UPDATE:
Fabrice with Inverse looked at the log and it seems all the necessary info is
present. YAY!
Here is a snip from the log that has been sanitized:
http://pastebin.com/gkStjg7k
It is MUCH easier to look at if you can turn line wrapping off.
Fabrice also mentioned that there needs to be a regex that will pull the
necessary info out of the log and into PF. I think I have made some progress
on this front but I need to know where this regex should be located in PF.
What file should I be looking in to place the regex that I have? Also, from
the previous emails it looks as though the PF SNORT integration package
basically adds a remote log file, so if that is the case I should be able to
use syslog on the Security Onion server to send a copy of the logs to the PF
server, right?
Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU
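As an added illustration (my own code, not pfdetectd's and not from anyone on the thread) of the kind of regex Jake and Fabrice are discussing: it parses lines in Snort's line-based "fast" alert format, which is what the `fast:` output block Fabrice quotes further down produces, into named fields, skipping anything that is not an alert. The sample lines are constructed and the field names are my own choice.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Snort's "fast" alert format. They are not from the
# thread's pastebin; the addresses are documentation ranges.
SAMPLE_ALERTS = [
    "07/31-14:25:03.123456  [**] [1:2008578:3] ET SCAN Sipvicious Scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP} "
    "192.0.2.10:5060 -> 198.51.100.7:5060",
    "07/31-14:26:11.000001  [**] [1:1000001:1] LOCAL test rule [**] "
    "[Priority: 3] {ICMP} 192.0.2.11 -> 198.51.100.9",
    "this line is not an alert and must be skipped",
]

# One anchored regex for a whole fast-format line: timestamp, gid:sid:rev,
# message, optional classification, priority, protocol, src[:port] -> dst[:port].
# Ports are optional because ICMP alerts carry none.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line: str) -> Optional[Dict[str, str]]:
    """Return the alert's named fields, or None if the line is not a fast alert."""
    m = FAST_ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # Drop optional groups that did not match so callers can test for presence.
    return {k: v for k, v in m.groupdict().items() if v is not None}


def parse_alert_stream(lines: List[str]) -> List[Dict[str, str]]:
    """Parse every line and silently skip non-alerts, as a daemon tailing the
    alert FIFO would; sid and src are the fields a NAC would key on."""
    parsed = (parse_fast_alert(line) for line in lines)
    return [alert for alert in parsed if alert is not None]


if __name__ == "__main__":
    for alert in parse_alert_stream(SAMPLE_ALERTS):
        print(alert["sid"], alert["src"], "->", alert["dst"], alert["msg"])
```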
From: Sallee, Stephen (Jake) [mailto:jake.sal...@umhb.edu]
Sent: Wednesday, July 31, 2013 3:25 PM
To: packetfence-devel@lists.sourceforge.net
Subject: Re: [PacketFence-devel] Question about SNORT integration
Fabrice:
I have an export of the log for you, but I am a bit reticent to post it to the
list since it contains internal IPs and such.
Not that I think our community is shady, but Google crawls our lists and I
would feel better knowing that google has not indexed the full text of my SNORT
log : )
I'll send it to you off list in a moment. If any dev wants a copy that cannot
get it from Inverse please contact me off list.
From: Fabrice DURAND [mailto:fdur...@inverse.ca]
Sent: Wednesday, July 31, 2013 2:30 PM
To: packetfence-devel@lists.sourceforge.net
Subject: Re: [PacketFence-devel] Question about SNORT integration
Jake,
so you would probably be able to install pfdetect remote on the aggregator server and
use the log file from it.
But I suppose that the Perl script pfdetectd must be rewritten with a new regexp
inside.
Do you have an example of the log?
Regards
Fabrice
On 2013-07-31 10:33, Sallee, Stephen (Jake) wrote:
Fabrice:
Thanks for the suggestion. One problem that complicates this is that the
Security Onion box is not running SNORT directly. It is acting as an
aggregator using a program called SGUIL.
I will have about 50 SNORT boxes running and they all report back to the
Security Onion Mother Ship (at least, that's what we like to call it) via the
SGUIL client.
So far I am led to believe that if I were to use the PF package I would need to
install it on every SNORT sensor and they would all then report directly to the
PF server. For me this seems to be sub-optimal. Since I already have this
server acting as an aggregator it seems much more elegant to take the SNORT
alerts it receives and send a copy of them to the PF server.
In the old days we would have called it a reflector.
On the bright side, I was in brief contact with the primary dev for Security
Onion and he pointed me to a log file that may contain all the info I need. If
that is the case, all I may need to do is use syslog to forward the events to
the PF server and it may "just work".
Oh happy day if that is so!
To that end, is PF expecting to see the snort events in anything other than the
default format? Meaning, when the PF SNORT integration package forwards the
events to the PF server, does it modify the format or does it send it in the
same format it received them in from SNORT?
If we are successful in linking these two tool sets, PF will transcend any
other NAC solution available today. No other offering, closed source or open,
will be able to rival the capabilities of PF and SO together.
***cue maniacal laughter / dramatic music ... and perhaps some lightning and
thunder***
From: Fabrice DURAND [mailto:fdur...@inverse.ca]
Sent: Wednesday, July 31, 2013 7:10 AM
To: packetfence-devel@lists.sourceforge.net
Subject: Re: [PacketFence-devel] Question about SNORT integration
Hello Jake,
you can use
http://inverse.ca/downloads/PacketFence/CentOS6/x86_64/RPMS/packetfence-remote-snort-sensor-4.0.3-1.el6.noarch.rpm
as a remote sensor.
In fact you just have to set an alert file in the snort configuration:

outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: alert
      append: yes
      filetype: regular

and in the initrd file pfdetectd you can set the path to the alert file (by
default it's /var/log/snort-compat/alert)
then mkfifo /var/log/snort-compat/alert
and launch snort and pfdetectd.
PS: you can use Suricata
Regards
Fabrice
On 2013-07-30 16:41, Sallee, Stephen (Jake) wrote:
Hello all-mighty Devs!
I am working on integrating PacketFence with another tool called Security Onion.
I use the term integrating very loosely.
Security Onion has the ability to aggregate several SNORT sensors into a single
interface that can be queried for reporting and nice pretty charts via Snorby : )
My goal is to use this aggregation point to report the SNORT event it sees to
PF.
What I need to know from the PF team is how does PF integrate with SNORT? Is
it enough to simply get the alerts to PF? Is there a daemon that PF uses to
listen for SNORT alerts?
I have read the admin guide and it talks about using SNORT locally on the PF
box, but my scenario would be a remote SNORT server. If I can find out what PF
is looking for as far as SNORT is concerned I can make sure to deliver the info
in a way that PF is happy with.
Any information is greatly appreciated.
------------------------------------------------------------------------------
Get your SQL database under version control now!
Version control is standard for application code, but databases havent
caught up. So what steps can you take to put your SQL databases under
version control? Why should you start doing it? Read more to find out.
http://pubads.g.doubleclick.net/gampad/clk?id=49501711&iu=/4140/ostg.clktrk
_______________________________________________
PacketFence-devel mailing list
PacketFence-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-devel
--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)