Skip to content

pfSense

Overview

pfSense is a firewall software distribution based on FreeBSD.

This intake ingest filterlog from pfSense.

The following Sekoia.io built-in rules match the intake OpenBSD Packet Filter. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.

SEKOIA.IO x OpenBSD Packet Filter on ATT&CK Navigator

SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

  • Effort: elementary

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Network protocol analysis Packet Filter analyzes passing network packet.

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind event
Category network
Type connection

Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.

{
    "message": "183,,,41cbdd1cea144179a26efd069e1ee54f,vtnet.9,match,block,out,4,0x0,,63,18292,0,DF,112,vrrp,72,1.2.3.4,5.6.7.8,3,255,13,2,0,1",
    "event": {
        "action": "block",
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "match",
        "type": [
            "denied"
        ]
    },
    "destination": {
        "address": "5.6.7.8",
        "ip": "5.6.7.8"
    },
    "network": {
        "bytes": 72,
        "direction": "outbound",
        "iana_number": "112",
        "transport": "vrrp"
    },
    "observer": {
        "egress": {
            "interface": {
                "name": "vtnet.9"
            }
        }
    },
    "openbsd": {
        "pf": {
            "carp": {
                "advbase": "1",
                "advskew": "0",
                "type": 3,
                "version": "2",
                "vhid": "13"
            },
            "event": {
                "tracker": {
                    "id": "41cbdd1cea144179a26efd069e1ee54f"
                }
            },
            "routing": {
                "class": "0x0",
                "flags": "DF",
                "hoplimit": 255,
                "offset": 0
            }
        }
    },
    "related": {
        "ip": [
            "1.2.3.4",
            "5.6.7.8"
        ]
    },
    "rule": {
        "id": "183"
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "70,,,6524e587872444838f901ac45cbf807c,vtnet1,match,pass,in,4,0x0,,19,36147,0,none,1,icmp,128,1.2.3.4,5.6.7.8,datalength=108",
    "event": {
        "action": "pass",
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "match",
        "type": [
            "allowed"
        ]
    },
    "destination": {
        "address": "5.6.7.8",
        "ip": "5.6.7.8"
    },
    "network": {
        "bytes": 128,
        "direction": "inbound",
        "iana_number": "1",
        "transport": "icmp"
    },
    "observer": {
        "ingress": {
            "interface": {
                "name": "vtnet1"
            }
        }
    },
    "openbsd": {
        "pf": {
            "event": {
                "tracker": {
                    "id": "6524e587872444838f901ac45cbf807c"
                }
            },
            "icmp": {
                "datalength": 108
            },
            "routing": {
                "class": "0x0",
                "flags": "none",
                "hoplimit": 19,
                "offset": 0
            }
        }
    },
    "related": {
        "ip": [
            "1.2.3.4",
            "5.6.7.8"
        ]
    },
    "rule": {
        "id": "70"
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "341,,,138b9664ed0d438b9fa1a14116606d50,vtnet9,match,pass,in,4,0x0,,63,26567,0,DF,6,tcp,60,1.2.3.4,5.6.7.8,40234,10050,0,S,3917296601:3917296620,,64240,,mss",
    "event": {
        "action": "pass",
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "match",
        "type": [
            "allowed"
        ]
    },
    "destination": {
        "address": "5.6.7.8",
        "ip": "5.6.7.8",
        "port": 10050
    },
    "network": {
        "bytes": 60,
        "direction": "inbound",
        "iana_number": "6",
        "transport": "tcp"
    },
    "observer": {
        "ingress": {
            "interface": {
                "name": "vtnet9"
            }
        }
    },
    "openbsd": {
        "pf": {
            "event": {
                "tracker": {
                    "id": "138b9664ed0d438b9fa1a14116606d50"
                }
            },
            "routing": {
                "class": "0x0",
                "flags": "DF",
                "hoplimit": 63,
                "offset": 0
            },
            "transport": {
                "bytes": 0,
                "seq_number": "3917296601:3917296620",
                "tcp_flags": "S",
                "window_size": 64240
            }
        }
    },
    "related": {
        "ip": [
            "1.2.3.4",
            "5.6.7.8"
        ]
    },
    "rule": {
        "id": "341"
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4",
        "port": 40234
    }
}
{
    "message": "183,,,41cbdd1cea144179a26efd069e1ee54f,vtnet9,match,pass,in,4,0x0,,63,18292,0,DF,17,udp,72,1.2.3.4,5.6.7.8,18448,53,52",
    "event": {
        "action": "pass",
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "match",
        "type": [
            "allowed"
        ]
    },
    "destination": {
        "address": "5.6.7.8",
        "ip": "5.6.7.8",
        "port": 53
    },
    "network": {
        "bytes": 72,
        "direction": "inbound",
        "iana_number": "17",
        "transport": "udp"
    },
    "observer": {
        "ingress": {
            "interface": {
                "name": "vtnet9"
            }
        }
    },
    "openbsd": {
        "pf": {
            "event": {
                "tracker": {
                    "id": "41cbdd1cea144179a26efd069e1ee54f"
                }
            },
            "routing": {
                "class": "0x0",
                "flags": "DF",
                "hoplimit": 63,
                "offset": 0
            },
            "transport": {
                "bytes": 52
            }
        }
    },
    "related": {
        "ip": [
            "1.2.3.4",
            "5.6.7.8"
        ]
    },
    "rule": {
        "id": "183"
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4",
        "port": 18448
    }
}
{
    "message": "123,001,anchor1,label2,eth0,match,pass,in,6,,123,64,12345,0,DF,vrrp,6,80,2001:0db8:85a3:0000:0000:8a2e:0370:7334,2001:0db8:85a3:0000:0000:ac1f:0001:0023,3,64,1,2,3,4",
    "event": {
        "action": "pass",
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "match",
        "type": [
            "allowed"
        ]
    },
    "destination": {
        "address": "2001:db8:85a3::ac1f:1:23",
        "ip": "2001:db8:85a3::ac1f:1:23"
    },
    "network": {
        "bytes": 80,
        "direction": "inbound",
        "iana_number": "6",
        "transport": "vrrp"
    },
    "observer": {
        "ingress": {
            "interface": {
                "name": "eth0"
            }
        }
    },
    "openbsd": {
        "pf": {
            "carp": {
                "advbase": "4",
                "advskew": "3",
                "type": 3,
                "version": "2",
                "vhid": "1"
            },
            "event": {
                "tracker": {
                    "id": "label2"
                }
            },
            "routing": {
                "flow": "123",
                "hoplimit": 64
            },
            "rule": {
                "subrulenr": "001"
            }
        }
    },
    "related": {
        "ip": [
            "2001:db8:85a3::8a2e:370:7334",
            "2001:db8:85a3::ac1f:1:23"
        ]
    },
    "rule": {
        "id": "123",
        "ruleset": "anchor1"
    },
    "source": {
        "address": "2001:db8:85a3::8a2e:370:7334",
        "ip": "2001:db8:85a3::8a2e:370:7334"
    }
}
{
    "message": "123,001,anchor1,label2,eth0,match,pass,in,6,,1234,64,tcp,6,60,2001:0db8:85a3:0000:0000:8a2e:0370:7334,2001:0db8:85a3:0000:0000:ac1f:0001:0023,12345,80,20,AP,1234,5678,8192,0,MMS=1460 NOP WS=256 SACK_PERM=1",
    "event": {
        "action": "pass",
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "match",
        "type": [
            "allowed"
        ]
    },
    "destination": {
        "address": "2001:db8:85a3::ac1f:1:23",
        "ip": "2001:db8:85a3::ac1f:1:23",
        "port": 80
    },
    "network": {
        "bytes": 60,
        "direction": "inbound",
        "iana_number": "6",
        "transport": "tcp"
    },
    "observer": {
        "ingress": {
            "interface": {
                "name": "eth0"
            }
        }
    },
    "openbsd": {
        "pf": {
            "event": {
                "tracker": {
                    "id": "label2"
                }
            },
            "routing": {
                "flow": "1234",
                "hoplimit": 64
            },
            "rule": {
                "subrulenr": "001"
            },
            "transport": {
                "ack": "5678",
                "bytes": 20,
                "seq_number": "1234",
                "tcp_flags": "AP",
                "urgency": "0",
                "window_size": 8192
            }
        }
    },
    "related": {
        "ip": [
            "2001:db8:85a3::8a2e:370:7334",
            "2001:db8:85a3::ac1f:1:23"
        ]
    },
    "rule": {
        "id": "123",
        "ruleset": "anchor1"
    },
    "source": {
        "address": "2001:db8:85a3::8a2e:370:7334",
        "ip": "2001:db8:85a3::8a2e:370:7334",
        "port": 12345
    }
}
{
    "message": "123,001,anchor1,label2,eth0,match,pass,in,6,,1234,64,udp,17,1024,2001:0db8:85a3:0000:0000:8a2e:0370:7334,2001:0db8:85a3:0000:0000:ac1f:0001:0023,12345,80,1024",
    "event": {
        "action": "pass",
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "match",
        "type": [
            "allowed"
        ]
    },
    "destination": {
