{
"extractors": [
{
"title": "pfSense filterlog: IPv4 ICMP",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "FilterData",
"extractor_config": {
"regex_value": "^filterlog\\[.+\\]:(.+)"
},
"condition_type": "regex",
"condition_value": "^filterlog\\[.+\\]:(.+),(in|out),4,.*,icmp,.*$"
},
{
"title": "pfSense filterlog: IPv4 UDP",
"extractor_type": "regex",
"converters": [
{
"type": "csv",
"config": {
"trim_leading_whitespace": false,
"column_header": "RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,ID,Offset,Flags,ProtocolID,Protocol,Length,SourceIP,DestIP,SourcePort,DestPort,DataLength",
"strict_quotes": false
}
}
],
"order": 2,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "FilterData",
"extractor_config": {
"regex_value": "^filterlog\\[.+\\]:(.+)"
},
"condition_type": "regex",
"condition_value": "^filterlog\\[.+\\]:(.+),(in|out),4,.*,udp,.*$"
},
{
"title": "pfSense filterlog: IPv4 TCP",
"extractor_type": "regex",
"converters": [
{
"type": "csv",
"config": {
"trim_leading_whitespace": false,
"column_header": "RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,ID,Offset,Flags,ProtocolID,Protocol,Length,SourceIP,DestIP,SourcePort,DestPort,DataLength,TCPFlags,Sequence,ACK,Window,URG,Options",
"strict_quotes": false
}
}
],
"order": 1,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "FilterData",
"extractor_config": {
"regex_value": "^filterlog\\[.+\\]:(.+)"
},
"condition_type": "regex",
"condition_value": "^filterlog\\[.+\\]:(.+),(in|out),4,.*,tcp,.*$"
},
{
"title": "pfsense OpenVPN",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "^openvpn\\[%{NUMBER:openvpn_pid}\\]: %{IP:client_ip}:%{NUMBER:client_port} \\[%{DATA:client_username}\\] Peer Connection Initiated with \\[AF_INET\\]%{IP:target_ip}:%{NUMBER:target_port} \\(via \\[AF_INET\\]%{IP:via_ip}%\\)",
"named_captures_only": true
},
"condition_type": "string",
"condition_value": "openvpn"
},
{
"title": "Suricata alerts",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{DATA:process}\\[%{INT:process_id}\\]: \\[%{INT:rule_id}:%{INT:rev_id}:%{INT:sig_id}\\] %{DATA:alert_msg} \\[Classification: %{DATA:classification}\\] \\[Priority: %{INT:priority}\\] \\{%{WORD:protocol}\\} %{IP:src_ip}:%{INT:src_port} -> %{IP:dst_ip}:%{INT:dst_port}"
},
"condition_type": "string",
"condition_value": "suricata"
}
],
"version": "5.0.7"
}