There are a few blogs out there that walk you through setting up a pfSense Splunk forwarder, and a few more that cover getting your Suricata IDS logs into Splunk, but there is no all-in-one guide that helps you do both. Today we hope to solve that problem with a single guide that covers both.
For those who don’t know what pfSense is, it’s an open source router software based on FreeBSD that can be run on anything from an old desktop tower to a brand new 1U server or virtual machine. The project originally started in 2004 as a fork of a project called “m0n0wall,” and it has been growing in popularity as one of the favorite home and business router operating systems. If you aren’t familiar with the project and would like to give it a try, I recommend heading to pfSense’s website to download the current version and install it in a dev environment.
Suricata is an open source IDS project that helps detect and stop network attacks based on predefined rules or rules that you write yourself! Luckily, there is a pfSense package available for you to download and easily configure to stop malicious traffic from accessing your network.
Note: The following steps were written around the latest pfSense 2.4.5-release; future updates may cause this guide to be out-of-date.
Step 1: pfSense SSH Setup
The first thing you’ll need to do is log into your pfSense web GUI and go to System > Advanced to enable secure shell access to your router, if you have not already done so. This will be needed for later steps.
Best practice here would be to set up access with a public key and a password, but for the sake of demonstration, we’re simply going to enable password authentication for now.
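Once SSH is enabled, it is worth confirming what sshd on the router actually accepts rather than trusting the GUI checkbox. The following is an added example written for this post, not pfSense's own tooling: a small POSIX sh audit that reads either the output of `sshd -T` (the effective configuration, lowercase keywords) or a raw `sshd_config` file (CamelCase keywords) and flags a setup where a password alone is enough to log in. The function names (`ssh_setting`, `key_required_by_methods`, `audit_ssh_config`) and the three sample configurations are constructed for the example; they are not captured from a real router.

```shell
#!/bin/sh
# Added example (not from the original post): audit the effective OpenSSH
# settings on a pfSense box after enabling SSH. Input is either `sshd -T`
# output or sshd_config contents; keyword matching is case-insensitive.
# Match blocks are not interpreted: only global settings are read.

# ssh_setting CONFIG_TEXT KEYWORD
# Prints the lowercased value of KEYWORD (last occurrence wins, comment and
# blank lines skipped) or nothing if the keyword is absent.
ssh_setting() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key {
            line = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)   # drop the keyword
            sub(/[ \t]+$/, "", line)                # drop trailing blanks
            val = tolower(line)
        }
        END { if (val != "") print val }'
}

# key_required_by_methods METHODS_VALUE
# Returns 0 when every alternative in an AuthenticationMethods value includes
# publickey. OpenSSH semantics: comma-separated methods are all required,
# space-separated lists are alternatives, so "publickey,password" requires a
# key but "publickey password" lets a password alone through.
key_required_by_methods() {
    [ -n "$1" ] || return 1
    for _alt in $1; do
        case ",$_alt," in
            *,publickey,*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# audit_ssh_config CONFIG_TEXT
# Returns 0 when a key is always needed to log in, otherwise prints each
# finding and returns 1. Absent keywords fall back to the OpenSSH defaults
# (PasswordAuthentication yes, PubkeyAuthentication yes).
audit_ssh_config() {
    _cfg=$1
    _rc=0
    _pw=$(ssh_setting "$_cfg" PasswordAuthentication)
    _pk=$(ssh_setting "$_cfg" PubkeyAuthentication)
    _am=$(ssh_setting "$_cfg" AuthenticationMethods)
    _pw=${_pw:-yes}
    _pk=${_pk:-yes}
    if [ "$_pk" != "yes" ]; then
        echo "FINDING: PubkeyAuthentication is '$_pk'; key-based login is unavailable"
        _rc=1
    fi
    if [ "$_pw" != "no" ]; then
        if key_required_by_methods "$_am"; then
            echo "OK: passwords are accepted only alongside a key (AuthenticationMethods $_am)"
        else
            echo "FINDING: PasswordAuthentication is '$_pw' and no key is required; password guessing is possible"
            _rc=1
        fi
    fi
    return $_rc
}

# Constructed samples of three common sshd setups (not real router output).
DEMO_PASSWORD_OR_KEY='passwordauthentication yes
pubkeyauthentication yes
port 22'

DEMO_KEY_ONLY='# sshd_config-style input with a comment and CamelCase keywords
PasswordAuthentication no
PubkeyAuthentication yes
Port 22'

DEMO_REQUIRE_BOTH='passwordauthentication yes
pubkeyauthentication yes
authenticationmethods publickey,password'

echo "== password or key"; audit_ssh_config "$DEMO_PASSWORD_OR_KEY" || echo "   -> not hardened"
echo "== key only";        audit_ssh_config "$DEMO_KEY_ONLY"        || echo "   -> not hardened"
echo "== require both";    audit_ssh_config "$DEMO_REQUIRE_BOTH"    || echo "   -> not hardened"
```

On the router itself, run `audit_ssh_config "$(sshd -T)"` as root to check the live daemon; `sshd -T` prints the effective configuration after all files are merged, which is what matters if the GUI and the generated config ever disagree. The password-only setup used in this guide is the one the script flags, so the audit is a quick way to confirm you remembered to switch to key-based access before exposing the router beyond the lab.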