-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathpfsense.xml
48 lines (43 loc) · 3.02 KB
/
pfsense.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
<ruleset name="pfsense">
<pattern>pf</pattern>
<rules>
<rule provider="ELSA" class="2" id="2">
<patterns>
<pattern>@ESTRING:: block in on @@ESTRING:s0:: (@@ESTRING::proto @@ESTRING:i0: @@ESTRING:: @@IPv4:i1:@.@NUMBER:i2: @@ESTRING:: @@ESTRING:: @@IPv4:i3:@.@NUMBER:i4: @</pattern>
<pattern>@ESTRING:: block in on @@ESTRING:s0:: (@@ESTRING::proto @@ESTRING:i0: @@ESTRING::) @@IPv4:i1:@.@NUMBER:i2: @@ESTRING:: @@ESTRING:: @@IPv4:i3:@.@NUMBER:i4: @</pattern>
<pattern>@ESTRING:: block in on @@ESTRING:s0:: (@@ESTRING::proto @@ESTRING:i0: @@ESTRING::) @@IPv4:i1:@@ESTRING:: @@ESTRING:: @@IPv4:i3:@@ANYSTRING@</pattern>
</patterns>
<examples>
<example>
<test_message program="pf">00:00:00.514558 rule 35/0(match): block in on vr1: (tos 0x0, ttl 226, id 61440, offset 0, flags [none], proto UDP (17), length 78) 192.168.1.34.137 > 192.168.2.34.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST</test_message>
<test_value name="s0">vr1</test_value>
<test_value name="i0">UDP</test_value>
<test_value name="i1">192.168.1.34</test_value>
<test_value name="i2">137</test_value>
<test_value name="i3">192.168.2.34</test_value>
<test_value name="i4">137</test_value>
</example>
</examples>
</rule>
</rules>
<rules>
<rule provider="ELSA" class="3" id="3">
<patterns>
<pattern>@ESTRING:: pass in on @@ESTRING:s0:: (@@ESTRING::proto @@ESTRING:i0: @@ESTRING:: @@IPv4:i1:@.@NUMBER:i2: @@ESTRING:: @@ESTRING:: @@IPv4:i3:@.@NUMBER:i4: @</pattern>
<pattern>@ESTRING:: pass in on @@ESTRING:s0:: (@@ESTRING::proto @@ESTRING:i0: @@ESTRING::) @@IPv4:i1:@.@NUMBER:i2: @@ESTRING:: @@ESTRING:: @@IPv4:i3:@.@NUMBER:i4: @</pattern>
<pattern>@ESTRING:: pass in on @@ESTRING:s0:: (@@ESTRING::proto @@ESTRING:i0: @@ESTRING::) @@IPv4:i1:@@ESTRING:: @@ESTRING:: @@IPv4:i3:@@ANYSTRING@</pattern>
</patterns>
<examples>
<example>
<test_message program="pf">00:00:00.514558 rule 35/0(match): block in on vr1: (tos 0x0, ttl 226, id 61440, offset 0, flags [none], proto UDP (17), length 78) 192.168.1.34.137 > 192.168.2.34.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST</test_message>
<test_value name="s0">vr1</test_value>
<test_value name="i0">UDP</test_value>
<test_value name="i1">192.168.1.34</test_value>
<test_value name="i2">137</test_value>
<test_value name="i3">192.168.2.34</test_value>
<test_value name="i4">137</test_value>
</example>
</examples>
</rule>
</rules>
</ruleset>