version |
keyword |
|
openbsd.pf.carp.vhid |
keyword |
The identifier of the virtual host that the appliance belong to in the CARP virtual group |
openbsd.pf.event.tracker.id |
tracker |
tracker ID |
openbsd.pf.icmp.datalength |
long |
the length of the content of the ICMP packet |
openbsd.pf.routing.class |
keyword |
|
openbsd.pf.routing.flags |
keyword |
|
openbsd.pf.routing.flow |
keyword |
|
openbsd.pf.routing.hoplimit |
number |
|
openbsd.pf.routing.offset |
number |
|
openbsd.pf.rule.subrulenr |
integer |
number of the subrule |
openbsd.pf.transport.ack |
keyword |
|
openbsd.pf.transport.bytes |
number |
|
openbsd.pf.transport.classification |
keyword |
|
openbsd.pf.transport.options |
keyword |
|
openbsd.pf.transport.seq_number |
keyword |
|
openbsd.pf.transport.tcp_flags |
keyword |
|
openbsd.pf.transport.urgency |
keyword |
|
openbsd.pf.transport.window_size |
number |
|
rule.id |
keyword |
Rule ID |
rule.ruleset |
keyword |
Rule ruleset |
source.ip |
ip |
IP address of the source. |
source.port |
long |
Port of the source. |
Configure
This setup guide will show you how to forward your Firewall logs to Sekoia.io by means of a syslog transport channel.
Prerequisites
- Have an internal log concentrator
Enable Syslog forwarding
-
Follow the official guide to enable syslog forwarding from your pfSense firewall to the internal log concentrator.
-
Define your log concentrator as a remote syslog server and select
Firewall Eventsas the remote syslog content. -
Save your changes.
Create the intake
Go to the intake page and create a new intake from the format OpenBSD Packet Filter.
Forward logs to Sekoia.io
Please consult the Syslog Forwarding documentation to forward these logs to Sekoia.io.