Created
February 21, 2021 19:38
-
-
Save astr0n8t/69ac2cc8ebeda4cca7d33ca22e8dca25 to your computer and use it in GitHub Desktop.
Graylog Pfsense Extractor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "extractors": [ | |
| { | |
| "title": "pfSense filterlog: IPv4 ICMP Echo", | |
| "extractor_type": "regex", | |
| "converters": [ | |
| { | |
| "type": "csv", | |
| "config": { | |
| "column_header": "RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,ID,Offset,Flags,ProtocolID,Protocol,Length,SourceIP,DestIP,ICMP_Type,ICMP_ID,ICMP_Sequence" | |
| } | |
| } | |
| ], | |
| "order": 4, | |
| "cursor_strategy": "copy", | |
| "source_field": "full_message", | |
| "target_field": "FilterData", | |
| "extractor_config": { | |
| "regex_value": "filterlog\\s+(.*)$" | |
| }, | |
| "condition_type": "regex", | |
| "condition_value": "filterlog\\s+.*,(in|out),4,.*,icmp,.*,(request|reply),.*$" | |
| }, | |
| { | |
| "title": "pfSense filterlog: IPv4 ICMP Unreachable Protocol", | |
| "extractor_type": "regex", | |
| "converters": [ | |
| { | |
| "type": "csv", | |
| "config": { | |
| "column_header": "RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,ID,Offset,Flags,ProtocolID,Protocol,Length,SourceIP,DestIP,ICMP_Type,ICMP_DestIP,ICMP_ProtocolID" | |
| } | |
| } | |
| ], | |
| "order": 5, | |
| "cursor_strategy": "copy", | |
| "source_field": "full_message", | |
| "target_field": "FilterData", | |
| "extractor_config": { | |
| "regex_value": "filterlog\\s+(.*)$" | |
| }, | |
| "condition_type": "regex", | |
| "condition_value": "filterlog\\s+.*,(in|out),4,.*,icmp,.*,unreachproto,.*$" | |
| }, | |
| { | |
| "title": "pfSense filterlog: IPv4 ICMP TStamp", | |
| "extractor_type": "regex", | |
| "converters": [ | |
| { | |
| "type": "csv", | |
| "config": { | |
| "column_header": "RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,ID,Offset,Flags,ProtocolID,Protocol,Length,SourceIP,DestIP,ICMP_Type,ICMP_ID,ICMP_Sequence" | |
| } | |
| } | |
| ], | |
| "order": 6, | |
| "cursor_strategy": "copy", | |
| "source_field": "full_message", | |
| "target_field": "FilterData", | |
| "extractor_config": { | |
| "regex_value": "filterlog\\s+(.*)$" | |
| }, | |
| "condition_type": "regex", | |
| "condition_value": "filterlog\\s+.*,(in|out),4,.*,icmp,.*,tstamp,.*$" | |
| }, | |
| { | |
| "title": "pfSense filterlog: IPv4 ICMP Need Frag", | |
| "extractor_type": "regex", | |
| "converters": [ | |
| { | |
| "type": "csv", | |
| "config": { | |
| "column_header": "RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,ID,Offset,Flags,ProtocolID,Protocol,Length,SourceIP,DestIP,ICMP_Type,ICMP_DestIP,ICMP_MTU" | |
| } | |
| } | |
| ], | |
| "order": 7, | |
| "cursor_strategy": "copy", | |
| "source_field": "full_message", | |
| "target_field": "FilterData", | |
| "extractor_config": { | |
| "regex_value": "filterlog\\s+(.*)$" | |
| }, | |
| "condition_type": "regex", | |
| "condition_value": "filterlog\\s+.*,(in|out),4,.*,icmp,.*,needfrag,.*$" | |
| }, | |
| { | |
| "title": "pfSense filterlog: IPv4 ICMP Unreachable Port", | |
| "extractor_type": "regex", | |
| "converters": [ | |
| { | |
| "type": "csv", | |
