bmaeuser/pfsense-analytics
1
0
Fork 0
mirror of https://github.com/lephisto/pfsense-analytics.git synced 2025-12-06 12:19:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

Create pfsense_content_pack.json

Browse Source
This commit is contained in:
opc40772
2018-04-04 20:06:44 -04:00
committed by GitHub
parent e73ddeb741
commit 742bfc2a0d
1 changed files with 263 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

263
pfsense_content_pack/pfsense_content_pack.json Normal file
View File

@@ -0,0 +1,263 @@
{
"name":"PFsense Content Pack",
"description":"Input, Extractors, Streams, Lookup Table, Data Adapter and Cache Adapter",
"category":"Firewall",
"inputs":[
{
"id":"5a982448687cf8128c10ce6e",
"title":"Pfsense-Logs",
"configuration":{
"expand_structured_data":false,
"recv_buffer_size":262144,
"port":5442,
"override_source":null,
"force_rdns":false,
"allow_override_date":true,
"bind_address":"0.0.0.0",
"store_full_message":false
},
"static_fields":{
},
"type":"org.graylog2.inputs.syslog.udp.SyslogUDPInput",
"global":false,
"extractors":[
{
"title":"PFsenseExtractor",
"type":"GROK",
"cursor_strategy":"COPY",
"target_field":"",
"source_field":"message",
"configuration":{
"grok_pattern":"%{PFSENSE_LOG_ENTRY}"
},
"converters":[
],
"condition_type":"NONE",
"condition_value":"",
"order":0
},
{
"title":"Port to Service Name",
"type":"LOOKUP_TABLE",
"cursor_strategy":"COPY",
"target_field":"PortServiceName",
"source_field":"dest_port",
"configuration":{
"lookup_table_name":"Service Port Translator"
},
"converters":[
],
"condition_type":"NONE",
"condition_value":"",
"order":0
},
{
"title":"Source Port Name",
"type":"LOOKUP_TABLE",
"cursor_strategy":"COPY",
"target_field":"src_port_name",
"source_field":"src_port",
"configuration":{
"lookup_table_name":"Service Port Translator"
},
"converters":[
],
"condition_type":"NONE",
"condition_value":"",
"order":0
}
]
}
],
"streams":[
{
"id":"5a9827f4687cf8128c10d272",
"title":"pfsense logs",
"description":"Pfsense Logs Stream",
"disabled":false,
"matching_type":"AND",
"stream_rules":[
{
"type":"CONTAINS",
"field":"source",
"value":"filterlog",
"inverted":false,
"description":""
}
],
"outputs":[
],
"default_stream":false
}
],
"outputs":[
],
"dashboards":[
],
"grok_patterns":[
{
"name":"PFSENSE_ICMP_TSTAMP",
"pattern":"%{INT:icmp_tstamp_id},%{INT:icmp_tstamp_sequence}"
},
{
"name":"PFSENSE_IPv4_SPECIFIC_DATA_ECN",
"pattern":"(?<ip_ver>(4)),%{BASE16NUM:tos},%{INT:ecn},%{INT:ttl},%{INT:id},%{INT:offset},%{WORD:flags},%{INT:proto_id},%{WORD:proto},"
},
{
"name":"PFSENSE_CARP_DATA",
"pattern":"%{WORD:carp_type},%{INT:carp_ttl},%{INT:carp_vhid},%{INT:carp_version},%{INT:carp_advbase},%{INT:carp_advskew}"
},
{
"name":"PFSENSE_APP_ERROR",
"pattern":"webConfigurator (%{DATA:pfsense_ACTION}) for \\'(%{DATA:pfsense_USER})\\' from (%{GREEDYDATA:pfsense_REMOTE_IP})"
},
{
"name":"PFSENSE_ICMP_UNREACHABLE",
"pattern":"%{GREEDYDATA:icmp_unreachable}"
},
{
"name":"PFSENSE_UDP_DATA",
"pattern":"%{INT:src_port},%{INT:dest_port},%{INT:data_length}"
},
{
"name":"PFSENSE_ICMP_ECHO_REQ_REPLY",
"pattern":"%{INT:icmp_echo_id},%{INT:icmp_echo_sequence}"
},
{
"name":"PFSENSE_IGMP_DATA",
"pattern":"datalength=%{INT:data_length}"
},
{
"name":"PFSENSE_TCP_DATA",
"pattern":"%{INT:src_port},%{INT:dest_port},%{INT:data_length},%{WORD:tcp_flags},%{INT:sequence_number},%{INT:ack_number},%{INT:tcp_window},%{DATA:urg_data},%{GREEDYDATA:tcp_options}"
},
{
"name":"PFSENSE_IP_DATA",
"pattern":"%{INT:length},%{IP:src_ip},%{IP:dest_ip},"
},
{
"name":"PFSENSE_ICMP_NEED_FLAG",
"pattern":"%{IP:icmp_need_flag_ip},%{INT:icmp_need_flag_mtu}"
