Network monitoring and logging

Hi Guys,

I want to develop packet analysis skills. I would like to packet capture and log all the network traffic that goes through the pfsense. I have a smart switch on it, so port mirroring is an option.

My question is, is there a way to log all the traffic 24/7 and put it into a siem or something? Free open source if possible. It’s for training purposes for a soc role and trying to understand the tech better.

Thanks for your thoughts and contributions in advance!

Puff-Jelly!

You should be able to forward syslogs for allowed and blocked connections. As for the syslog server, there are easy ways to capture the data, but sorting through it not so much. I am trying NXlog and Graylog in my lab. No updates yet though.

1 Like
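Forwarding the firewall log is the easiest first feed for a SIEM, but the filterlog lines are comma-separated and need parsing before they are useful. The script below is an added example (not code from the thread or from pfSense) that parses IPv4 filterlog entries and summarises blocked destination ports per source; it assumes the pfSense filterlog CSV layout (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, IPv4 header fields, addresses, then TCP/UDP ports) and the log lines are constructed samples, not captured traffic.

```python
import re
from collections import Counter

# Syslog payload after the "filterlog[pid]:" prefix is one CSV record.
SYSLOG_RE = re.compile(r"filterlog\[\d+\]:\s*(?P<csv>.*)$")

def parse_filterlog(line):
    """Return a dict for one IPv4 filterlog line, or None if it is not one."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 20 or f[8] != "4":     # only IPv4 records handled here (assumed layout)
        return None
    rec = {
        "rule": f[0], "tracker": f[3], "iface": f[4], "action": f[6],
        "direction": f[7], "proto": f[16].lower(), "src": f[18], "dst": f[19],
    }
    if rec["proto"] in ("tcp", "udp") and len(f) >= 22:   # ports follow the addresses
        rec["sport"], rec["dport"] = int(f[20]), int(f[21])
    return rec

def summarize(text):
    """Count (action, direction) pairs and blocked (source, dport) pairs."""
    actions, blocked_ports = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_filterlog(line)
        if rec is None:
            continue                      # non-filterlog syslog lines are skipped
        actions[(rec["action"], rec["direction"])] += 1
        if rec["action"] == "block" and "dport" in rec:
            blocked_ports[(rec["src"], rec["dport"])] += 1
    return actions, blocked_ports

# Constructed sample syslog lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
Mar  1 12:00:01 pfsense filterlog[5721]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51234,22,0,S,1,,,
Mar  1 12:00:02 pfsense filterlog[5721]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51235,3389,0,S,1,,,
Mar  1 12:00:03 pfsense filterlog[5721]: 100,,,1526000001,igb1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,78,192.0.2.20,198.51.100.53,40001,53,58
Mar  1 12:00:04 pfsense filterlog[5721]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,none,1,icmp,84,203.0.113.7,192.0.2.10,request,1234,5
Mar  1 12:00:05 pfsense sshd[900]: Accepted publickey for admin from 192.0.2.20
"""

if __name__ == "__main__":
    actions, blocked = summarize(SAMPLE_LOG)
    print("by action/direction:", dict(actions))
    print("blocked src -> dport:", dict(blocked))
```

Compare the counts against what the SIEM shows for the same interval; a gap usually means the rule is not set to log, or the remote syslog target is only receiving some log categories.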

If you are willing to dig in and learn it, https://securityonion.net/ is a great open source tool for analysis.

4 Likes

Thanks FredDerrell. Currently got the pfsense doing syslog to a splunk server. It’s definitely a steep learning curve and I’m not sure if the syslog is reporting everything I want.

Also thanks Tom for the suggestion. Will look into it 🙂

1 Like

I’m just reading up on Security Onion and it looks FRICKEN AWESOME!

Just went through the hardware recommendations and it’s kinda scaring me. Got a spare Ryzen 5 1600AF. Will see how much I can push it.

1 Like

Got it running properly. Had a problem in Proxmox where it was filtering out mirrored packets that weren’t destined for the monitoring port. Thanks again Tom for the recommendation 🙂 On to developing analysis skills.