
Read in a pfsense config file?


All,

I am attempting to read in a pfSense file, /tmp/config.cache, which carries the active running config. I can see some structure to it and am looking to get it loaded into Splunk. Is anyone familiar with this file format? It has some sort of structure, but Splunk isn't detecting it, and I can't say I can detect it either.

a:27:{s:7:"version";s:4:"19.1";s:10:"lastchange";s:0:"";s:6:"system";a:23:{s:12:"optimization";s:6:"normal";s:8:"hostname";s:7:"pfSense";s:6:"domain";s:11:"localdomain";s:9:"dnsserver";a:2:{i:0;s:7:"8.8.8.8";i:1;s:7:"4.2.2.2";}s:16:"dnsallowoverride";s:2:"on";s:5:"group";a:2:{i:0;a:5:{s:4:"name";s:3:"all";s:11:"description";s:9:"All Users";s:5:"scope";s:6:"system";s:3:"gid";s:4:"1998";s:6:"member";a:1:{i:0;s:1:"0";}}i:1;a:6:{s:4:"name";s:6:"admins";s:11:"description";s:21:"System Administrators";s:5:"scope";s:6:"system";s:3:"gid";s:4:"1999";s:6:"member";a:1:{i:0;s:1:"0";}s:4:"priv";a:1:{i:0;s:8:"page-all";}}}s:4:"user";a:1:{i:0;a:7:{s:4:"name";s:5:"admin";s:5:"descr";s:20:"System Administrator";s:5:"scope";s:6:"system";s:9:"groupname";s:6:"admins";s:11:"bcrypt-hash";s:60:"$2y$10$QDCfvt17W67gtAjpEfPgzO0rwz78bkHrEi5BIsDvnMKi3mNNZ7ysq";s:3:"uid";s:1:"0";s:4:"priv";a:1:{i:0;s:17:"user-shell-access";}}}s:7:"nextuid";s:4:"2000";s:7:"nextgid";s:4:"2000";s:11:"timeservers";s:22:"0.pfsense.pool.ntp.org";s:6:"webgui";a:5:{s:8:"protocol";s:5:"https";s:17:"loginautocomplete";s:0:"";s:11:"ssl-certref";s:13:"5e79fb1489ce6";s:16:"dashboardcolumns";s:1:"2";s:12:"althostnames";s:0:"";}s:20:"disablenatreflection";s:3:"yes";s:29:"disablesegmentationoffloading";s:0:"";s:29:"disablelargereceiveoffloading";s:0:"";s:9:"ipv6allow";s:0:"";s:19:"maximumtableentries";s:6:"400000";s:14:"powerd_ac_mode";s:4:"hadp";s:19:"powerd_battery_mode";s:4:"hadp";s:18:"powerd_normal_mode";s:4:"hadp";s:6:"bogons";a:1:{s:8:"interval";s:7:"monthly";}s:26:"already_run_config_upgrade";s:0:"";s:3:"ssh";a:1:{s:6:"enable";s:7:"enabled";}s:8:"timezone";s:7:"Etc/UTC";}s:10:"interfaces";a:1:{s:3:"wan";a:10:{s:6:"enable";s:0:"";s:2:"if";s:3:"em0";s:6:"ipaddr";s:4:"dhcp";s:8:"ipaddrv6";s:5:"dhcp6";s:7:"gateway";s:0:"";s:11:"blockbogons";s:2:"on";s:5:"media";s:0:"";s:8:"mediaopt";s:0:"";s:10:"dhcp6-duid";s:0:"";s:15:"dhcp6-ia-pd-len";s:1:"0";}}s:12:"staticroutes";s:0:"";s:5:"dhcpd";s:0:"";s:7:"dhcpdv6";s:0:"";s:5:"snmpd
";a:3:{s:11:"syslocation";s:0:"";s:10:"syscontact";s:0:"";s:11:"rocommunity";s:6:"public";}s:4:"diag";a:1:{s:7:"ipv6nat";a:1:{s:6:"ipaddr";s:0:"";}}s:6:"syslog";a:9:{s:18:"filterdescriptions";s:1:"1";s:8:"nentries";s:2:"50";s:12:"remoteserver";s:17:"192.168.1.16:9514";s:13:"remoteserver2";s:0:"";s:13:"remoteserver3";s:0:"";s:8:"sourceip";s:0:"";s:7:"ipproto";s:4:"ipv4";s:6:"logall";s:0:"";s:6:"enable";s:0:"";}s:6:"filter";a:1:{s:4:"rule";a:3:{i:0;a:7:{s:4:"type";s:4:"pass";s:10:"ipprotocol";s:4:"inet";s:5:"descr";s:29:"Default allow LAN to any rule";s:9:"interface";s:3:"lan";s:7:"tracker";s:10:"0100000101";s:6:"source";a:1:{s:7:"network";s:3:"lan";}s:11:"destination";a:1:{s:3:"any";s:0:"";}}i:1;a:7:{s:4:"type";s:4:"pass";s:10:"ipprotocol";s:5:"inet6";s:5:"descr";s:34:"Default allow LAN IPv6 to any rule";s:9:"interface";s:3:"lan";s:7:"tracker";s:10:"0100000102";s:6:"source";a:1:{s:7:"network";s:3:"lan";}s:11:"destination";a:1:{s:3:"any";s:0:"";}}i:2;a:8:{s:6:"source";a:1:{s:3:"any";s:0:"";}s:9:"interface";s:3:"wan";s:8:"protocol";s:3:"tcp";s:11:"destination";a:2:{s:7:"address";s:7:"4.3.2.1";s:4:"port";s:9:"1512-1712";}s:5:"descr";s:10:"NAT wefewf";s:18:"associated-rule-id";s:27:"nat_5e7a6639ad2df8.55902217";s:7:"tracker";s:10:"1585079865";s:7:"created";a:2:{s:4:"time";s:10:"1585079865";s:8:"username";s:16:"NAT Port Forward";}}}}s:5:"ipsec";s:0:"";s:7:"aliases";s:0:"";s:8:"proxyarp";s:0:"";s:4:"cron";a:1:{s:4:"item";a:6:{i:0;a:7:{s:6:"minute";s:4:"1,31";s:4:"hour";s:3:"0-5";s:4:"mday";s:1:"*";s:5:"month";s:1:"*";s:4:"wday";s:1:"*";s:3:"who";s:4:"root";s:7:"command";s:31:"/usr/bin/nice -n20 adjkerntz -a";}i:1;a:7:{s:6:"minute";s:1:"1";s:4:"hour";s:1:"3";s:4:"mday";s:1:"1";s:5:"month";s:1:"*";s:4:"wday";s:1:"*";s:3:"who";s:4:"root";s:7:"command";s:43:"/usr/bin/nice -n20 /etc/rc.update_bogons.sh";}i:2;a:7:{s:6:"minute";s:1:"1";s:4:"hour";s:1:"1";s:4:"mday";s:1:"*";s:5:"month";s:1:"*";s:4:"wday";s:1:"*";s:3:"who";s:4:"root";s:7:"command";s:40:"/usr/bin/nice -n20 
/etc/rc.dyndns.update";}i:3;a:7:{s:6:"minute";s:4:"*/60";s:4:"hour";s:1:"*";s:4:"mday";s:1:"*";s:5:"month";s:1:"*";s:4:"wday";s:1:"*";s:3:"who";s:4:"root";s:7:"command";s:67:"/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot";}i:4;a:7:{s:6:"minute";s:2:"30";s:4:"hour";s:2:"12";s:4:"mday";s:1:"*";s:5:"month";s:1:"*";s:4:"wday";s:1:"*";s:3:"who";s:4:"root";s:7:"command";s:43:"/usr/bin/nice -n20 /etc/rc.update_urltables";}i:5;a:7:{s:6:"minute";s:1:"1";s:4:"hour";s:1:"0";s:4:"mday";s:1:"*";s:5:"month";s:1:"*";s:4:"wday";s:1:"*";s:3:"who";s:4:"root";s:7:"command";s:46:"/usr/bin/nice -n20 /etc/rc.update_pkg_metadata";}}}s:3:"wol";s:0:"";s:3:"rrd";a:1:{s:6:"enable";s:0:"";}s:13:"load_balancer";a:1:{s:12:"monitor_type";a:5:{i:0;a:4:{s:4:"name";s:4:"ICMP";s:4:"type";s:4:"icmp";s:5:"descr";s:4:"ICMP";s:7:"options";s:0:"";}i:1;a:4:{s:4:"name";s:3:"TCP";s:4:"type";s:3:"tcp";s:5:"descr";s:11:"Generic TCP";s:7:"options";s:0:"";}i:2;a:4:{s:4:"name";s:4:"HTTP";s:4:"type";s:4:"http";s:5:"descr";s:12:"Generic HTTP";s:7:"options";a:3:{s:4:"path";s:1:"/";s:4:"host";s:0:"";s:4:"code";s:3:"200";}}i:3;a:4:{s:4:"name";s:5:"HTTPS";s:4:"type";s:5:"https";s:5:"descr";s:13:"Generic HTTPS";s:7:"options";a:3:{s:4:"path";s:1:"/";s:4:"host";s:0:"";s:4:"code";s:3:"200";}}i:4;a:4:{s:4:"name";s:4:"SMTP";s:4:"type";s:4:"send";s:5:"descr";s:12:"Generic SMTP";s:7:"options";a:2:{s:4:"send";s:0:"";s:6:"expect";s:5:"220 *";}}}}s:7:"widgets";a:2:{s:8:"sequence";s:88:"system_information:col1:show,netgate_services_and_support:col2:show,interfaces:col2:show";s:6:"period";s:2:"10";}s:7:"openvpn";s:0:"";s:8:"dnshaper";s:0:"";s:7:"unbound";a:8:{s:6:"enable";s:0:"";s:6:"dnssec";s:0:"";s:16:"active_interface";s:0:"";s:18:"outgoing_interface";s:0:"";s:14:"custom_options";s:0:"";s:12:"hideidentity";s:0:"";s:11:"hideversion";s:0:"";s:14:"dnssecstripped";s:0:"";}s:8:"revision";a:3:{s:4:"time";s:10:"1585081388";s:11:"description";s:100:"admin@192.168.1.23 (Local Database): Firewall: NAT: Port Forward 
- saved/edited a port forward rule.";s:8:"username";s:35:"admin@192.168.1.23 (Local Database)";}s:6:"shaper";s:0:"";s:4:"cert";a:1:{i:0;a:5:{s:5:"refid";s:13:"5e79fb1489ce6";s:5:"descr";s:39:"webConfigurator default (5e79fb1489ce6)";s:4:"type";s:6:"server";s:3:"crt";s:2152:"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";s:3:"prv";s:2280:"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";}}s:4:"ppps";s:0:"";s:3:"nat";a:2:{s:9:"separator";s:0:"";s:4:"rule";a:1:{i:0;a:10:{s:6:"source";a:1:{s:3:"any";s:0:"";}s:11:"destination";a:2:{s:7:"network";s:5:"wanip";s:4:"port";s:6:"22-222";}s:8:"protocol";s:3:"tcp";s:6:"target";s:7:"4.3.2.1";s:10:"local-port";s:4:"1512";s:9:"interface";s:3:"wan";s:5:"descr";s:6:"wefewf";s:18:"associated-rule-id";s:27:"nat_5e7a6639ad2df8.55902217";s:7:"created";a:2:{s:4:"time";s:10:"1585079865";s:8:"username";s:35:"admin@192.168.1.23 (Local Database)";}s:7:"updated";a:2:{s:4:"time";s:10:"1585081388";s:8:"username";s:35:"admin@192.168.1.23 (Local Database)";}}}}}


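Please edit your post ASAP: you have posted your private key (even if it is just the default/autogenerated one) 🙂 The dump also includes the admin account's bcrypt password hash, so it is worth changing that password and regenerating the certificate as well.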

If no suitable TA is found, you can write your own parser; the data structure is quite straightforward (it looks like the output of PHP's serialize()):

  • a first letter (s, i or a) indicates a type: string, integer or array
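  • after a colon follows a number: for s it is the length of the data in bytes, for i it is the integer value itself, and for a it is the number of key/value pairs inside the braces rather than a byte length (e.g. a:2:{i:0;...;i:1;...;} holds two entries)
  • for s, after the next colon follows the quoted (") data, terminated by a semicolon; a parser should read exactly the stated number of bytes rather than search for the closing quote, because a value may itself contain quotes or semicolons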
  • some data (in this case this is certificate and private key) is base64 encoded