Juan:

Here is the link to the Git pull request I submitted:
https://github.com/inverse-inc/packetfence/pull/122

The new file makes use of the Perl File::Tail module, which I do not think is included with PF by default. It is very simple to install it though.

My code also assumes that your network is a 10.0.0.0/8 based network; you may need to change that, or you can remove that check if you want. It was put there to keep from trying to fire off violations on hosts outside of your own network. If this check is not in place PF will log an error when it tries to open a violation, since it can't map the MAC to the IP of the remote system. Not a huge problem, but it does waste resources.

~90% of the file is copied from the current PFDetect module; I just replaced the log parsing logic with some that correctly pulls out the necessary bits from the syslog entries I get from SecurityOnion. On my SO box I followed the instructions from here: https://code.google.com/p/security-onion/wiki/ThirdPartyIntegration This is written for SO but should be easily adaptable to any service sending syslogs.

I also put a cron job in my PF server to rotate the new syslog file every day with no retention, since the info in that file already exists on the SO server, and if it was actionable data PF would log that in its own logs.

I am still learning Perl and as such the quality of my code can almost assuredly be improved upon. If you do make any improvements please contribute them back if you can.

Now that I have PF working with SO I am resting much easier at night : )

Good luck in your integration!

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________
From: Juan Camilo Valencia [juan.valen...@seguratec.com.co]
Sent: Tuesday, March 04, 2014 10:18 AM
To: packetfence-devel@lists.sourceforge.net
Subject: Re: [PacketFence-devel] Fwd: OSSEC Integration

Hi Jake,

Thanks a lot. I was following your thread last month and it looked very interesting. If you share with me what you did, that will help me figure out several things; I'll appreciate it if you can send me that. At the same time I'll share with you guys how things are going with the integration.

Thanks a lot,

On Tue, Mar 4, 2014 at 10:17 AM, Sallee, Jake <jake.sal...@umhb.edu> wrote:

Juan:

What you are doing is very similar to what I am doing. I am using a solution called SecurityOnion, which is an NSM Linux distribution that has OSSEC built in along with several other tools. I wrote some custom code to integrate it with PF which you are welcome to use if you want. I have been using it in my testing environment for several weeks and it has been very solid. It may not be exactly what you are looking for, but it may help you get started.

If you are interested please let me know and I will post the code here.

Good luck.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________
From: Juan Camilo Valencia [juan.valen...@seguratec.com.co]
Sent: Monday, March 03, 2014 1:37 PM
To: packetfence-devel@lists.sourceforge.net
Subject: Re: [PacketFence-devel] Fwd: OSSEC Integration

Hi Jason,

I'm going to try to summarize my idea, because it is based on what I have read on the official website and in several forums and articles.

My idea is to have PF centralized in out-of-band mode, with snort configured and nessus scan.
This is what we have right now in an older version. The idea is to expand this deployment and begin installing sensors in the network. That sensor should contain snort, ossec-server, and pfdetector. Since an ossec deployment is capable of obtaining a lot of information from the agents, analyzing that data through decoders, and finally triggering alerts from rules, my integration idea is to read that alert log and obtain data (srcip, alertid, hostname if possible, etc.), all data useful for PF. Then pfsensor parses and sends that data to the centralized server, and PF should take an action.

The idea is to modify the code in a way that we have another configuration option for violations, just like snort, suricata, nessus, or openvas.

So far my biggest worry here is the kind of info that ossec sends: I couldn't see the IP in the logs, only the hostname, but I need more tests. I started this morning, along with the deployment of the agents on the clients.

Sorry for my bad English; let me know if the idea is clear or if I can explain it better.

Best Regards from Colombia,

On Mon, Mar 3, 2014 at 12:51 PM, Jason Frisvold <xenoph...@godshell.com> wrote:

Juan Camilo Valencia wrote:
> Hi Loick,
>
> Thanks for your quick reply, let me know what can I do to help achieve
> this feature, I am not the most versatile guy in perl but I can't learn,
> and for testing right now I'm setting up the environment with 4.1 appliance.

Ok, I'm intrigued .. What sort of integration are you talking about? OSSEC is incredibly powerful, but I'm not sure how it fits together with Packetfence, beyond the PF server being a client..
> Thanks a lot,
>
> Best regards from Colombia,

--
---------------------------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology." - Niven's Inverse of Clarke's Third Law

_______________________________________________
PacketFence-devel mailing list
PacketFence-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-devel

--
JUAN CAMILO VALENCIA VARGAS
Operations Engineer
SeguraTec S.A.S
Calle 11 # 43B-50 of 307
Medellín, Colombia
"Choose a job you love, and you will never have to work a day in your life"
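Jake's top message describes the shape of his module: tail the syslog file SecurityOnion writes, pull the source IP and rule out of each OSSEC alert line, and only raise a PacketFence violation when the address is inside the local 10.0.0.0/8 range, because PF cannot map a MAC for a remote host and would otherwise just log an error. The script below is an added illustration of that pipeline, not code from the pull request or from PacketFence. It assumes a line layout modelled on the default ossec-csyslogd output (an `ossec: Alert Level: N; Rule: ID - DESC; ...; srcip: A.B.C.D;` body after the syslog header); the regex, the sample lines, and the `report_violation` stand-in for PF's real violation call are all constructed for the example. It generalises the 10/8 test to an arbitrary CIDR so the local range is a single setting.

```perl
#!/usr/bin/perl
# Added example (not PacketFence or pull-request code): parse OSSEC alerts that
# Security Onion forwards over syslog, keep only alerts whose source IP is inside
# the local network, and hand those to a violation callback.
use strict;
use warnings;

my $LOCAL_NET = '10.0.0.0/8';   # the check Jake mentions; change or drop to taste

# ASSUMED alert shape (modelled on default ossec-csyslogd output; adjust to what
# your Security Onion box actually emits):
#   <syslog header> ossec: Alert Level: N; Rule: ID - DESC; Location: ...; srcip: A.B.C.D; ...
my $ALERT_RE = qr{
    ossec:\s+Alert\s+Level:\s*(?<level>\d+);\s*
    Rule:\s*(?<rule>\d+)\s*-\s*(?<desc>[^;]+);
    .*?
    \bsrcip:\s*(?<srcip>\d{1,3}(?:\.\d{1,3}){3})
}x;

# Returns a hashref {level, rule, desc, srcip}, or undef for lines that are not
# alerts or whose decoder extracted no source IP (PF could not act on those anyway).
sub parse_alert {
    my ($line) = @_;
    return undef unless $line =~ $ALERT_RE;
    return { level => $+{level}, rule => $+{rule}, desc => $+{desc}, srcip => $+{srcip} };
}

# Dotted quad -> 32-bit integer.
sub ip_to_int {
    my @o = split /\./, $_[0];
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# True when $ip falls inside the CIDR block.  Generalises the hard-coded 10/8
# test so the local range can change without touching the parser.
sub in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ((ip_to_int($ip) & $mask) == (ip_to_int($net) & $mask)) ? 1 : 0;
}

# Process one syslog line and return a status string saying why it did or did
# not produce a violation.
sub handle_line {
    my ($line, $local_net, $trigger) = @_;
    my $alert = parse_alert($line) or return 'skip: not an alert carrying a srcip';
    return "skip: $alert->{srcip} is outside $local_net" unless in_cidr($alert->{srcip}, $local_net);
    $trigger->($alert);
    return "fired: $alert->{srcip} rule $alert->{rule}";
}

# Stand-in for the real call into PacketFence's violation handling (the part of
# PFDetect Jake kept); here it only reports what would be raised.
sub report_violation {
    my ($a) = @_;
    printf "would open violation: ip=%s rule=%s level=%s (%s)\n",
        $a->{srcip}, $a->{rule}, $a->{level}, $a->{desc};
}

if (@ARGV) {
    # Live mode: follow the syslog file the way the module does.  File::Tail is
    # not part of core Perl (install it from CPAN), hence the runtime require.
    require File::Tail;
    my $tail = File::Tail->new(name => $ARGV[0], interval => 1, maxinterval => 5, tail => 0);
    while (defined(my $line = $tail->read)) {
        chomp $line;
        print handle_line($line, $LOCAL_NET, \&report_violation), "\n";
    }
} else {
    # Offline mode: constructed sample lines, not real captures.
    my @samples = (
        'Mar  4 10:18:01 so-sensor ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; Location: (web01) 10.20.30.40->/var/log/auth.log; srcip: 10.1.2.3; Mar  4 10:17:59 web01 sshd[2211]: Failed password for invalid user admin from 10.1.2.3 port 51234 ssh2',
        'Mar  4 10:18:02 so-sensor ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; Location: (web01) 10.20.30.40->/var/log/auth.log; srcip: 203.0.113.9; Mar  4 10:18:00 web01 sshd[2214]: Failed password for root from 203.0.113.9 port 40022 ssh2',
        'Mar  4 10:18:05 so-sensor ossec: Alert Level: 3; Rule: 5501 - Login session opened.; Location: (web01) 10.20.30.40->/var/log/auth.log; Mar  4 10:18:04 web01 sshd[2220]: pam_unix(sshd:session): session opened for user deploy',
        'Mar  4 10:18:06 so-sensor CRON[3001]: (root) CMD (run-parts /etc/cron.hourly)',
    );
    print handle_line($_, $LOCAL_NET, \&report_violation), "\n" for @samples;
}
```

Run with no arguments to see the three outcomes on the constructed lines (one violation for 10.1.2.3, a skip for the 203.0.113.9 source that PF could not map to a MAC, and skips for the alert without a `srcip` field and for the unrelated cron line); run with a file path to tail a live syslog file. Alerts that carry only a hostname, which Juan noted he was seeing, fall into the "not an alert carrying a srcip" bucket here, so the parser is where a hostname-to-IP lookup would have to be added if that is what the deployment produces.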