},
{
"name":"PFSENSE_APP_DATA",
"pattern":"(%{PFSENSE_APP_LOGOUT}|%{PFSENSE_APP_LOGIN}|%{PFSENSE_APP_ERROR}|%{PFSENSE_APP_GEN})"
},
{
"name":"PFSENSE_APP_LOGOUT",
"pattern":"User (%{DATA:pfsense_ACTION}) for user \\'(%{DATA:pfsense_USER})\\' from: (%{GREEDYDATA:pfsense_REMOTE_IP})"
},
{
"name":"PFSENSE_ICMP_DATA",
"pattern":"%{PFSENSE_ICMP_TYPE}%{PFSENSE_ICMP_RESPONSE}"
},
{
"name":"PFSENSE_IPv4_SPECIFIC_DATA",
"pattern":"(?<ip_ver>(4)),%{BASE16NUM:tos},%{WORD:ecn}?,%{INT:ttl},%{INT:id},%{INT:offset},%{WORD:flags},%{INT:proto_id},%{WORD:proto},"
},
{
"name":"PFSENSE_IPv6_SPECIFIC_DATA",
"pattern":"(?<ip_ver>(6)),%{BASE16NUM:ipv6_Flag1},%{WORD:ipv6_Flag2},%{WORD:flow_label},%{WORD:options},%{INT:protocol_id},%{INT:length},%{IPV6:src_ip},%{IPV6:dest_ip},%{WORD:ipv6_HPH},%{WORD:ipv6_padn},%{WORD:ipv6_Alert},%{BASE16NUM:ipv6_Flag3},"
},
{
"name":"PFSENSE_ICMP_UNREACHPROTO",
"pattern":"%{IP:icmp_unreach_dest_ip},%{WORD:icmp_unreachproto_protocol}"
},
{
"name":"PFSENSE_APP_LOGIN",
"pattern":"(%{DATA:pfsense_ACTION}) for user \\'(%{DATA:pfsense_USER})\\' from: (%{GREEDYDATA:pfsense_REMOTE_IP})"
},
{
"name":"PFSENSE_LOG_DATA",
"pattern":"%{INT:rule},%{INT:sub_rule}?,,%{INT:tracker},%{WORD:iface},%{WORD:reason},%{WORD:action},%{WORD:direction},"
},
{
"name":"PFSENSE_PROTOCOL_DATA",
"pattern":"%{PFSENSE_TCP_DATA}|%{PFSENSE_UDP_DATA}|%{PFSENSE_ICMP_DATA}|%{PFSENSE_CARP_DATA}|%{PFSENSE_IGMP_DATA}"
},
{
"name":"PFSENSE_LOG_ENTRY",
"pattern":"%{PFSENSE_LOG_DATA}%{PFSENSE_IP_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}?"
},
{
"name":"PFSENSE_APP",
"pattern":"(%{DATA:pfsense_APP}):"
},
{
"name":"PFSENSE_IP_SPECIFIC_DATA",
"pattern":"%{PFSENSE_IPv4_SPECIFIC_DATA}|%{PFSENSE_IPv6_SPECIFIC_DATA}"
},
{
"name":"PFSENSE_APP_GEN",
"pattern":"(%{GREEDYDATA:pfsense_ACTION})"
},
{
"name":"PFSENSE_ICMP_RESPONSE",
"pattern":"%{PFSENSE_ICMP_ECHO_REQ_REPLY}|%{PFSENSE_ICMP_UNREACHPORT}| %{PFSENSE_ICMP_UNREACHPROTO}|%{PFSENSE_ICMP_UNREACHABLE}|%{PFSENSE_ICMP_NEED_FLAG}|%{PFSENSE_ICMP_TSTAMP}|%{PFSENSE_ICMP_TSTAMP_REPLY}"
},
{
"name":"PFSENSE_ICMP_UNREACHPORT",
"pattern":"%{IP:icmp_unreachport_dest_ip},%{WORD:icmp_unreachport_protocol},%{INT:icmp_unreachport_port}"
},
{
"name":"PFSENSE_ICMP_TYPE",
"pattern":"(?<icmp_type>(request|reply|unreachproto|unreachport|unreach|timeexceed|paramprob|redirect|maskreply|needfrag|tstamp|tstampreply)),"
},
{
"name":"PFSENSE_ICMP_TSTAMP_REPLY",
"pattern":"%{INT:icmp_tstamp_reply_id},%{INT:icmp_tstamp_reply_sequence},%{INT:icmp_tstamp_reply_otime},%{INT:icmp_tstamp_reply_rtime},%{INT:icmp_tstamp_reply_ttime}"
}
],
"lookup_tables":[
{
"title":"Service Port Translator",
"description":"Service Port Translator to name service",
"name":"Service Port Translator",
"cache_name":"cache-service-port",
"data_adapter_name":"cvs-port-translate",
"default_single_value":"",
"default_single_value_type":"NULL",
"default_multi_value":"",
"default_multi_value_type":"NULL"
}
],
"lookup_caches":[
{
"title":"Cache Service Port",
"description":"Cache Service Port",
"name":"cache-service-port",
"config":{
"type":"guava_cache",
"max_size":1000,
"expire_after_access":60,
"expire_after_access_unit":"SECONDS",
"expire_after_write":0,
"expire_after_write_unit":null
}
}
],
"lookup_data_adapters":[
{
"title":"CVS Port Translate",
"description":"Table CVS for translate port service to service name",
"name":"cvs-port-translate",
"config":{
"type":"csvfile",
"path":"/etc/graylog/server/service-names-port-numbers.csv",
"separator":",",
"quotechar":"\"",
"key_column":"Port",
"value_column":"Service",
"check_interval":3,
"case_insensitive_lookup":false
}
}
]
}