Juan:

What you are doing is very similar to what I am doing.

I am using a solution called SecurityOnion which is a NSM Linux Distribution 
that has OSSEC built in along with several other tools.

I wrote some custom code to integrate it with PF which you are welcome to use 
if you want.  I have been using it in my testing environment for several weeks 
and it has been very solid.

It may not be exactly what you are looking for but it may help you get started.

If you are interested please let me know and I will post the code here.

Good luck.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221
________________________________
From: Juan Camilo Valencia [juan.valen...@seguratec.com.co]
Sent: Monday, March 03, 2014 1:37 PM
To: packetfence-devel@lists.sourceforge.net
Subject: Re: [PacketFence-devel] Fwd: OSSEC Integration

Hi Jason,

I'm going to try to summarize my idea, because it is based on what I have read 
on the official website and in several forums and articles.

My idea is to have PF centralized in out-of-band mode, with Snort configured 
and Nessus scans. This is what we have right now in an older version.

The idea is to expand this deployment and begin installing sensors in the network. 
Each sensor would contain Snort, ossec-server and pfdetector. Since an OSSEC 
deployment is capable of obtaining a lot of information from the agents, then 
analyzing that data through decoders and finally triggering alerts from rules, my 
integration idea is to read that alert log and obtain the data useful for PF: 
srcip, alertid, hostname (if possible), etc. Then pfsensor would parse and send 
that data to the centralized server, and PF should take an action.

The idea is to modify the code so that we have another configuration 
option for violations, just like Snort, Suricata, Nessus or OpenVAS.

So far my biggest worries here are the kind of info that OSSEC sends (I couldn't 
see the IP in the logs, only the hostname, but I need more tests; I started this 
morning) and the deployment of the agents on the clients.

Sorry for my bad English; let me know if the idea is clear or if I can explain 
it better.

Best Regards from Colombia,


On Mon, Mar 3, 2014 at 12:51 PM, Jason Frisvold 
<xenoph...@godshell.com> wrote:
Juan Camilo Valencia wrote:
> Hi Loick,
>
> Thanks for your quick reply, let me know what I can do to help achieve
> this feature, I am not the most versatile guy in Perl but I can't learn,
> and for testing right now I'm setting up the environment with the 4.1 appliance.

Ok, I'm intrigued ..  What sort of integration are you talking about?
OSSEC is incredibly powerful, but I'm not sure how it fits together with
Packetfence, beyond the PF server being a client..

> Thanks a lot,
>
> Best regards from Colombia,

--
---------------------------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---------------------------

"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law

_______________________________________________
PacketFence-devel mailing list
PacketFence-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-devel



--
JUAN CAMILO VALENCIA VARGAS
Ingeniero de Operaciones
SeguraTec S.A.S
Calle 11 # 43B-50 of 307
Medellín, Colombia

“Choose a job you love, and you will never have to work a day in your life”
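The sensor-side step Juan describes (read OSSEC's alerts.log, pull out the alert id, rule, hostname and source IP, and hand PF something it can act on), as an added example in Python. It is not PacketFence, OSSEC or SecurityOnion code, and the `ossec::<rule id>` trigger name is an assumption patterned on PF's existing `snort::<sid>` triggers. The sample records are constructed in the layout ossec-analysisd writes: the second line of each record carries the agent name and address as `(agent) ip->location`, or just `host->location` for the manager's own logs, and a `Src IP:` line is present only when the decoder extracted one.

```python
import ipaddress
import re

# Constructed sample in alerts.log layout (blank-line separated records); not a real capture.
SAMPLE_ALERTS = """\
** Alert 1393875420.1001: - syslog,sshd,authentication_failed,
2014 Mar 03 13:37:00 (agent01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.168.1.100
Mar  3 13:37:00 agent01 sshd[1234]: Failed password for root from 192.168.1.100 port 4242 ssh2

** Alert 1393875480.1002: - ossec,rootcheck,
2014 Mar 03 13:38:00 (agent02) 10.0.0.6->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Trojaned version of file '/bin/ls' detected.

** Alert 1393875540.1003: - syslog,sshd,authentication_success,
2014 Mar 03 13:39:00 ossec-server->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.168.1.200
Mar  3 13:39:00 ossec-server sshd[2345]: Accepted publickey for admin from 192.168.1.200 port 5555 ssh2

** Alert 1393875600.1004: - syslog,sshd,authentication_failed,
2014 Mar 03 13:40:00 (agent01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 127.0.0.1
Mar  3 13:40:00 agent01 sshd[1300]: Failed password for root from 127.0.0.1 port 4300 ssh2
"""

ALERT_HEADER = re.compile(r"^\*\* Alert (?P<alert_id>\d+\.\d+):\s*(?:mail\s+)?-\s*(?P<groups>.*)$")
# "(agent) ip->location" for agent alerts, "host->location" for the manager's own logs
ORIGIN_LINE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<agent_ip>\S+?)|(?P<host>\S+?))->(?P<location>.*)$")
RULE_LINE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SRC_IP_LINE = re.compile(r"^Src IP: (?P<src_ip>\S+)$")


def parse_alerts(text):
    """Return one dict per complete alert record found in alerts.log text."""
    alerts = []
    for record in re.split(r"(?m)^(?=\*\* Alert )", text):
        lines = record.strip().splitlines()
        head = ALERT_HEADER.match(lines[0]) if lines else None
        if not head:
            continue  # text before the first header, or a half-written record
        a = {"alert_id": head["alert_id"], "src_ip": None, "log": [],
             "groups": [g for g in head["groups"].split(",") if g]}
        for line in lines[1:]:
            if "timestamp" not in a and (m := ORIGIN_LINE.match(line)):
                a.update(timestamp=m["ts"], hostname=m["agent"] or m["host"],
                         agent_ip=m["agent_ip"], location=m["location"])
            elif "rule_id" not in a and (m := RULE_LINE.match(line)):
                a.update(rule_id=int(m["rule_id"]), level=int(m["level"]),
                         description=m["desc"])
            elif a["src_ip"] is None and (m := SRC_IP_LINE.match(line)):
                a["src_ip"] = m["src_ip"]
            else:
                a["log"].append(line)  # the raw log line(s) that fired the rule
        if "timestamp" in a and "rule_id" in a:  # skip truncated records
            alerts.append(a)
    return alerts


def usable_ip(value):
    """Normalized address, or None if it cannot name an endpoint. Src IP is whatever
    the decoder's regex pulled from a log line, so a crafted line can put anything
    here; never hand it to PF unchecked."""
    try:
        addr = ipaddress.ip_address(value or "")
    except ValueError:
        return None  # also covers OSSEC's "any" agent address
    if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
        return None
    return str(addr)


def to_pf_events(alerts, min_level=5, ignore_rules=frozenset()):
    """Map alerts to the fields a PF violation would need. "ossec::<rule id>" is an
    assumed trigger name patterned on PF's "snort::<sid>"; PF has no such type."""
    events = []
    for a in alerts:
        if a["level"] < min_level or a["rule_id"] in ignore_rules:
            continue
        if a["src_ip"] is not None:
            # Decoder named a peer: that is the node to act on (as with Snort).
            # If it is unusable, drop the alert rather than fall back and guess.
            ip, ip_source = usable_ip(a["src_ip"]), "srcip"
        else:
            # No decoded peer: the agent that wrote the log is the only endpoint we
            # can name (rootcheck/syscheck). Manager-local alerts have no agent IP.
            ip, ip_source = usable_ip(a["agent_ip"]), "agent"
        if ip is None:
            continue
        events.append({"trigger": f"ossec::{a['rule_id']}", "ip": ip,
                       "ip_source": ip_source, "hostname": a["hostname"],
                       "alert_id": a["alert_id"], "level": a["level"],
                       "description": a["description"]})
    return events
```

Calling `to_pf_events(parse_alerts(SAMPLE_ALERTS))` gives two events: the failed-login alert yields a `srcip` event for 192.168.1.100, the rootcheck alert falls back to the agent's own address, the level-3 success alert is filtered by the threshold, and the loopback Src IP is rejected rather than passed on. The threshold and ignore list matter because OSSEC's Src IP is decoded from log text with a regex, so a log line an endpoint controls can name any address; the rules allowed to isolate a node should be chosen explicitly rather than forwarding everything.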

