Hi Jake,
I'll take a look, thanks a lot for your help.
Best regards,
On Tue, Mar 4, 2014 at 12:17 PM, Sallee, Jake <jake.sal...@umhb.edu> wrote:
> Juan:
>
> Here is the link to the GIT pull request I submitted:
>
> https://github.com/inverse-inc/packetfence/pull/122
>
> The new file makes use of the Perl File::Tail module that I do not think
> is included with PF by default. It is very simple to install it though.
>
> My code also assumes that your network is a 10.0.0.0/8-based network; you
> may need to change that, or you can remove that check if you want. It was
> put there to keep from trying to fire off violations on hosts outside of
> your own network. If this check is not in place, PF will log an error when
> it tries to open a violation, since it can't map the MAC to the IP of the
> remote system. Not a huge problem, but it does waste resources.
>
> ~90% of the file is copied from the current PFDetect module, I just
> replaced the log parsing logic with some that correctly pulls out the
> necessary bits from the syslog entries I get from SecurityOnion.
>
> On my SO box I followed the instructions from here:
>
> https://code.google.com/p/security-onion/wiki/ThirdPartyIntegration
>
> This is written for SO but should be easily adaptable to any service
> sending syslogs.
>
> I also put a cron job on my PF server to rotate the new syslog file every
> day with no retention, since the info in that file already exists on the SO
> server, and if it was actionable data PF would log that in its own logs.
>
> I am still learning Perl and as such the quality of my code can almost
> assuredly be improved upon. If you do make any improvements please
> contribute them back if you can.
>
> Now that I have PF working with SO I am resting much easier at night : )
>
> Good luck in your integration!
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
> ________________________________
> From: Juan Camilo Valencia [juan.valen...@seguratec.com.co]
> Sent: Tuesday, March 04, 2014 10:18 AM
> To: packetfence-devel@lists.sourceforge.net
> Subject: Re: [PacketFence-devel] Fwd: OSSEC Integration
>
> Hi Jake,
>
> Thanks a lot, I was following your thread last month and it looks very
> interesting. If you share with me what you did, that will help me figure
> out several things; I'll appreciate it if you can send me that, and at the same
> time I'll share with you guys how things are going with the integration.
>
> Thanks a lot,
>
>
> On Tue, Mar 4, 2014 at 10:17 AM, Sallee, Jake <jake.sal...@umhb.edu> wrote:
> Juan:
>
> What you are doing is very similar to what I am doing.
>
> I am using a solution called SecurityOnion which is a NSM Linux
> Distribution that has OSSEC built in along with several other tools.
>
> I wrote some custom code to integrate it with PF which you are welcome to
> use if you want. I have been using it in my testing environment for
> several weeks and it has been very solid.
>
> It may not be exactly what you are looking for but it may help you get
> started.
>
> If you are interested please let me know and I will post the code here.
>
> Good luck.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
> ________________________________
> From: Juan Camilo Valencia [juan.valen...@seguratec.com.co]
> Sent: Monday, March 03, 2014 1:37 PM
> To: packetfence-devel@lists.sourceforge.net
> Subject: Re: [PacketFence-devel] Fwd: OSSEC Integration
>
> Hi Jason,
>
> I'm going to try to summarize my idea, because it is based on what I have
> read on the official website and in several forums and articles.
>
> My idea is to have PF centralized in out-of-band mode, with snort
> configured and nessus scans. This is what we have right now in an older
> version.
>
> The idea is to expand this deployment and begin installing sensors in the
> network. Each sensor should contain snort, ossec-server, and pfdetector.
> Since an ossec deployment is capable of obtaining a lot of information from the
> agents, then analyzing that data through decoders and finally triggering
> alerts from rules, my integration idea is to read that alert log and obtain the
> data (srcip, alertid, hostname if possible, etc.), all data useful for pf. Then
> pfsensor parses and sends that data to the centralized server, and pf should
> take an action.
>
> The idea is to modify the code in a way that we have another configuration
> option for violations, just like snort, suricata, nessus, or openvas.
>
> So far my biggest worries here are the kind of info that ossec sends (I
> couldn't see the IP in the logs, only the hostname, but I need more tests; I
> started this morning) and the deployment of the agents on the clients.
>
> Sorry for my bad English, let me know if the idea is clear or if I can
> explain it better.
>
> Best Regards from Colombia,
>
>
> On Mon, Mar 3, 2014 at 12:51 PM, Jason Frisvold <xenoph...@godshell.com> wrote:
> Juan Camilo Valencia wrote:
> > Hi Loick,
> >
> > Thanks for your quick reply, let me know what I can do to help achieve
> > this feature. I am not the most versatile guy in perl but I can learn,
> > and for testing right now I'm setting up the environment with the 4.1
> > appliance.
>
> Ok, I'm intrigued .. What sort of integration are you talking about?
> OSSEC is incredibly powerful, but I'm not sure how it fits together with
> Packetfence, beyond the PF server being a client..
>
> > Thanks a lot,
> >
> > Best regards from Colombia,
>
> --
> ---------------------------
> Jason 'XenoPhage' Frisvold
> xenoph...@godshell.com
> ---------------------------
>
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
>
>
>
>
>
> --
> JUAN CAMILO VALENCIA VARGAS
> Ingeniero de Operaciones
> SeguraTec S.A.S
> Calle 11 # 43B-50 of 307
> Medellín, Colombia
>
> “Choose a job you love, and you will never have to work a day in your life”
>
>
>
>
>
> --
> JUAN CAMILO VALENCIA VARGAS
> Ingeniero de Operaciones
> SeguraTec S.A.S
> Calle 11 # 43B-50 of 307
> Medellín, Colombia
>
> “Choose a job you love, and you will never have to work a day in your life”
>
>
>
--
JUAN CAMILO VALENCIA VARGAS
Ingeniero de Operaciones
SeguraTec S.A.S
Calle 11 # 43B-50 of 307
Medellín, Colombia

“Choose a job you love, and you will never have to work a day in your life”
------------------------------------------------------------------------------
Subversion Kills Productivity. Get off Subversion & Make the Move to Perforce.
With Perforce, you get hassle-free workflows. Merge that actually works.
Faster operations. Version large binaries. Built-in WAN optimization and the
freedom to use Git, Perforce or both. Make the move to Perforce.
http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk
_______________________________________________
PacketFence-devel mailing list
PacketFence-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-devel
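The filtering step Jake describes (parse the OSSEC alert forwarded by syslog, pull out the source IP and rule, and skip hosts outside 10.0.0.0/8 so PF never fails the MAC lookup), as an added illustration in Python rather than the pull request's Perl. It is not PacketFence's pfdetect code; the ossec-csyslogd line layout, the 10.0.0.0/8 range, the RULE_TO_VID mapping and the sample lines are all assumptions or constructed.

```python
# Added example, not PacketFence's pfdetect or the pull request's code: filter
# OSSEC alerts forwarded by syslog from a SecurityOnion sensor for PacketFence.
import ipaddress
import re

# Assumption from the thread: hosts outside 10.0.0.0/8 are ignored, since PF
# cannot map their IP to a MAC and would only log an error when opening a violation.
LOCAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
# Placeholder mapping (site specific): OSSEC rule id -> PF violation id.
RULE_TO_VID = {"5712": "vid_ssh_bruteforce", "550": "vid_integrity_change"}

# Assumed ossec-csyslogd default layout: "... ossec: Alert Level: N; Rule: ID -
# text; Location: (agent) agent_ip->source; [srcip: a.b.c.d;] original message"
ALERT_RE = re.compile(
    r"ossec: Alert Level: (?P<level>\d+); Rule: (?P<rule>\d+) - (?P<desc>[^;]*); "
    r"Location: \((?P<agent>[^)]*)\) (?P<agent_ip>[^-]+)->[^;]*;"
    r"(?: srcip: (?P<srcip>[^;]+);)?")

def is_local(ip):
    """True when ip lies inside a managed network; malformed values are not."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETWORKS)
    except ValueError:
        return False

def violation_for(line, min_level=7):
    """Return {"ip", "vid", "rule", "desc"} for a line PF should act on, else None.
    Target is the attacking srcip if reported, else the agent host itself."""
    m = ALERT_RE.search(line)
    if m is None or int(m["level"]) < min_level:
        return None
    vid = RULE_TO_VID.get(m["rule"])            # unmapped rules never fire
    ip = (m["srcip"] or m["agent_ip"]).strip()   # rootcheck/syscheck have no srcip
    if vid is None or not is_local(ip):
        return None
    return {"ip": ip, "vid": vid, "rule": m["rule"], "desc": m["desc"].strip()}

def violations(lines, min_level=7):
    """Run the filter over an iterable of lines, e.g. a tailed syslog file."""
    return [v for v in (violation_for(l, min_level) for l in lines) if v]

SAMPLE_LINES = [  # constructed; only the first two should open violations
    "Mar  4 12:17:01 so ossec: Alert Level: 10; Rule: 5712 - SSHD brute force.; "
    "Location: (web01) 10.1.2.3->/var/log/auth.log; srcip: 10.9.8.7; Failed password",
    "Mar  4 12:20:10 so ossec: Alert Level: 7; Rule: 550 - Integrity checksum "
    "changed.; Location: (web01) 10.1.2.3->syscheck; Integrity checksum changed",
    "Mar  4 12:18:44 so ossec: Alert Level: 10; Rule: 5712 - SSHD brute force.; "
    "Location: (web01) 10.1.2.3->/var/log/auth.log; srcip: 203.0.113.5; Failed password",
    "Mar  4 12:21:00 so sshd[999]: Accepted publickey for admin from 10.0.0.9",
]
```

Feeding `violations()` the lines yielded by a File::Tail-style follower gives the same drop-before-PF behaviour as the check in the thread; the third sample (off-network srcip) and the fourth (not an OSSEC alert) are silently discarded.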