| "config": { | |
| "column_header": "RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,ID,Offset,Flags,ProtocolID,Protocol,Length,SourceIP,DestIP,ICMP_Type,ICMP_DestIP,ICMP_ProtocolID,ICMP_Port" | |
| } | |
| } | |
| ], | |
| "order": 8, | |
| "cursor_strategy": "copy", | |
| "source_field": "full_message", | |
| "target_field": "FilterData", | |
| "extractor_config": { | |
| "regex_value": "filterlog\\s+(.*)$" | |
| }, | |
| "condition_type": "regex", | |
| "condition_value": "filterlog\\s+.*,(in|out),4,.*,icmp,.*,unreachport,.*$" | |
| }, | |
| { | |
| "title": "pfSense filterlog: IPv4 ICMP Default", | |
| "extractor_type": "regex", | |
| "converters": [ | |
| { | |
| "type": "csv", | |
| "config": { | |
| "column_header": "RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,ID,Offset,Flags,ProtocolID,Protocol,Length,SourceIP,DestIP,ICMP_Type,ICMP_Description" | |
| } | |
| } | |
| ], | |
| "order": 9, | |
| "cursor_strategy": "copy", | |
| "source_field": "full_message", | |
| "target_field": "FilterData", | |
| "extractor_config": { | |
| "regex_value": "filterlog\\s+(.*)$" | |
| }, | |
| "condition_type": "regex", | |
| "condition_value": "filterlog\\s+.*,(in|out),4,.*,icmp,.*,(?!(request|reply|unreachproto|unreachport|unreach|timexceed|paramprob|redirect|maskreply|needfrag|tstamp|tstampreply)),.*$" | |
| }, | |
| { | |
| "title": "pfSense filterlog: IPv4 ICMP Unreachable Other", | |
| "extractor_type": "regex", | |
| "converters": [ | |
| { | |
| "type": "csv", | |
| "config": { | |
| "column_header": "RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,ID,Offset,Flags,ProtocolID,Protocol,Length,SourceIP,DestIP,ICMP_Type,ICMP_Description" | |
| } | |
| } | |
| ], | |
| "order": 10, | |
| "cursor_strategy": "copy", | |
| "source_field": "full_message", | |
| "target_field": "FilterData", | |
| "extractor_config": { | |
| "regex_value": "filterlog\\s+(.*)$" | |
| }, | |
| "condition_type": "regex", | |
| "condition_value": "filterlog\\s+.*,(in|out),4,.*,icmp,.*,(unreach|timexceed|paramprob|redirect|maskreply),.*$" | |
| }, | |
| { | |
| "title": "pfSense filterlog: IPv4 ICMP TStamp Reply", | |
| "extractor_type": "regex", | |
| "converters": [ | |
| { | |
| "type": "csv", | |
| "config": { | |
| "column_header": "RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,ID,Offset,Flags,ProtocolID,Protocol,Length,SourceIP,DestIP,ICMP_Type,ICMP_ID,ICMP_Sequence,ICMP_otime,ICMP_rtime,ICMP_ttime" | |
| } | |
| } | |
| ], | |
| "order": 11, | |
| "cursor_strategy": "copy", | |
| "source_field": "full_message", | |
| "target_field": "FilterData", | |
| "extractor_config": { | |
| "regex_value": "filterlog\\s+(.*)$" | |
| }, | |
| "condition_type": "regex", | |
| "condition_value": "filterlog\\s+.*,(in|out),4,.*,icmp,.*,tstampreply,.*$" | |
| }, | |
| { | |
| "title": "pfSense filterlog: IPv4 TCP", | |
| "extractor_type": "regex", | |
| "converters": [ | |
| { | |
| "type": "csv", | |
| "config": { | |
| "column_header": "RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,ID,Offset,Flags,ProtocolID,Protocol,Length,SourceIP,DestIP,SourcePort,DestPort,DataLength,TCPFlags,Sequence,ACK,Window,URG,Options" | |
