Pfsense Rules

<!-- PFSENSE -->
<group name="pfsense,syslog,">
  <rule id="100050" level="0">
    <decoded_as>pfsense</decoded_as>
    <description>pfsense messages grouped.</description>
  </rule>
  <rule id="100051" level="9">
    <if_sid>100050</if_sid>
    <action>block</action>
    <match>in</match>
    <description>$(pf_hostname): Incoming $(protocol)$(request_type) traffic from $(src_ip):$(src_port) is blocked.</description>
  </rule>
  <rule id="100052" level="9">
    <if_sid>100050</if_sid>
    <action>block</action>
    <match>out</match>
    <description>$(pf_hostname): Outgoing $(protocol)$(request_type) traffic to $(dst_ip):$(dst_port) is blocked.</description>
  </rule>
  <rule id="100053" level="3">
    <if_sid>100050</if_sid>
    <action>pass</action>
    <match>out</match>
    <description>$(pf_hostname): Outgoing $(protocol)$(request_type) traffic to $(dst_ip):$(dst_port) is allowed.</description>
  </rule>
   <rule id="100054" level="3">
    <if_sid>100050</if_sid>
    <action>pass</action>
    <match>in</match>
    <description>$(pf_hostname): Incoming $(protocol)$(request_type) traffic from $(src_ip):$(src_port) is allowed.</description>
  </rule>
<rule id="100055" level="9">
    <if_sid>100050</if_sid>
    <action>block</action>
    <match>in</match>
    <description>$(pf_hostname): Incoming $(protocol) traffic from $(src_ip):$(src_port) is blocked.</description>
  </rule>
  <rule id="100056" level="9">
    <if_sid>100050</if_sid>
    <action>block</action>
    <match>out</match>
    <description>$(pf_hostname): Outgoing $(protocol) traffic to $(dst_ip):$(dst_port) is blocked.</description>
  </rule>
  <rule id="100057" level="3">
    <if_sid>100050</if_sid>
    <action>pass</action>
    <match>out</match>
    <description>$(pf_hostname): Outgoing $(protocol) traffic to $(dst_ip):$(dst_port) is allowed.</description>
  </rule>
   <rule id="100058" level="3">
    <if_sid>100050</if_sid>
    <action>pass</action>
    <match>in</match>
    <description>$(pf_hostname): Incoming $(protocol) traffic from $(src_ip):$(src_port) is allowed.</description>
  </rule>
</group>

Output :

PreviousPfsense Decoders NextSecurity Operations Center Tools (Wazuh)

Last updated 2 months ago

<group name="pfsense,syslog,"> <rule id="100050" level="0"> <decoded_as>pfsense</decoded_as> <description>pfsense messages grouped.</description> </rule> <rule id="100051" level="9"> <if_sid>100050</if_sid> <action>block</action> <match>in</match> <description>$(pf_hostname): Incoming $(protocol)$(request_type) traffic from $(src_ip):$(src_port) is blocked.</description> </rule> <rule id="100052" level="9"> <if_sid>100050</if_sid> <action>block</action> <match>out</match> <description>$(pf_hostname): Outgoing $(protocol)$(request_type) traffic to $(dst_ip):$(dst_port) is blocked.</description> </rule> <rule id="100053" level="3"> <if_sid>100050</if_sid> <action>pass</action> <match>out</match> <description>$(pf_hostname): Outgoing $(protocol)$(request_type) traffic to $(dst_ip):$(dst_port) is allowed.</description> </rule> <rule id="100054" level="3"> <if_sid>100050</if_sid> <action>pass</action> <match>in</match> <description>$(pf_hostname): Incoming $(protocol)$(request_type) traffic from $(src_ip):$(src_port) is allowed.</description> </rule> <rule id="100055" level="9"> <if_sid>100050</if_sid> <action>block</action> <match>in</match> <description>$(pf_hostname): Incoming $(protocol) traffic from $(src_ip):$(src_port) is blocked.</description> </rule> <rule id="100056" level="9"> <if_sid>100050</if_sid> <action>block</action> <match>out</match> <description>$(pf_hostname): Outgoing $(protocol) traffic to $(dst_ip):$(dst_port) is blocked.</description> </rule> <rule id="100057" level="3"> <if_sid>100050</if_sid> <action>pass</action> <match>out</match> <description>$(pf_hostname): Outgoing $(protocol) traffic to $(dst_ip):$(dst_port) is allowed.</description> </rule> <rule id="100058" level="3"> <if_sid>100050</if_sid> <action>pass</action> <match>in</match> <description>$(pf_hostname): Incoming $(protocol) traffic from $(src_ip):$(src_port) is allowed.</description> </rule> </group>