pfSense 2.3 Grok Pattern
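# GROK Custom Patterns (add to patterns directory and reference in GROK filter for pfSense events):
# GROK Patterns for pfSense 2.3 Logging Format
#
# Created 27 Jan 2015 by J. Pisano (Handles TCP, UDP, and ICMP log entries)
# Edited 14 Feb 2015 by Elijah Paul [email protected]
# Edited 10 Mar 2015 by Bernd Zeimetz <[email protected]>
# Edited 6 Aug 2016 by Brian Turek <[email protected]>
# taken from https://gist.github.com/elijahpaul/3d80030ac3e8138848b5
# - adding PFSENSE_IGMP_DATA
# - moved and tweaked IPv4 ECN pattern (ecn is a WORD, not INT)
# - made PFSENSE_PROTOCOL_DATA optional in pattern (for ICMPv6)
# - added overall PFSENSE_LOG_ENTRY pattern
# - moved the ip_ver detection to version-specific rule to ensure proper identification
# - removed a stray space in PFSENSE_ICMP_RESPONSE that required a literal blank before the unreachproto data
# - last TCP field is GREEDYDATA: a lazy DATA at the end of an unanchored pattern always captured an empty tcp_options
# - reordered PFSENSE_ICMP_RESPONSE so the more specific alternatives come first (see the note above it)
#
# TODO: Add support for IPv6 "Options" messages. Optional PFSENSE_PROTOCOL_DATA still allows this to be parsed, albeit not fully.
#
# Usage: Use the PFSENSE_LOG_ENTRY pattern
#
# Notes:
# - None of these patterns are anchored (^/$). Anchor in the grok filter if a whole-line match is required; otherwise
#   a partial match still produces an event with only the leading fields set, which looks like a fully parsed line.
# - DATA/GREEDYDATA fields belong at the end of their alternative. A greedy field earlier in an alternation swallows the
#   rest of the line and every later alternative becomes unreachable, so those events get the wrong field names.

# Top-level entry: common header, IPv4- or IPv6-specific block, length/addresses, then optional per-protocol data.
PFSENSE_LOG_ENTRY %{PFSENSE_LOG_DATA}%{PFSENSE_IP_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}?
# The empty field between sub_rule and tracker is matched literally as ",,".
PFSENSE_LOG_DATA %{INT:rule},%{INT:sub_rule},,%{INT:tracker},%{WORD:iface},%{WORD:reason},%{WORD:action},%{WORD:direction},
# ip_ver is captured inside each version-specific block, so the literal 4/6 decides which block applies.
PFSENSE_IP_SPECIFIC_DATA %{PFSENSE_IPv4_SPECIFIC_DATA}|%{PFSENSE_IPv6_SPECIFIC_DATA}
# IPv4 header fields; ecn may be empty (the WORD is optional, the surrounding commas are not).
PFSENSE_IPv4_SPECIFIC_DATA (?<ip_ver>(4)),%{BASE16NUM:tos},%{WORD:ecn}?,%{INT:ttl},%{INT:id},%{INT:offset},%{WORD:flags},%{INT:proto_id},%{WORD:proto},
# IPv6 header fields; proto name precedes proto_id here, the reverse of the IPv4 block.
PFSENSE_IPv6_SPECIFIC_DATA (?<ip_ver>(6)),%{BASE16NUM:class},%{DATA:flow_label},%{INT:hop_limit},%{WORD:proto},%{INT:proto_id},
PFSENSE_IP_DATA %{INT:length},%{IP:src_ip},%{IP:dest_ip},
# Per-protocol tail. UDP is a prefix of TCP; TCP is tried first and falls through when no tcp_flags field follows.
PFSENSE_PROTOCOL_DATA %{PFSENSE_TCP_DATA}|%{PFSENSE_UDP_DATA}|%{PFSENSE_ICMP_DATA}|%{PFSENSE_CARP_DATA}|%{PFSENSE_IGMP_DATA}
# tcp_options is the last field, so it must be GREEDYDATA: a lazy DATA (.*?) at the end of an unanchored pattern matches "".
PFSENSE_TCP_DATA %{INT:src_port},%{INT:dest_port},%{INT:data_length},%{WORD:tcp_flags},%{INT:sequence_number},%{INT:ack_number},%{INT:tcp_window},%{DATA:urg_data},%{GREEDYDATA:tcp_options}
PFSENSE_UDP_DATA %{INT:src_port},%{INT:dest_port},%{INT:data_length}
PFSENSE_IGMP_DATA datalength=%{INT:data_length}
PFSENSE_ICMP_DATA %{PFSENSE_ICMP_TYPE}%{PFSENSE_ICMP_RESPONSE}
# Longer names precede their prefixes (unreachproto/unreachport before unreach); the trailing "," settles the match.
PFSENSE_ICMP_TYPE (?<icmp_type>(request|reply|unreachproto|unreachport|unreach|timeexceed|paramprob|redirect|maskreply|needfrag|tstamp|tstampreply)),
# Alternation order matters: nothing is anchored and the first alternative that matches wins.
# - TSTAMP_REPLY (five INTs) precedes ECHO_REQ_REPLY (two INTs); otherwise tstampreply lines get icmp_echo_* fields.
# - NEED_FLAG (IP,INT) precedes UNREACHPROTO (IP,WORD) because WORD also matches an all-digit MTU.
# - UNREACHABLE is GREEDYDATA and stays last; any alternative placed after it can never match.
# - TSTAMP has the same shape as ECHO_REQ_REPLY and is still shadowed by it; only icmp_type tells those two apart.
PFSENSE_ICMP_RESPONSE %{PFSENSE_ICMP_TSTAMP_REPLY}|%{PFSENSE_ICMP_ECHO_REQ_REPLY}|%{PFSENSE_ICMP_UNREACHPORT}|%{PFSENSE_ICMP_NEED_FLAG}|%{PFSENSE_ICMP_UNREACHPROTO}|%{PFSENSE_ICMP_TSTAMP}|%{PFSENSE_ICMP_UNREACHABLE}
PFSENSE_ICMP_ECHO_REQ_REPLY %{INT:icmp_echo_id},%{INT:icmp_echo_sequence}
PFSENSE_ICMP_UNREACHPORT %{IP:icmp_unreachport_dest_ip},%{WORD:icmp_unreachport_protocol},%{INT:icmp_unreachport_port}
PFSENSE_ICMP_UNREACHPROTO %{IP:icmp_unreach_dest_ip},%{WORD:icmp_unreachproto_protocol}
# Catch-all for the remaining ICMP bodies; captures the rest of the line verbatim.
PFSENSE_ICMP_UNREACHABLE %{GREEDYDATA:icmp_unreachable}
PFSENSE_ICMP_NEED_FLAG %{IP:icmp_need_flag_ip},%{INT:icmp_need_flag_mtu}
PFSENSE_ICMP_TSTAMP %{INT:icmp_tstamp_id},%{INT:icmp_tstamp_sequence}
PFSENSE_ICMP_TSTAMP_REPLY %{INT:icmp_tstamp_reply_id},%{INT:icmp_tstamp_reply_sequence},%{INT:icmp_tstamp_reply_otime},%{INT:icmp_tstamp_reply_rtime},%{INT:icmp_tstamp_reply_ttime}
PFSENSE_CARP_DATA %{WORD:carp_type},%{INT:carp_ttl},%{INT:carp_vhid},%{INT:carp_version},%{INT:carp_advbase},%{INT:carp_advskew}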