| } | |
| } | |
| ], | |
| "order": 0, | |
| "cursor_strategy": "copy", | |
| "source_field": "full_message", | |
| "target_field": "FilterData", | |
| "extractor_config": { | |
| "regex_value": "filterlog\\s+(.*)$" | |
| }, | |
| "condition_type": "regex", | |
| "condition_value": "filterlog\\s+.*,(in|out),4,.*,tcp,.*$" | |
| }, | |
| { | |
| "title": "pfSense filterlog: IPv6 TCP", | |
| "extractor_type": "regex", | |
| "converters": [ | |
| { | |
| "type": "csv", | |
| "config": { | |
| "column_header": "RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,Class,FlowLabel,HopLimit,Protocol,ProtocolID,Length,SourceIP,DestIP,SourcePort,DestPort,DataLength,TCPFlags,Sequence,ACK,Window,URG,Options" | |
| } | |
| } | |
| ], | |
| "order": 2, | |
| "cursor_strategy": "copy", | |
| "source_field": "full_message", | |
| "target_field": "FilterData", | |
| "extractor_config": { | |
| "regex_value": "filterlog\\s+(.*)$" | |
| }, | |
| "condition_type": "regex", | |
| "condition_value": "filterlog\\s+.*,(in|out),6,.*,TCP,.*$" | |
| }, | |
| { | |
| "title": "pfSense filterlog: IPv6 UDP", | |
| "extractor_type": "regex", | |
| "converters": [ | |
| { | |
| "type": "csv", | |
| "config": { | |
| "column_header": "RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,Class,FlowLabel,HopLimit,Protocol,ProtocolID,Length,SourceIP,DestIP,SourcePort,DestPort,DataLength" | |
| } | |
| } | |
| ], | |
| "order": 3, | |
| "cursor_strategy": "copy", | |
| "source_field": "full_message", | |
| "target_field": "FilterData", | |
| "extractor_config": { | |
| "regex_value": "filterlog\\s+(.*)$" | |
| }, | |
| "condition_type": "regex", | |
| "condition_value": "filterlog\\s+.*,(in|out),6,.*,UDP,.*$" | |
| }, | |
| { | |
| "title": "pfSense filterlog: IPv4 UDP", | |
| "extractor_type": "regex", | |
| "converters": [ | |
| { | |
| "type": "csv", | |
| "config": { | |
| "column_header": "RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,ID,Offset,Flags,ProtocolID,Protocol,Length,SourceIP,DestIP,SourcePort,DestPort,DataLength" | |
| } | |
| } | |
| ], | |
| "order": 1, | |
| "cursor_strategy": "copy", | |
| "source_field": "full_message", | |
| "target_field": "FilterData", | |
| "extractor_config": { | |
| "regex_value": "filterlog\\s+(.*)$" | |
| }, | |
| "condition_type": "regex", | |
| "condition_value": "filterlog\\s+.*,(in|out),4,.*,udp,.*$" | |
| }, | |
| { | |
| "title": "pfSense filterlog: IPv6 ICMP", | |
| "extractor_type": "regex", | |
| "converters": [ | |
| { | |
| "type": "csv", | |
| "config": { | |
| "column_header": "RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,Protocol,ProtocolID,Length,SourceIP,DestIP,UnknownFld" | |
| } | |
| } | |
| ], | |
| "order": 12, | |
| "cursor_strategy": "copy", | |
| "source_field": "full_message", | |
| "target_field": "FilterData", | |
| "extractor_config": { | |
| "regex_value": "filterlog\\s+(.*)$" | |
| }, | |
| "condition_type": "regex", | |
| "condition_value": "filterlog\\s+.*,(in|out),6,.*,ICMPv6,.*$" | |
| } | |
| ], | |
| "version": "3.0.0" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment