Blumira and Netgate/pfSense

We are testing out Blumira and seriously considering adding it to our security stack. I believe Blumira is working on a firewall parser for pfSense (future integration) … however it is currently not available. Just curious if anyone is currently capturing pfSense logs into Blumira in a useful way?

So far, our testing shows the false positives to be very low which is fantastic. Reminds me of Huntress :wink:

Mark

I will bug them again about officially finishing the pfsense integration, I think it’s still their most requested one.

1 Like

So like Tom said, there isn’t an official parser for it yet, but it is possible to get the logs in a generic format if you need to. You can reach out to Blumira and they can create a report that will essentially give you a timestamp and a “message” column, which will contain the entire string from pfSense. Not the best, but can be useful if you need to do some forensics.

1 Like
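An added example, not part of the thread and not Blumira's or Netgate's code: one way to work with the generic timestamp/"message" report described above during forensics. It assumes the message column holds pfSense's raw `filterlog` CSV line for IPv4 traffic, with fields in the order of pfSense's documented raw filter log format; the rows and function names are constructed for illustration.

```python
import re
from collections import Counter

# Assumed field order of a pfSense filterlog entry (raw filter log format).
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id",
        "proto", "length", "src", "dst"]

# Constructed (timestamp, message) rows, shaped like the generic report.
ROWS = [
    ("2024-05-01T10:00:01Z", "filterlog[41234]: 4,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51234,22,0,S,123456789,,64240,,mss"),
    ("2024-05-01T10:00:02Z", "filterlog[41234]: 4,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51235,22,0,S,123456790,,64240,,mss"),
    ("2024-05-01T10:00:03Z", "filterlog[41234]: 7,,,1000000201,igb1,match,pass,out,4,0x0,,64,0,0,none,17,udp,76,192.0.2.10,198.51.100.53,40000,53,56"),
    ("2024-05-01T10:00:04Z", "sshd[902]: Connection closed by 192.0.2.77 port 50022"),
]

def parse_message(message):
    """Return a dict of filterlog fields, or None if the line is not IPv4 filterlog."""
    m = re.search(r"filterlog(?:\[\d+\])?:\s*(.*)$", message)
    if not m:
        return None  # some other pfSense daemon wrote this line
    fields = m.group(1).split(",")
    if len(fields) < len(COMMON) + len(IPV4):
        return None  # truncated or unexpected layout
    rec = dict(zip(COMMON, fields))
    if rec["ipver"] != "4":
        return None  # IPv6 uses a different layout; not handled here
    rest = fields[len(COMMON):]
    rec.update(zip(IPV4, rest))
    # TCP and UDP entries carry source and destination ports next.
    if rec["proto"] in ("tcp", "udp") and len(rest) >= len(IPV4) + 2:
        rec["sport"], rec["dport"] = rest[len(IPV4)], rest[len(IPV4) + 1]
    return rec

def blocked_inbound(rows):
    """Count blocked inbound packets per (source address, destination port)."""
    counts = Counter()
    for _timestamp, message in rows:
        rec = parse_message(message)
        if rec and rec["action"] == "block" and rec["direction"] == "in":
            counts[(rec["src"], rec.get("dport"))] += 1
    return counts

if __name__ == "__main__":
    for (src, dport), n in blocked_inbound(ROWS).most_common():
        print(f"{src} -> port {dport}: {n} blocked")
```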

Thanks Frank. We have also submitted an integration request for pfSense here:
https://portal.productboard.com/blumira/1-blumira-product-portal/c/16-additional-integrations
(selecting the importance at the bottom)

Fingers crossed Blumira releases something soon.

I am curious if a pfSense integration would include Suricata and/or Snort log monitoring, i.e. through Detection Rules. Or if something more would be required.
Cheers,
Mark

I’ve been wondering the same about snort/suricata, but figure I’ll take it one step at a time and not bombard them :slight_smile: . I will say I’ve been extremely happy with their support the times I have reached out though.

Don’t worry about bothering us! I suspect that as we look at a pfsense integration, we will start by focusing only on pfsense itself and not too many additional packages.

That being said, I think at some point it will make sense for us to look at IDS/IPS logs. We do not have anything on the roadmap right now there but at least in cases where there are firewalls that can run one of those two packages, it might make sense to look at those logs.

I can tell you based on my personal testing that if you run Snort on a unix endpoint and send us those logs, the Snort logs will parse. I did not have luck sending the logs into the unix server’s rsyslog, but if I set the Snort output to the IP address of the Blumira sensor on my network, I was able to see the Snort logs with the rest of the unix logs. We do not have any detection rules on Snort right now but at the least you can see them. TBH I have not tested this with pfsense yet, but I run OPNsense at home and that is something that I plan on testing out at some point. I am not sure if the logging format is the same as it would be in a unix server.

Also in general, we are able to log from unix endpoints using rsyslog without issue. That is our preferred way to get logs from unix. Just in the case of Snort, even though you can send its logs to rsyslog, for some reason I could not get those into Blumira. I bet someone that knows more about it could get it to work, but it was really easy to change the Snort config to a syslog output and that worked just fine.

You are welcome to send over IDS/IPS requests to the blumira.com/ideas as well. It is really helpful to hear directly from our customers or potential customers on what you are looking for. If you do submit notes to us about feature requests, it is helpful to hear both what you are looking for, why, and how you would use it. That ensures that as we work towards potential development on that feature, we are thinking about how you would use it, and then hopefully if we deliver that feature, we deliver it in a way that works for you.

I am planning to hang out in these forums so if you have any questions or anything just let me know. My name is Chris (obviously), and I am an SE on the MSP team. I really enjoy having technical discussions with our partners, I am always down for a chat if you ever want to have a Zoom meeting or anything like that. Cheers!

3 Likes