From 725c17bfd0114f5f347dbdd7b61be104cf497667 Mon Sep 17 00:00:00 2001
From: opc40772 <30729683+opc40772@users.noreply.github.com>
Date: Wed, 4 Apr 2018 20:04:51 -0400
Subject: [PATCH] Add files via upload
---
 pfsense_content_pack.json | 262 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 262 insertions(+)
 create mode 100644 pfsense_content_pack.json
diff --git a/pfsense_content_pack.json b/pfsense_content_pack.json
new file mode 100644
index 0000000..8bfabb8
--- /dev/null
+++ b/pfsense_content_pack.json
@@ -0,0 +1,262 @@
+{ "name":"PFsense Content Pack",
+ "description":"Input, Extractors, Streams, Lookup Table, Data Adapter and Cache Adapter",
+ "category":"Firewall",
+ "inputs":[
+ {
+ "id":"5a982448687cf8128c10ce6e",
+ "title":"Pfsense-Logs",
+ "configuration":{
+ "expand_structured_data":false,
+ "recv_buffer_size":262144,
+ "port":5442,
+ "override_source":null,
+ "force_rdns":false,
+ "allow_override_date":true,
+ "bind_address":"0.0.0.0",
+ "store_full_message":false
+ },
+ "static_fields":{
+
+ },
+ "type":"org.graylog2.inputs.syslog.udp.SyslogUDPInput",
+ "global":false,
+ "extractors":[
+ {
+ "title":"PFsenseExtractor",
+ "type":"GROK",
+ "cursor_strategy":"COPY",
+ "target_field":"",
+ "source_field":"message",
+ "configuration":{
+ "grok_pattern":"%{PFSENSE_LOG_ENTRY}"
+ },
+ "converters":[
+
+ ],
+ "condition_type":"NONE",
+ "condition_value":"",
+ "order":0
+ },
+ {
+ "title":"Port to Service Name",
+ "type":"LOOKUP_TABLE",
+ "cursor_strategy":"COPY",
+ "target_field":"PortServiceName",
+ "source_field":"dest_port",
+ "configuration":{
+ "lookup_table_name":"Service Port Translator"
+ },
+ "converters":[
+
+ ],
+ "condition_type":"NONE",
+ "condition_value":"",
+ "order":0
+ },
+ {
+ "title":"Source Port Name",
+ "type":"LOOKUP_TABLE",
+ "cursor_strategy":"COPY",
+ "target_field":"src_port_name",
+ "source_field":"src_port",
+ "configuration":{
+ "lookup_table_name":"Service Port Translator"
+ },
+ "converters":[
+
+ ],
+ "condition_type":"NONE",
+ "condition_value":"",
+ "order":0
+ }
+ ]
+ }
+ ],
+ "streams":[
+ {
+ "id":"5a9827f4687cf8128c10d272",
+ "title":"pfsense logs",
+ "description":"Pfsense Logs Stream",
+ "disabled":false,
+ "matching_type":"AND",
+ "stream_rules":[
+ {
+ "type":"CONTAINS",
+ "field":"source",
+ "value":"filterlog",
+ "inverted":false,
+ "description":""
+ }
+ ],
+ "outputs":[
+
+ ],
+ "default_stream":false
+ }
+ ],
+ "outputs":[
+
+ ],
+ "dashboards":[
+
+ ],
+ "grok_patterns":[
+ {
+ "name":"PFSENSE_ICMP_TSTAMP",
+ "pattern":"%{INT:icmp_tstamp_id},%{INT:icmp_tstamp_sequence}"
+ },
+ {
+ "name":"PFSENSE_IPv4_SPECIFIC_DATA_ECN",
+ "pattern":"(?(4)),%{BASE16NUM:tos},%{INT:ecn},%{INT:ttl},%{INT:id},%{INT:offset},%{WORD:flags},%{INT:proto_id},%{WORD:proto},"
+ },
+ {
+ "name":"PFSENSE_CARP_DATA",
+ "pattern":"%{WORD:carp_type},%{INT:carp_ttl},%{INT:carp_vhid},%{INT:carp_version},%{INT:carp_advbase},%{INT:carp_advskew}"
+ },
+ {
+ "name":"PFSENSE_APP_ERROR",
+ "pattern":"webConfigurator (%{DATA:pfsense_ACTION}) for \\'(%{DATA:pfsense_USER})\\' from (%{GREEDYDATA:pfsense_REMOTE_IP})"
+ },
+ {
+ "name":"PFSENSE_ICMP_UNREACHABLE",
+ "pattern":"%{GREEDYDATA:icmp_unreachable}"
+ },
+ {
+ "name":"PFSENSE_UDP_DATA",
+ "pattern":"%{INT:src_port},%{INT:dest_port},%{INT:data_length}"
+ },
+ {
+ "name":"PFSENSE_ICMP_ECHO_REQ_REPLY",
+ "pattern":"%{INT:icmp_echo_id},%{INT:icmp_echo_sequence}"
+ },
+ {
+ "name":"PFSENSE_IGMP_DATA",
+ "pattern":"datalength=%{INT:data_length}"
+ },
+ {
+ "name":"PFSENSE_TCP_DATA",
+ "pattern":"%{INT:src_port},%{INT:dest_port},%{INT:data_length},%{WORD:tcp_flags},%{INT:sequence_number},%{INT:ack_number},%{INT:tcp_window},%{DATA:urg_data},%{GREEDYDATA:tcp_options}"
+ },
+ {
+ "name":"PFSENSE_IP_DATA",
+ "pattern":"%{INT:length},%{IP:src_ip},%{IP:dest_ip},"
+ },
+ {
+ "name":"PFSENSE_ICMP_NEED_FLAG",
+ "pattern":"%{IP:icmp_need_flag_ip},%{INT:icmp_need_flag_mtu}"
+ },
+ {
+ "name":"PFSENSE_APP_DATA",
+ "pattern":"(%{PFSENSE_APP_LOGOUT}|%{PFSENSE_APP_LOGIN}|%{PFSENSE_APP_ERROR}|%{PFSENSE_APP_GEN})"
+ },
+ {
+ "name":"PFSENSE_APP_LOGOUT",
+ "pattern":"User (%{DATA:pfsense_ACTION}) for user \\'(%{DATA:pfsense_USER})\\' from: (%{GREEDYDATA:pfsense_REMOTE_IP})"
+ },
+ {
+ "name":"PFSENSE_ICMP_DATA",
+ "pattern":"%{PFSENSE_ICMP_TYPE}%{PFSENSE_ICMP_RESPONSE}"
+ },
+ {
+ "name":"PFSENSE_IPv4_SPECIFIC_DATA",
+ "pattern":"(?(4)),%{BASE16NUM:tos},%{WORD:ecn}?,%{INT:ttl},%{INT:id},%{INT:offset},%{WORD:flags},%{INT:proto_id},%{WORD:proto},"
+ },
+ {
+ "name":"PFSENSE_IPv6_SPECIFIC_DATA",
+ "pattern":"(?(6)),%{BASE16NUM:ipv6_Flag1},%{WORD:ipv6_Flag2},%{WORD:flow_label},%{WORD:options},%{INT:protocol_id},%{INT:length},%{IPV6:src_ip},%{IPV6:dest_ip},%{WORD:ipv6_HPH},%{WORD:ipv6_padn},%{WORD:ipv6_Alert},%{BASE16NUM:ipv6_Flag3},"
+ },
+ {
+ "name":"PFSENSE_ICMP_UNREACHPROTO",
+ "pattern":"%{IP:icmp_unreach_dest_ip},%{WORD:icmp_unreachproto_protocol}"
+ },
+ {
+ "name":"PFSENSE_APP_LOGIN",
+ "pattern":"(%{DATA:pfsense_ACTION}) for user \\'(%{DATA:pfsense_USER})\\' from: (%{GREEDYDATA:pfsense_REMOTE_IP})"
+ },
+ {
+ "name":"PFSENSE_LOG_DATA",
+ "pattern":"%{INT:rule},%{INT:sub_rule}?,,%{INT:tracker},%{WORD:iface},%{WORD:reason},%{WORD:action},%{WORD:direction},"
+ },
+ {
+ "name":"PFSENSE_PROTOCOL_DATA",
+ "pattern":"%{PFSENSE_TCP_DATA}|%{PFSENSE_UDP_DATA}|%{PFSENSE_ICMP_DATA}|%{PFSENSE_CARP_DATA}|%{PFSENSE_IGMP_DATA}"
+ },
+ {
+ "name":"PFSENSE_LOG_ENTRY",
+ "pattern":"%{PFSENSE_LOG_DATA}%{PFSENSE_IP_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}?"
+ },
+ {
+ "name":"PFSENSE_APP",
+ "pattern":"(%{DATA:pfsense_APP}):"
+ },
+ {
+ "name":"PFSENSE_IP_SPECIFIC_DATA",
+ "pattern":"%{PFSENSE_IPv4_SPECIFIC_DATA}|%{PFSENSE_IPv6_SPECIFIC_DATA}"
+ },
+ {
+ "name":"PFSENSE_APP_GEN",
+ "pattern":"(%{GREEDYDATA:pfsense_ACTION})"
+ },
+ {
+ "name":"PFSENSE_ICMP_RESPONSE",
+ "pattern":"%{PFSENSE_ICMP_ECHO_REQ_REPLY}|%{PFSENSE_ICMP_UNREACHPORT}| %{PFSENSE_ICMP_UNREACHPROTO}|%{PFSENSE_ICMP_UNREACHABLE}|%{PFSENSE_ICMP_NEED_FLAG}|%{PFSENSE_ICMP_TSTAMP}|%{PFSENSE_ICMP_TSTAMP_REPLY}"
+ },
+ {
+ "name":"PFSENSE_ICMP_UNREACHPORT",
+ "pattern":"%{IP:icmp_unreachport_dest_ip},%{WORD:icmp_unreachport_protocol},%{INT:icmp_unreachport_port}"
+ },
+ {
+ "name":"PFSENSE_ICMP_TYPE",
+ "pattern":"(?(request|reply|unreachproto|unreachport|unreach|timeexceed|paramprob|redirect|maskreply|needfrag|tstamp|tstampreply)),"
+ },
+ {
+ "name":"PFSENSE_ICMP_TSTAMP_REPLY",
+ "pattern":"%{INT:icmp_tstamp_reply_id},%{INT:icmp_tstamp_reply_sequence},%{INT:icmp_tstamp_reply_otime},%{INT:icmp_tstamp_reply_rtime},%{INT:icmp_tstamp_reply_ttime}"
+ }
+ ],
+ "lookup_tables":[
+ {
+ "title":"Service Port Translator",
+ "description":"Service Port Translator to name service",
+ "name":"Service Port Translator",
+ "cache_name":"cache-service-port",
+ "data_adapter_name":"cvs-port-translate",
+ "default_single_value":"",
+ "default_single_value_type":"NULL",
+ "default_multi_value":"",
+ "default_multi_value_type":"NULL"
+ }
+ ],
+ "lookup_caches":[
+ {
+ "title":"Cache Service Port",
+ "description":"Cache Service Port",
+ "name":"cache-service-port",
+ "config":{
+ "type":"guava_cache",
+ "max_size":1000,
+ "expire_after_access":60,
+ "expire_after_access_unit":"SECONDS",
+ "expire_after_write":0,
+ "expire_after_write_unit":null
+ }
+ }
+ ],
+ "lookup_data_adapters":[
+ {
+ "title":"CVS Port Translate",
+ "description":"Table CVS for translate port service to service name",
+ "name":"cvs-port-translate",
+ "config":{
+ "type":"csvfile",
+ "path":"/etc/graylog/server/service-names-port-numbers.csv",
+ "separator":",",
+ "quotechar":"\"",
+ "key_column":"Port",
+ "value_column":"Service",
+ "check_interval":3,
+ "case_insensitive_lookup":false
+ }
+ }
+ ]
+}
\ No newline at end of file
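Review bot: In `PFSENSE_ICMP_RESPONSE` the catch-all `%{PFSENSE_ICMP_UNREACHABLE}` (a bare `%{GREEDYDATA}`) sits before `PFSENSE_ICMP_NEED_FLAG`, `PFSENSE_ICMP_TSTAMP` and `PFSENSE_ICMP_TSTAMP_REPLY`, and because this alternation is the last element of `PFSENSE_LOG_ENTRY` the engine accepts it as soon as it is reached, so needfrag and timestamp messages are captured into `icmp_unreachable` instead of their typed fields. The same alternation carries a stray space in `| %{PFSENSE_ICMP_UNREACHPROTO}`, which demands a literal space in the log line; moving the catch-all to the end and dropping the space, `"pattern":"%{PFSENSE_ICMP_ECHO_REQ_REPLY}|%{PFSENSE_ICMP_UNREACHPORT}|%{PFSENSE_ICMP_UNREACHPROTO}|%{PFSENSE_ICMP_NEED_FLAG}|%{PFSENSE_ICMP_TSTAMP}|%{PFSENSE_ICMP_TSTAMP_REPLY}|%{PFSENSE_ICMP_UNREACHABLE}"`, addresses both. The groups `(?(4))`, `(?(6))` and `(?(request|…))` in `PFSENSE_IPv4_SPECIFIC_DATA`, `PFSENSE_IPv4_SPECIFIC_DATA_ECN`, `PFSENSE_IPv6_SPECIFIC_DATA` and `PFSENSE_ICMP_TYPE` read like named groups whose `<name>` part was lost, possibly only in this rendering; as shown they are not valid Java regex syntax, so confirm the committed file carries the group names. Separately, the input sets `"store_full_message":false`, so the raw syslog line is discarded once the extractors have run; for a firewall feed that investigations will rely on, `"store_full_message":true` keeps the original text so analysts can verify the parsed fields against what the sender actually emitted, at some storage cost.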