Hi guys,

Forget about this thread, I already found an answer for this; apparently
there were some issues with pf and snort. I now have snort 2.9.6 working with
packetfence.
https://www.mail-archive.com/packetfence-users@lists.sourceforge.net/msg05709.html,
this thread helped me to understand what is going on.

Thanks; if I can help you with this, you are welcome to ask me.

Best Regards,


On Fri, Mar 21, 2014 at 11:26 AM, Juan Camilo Valencia <
camilo.valenci...@gmail.com> wrote:

> Hi guys,
>
> I have a problem trying to integrate a newer version of snort in PF.
> Basically I solved several things:
>
> 1. Apparently the 2.9.6 version doesn't support a pipe file for alert_fast:,
> and that pipe is created by pf if it doesn't exist in
> %%install_dir%%/var/alert. When snort starts, it stays on the precise line
> where it tries to create the alert file and cannot continue. So anyway, I
> think this is unexpected behavior more from snort than from pf, and I'm
> trying to get an answer from them, because if I change pf's behavior to
> read a flat file I don't know what the result will be. If you have some
> thoughts, they are welcome.
>
> 2. I decided to take another strategy and install barnyard2, leaving the
> task of the alert pipe to it. The problem that I have is that starting
> snort from pf returns a "0" for the pid of snort (i.e. pfcmd
> service snort start > snort|1|0); however, snort starts ok and writes the
> pid to /var/snort_eth2.pid, yet packetfence can't obtain the pid with
> pfcmd service snort status.
>
> 3. From the point above, I reviewed the file permissions on snort_eth2.pid
> and it had 600 root root, which is wrong since pf is not part of the root
> group and pf starts snort with the option -u pf. I reviewed my logs and
> discovered that snort first writes the pid file and then sets the sid and uid
> of the daemon, and that is the reason why the permissions are wrong. Again,
> apparently this is unexpected behavior from snort, so I will report it to
> find out whether it should be like that or whether I have to change the code
> a little bit. However, when I changed the permissions manually and checked
> the status of snort again, it still failed to read the pid. My questions
> here are: how can I change services.pm or manager.pm so that pf changes the
> permissions of those files? What is the correct set of permissions and
> owners pf expects for those files?
>
> As an extra point, since snort no longer supports writing directly to a
> database, in order to integrate barnyard2, mysql, snort and pf correctly,
> I mean, to have a mysql database with the acid_schema for the events, you
> need to do a couple of things. First you need to add this line to the snort
> configuration: "output unified2: filename PATH_TO_FILE/snort.u2". Make sure
> that barnyard2 reads that file, and modify in
> %%install_dir%%/lib/pf/services/manager/snort.pm the line that contains
> "-N -D -l $install_dir/var ...." and get rid of the option "-N", since that
> means no logging at all. In that way snort can start to write logs in
> unified2 format and barnyard2 can read that file to parse the data into
> the database.
> If you want, I can help you make this happen with the snort 2.9.4.6 version
> in this way; it is actually working like that in the lab.
>
> Best Regards and thanks in advance,
>
>
> --
> JUAN CAMILO VALENCIA VARGAS
> Operations Engineer
> SeguraTec S.A.S
> Calle 11 # 43B-50 of 307
> Medellín, Colombia
>
> *"Choose a job you love, and you will never have to work a day in your
> life"*
>



-- 
JUAN CAMILO VALENCIA VARGAS
Operations Engineer
SeguraTec S.A.S
Calle 11 # 43B-50 of 307
Medellín, Colombia

*"Choose a job you love, and you will never have to work a day in your
life"*
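Two checks that follow from the thread above, written here as an added example; this is not PacketFence's, Snort's or barnyard2's own code. The first function models the pid-file problem from points 2 and 3 of the quoted message: a pid file written as root with mode 600 before Snort drops to `-u pf` is unreadable to the `pf` user, so a status check running as `pf` sees no pid. The second is a minimal reader for the unified2 spool that Snort produces once `-N` is removed and `output unified2: filename snort.u2` is configured (point 4), i.e. the records barnyard2 consumes with `input unified2` before writing them to the database. The record layouts used are the legacy IPv4 event (type 7, 52-byte body) and the packet record (type 2) from Snort's Unified2_common.h; the IPv6, VLAN and extra-data record types are passed through undecoded. File names, uids and the spool contents are constructed for the example.

```python
"""Pid-file readability check and a minimal unified2 record reader.

Assumptions (not from the thread): POSIX uids, helper names pidfile_status /
iter_unified2, and a constructed spool built by build_sample().
"""
import os
import socket
import stat
import struct
import tempfile
from typing import Iterator, NamedTuple

# ---- 1. Why `pfcmd service snort status` sees no pid -----------------------

def pidfile_status(path: str, uid: int, gid: int, groups=()) -> str:
    """Return "ok" if a process running as uid/gid could read the pid file,
    else a short reason. Mirrors the DAC read check; root always passes."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    mode = stat.S_IMODE(st.st_mode)
    if uid == 0:
        readable = True
    elif st.st_uid == uid:
        readable = bool(mode & stat.S_IRUSR)
    elif st.st_gid == gid or st.st_gid in groups:
        readable = bool(mode & stat.S_IRGRP)
    else:
        readable = bool(mode & stat.S_IROTH)
    if not readable:
        return f"unreadable: owner uid={st.st_uid} gid={st.st_gid} mode={mode:04o}"
    with open(path) as fh:
        text = fh.read().strip()
    return "ok" if text.isdigit() and int(text) > 0 else "no pid in file"


def demo_pidfile() -> dict:
    """Constructed sample: a 0600 pid file owned by us, as seen by the owner
    and by an unprivileged other uid (65534 assumed to be non-root)."""
    path = os.path.join(tempfile.mkdtemp(), "snort_eth2.pid")
    with open(path, "w") as fh:
        fh.write("12345\n")
    os.chmod(path, 0o600)
    return {"owner": pidfile_status(path, os.getuid(), os.getgid()),
            "other": pidfile_status(path, 65534, 65534)}

# ---- 2. Reading the unified2 spool that barnyard2 tails --------------------

U2_PACKET, U2_IDS_EVENT = 2, 7            # record types decoded below
_HDR = struct.Struct("!II")               # record type, body length (network order)
_EVENT7 = struct.Struct("!11I2H4B")       # Serial_Unified2IDSEvent_legacy, 52 bytes
_PKT = struct.Struct("!7I")               # Serial_Unified2Packet header, then frame


class U2Record(NamedTuple):
    rtype: int
    fields: dict


def iter_unified2(data: bytes) -> Iterator[U2Record]:
    """Yield records; a truncated record at the tail (Snort mid-write) ends
    iteration cleanly instead of raising, which is how a tailer must behave."""
    off = 0
    while off + _HDR.size <= len(data):
        rtype, rlen = _HDR.unpack_from(data, off)
        body = data[off + _HDR.size: off + _HDR.size + rlen]
        if len(body) < rlen:
            break
        off += _HDR.size + rlen
        if rtype == U2_IDS_EVENT and rlen == _EVENT7.size:
            v = _EVENT7.unpack(body)
            yield U2Record(rtype, {
                "sensor_id": v[0], "event_id": v[1], "event_second": v[2],
                "event_microsecond": v[3], "sid": v[4], "gid": v[5], "rev": v[6],
                "classification_id": v[7], "priority": v[8],
                "src": socket.inet_ntoa(struct.pack("!I", v[9])),
                "dst": socket.inet_ntoa(struct.pack("!I", v[10])),
                "sport_itype": v[11], "dport_icode": v[12], "protocol": v[13],
                "impact_flag": v[14], "impact": v[15], "blocked": v[16]})
        elif rtype == U2_PACKET and rlen >= _PKT.size:
            v = _PKT.unpack_from(body)
            yield U2Record(rtype, {
                "sensor_id": v[0], "event_id": v[1], "event_second": v[2],
                "packet_second": v[3], "packet_microsecond": v[4],
                "linktype": v[5], "packet_length": v[6],
                "packet": body[_PKT.size:_PKT.size + v[6]]})
        else:
            yield U2Record(rtype, {"raw": body})   # IPv6/VLAN/extra data: not decoded


def build_sample() -> bytes:
    """Constructed spool: one event, its packet, then a truncated record."""
    ip = lambda s: int.from_bytes(socket.inet_aton(s), "big")
    ev = _EVENT7.pack(1, 42, 1395400000, 123456, 1000001, 1, 3, 29, 2,
                      ip("10.0.0.5"), ip("192.168.1.20"), 54321, 22, 6, 0, 0, 0)
    frame = b"\x00" * 14 + b"\x45" + b"\x00" * 19        # fake 34-byte frame
    pk = _PKT.pack(1, 42, 1395400000, 1395400000, 123500, 1, len(frame)) + frame
    return (_HDR.pack(U2_IDS_EVENT, len(ev)) + ev
            + _HDR.pack(U2_PACKET, len(pk)) + pk
            + _HDR.pack(U2_IDS_EVENT, 10))              # header with no body


def parse_sample() -> list:
    return list(iter_unified2(build_sample()))


if __name__ == "__main__":
    print(demo_pidfile())
    for rec in parse_sample():
        print(rec.rtype, {k: v for k, v in rec.fields.items() if k != "packet"})
```

To read a real spool, pass the bytes of the `snort.u2.<timestamp>` file Snort writes under the `-l` directory to `iter_unified2`; barnyard2 does the same tailing job continuously and records its position in its waldo file.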
_______________________________________________
PacketFence-devel mailing list
PacketFence-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-devel