PFsense Firewall and IDS

A pfSense dashboard that displays IDS (suricata) and Firewall events. Uses Graylog as the backend.

PFsense Firewall and IDS screenshot 1

This dashboard shows Firewall and IDS events along with logs pulled from Graylog. It is designed to work with pfSense. To set up pfSense and Graylog, use these excellent write-ups by Jake:

https://jake.stride.me.uk/posts/2020/06/28/pfsense-suricata-and-snort-syslog-to-graylog.html

https://jake.stride.me.uk/posts/2020/07/04/pfsense-graylog-parsing.html

Additional note: these setup instructions have a few problems. Barnyard2 is deprecated. With Suricata, enable sending alerts to syslog instead; this completely bypasses the need for Barnyard2. I also recommend running your IDS on your LAN interface(s), not your WAN interface(s). This gives you better alerts (the internal server being hit rather than the external IP) and fewer of them, because most packets are blocked by the firewall anyway. There is no reason to scan packets that the firewall will drop!

Please note: you may need to tweak your Elasticsearch install a bit. This dashboard allows you to drill down into firewall logs, which can contain obscene numbers of different source and destination IP addresses. Edit the elasticsearch.yml file (/etc/elasticsearch/elasticsearch.yml) and add this at the bottom:

indices.query.bool.max_clause_count: 10240

This helps if you want to select many different IPs in the dropdowns, or if you have a large number of WAN IP addresses. Please note that a dropdown can display at most 1000 entries, so not every IP in your log will necessarily show up in it. This is a Grafana limitation.
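As an added illustration (not code from this dashboard or from Jake's write-ups) of why the clause limit and the dropdown cap matter, the script below counts distinct source and destination addresses in a batch of pfSense filterlog lines and checks them against both limits. The filterlog CSV field positions are assumed from the pfSense documentation, and the log lines are constructed samples.

```python
# Added example: count distinct addresses in pfSense filterlog lines so you
# can see whether the Grafana dropdown cap (1000 values) or Elasticsearch's
# max_clause_count (default 1024, raised to 10240 above) will be hit.
# Field layout is assumed from the pfSense filterlog documentation.
import csv
from typing import Dict, Iterable, List

GRAFANA_DROPDOWN_CAP = 1000      # values a Grafana variable dropdown displays
ES_DEFAULT_MAX_CLAUSES = 1024    # Elasticsearch default for max_clause_count
ES_TUNED_MAX_CLAUSES = 10240     # value this page recommends

# Assumed IPv4 filterlog positions: 6 action, 8 ip-version, 18 src, 19 dst
IDX_ACTION, IDX_IPVER, IDX_SRC, IDX_DST = 6, 8, 18, 19

SAMPLE_LINES = [  # constructed sample records, not real traffic
    "5,,,1000000103,igb0,match,block,in,4,0x0,,64,1234,0,DF,6,tcp,60,"
    "203.0.113.9,192.0.2.10,51234,443,0,S,",
    "5,,,1000000103,igb0,match,block,in,4,0x0,,64,1235,0,DF,17,udp,78,"
    "203.0.113.10,192.0.2.10,5000,53,58",
    "70,,,1000000104,igb1,match,pass,out,4,0x0,,128,1,0,none,6,tcp,52,"
    "192.0.2.10,198.51.100.7,40000,443,0,S,",
    "70,,,1000000104,igb1,match,pass,out,6",  # truncated / non-IPv4: skipped
]

def parse_filterlog(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Extract action, src and dst from IPv4 records; skip anything else."""
    records = []
    for row in csv.reader(lines):
        if len(row) <= IDX_DST or row[IDX_IPVER] != "4":
            continue  # IPv6 rows use a different layout; malformed rows dropped
        records.append({"action": row[IDX_ACTION],
                        "src": row[IDX_SRC], "dst": row[IDX_DST]})
    return records

def address_cardinality(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Distinct source, destination and combined address counts."""
    src = {r["src"] for r in records}
    dst = {r["dst"] for r in records}
    return {"src": len(src), "dst": len(dst), "all": len(src | dst)}

def fits_clause_limit(distinct_ips: int, max_clauses: int) -> bool:
    """Can a filter that ORs every one of these IPs stay under max_clause_count?"""
    return distinct_ips <= max_clauses

if __name__ == "__main__":
    card = address_cardinality(parse_filterlog(SAMPLE_LINES))
    print(card, "dropdown shows all:", card["all"] <= GRAFANA_DROPDOWN_CAP)
    print("fits default limit:", fits_clause_limit(card["all"], ES_DEFAULT_MAX_CLAUSES))
```

Feed it a day of real filterlog lines (for example from /var/log/filter.log on pfSense) to see whether your address counts exceed 1000 or 1024 before tuning.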

If you have difficulties, hit me up on reddit: u/althornin