        "address": "2001:db8:85a3::ac1f:1:23",
        "ip": "2001:db8:85a3::ac1f:1:23",
        "port": 80
    },
    "network": {
        "bytes": 1024,
        "direction": "inbound",
        "iana_number": "17",
        "transport": "udp"
    },
    "observer": {
        "ingress": {
            "interface": {
                "name": "eth0"
            }
        }
    },
    "openbsd": {
        "pf": {
            "event": {
                "tracker": {
                    "id": "label2"
                }
            },
            "routing": {
                "flow": "1234",
                "hoplimit": 64
            },
            "rule": {
                "subrulenr": "001"
            },
            "transport": {
                "bytes": 1024
            }
        }
    },
    "related": {
        "ip": [
            "2001:db8:85a3::8a2e:370:7334",
            "2001:db8:85a3::ac1f:1:23"
        ]
    },
    "rule": {
        "id": "123",
        "ruleset": "anchor1"
    },
    "source": {
        "address": "2001:db8:85a3::8a2e:370:7334",
        "ip": "2001:db8:85a3::8a2e:370:7334",
        "port": 12345
    }
}
{
    "message": "183,,,41cbdd1cea144179a26efd069e1ee54f,vtnet9,match,pass,in,4,0x0,,63,18292,0,DF,17,udp,72,1.2.3.4,5.6.7.8,18448,53,52",
    "event": {
        "action": "pass",
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "match",
        "type": [
            "allowed"
        ]
    },
    "destination": {
        "address": "5.6.7.8",
        "ip": "5.6.7.8",
        "port": 53
    },
    "network": {
        "bytes": 72,
        "direction": "inbound",
        "iana_number": "17",
        "transport": "udp"
    },
    "observer": {
        "ingress": {
            "interface": {
                "name": "vtnet9"
            }
        }
    },
    "openbsd": {
        "pf": {
            "event": {
                "tracker": {
                    "id": "41cbdd1cea144179a26efd069e1ee54f"
                }
            },
            "routing": {
                "class": "0x0",
                "flags": "DF",
                "hoplimit": 63,
                "offset": 0
            },
            "transport": {
                "bytes": 52
            }
        }
    },
    "related": {
        "ip": [
            "1.2.3.4",
            "5.6.7.8"
        ]
    },
    "rule": {
        "id": "183"
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4",
        "port": 18448
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
destination.ip ip IP address of the destination.
destination.port long Port of the destination.
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.reason keyword Reason why this event happened, according to the source
event.type keyword Event type. The third categorization field in the hierarchy.
network.bytes long Total bytes transferred in both directions.
network.direction keyword Direction of the network traffic.
network.iana_number keyword IANA Protocol Number.
network.transport keyword Protocol Name corresponding to the field iana_number.
observer.egress.interface.name keyword Interface name
observer.ingress.interface.name keyword Interface name
openbsd.pf.carp.advbase keyword
openbsd.pf.carp.advskew keyword
openbsd.pf.carp.type number
openbsd.pf.carp.version keyword
openbsd.pf.carp.vhid keyword The identifier of the virtual host that the appliance belong to in the CARP virtual group
openbsd.pf.event.tracker.id tracker tracker ID
openbsd.pf.icmp.datalength long the length of the content of the ICMP packet
openbsd.pf.routing.class keyword
openbsd.pf.routing.flags keyword
openbsd.pf.routing.flow keyword
openbsd.pf.routing.hoplimit number
openbsd.pf.routing.offset number
openbsd.pf.rule.subrulenr integer number of the subrule
openbsd.pf.transport.ack keyword
openbsd.pf.transport.bytes number
openbsd.pf.transport.classification keyword
openbsd.pf.transport.options keyword
openbsd.pf.transport.seq_number keyword
openbsd.pf.transport.tcp_flags keyword
openbsd.pf.transport.urgency keyword
openbsd.pf.transport.window_size number
rule.id keyword Rule ID
rule.ruleset keyword Rule ruleset
source.ip ip IP address of the source.
source.port long Port of the source.

Configure

This setup guide will show you how to forward your Firewall logs to Sekoia.io by means of a syslog transport channel.

Prerequisites

  • Have an internal log concentrator

Enable Syslog forwarding

  1. Follow the official guide to enable syslog forwarding from your pfSense firewall to the internal log concentrator.

  2. Define your log concentrator as a remote syslog server and select Firewall Events as the remote syslog content.

  3. Save your changes.

Create the intake

Go to the intake page and create a new intake from the format OpenBSD Packet Filter.

Forward logs to Sekoia.io

Please consult the Syslog Forwarding documentation to forward these logs to Sekoia.io.