pfSense Decoders
<!-- PFSENSE -->
<!-- Parent decoder: prematches lines that start with a single version digit,
     a space and an ISO-8601 timestamp carrying exactly six fractional digits
     and a punctuation sign plus hh:mm offset (e.g. "1 2024-03-01T09:30:00.123456+00:00",
     constructed).  Lines whose timestamp is shaped differently (no fraction,
     "Z" suffix) never prematch and are left undecoded.
     NOTE(review): this parent/child set, down to the fused "PFSENSE" marker,
     is repeated verbatim by the set that follows it; presumably a paste
     artifact, as identical decoders only add a second regex pass per line. -->
<decoder name="pfsense">
<prematch>^\d\s\w\w\w\w-\d\d-\d\dT\d\d:\d\d:\d\d.\d\d\d\d\d\d\p\d\d:\d\d</prematch>
</decoder>
<!-- Hostname: first "a.b.c" token (three \w runs joined by literal dots).
     NOTE(review): the regex is unanchored; with a single-label hostname the
     first three octets of an IP address later in the line could be captured
     instead. Confirm with a sample line. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>(\w+.\w+.\w+)</regex>
<order>hostname</order>
</decoder>
<!-- Program name and numeric id from the two tokens preceding "- -"
     (presumably the RFC 5424 APP-NAME and PROCID, with nil MSGID and
     STRUCTURED-DATA). -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>(\w+)\s(\d+) - -</regex>
<order>log_type,log_id</order>
</decoder>
<!-- Packet-filter CSV fields: protocol, (length skipped), source and
     destination address, source and destination port, (data length skipped),
     trailing word stored as request_type; presumably the TCP flags column of
     the pfSense filterlog layout. Confirm against a sample line.
     NOTE(review): only dotted-quad addresses match, so IPv6 filter events
     are not decoded by this file. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>(\w+),\d+,(\d+.\d+.\d+.\d+),(\d+.\d+.\d+.\d+),(\d+),(\d+),\d+,(\w+)</regex>
<order>protocol,src_ip,dst_ip,src_port,dst_port,request_type</order>
</decoder>
<!-- The two columns after a literal "match," (e.g. "match,block,in",
     constructed): rule action and traffic direction. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>match,(\w+),(\w+),</regex>
<order>action,direction</order>
</decoder>
<!-- Three punctuation characters (presumably ",,," with empty sub-rule and
     anchor columns), then a numeric id and the interface name before "match,".
     NOTE(review): "session_id" looks like the filterlog rule tracker id rather
     than a session; a non-empty anchor column would defeat \p\p\p. Confirm. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>\p\p\p(\d+),(\w+),match,</regex>
<order>session_id,interface</order>
</decoder>
<!-- PFSENSE -->
<!-- Parent decoder for every pfSense child below (all declare <parent>pfsense</parent>).
     Prematches lines starting with a single version digit, a space and an
     ISO-8601 timestamp with exactly six fractional digits and a punctuation
     sign plus hh:mm offset, e.g. "1 2024-03-01T09:30:00.123456+00:00"
     (constructed).  Timestamps shaped differently (no fraction, "Z" suffix)
     do not prematch and the line is left undecoded, so rule coverage depends
     on the sender's exact syslog format.
     NOTE(review): presumably assumes the syslog PRI "<nn>" has already been
     stripped; verify with wazuh-logtest on a captured line. -->
<decoder name="pfsense">
<prematch>^\d\s\w\w\w\w-\d\d-\d\dT\d\d:\d\d:\d\d.\d\d\d\d\d\d\p\d\d:\d\d</prematch>
</decoder>
<!-- Hostname: the first "a.b.c" token (three \w runs joined by literal dots).
     NOTE(review): the regex is unanchored, so on a single-label hostname the
     first three octets of an IP address later in the line could be captured
     as the hostname. Confirm with a sample line. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>(\w+.\w+.\w+)</regex>
<order>hostname</order>
</decoder>
<!-- Program name and numeric id from the two tokens before "- -"
     (presumably RFC 5424 APP-NAME and PROCID followed by nil MSGID and
     STRUCTURED-DATA).  log_type is what distinguishes packet-filter lines
     from sshd/GUI lines for the children below. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>(\w+)\s(\d+) - -</regex>
<order>log_type,log_id</order>
</decoder>
<!-- Packet-filter CSV fields: protocol, (length skipped), source and
     destination address, source and destination port, (data length skipped),
     then a trailing word stored as request_type, which presumably is the TCP
     flags column of the pfSense filterlog layout. Confirm with a sample line.
     NOTE(review): addresses must be dotted quads, so IPv6 filter events are
     never decoded by this file, a blind spot for rules keyed on src_ip/dst_ip.
     The unbounded \d+ octets also accept values above 255. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>(\w+),\d+,(\d+.\d+.\d+.\d+),(\d+.\d+.\d+.\d+),(\d+),(\d+),\d+,(\w+)</regex>
<order>protocol,src_ip,dst_ip,src_port,dst_port,request_type</order>
</decoder>
<!-- Two columns after a literal "match,": the rule action and the traffic
     direction (e.g. "match,block,in", constructed). -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>match,(\w+),(\w+),</regex>
<order>action,direction</order>
</decoder>
<!-- Three punctuation characters (presumably ",,," where the sub-rule and
     anchor columns are empty), then a numeric id and the interface name that
     precede "match,".
     NOTE(review): "session_id" looks like the filterlog rule tracker id, not
     a session identifier; a populated anchor column would defeat \p\p\p and
     the line would lose both fields. Confirm against sample lines. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>\p\p\p(\d+),(\w+),match,</regex>
<order>session_id,interface</order>
</decoder>
<!-- Captures the same timestamp the parent prematched, now as a field. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>^\d\s(\w\w\w\w-\d\d-\d\dT\d\d:\d\d:\d\d.\d\d\d\d\d\d\p\d\d:\d\d)\s</regex>
<order>timestamp</order>
</decoder>
<!-- Packet-filter fields without the trailing flags word; presumably the
     non-TCP (UDP/ICMP) variant of the protocol/address/port group above.
     Same IPv4-only limitation applies. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>,(\w+),\d+,(\d+.\d+.\d+.\d+),(\d+.\d+.\d+.\d+),(\d+),(\d+),\d+</regex>
<order>protocol,src_ip,dst_ip,src_port,dst_port</order>
</decoder>
<!-- Brute-force guard message 'Attack from "<ip>" on service <name> with
     danger <n>' (the wording matches sshguard's attack line). attacker_ip is
     the value active-response rules would act on. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>Attack from "(\d+.\d+.\d+.\d+)" on service (\w+) with danger (\d+)</regex>
<order>attacker_ip,service,severity_level</order>
</decoder>
<!-- 'Blocking "<ip>/<prefix>" for <n> <unit> <reason...>': attacker_ip keeps
     the CIDR suffix, block_time is "<n> <unit>" and block_reason is the rest
     of the line (\.+ is "any characters" in this regex dialect). -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>Blocking "(\d+.\d+.\d+.\d+/\d+)" for (\d+ \w+) (\.+)</regex>
<order>attacker_ip,block_time,block_reason</order>
</decoder>
<!-- sshd "Connection closed by <ip> port <n> <tail>": auth_type holds the
     trailing token, presumably "[preauth]". -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>Connection closed by (\d+.\d+.\d+.\d+) port (\d+) (\.+)</regex>
<order>ip_addr,port,auth_type</order>
</decoder>
<!-- sshd "Failed password for <user> from <ip> port <n> <service>".
     NOTE(review): the user capture is \.+ and stops only at " from ", so for
     unknown accounts it presumably holds "invalid user <name>" rather than
     the bare name; rules comparing user must allow for that.
     NOTE(review): this decoder names the address src_ip while the other sshd
     decoders in this file use ip_addr; rules correlating sshd events across
     messages must query both names. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>Failed password for (\.+) from (\d+.\d+.\d+.\d+) port (\d+) (\.+)</regex>
<order>user,src_ip,port,service</order>
</decoder>
<!-- sshd "Received disconnect from <ip> port <n>:<code>: <message>". -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>Received disconnect from (\d+.\d+.\d+.\d+) port (\d+):(\d+): (\.+)</regex>
<order>ip_addr,port,disconnect_code,disconnect_msg</order>
</decoder>
<!-- sshd invalid-user message.
     NOTE(review): the literal "Invalid user from" only matches when no user
     name sits between "user" and "from"; the usual form carries a name
     ("Invalid user <name> from <ip> port <n>"), which this regex would not
     match, so those login attempts may go undecoded. Confirm with a sample
     line; if so, capturing the name, e.g.
     <regex>Invalid user (\.+) from (\d+.\d+.\d+.\d+) port (\d+)</regex> with
     <order>user,ip_addr,port</order>, would cover both forms. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>Invalid user from (\d+.\d+.\d+.\d+) port (\d+)</regex>
<order>ip_addr,port</order>
</decoder>
<!-- "<ip>: <word> after <duration...>", presumably the guard's unblock
     notice; "type" holds the word before "after". -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>(\d+.\d+.\d+.\d+): (\w+) after (\.+)</regex>
<order>ip_addr,type,unblock_time</order>
</decoder>
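<!-- sshd "userauth_finish" message: the single capture is the text between
     the "- -" separator and ": userauth_finish:".
     Fix: <order> listed three names (status,ip_addr,auth_type) for one
     capture group; the extra names could never receive a value, so they are
     dropped to keep <order> in step with the regex.
     NOTE(review): what the capture holds depends on the exact sshd wording;
     confirm with a sample line before building rules on "status". -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>- - (\.+): userauth_finish: </regex>
<order>status</order>
</decoder>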
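<!-- sshd "Timeout before authentication for <ip> port <n>".
     Fix: the third capture is the TCP port, but <order> labelled it
     auth_type; it is now "port", the name every other sshd decoder in this
     file uses for that value. Rules that read auth_type from this message
     were reading a port number and need to switch to "port". -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>- - (\.+): Timeout before authentication for (\d+.\d+.\d+.\d+) port (\d+)</regex>
<order>status,ip_addr,port</order>
</decoder>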
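<!-- sshd "<Status> from authenticating user <user> <ip> port <n> <tail>".
     Fix: the regex has five capture groups but <order> named only four, so
     the port landed in auth_type and the trailing token (presumably
     "[preauth]") was discarded. The order now mirrors the "Connection closed
     by authenticating user" decoder in this file: status,user,ip_addr,port,
     auth_type. Rules that relied on auth_type holding the port need updating. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>- - (\w+) from authenticating user (\.+) (\d+.\d+.\d+.\d+) port (\d+) (\.+)</regex>
<order>status,user,ip_addr,port,auth_type</order>
</decoder>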
<!-- Web GUI login failure: "/index.php: webConfigurator authentication error
     for user '<user>' from: <ip>". The user value is whatever the client
     typed, so treat it as untrusted text in rules and dashboards. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>/index.php: webConfigurator authentication error for user '(\.+)' from: (\d+.\d+.\d+.\d+)</regex>
<order>user,ip_addr</order>
</decoder>
<!-- sshd "Connection closed by authenticating user <user> <ip> port <n>
     <tail>": auth_type holds the trailing token, presumably "[preauth]". -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>Connection closed by authenticating user (\w+) (\d+.\d+.\d+.\d+) port (\d+) (\.+)</regex>
<order>user,ip_addr,port,auth_type</order>
</decoder>
<!-- sshd "<function>: signature algorithm <algo> not in
     PubkeyAcceptedAlgorithms <tail>": a public-key login refused because the
     client offered an algorithm the server no longer accepts. auth_type_fun
     is the text before the first ":" and auth_type the trailing token. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>- - (\.+): signature algorithm (\.+) not in PubkeyAcceptedAlgorithms (\.+)</regex>
<order>auth_type_fun,algo,auth_type</order>
</decoder>
<!-- NOTE(review): from here to the end of the file the fifteen child
     decoders above (timestamp through PubkeyAcceptedAlgorithms) are repeated
     verbatim; presumably a paste artifact, since identical children only add
     a second regex pass per line. Confirm and drop one copy.
     Timestamp capture, same pattern as the parent prematch. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>^\d\s(\w\w\w\w-\d\d-\d\dT\d\d:\d\d:\d\d.\d\d\d\d\d\d\p\d\d:\d\d)\s</regex>
<order>timestamp</order>
</decoder>
<!-- Packet-filter fields without the trailing flags word (presumably the
     UDP/ICMP variant); IPv4 dotted quads only. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>,(\w+),\d+,(\d+.\d+.\d+.\d+),(\d+.\d+.\d+.\d+),(\d+),(\d+),\d+</regex>
<order>protocol,src_ip,dst_ip,src_port,dst_port</order>
</decoder>
<!-- Brute-force guard 'Attack from "<ip>" on service <name> with danger <n>'. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>Attack from "(\d+.\d+.\d+.\d+)" on service (\w+) with danger (\d+)</regex>
<order>attacker_ip,service,severity_level</order>
</decoder>
<!-- 'Blocking "<ip>/<prefix>" for <n> <unit> <reason...>'; attacker_ip keeps
     the CIDR suffix. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>Blocking "(\d+.\d+.\d+.\d+/\d+)" for (\d+ \w+) (\.+)</regex>
<order>attacker_ip,block_time,block_reason</order>
</decoder>
<!-- sshd "Connection closed by <ip> port <n> <tail>"; auth_type is the
     trailing token, presumably "[preauth]". -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>Connection closed by (\d+.\d+.\d+.\d+) port (\d+) (\.+)</regex>
<order>ip_addr,port,auth_type</order>
</decoder>
<!-- sshd "Failed password for <user> from <ip> port <n> <service>".
     NOTE(review): the \.+ user capture presumably includes "invalid user "
     for unknown accounts, and the address is named src_ip here but ip_addr
     in the other sshd decoders; rules must account for both. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>Failed password for (\.+) from (\d+.\d+.\d+.\d+) port (\d+) (\.+)</regex>
<order>user,src_ip,port,service</order>
</decoder>
<!-- sshd "Received disconnect from <ip> port <n>:<code>: <message>". -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>Received disconnect from (\d+.\d+.\d+.\d+) port (\d+):(\d+): (\.+)</regex>
<order>ip_addr,port,disconnect_code,disconnect_msg</order>
</decoder>
<!-- sshd invalid-user message.
     NOTE(review): "Invalid user from" only matches when no user name sits
     between "user" and "from"; the usual form ("Invalid user <name> from
     <ip> port <n>") would not match and may go undecoded. Confirm with a
     sample line. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>Invalid user from (\d+.\d+.\d+.\d+) port (\d+)</regex>
<order>ip_addr,port</order>
</decoder>
<!-- "<ip>: <word> after <duration...>", presumably the guard's unblock notice. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>(\d+.\d+.\d+.\d+): (\w+) after (\.+)</regex>
<order>ip_addr,type,unblock_time</order>
</decoder>
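<!-- sshd "userauth_finish" message; the single capture is the text between
     "- -" and ": userauth_finish:".
     Fix: <order> named three fields (status,ip_addr,auth_type) for one
     capture group; the never-populated names are dropped so <order> matches
     the regex. NOTE(review): confirm the captured text with a sample line. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>- - (\.+): userauth_finish: </regex>
<order>status</order>
</decoder>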
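<!-- sshd "Timeout before authentication for <ip> port <n>".
     Fix: the third capture is the TCP port but was labelled auth_type; it is
     now "port", as in the other sshd decoders in this file. Rules reading
     auth_type from this message need to switch to "port". -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>- - (\.+): Timeout before authentication for (\d+.\d+.\d+.\d+) port (\d+)</regex>
<order>status,ip_addr,port</order>
</decoder>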
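<!-- sshd "<Status> from authenticating user <user> <ip> port <n> <tail>".
     Fix: five capture groups but only four names, so the port landed in
     auth_type and the trailing token (presumably "[preauth]") was dropped.
     Order now mirrors the "Connection closed by authenticating user" decoder:
     status,user,ip_addr,port,auth_type. Rules relying on auth_type holding
     the port need updating. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>- - (\w+) from authenticating user (\.+) (\d+.\d+.\d+.\d+) port (\d+) (\.+)</regex>
<order>status,user,ip_addr,port,auth_type</order>
</decoder>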
<!-- Web GUI login failure: "/index.php: webConfigurator authentication error
     for user '<user>' from: <ip>"; the user value is client-supplied text. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>/index.php: webConfigurator authentication error for user '(\.+)' from: (\d+.\d+.\d+.\d+)</regex>
<order>user,ip_addr</order>
</decoder>
<!-- sshd "Connection closed by authenticating user <user> <ip> port <n>
     <tail>"; auth_type is the trailing token, presumably "[preauth]". -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>Connection closed by authenticating user (\w+) (\d+.\d+.\d+.\d+) port (\d+) (\.+)</regex>
<order>user,ip_addr,port,auth_type</order>
</decoder>
<!-- sshd "<function>: signature algorithm <algo> not in
     PubkeyAcceptedAlgorithms <tail>": public-key login refused because the
     offered algorithm is no longer accepted by the server. -->
<decoder name="pfsense">
<parent>pfsense</parent>
<regex>- - (\.+): signature algorithm (\.+) not in PubkeyAcceptedAlgorithms (\.+)</regex>
<order>auth_type_fun,algo,auth_type</order>
</decoder>