

[pfsense] Add SNORT log processing (#11182)
* [pfsense] Add SNORT log processing

* Update changelog with PR number

* Address code review

* Address code review feedback
aleksmaus authored Sep 24, 2024
1 parent a788bf9 commit 7991db9
Showing 8 changed files with 243 additions and 2 deletions.
5 changes: 5 additions & 0 deletions packages/pfsense/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.20.0"
changes:
- description: Add SNORT log processing
type: enhancement
link: https://github.com/elastic/integrations/pull/11182
- version: "1.19.2"
changes:
- description: Fix firewall ICMPv6 message parsing error
@@ -0,0 +1,2 @@
<190>Jul 23 18:12:00 snort[87537]: [136:1:1] (spp_reputation) packets blacklisted [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 67.43.156.1:16856 -> 89.160.20.128:2222
<190>Jul 23 18:12:00 snort[87537]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 67.43.156.0:63651 -> 89.160.20.128:8080
@@ -0,0 +1,186 @@
{
"expected": [
{
"@timestamp": "2024-07-23T18:12:00.000-04:00",
"destination": {
"address": "89.160.20.128",
"as": {
"number": 29518,
"organization": {
"name": "Bredband2 AB"
}
},
"geo": {
"city_name": "Linköping",
"continent_name": "Europe",
"country_iso_code": "SE",
"country_name": "Sweden",
"location": {
"lat": 58.4167,
"lon": 15.6167
},
"region_iso_code": "SE-E",
"region_name": "Östergötland County"
},
"ip": "89.160.20.128",
"port": 2222
},
"ecs": {
"version": "8.11.0"
},
"event": {
"category": [
"network"
],
"kind": "event",
"original": "<190>Jul 23 18:12:00 snort[87537]: [136:1:1] (spp_reputation) packets blacklisted [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 67.43.156.1:16856 -> 89.160.20.128:2222",
"provider": "snort",
"timezone": "-04:00"
},
"log": {
"syslog": {
"priority": 190
}
},
"message": "[136:1:1] (spp_reputation) packets blacklisted [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 67.43.156.1:16856 -> 89.160.20.128:2222",
"network": {
"protocol": "tcp",
"type": "ipv4"
},
"observer": {
"type": "firewall",
"vendor": "netgate"
},
"process": {
"name": "snort",
"pid": 87537
},
"related": {
"ip": [
"89.160.20.128",
"67.43.156.1"
]
},
"snort": {
"alert_message": "packets blacklisted",
"classification": "Potentially Bad Traffic",
"generator_id": "136",
"preprocessor": "spp_reputation",
"priority": 2,
"signature_id": "1",
"signature_revision": "1"
},
"source": {
"address": "67.43.156.1",
"as": {
"number": 35908
},
"geo": {
"continent_name": "Asia",
"country_iso_code": "BT",
"country_name": "Bhutan",
"location": {
"lat": 27.5,
"lon": 90.5
}
},
"ip": "67.43.156.1",
"port": 16856
},
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2024-07-23T18:12:00.000-04:00",
"destination": {
"address": "89.160.20.128",
"as": {
"number": 29518,
"organization": {
"name": "Bredband2 AB"
}
},
"geo": {
"city_name": "Linköping",
"continent_name": "Europe",
"country_iso_code": "SE",
"country_name": "Sweden",
"location": {
"lat": 58.4167,
"lon": 15.6167
},
"region_iso_code": "SE-E",
"region_name": "Östergötland County"
},
"ip": "89.160.20.128",
"port": 8080
},
"ecs": {
"version": "8.11.0"
},
"event": {
"category": [
"network"
],
"kind": "event",
"original": "<190>Jul 23 18:12:00 snort[87537]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 67.43.156.0:63651 -> 89.160.20.128:8080",
"provider": "snort",
"timezone": "-04:00"
},
"log": {
"syslog": {
"priority": 190
}
},
"message": "[119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 67.43.156.0:63651 -> 89.160.20.128:8080",
"network": {
"protocol": "tcp",
"type": "ipv4"
},
"observer": {
"type": "firewall",
"vendor": "netgate"
},
"process": {
"name": "snort",
"pid": 87537
},
"related": {
"ip": [
"89.160.20.128",
"67.43.156.0"
]
},
"snort": {
"alert_message": "BARE BYTE UNICODE ENCODING",
"classification": "Not Suspicious Traffic",
"generator_id": "119",
"preprocessor": "http_inspect",
"priority": 3,
"signature_id": "4",
"signature_revision": "1"
},
"source": {
"address": "67.43.156.0",
"as": {
"number": 35908
},
"geo": {
"continent_name": "Asia",
"country_iso_code": "BT",
"country_name": "Bhutan",
"location": {
"lat": 27.5,
"lon": 90.5
}
},
"ip": "67.43.156.0",
"port": 63651
},
"tags": [
"preserve_original_event"
]
}
]
}
Expand Up @@ -86,8 +86,11 @@ processors:
- pipeline:
name: '{{ IngestPipeline "squid" }}'
if: ctx.event.provider == 'squid'
- pipeline:
name: '{{ IngestPipeline "snort" }}'
if: ctx.event.provider == 'snort'
- drop:
if: '!["filterlog", "openvpn", "charon", "dhcpd", "dhclient", "dhcp6c", "unbound", "haproxy", "php-fpm", "squid"].contains(ctx.event?.provider)'
if: '!["filterlog", "openvpn", "charon", "dhcpd", "dhclient", "dhcp6c", "unbound", "haproxy", "php-fpm", "squid", "snort"].contains(ctx.event?.provider)'
- append:
field: event.category
value: network
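Review bot: The drop processor's allowlist on the changed `if:` line is now a second copy of the set of providers that have a pipeline branch above it, and the two have to be edited together; a provider added to only one side is either silently dropped or only ever passes through unparsed. Worth a comment above the drop, e.g. `# keep in sync with the per-provider pipeline conditions above`, or a single test event with an unknown provider to pin the drop behaviour. The new snort condition uses `ctx.event.provider` (not null-safe) while the drop uses `ctx.event?.provider`; it matches the existing squid line, so it is consistent, but the non-null-safe form fails the pipeline if `event` is absent. The processors list starts and ends outside this hunk.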
@@ -0,0 +1,14 @@
---
description: Pipeline for PFsense SNORT logs.
processors:
- grok:
field: message
patterns:
- '\[%{NUMBER:snort.generator_id}:%{NUMBER:snort.signature_id}:%{NUMBER:snort.signature_revision}\] \(%{DATA:snort.preprocessor}\) %{GREEDYDATA:snort.alert_message} \[Classification: %{DATA:snort.classification}\] \[Priority: %{NONNEGINT:snort.priority:long}\] \{%{WORD:network.protocol}\} %{IP:source.address}:%{NUMBER:source.port:long} -> %{IP:destination.address}:%{NUMBER:destination.port:long}'
- lowercase:
field: network.protocol
ignore_missing: true
on_failure:
- set:
field: error.message
value: "{{{ _ingest.on_failure_message }}}"
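Review bot: The `{TCP}` token in the grok pattern is captured into network.protocol, but ECS reserves network.protocol for the application-layer protocol (http, dns) and puts transport names such as tcp, udp and icmp in network.transport, so the capture and the lowercase processor that follows it should both use network.transport. The pipeline also leaves event.kind as `event` and event.category as only `network` (visible in the expected output added by this commit), so detection rules and dashboards keyed on `event.kind:alert` or `event.category:intrusion_detection` will not see these Snort alerts. Both are fixable in this file; the expected test output and the generated README table would then need regenerating. If default.yml overwrites event.kind after this sub-pipeline returns, the set processor would have to move there instead.
```yaml
processors:
  - grok:
      field: message
      patterns:
        - '\[%{NUMBER:snort.generator_id}:%{NUMBER:snort.signature_id}:%{NUMBER:snort.signature_revision}\] \(%{DATA:snort.preprocessor}\) %{GREEDYDATA:snort.alert_message} \[Classification: %{DATA:snort.classification}\] \[Priority: %{NONNEGINT:snort.priority:long}\] \{%{WORD:network.transport}\} %{IP:source.address}:%{NUMBER:source.port:long} -> %{IP:destination.address}:%{NUMBER:destination.port:long}'
  - lowercase:
      field: network.transport
      ignore_missing: true
  # Snort lines are IDS alerts, not plain events; mark them so alert-oriented
  # rules and views match them.
  - set:
      field: event.kind
      value: alert
  - append:
      field: event.category
      value: intrusion_detection
      allow_duplicates: false
# … unchanged: on_failure handler …
```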
24 changes: 24 additions & 0 deletions packages/pfsense/data_stream/log/fields/fields.yml
Expand Up @@ -281,3 +281,27 @@
- name: hierarchy_status
type: keyword
description: The proxy hierarchy route; the route Content Gateway used to retrieve the object.
- name: snort
type: group
fields:
- name: alert_message
type: keyword
description: Snort alert message.
- name: classification
type: keyword
description: Snort classification.
- name: generator_id
type: keyword
description: Snort generator id.
- name: preprocessor
type: keyword
description: Snort preprocessor.
- name: priority
type: long
description: Snort priority.
- name: signature_id
type: keyword
description: Snort signature id.
- name: signature_revision
type: keyword
description: Snort signature revision.
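Review bot: The descriptions added for the snort group restate the field names and give a reader no way to interpret the values; generator_id, signature_id and signature_revision together form the `[gid:sid:rev]` triple at the start of every Snort alert line, and priority is Snort's 1–4 scale where 1 is the most severe. Suggest e.g. `description: Snort generator ID (GID); together with signature_id and signature_revision it forms the [gid:sid:rev] rule identifier.` and `description: Snort alert priority (1 = high, 4 = very low).`. The docs/README.md table in this commit appears to be generated from these descriptions, so it would pick the wording up on regeneration.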
7 changes: 7 additions & 0 deletions packages/pfsense/docs/README.md
Expand Up @@ -384,6 +384,13 @@ An example event for `log` looks as following:
| server.ip | IP address of the server (IPv4 or IPv6). | ip |
| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
| server.port | Port of the server. | long |
| snort.alert_message | Snort alert message. | keyword |
| snort.classification | Snort classification. | keyword |
| snort.generator_id | Snort generator id. | keyword |
| snort.preprocessor | Snort preprocessor. | keyword |
| snort.priority | Snort priority. | long |
| snort.signature_id | Snort signature id. | keyword |
| snort.signature_revision | Snort signature revision. | keyword |
| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
| source.as.organization.name | Organization name. | keyword |
2 changes: 1 addition & 1 deletion packages/pfsense/manifest.yml
@@ -1,6 +1,6 @@
name: pfsense
title: pfSense
version: "1.19.2"
version: "1.20.0"
description: Collect logs from pfSense and OPNsense with Elastic Agent.
type: integration
icons:

