Hi,

I am still having problems with the Nessus scan & violation... any help is
appreciated!!
I have successfully created a scan policy and I can manually execute a scan
using the command pfcmd schedule now <IP>. I see this in packetfence.log:
Aug 18 16:16:32 pfcmd(0) INFO: executing HOME=/usr/local/pf/conf/nessus/ /opt/nessus/bin/nessus -q -V -x --dot-nessus /usr/local/pf/conf/nessus/remotescan.nessus --policy-name RemoteScan 10.0.10.21 1241 admin <password> --target-file /tmp/pf_nessus_192.168.2.15_2011-08-18-16:16:32.txt /usr/local/pf/html/admin/scan/results/dump_192.168.2.15_2011-08-18-16:16:32.nbe (pf::scan::runScan)
A dump file is created at
/usr/local/pf/html/admin/scan/result/dump_192.168.2.15_2011-08-18-16\:16\:32.nbe
cat dump_192.168.2.15_2011-08-18-16\:16\:32.nbe
timestamps|||scan_start|Thu Aug 18 16:32:47 2011|
timestamps||192.168.2.15|host_start|Thu Aug 18 16:33:15 2011|
results|192.168.2|192.168.2.15|netbios-ssn (139/tcp)
results|192.168.2|192.168.2.15|epmap (135/tcp)
results|192.168.2|192.168.2.15|device2 (2030/tcp)
results|192.168.2|192.168.2.15|de-cache-query (1255/tcp)
results|192.168.2|192.168.2.15|serialgateway (1243/tcp)
results|192.168.2|192.168.2.15|netbios-ssn (139/tcp)|21725|Security Hole|\nSynopsis :\n\nSymantec Antivirus Corporate is installed.\n\nDescription :\n\nThis plugin checks that the remote host has Symantec Antivirus \nCorporate installed and properly running, and makes sure that the latest \nVdefs are loaded.\n\nSolution :\n\nMake sure SAVCE is installed, running and using the latest VDEFS.\n\nRiskfactor :\n\nCritical / CVSS Base Score : 10.0\n(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\nPlugin output :\n\nThe remote host has an antivirus software from Symantec installed. It has \nbeen fingerprinted as :\n\nSymantec Endpoint Protection : 13.0.6000.513\nDAT version : 20110617\n\nThe remote host has an out-dated version of the Symantec \nCorporate virus signatures. Last version is 20110713\n\nAs aresult, the remote host might be infected by viruses received by\nemail or other means.\n\n
timestamps||192.168.2.15|host_end|Thu Aug 18 16:33:51 2011|
timestamps|||scan_end|Thu Aug 18 16:33:52 2011|
Now I try to register a laptop to see if it finds a violation.
packetfence log:
Aug 18 16:28:03 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_cgi_2dbin_redir_2ecgi::handler)
Aug 18 16:28:03 redir.cgi(0) INFO: Updating node 00:21:70:90:4e:2f user_agent with useragent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)' (pf::web::web_node_record_user_agent)
Aug 18 16:28:03 redir.cgi(0) INFO: Static User-Agent lookup data initialized (pf::useragent::_init)
Aug 18 16:28:03 redir.cgi(0) INFO: 00:21:70:90:4e:2f redirected to registration page (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_cgi_2dbin_redir_2ecgi::handler)
Aug 18 16:28:08 register.cgi(0) INFO: 192.168.2.15 - 00:21:70:90:4e:2f (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_cgi_2dbin_register_2ecgi::handler)
Aug 18 16:28:20 register.cgi(0) INFO: 192.168.2.15 - 00:21:70:90:4e:2f (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_cgi_2dbin_register_2ecgi::handler)
Aug 18 16:28:20 register.cgi(0) INFO: calling /usr/local/pf/bin/pfcmd 'manage register 00:21:70:90:4e:2f "usertest" pid="1",user_agent="Mozilla 4.0 compatible; MSIE 8.0; Windows NT 5.1; Trident 4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729 "' (pf::web::_sanitize_and_register)
Aug 18 16:28:21 pfcmd(0) INFO: grace expired on violation 1200001 for node 00:21:70:90:4e:2f (pf::violation::violation_add)
Aug 18 16:28:21 pfcmd(0) INFO: violation 1200001 added for 00:21:70:90:4e:2f (pf::violation::violation_add)
Aug 18 16:28:21 pfcmd(0) INFO: executing action 'log' on class 1200001 (pf::action::action_execute)
Aug 18 16:28:21 pfcmd(0) INFO: /usr/local/pf/logs/violation.log 2011-08-18 16:28:21: System Scan (1200001) detected on node 00:21:70:90:4e:2f (192.168.2.15) (pf::action::action_log)
Aug 18 16:28:21 pfcmd(0) INFO: executing action 'trap' on class 1200001 (pf::action::action_execute)
Aug 18 16:28:21 pfcmd(0) INFO: VLAN isolation is enabled and manage_register is part of adjustswitchportvlanreasons (main::vlan_reevaluation)
Aug 18 16:28:21 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog connected at 10.0.10.2 ifIndex 10105 in VLAN 2 (main::vlan_reevaluation)
Aug 18 16:28:21 pfcmd(0) INFO: highest priority violation for 00:21:70:90:4e:2f is 1200001. Target VLAN for violation: registrationVlan (2) (pf::vlan::getViolationVlan)
Aug 18 16:28:21 register.cgi(0) INFO: more violations yet to come for 00:21:70:90:4e:2f (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_cgi_2dbin_register_2ecgi::handler)
Aug 18 16:28:21 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_cgi_2dbin_redir_2ecgi::handler)
Aug 18 16:28:21 redir.cgi(0) INFO: captive portal redirect on violation vid: 1200001, redirect url: /content/index.php?template=system_scan&admin=yes (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_cgi_2dbin_redir_2ecgi::handler)
Aug 18 16:28:21 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_cgi_2dbin_redir_2ecgi::handler)
Aug 18 16:28:21 redir.cgi(0) INFO: captive portal redirect on violation vid: 1200001, redirect url: /content/index.php?template=system_scan&admin=yes (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_cgi_2dbin_redir_2ecgi::handler)
On the laptop I see the Quarantine Established page and if I hit scan, I will see
this in my log file but nothing is scanned:
Aug 18 16:31:36 release.cgi(0) INFO: scanning 192.168.2.15 by calling/usr/local/pf/bin/pfcmd schedule now 192.168.2.15 1>/dev/null 2>&1 (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_cgi_2dbin_release_2ecgi::handler)
Aug 18 16:31:36 release.cgi(0) INFO: violation for mac 00:21:70:90:4e:2f vid 1200001 modified (pf::violation::violation_modify)
It seems it executes the command but nothing is happening. If I check the
PacketFence Violation tab I see System Scan (1200001) with status open. For some
reason my Scan ID 1200003 was never detected. This is my pf.conf file:
[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=packetfence.local
#
# general.hostname
#
# Hostname of PacketFence system. This is concatenated with the domain in Apache rewriting rules and therefore must be resolvable by clients.
hostname=pf-zen
#
# general.dnsservers
#
# Comma-delimited list of DNS servers. Passthroughs are created to allow queries to these servers from even "trapped" nodes.
dnsservers=10.0.10.10
#
# general.dhcpservers
#
# Comma-delimited list of DHCP servers. Passthroughs are created to allow DHCP transactions from even "trapped" nodes.
dhcpservers=10.0.10.10
[network]
#
# network.mode
#
# Defines the mode in which PacketFence will operate.
#
# When deployed in arp mode, PacketFence uses ARP manipulation inject itself into the datastream of unregistered or
# trapped nodes. The major failing of arp mode is that
# it's not 100% in catching all traffic - spurious packets can and will occasionally get through.
mode=vlan
[trapping]
#
# trapping.testing
#
# Disables sending of ARPs - note that this has implications on node detection and timeouts.
testing=disabled
#
# trapping.range
#
# Comma-delimited list of address ranges/CIDR blocks that PacketFence will monitor/detect/trap on. Gateway, network, and
# broadcast addresses are ignored.
range=10.0.10.0/24,192.168.2.0/24,192.168.3.0/24
#
# trapping.registration
#
# If enabled, nodes will be required to register on first network access. Further registration options are configured in the
# registration section.
registration=enabled
detection=enabled
[registration]
auth=ldap
#
[database]
#
# database.pass
#
# Password for the mysql database used by PacketFence.
pass=pfz3n
[vlan]
#
# vlan.dhcpd
#
# Should DHCPd be started ?
#
dhcpd=enabled
#
#
# vlan.named
#
# Should named be started ?
#
named=enabled
[interface eth0]
mask=255.255.255.0
type=dhcplistener,internal,managed,monitor
gateway=10.0.10.1
ip=10.0.10.10
authorizedips=
[captive_portal]
network_detection_ip=10.0.10.10,10.0.10.0/24,192.168.2.0/24
[scan]
ssl=enabled
pass=password
user=admin
port=1241
host=10.0.10.21
registration=enabled
nessusclient_file=remotescan.nessus
nessusclient_policy=RemoteScan
live_tids=21725 
This is my violations.conf
# Most of the snort rules are from Emerging Threats (http://www.emergingthreats.net/)
#
# In order to use different rulesets, please point the variable snort_rules,
# defined below (in [defaults]), to your local file(s).
#
[defaults]
priority=4
max_enable=3
actions=trap,email,log
auto_enable=Y
disable=Y
grace=120m
button_text=Enable Network
snort_rules=local.rules,emerging-attack_response.rules,emerging-botcc.rules,emerging-exploit.rules,emerging-malware.rules,emerging-p2p.rules,emerging-scan.rules,emerging-shellcode.rules,emerging-trojan.rules,emerging-virus.rules,emerging-worm.rules
# vlan: The vlan parameter allows you to define in what vlan a node with a violation will be put in.
# accepted values are the vlan names: isolationVlan, normalVlan, registrationVlan, macDetectionVlan, guestVlan,
# customVlan1, customVlan2, customVlan3, customVlan4, customVlan5
# (see switches.conf)
vlan=isolationVlan
# if you add a category here, nodes in these categories will be immune to the violation
whitelisted_categories=
[1100001]
desc=Scan
url=/content/index.php?template=failed_scan
priority=4
max_enable=4
button_text=Scan my computer again
trigger=Scan::21725,Scan::10861,Scan::10943,Scan::11177,Scan::11231,Scan::11302,Scan::11304,Scan::11528,Scan::11595,Scan::11664,Scan::11787,Scan::11790,Scan::11803,Scan::11808,Scan::11835,Scan::11878,Scan::11886,Scan::11887,Scan::11921,Scan::12051,Scan::12052,Scan::12054,Scan::12092,Scan::12208,Scan::12209,Scan::13641,Scan::13852,Scan::14724,Scan::15460,Scan::15894,Scan::15970,Scan::16324,Scan::16326,Scan::16327,Scan::16328,Scan::16329,Scan::18020,Scan::18021,Scan::18023,Scan::18025,Scan::18027,Scan::18028,Scan::18215,Scan::18482,Scan::18483,Scan::18490,Scan::18502,Scan::18681,Scan::18682,Scan::19401,Scan::19402,Scan::19406,Scan::19408,Scan::20005,Scan::20172,Scan::20299,Scan::20368,Scan::20382,Scan::20389,Scan::20390,Scan::20904,Scan::20905,Scan::21213,Scan::21332,Scan::21685,Scan::21687,Scan::22030,Scan::22034,Scan::22183,Scan::22184,Scan::22185,Scan::22186,Scan::22187,Scan::22192,Scan::22194,Scan::22332,Scan::22449,Scan::22530,Scan::23644,Scan::23646,Scan::23647,Scan::23833,Scan::23835,Scan::23837,Scan::23838,Scan::23999,Scan::24000
actions=email,log,trap
disable=N
# for faster remediation, it is recommended to leave an offending client in the registration vlan (where it is scanned)
vlan=registrationVlan
#
# Example config to block a whole class of devices based on their MAC address
# Trigger format: The number is a decimal representation of the OUI (Vendor) portion of the MAC.
# To generate such a representation you can use perl -e "print hex('001620');"
# There is a copy of the oui.txt file in conf/ to help you match vendor name and vendor mac.
#
[1100002]
desc=MAC Vendor isolation example
url=/content/index.php?template=banned_devices
trigger=VENDORMAC::5664
actions=trap,email,log
disable=Y
#
# Example config to block an OS based on their dhcp fingerprint
# Trigger format: an id (defined as os_id in os_type table)
# Right now the only way to find the os id is to query the database but it should be feasible
# from the pfcmd tool or the web gui in the future.
# From a MySQL prompt, a 'select * from os_type;' will give you what you need. Just put in
# the os_id next to OS::. For example, to block Windows 95 you would use: OS::104
#
# The below example blocks Windows 95, 98, 98SE, NT4 and ME.
#
[1100003]
desc=Ancient OS isolation example
url=/content/index.php?template=banned_os
trigger=OS::104,OS::103,OS::106,OS::105,OS::102,OS::100
actions=trap,email,log
disable=N
#
# Example config to block a specific Browser User Agent
# This works in the same way as OS does.
# Trigger format: an id (as in configuration -> user-agent )
#
[1100004]
desc=Browser isolation example
url=/content/index.php?template=banned_devices
trigger=USERAGENT::101,USERAGENT::102
actions=trap,email,log
disable=Y
[1100005]
desc=P2P Isolation (snort example)
url=/content/index.php?template=p2p
trigger=Detect::2001808,Detect::2000334,Detect::2000357,Detect::2000369,Detect::2000330,Detect::2000331,Detect::2000332,Detect::2000333,Detect::2001296,Detect::2001297,Detect::2001298,Detect::2001299,Detect::2001305,Detect::2001300,Detect::2001664,Detect::2002760,Detect::2002761,Detect::2001796,Detect::2001812
actions=trap,email,log
disable=Y
[1100006]
desc=Auto-register Device example
priority=1
trigger=OS::3,OS::6,OS::7,OS::8,OS::10,OS::12,OS::13
actions=log,autoreg
disable=Y
[1100007]
desc=Disable NATing Routers and APs
url=/content/index.php?template=nat
trigger=Detect::1100005,Detect::1100006,Detect::1100007,OS::4
actions=trap,email,log
disable=Y
[1100010]
desc=Rogue DHCP
url=/content/index.php?template=roguedhcp
actions=email,log
trigger=
disable=Y
#
# 1200000 - 120099 Reserved for required administration violations
#
[1200001]
priority=9
desc=System Scan
url=/content/index.php?template=system_scan&admin=yes
actions=log,trap
button_text=Scan
trigger=
disable=N
vlan=registrationVlan
[1200003]
priority=1
desc=Check Antivirus Updates
url=/content/index.php?template=system_scan&admin=yes
actions=email,log,trap
priority=1
trigger=Scan::21725
disable=N
max_enable=1
vlan=registrationVlan
#
# Scan is taking place in the registration vlan don't change this value.
#
# 1300000 - 1399999 Reserved for PacketFence violations
#
[1300000]
desc=Generic
priority=8
actions=trap,log
url=/content/index.php?template=generic
disable=N
[1300001]
desc=Spam
priority=6
actions=trap,log
url=/content/index.php?template=spam
disable=N
#
# 1400000 - 1499999 Reserved for local violations
#
#
# 2000000 - 2099999 Snort violations
#
[2000000]
desc=Malware
priority=4
url=/content/index.php?template=malware
disable=Y
action=trap,email,log
# For conficker: Detect::2008802,Detect::2008803,Detect::2009024,Detect::2009114,Detect::2009200,Detect::2009201
trigger=Detect::2008802,Detect::2008803,Detect::2009024,Detect::2009114,Detect::2009200,Detect::2009201
[2000032]
desc=LSASS Exploit
priority=4
url=/content/index.php?template=lsass
redirect_url=/proxies/tools/stinger.exe
disable=Y
trigger=Detect::2000032,Detect::2000033,Detect::2000046,Detect::2001286,Detect::2001337,Detect::2001302
[2002030]
desc=IRC Trojan
priority=3
auto_enable=N
url=/content/index.php?template=trojan
disable=Y
trigger=Detect::2002029,Detect::2002030,Detect::2002031,Detect::2002032,Detect::2002033,Detect::2000345,Detect::2000347,Detect::2000348,Detect::2000349,Detect::2000350,Detect::2000351,Detect::2000352
actions=trap,email,log
# The following signatures replace the generic portscan detector. It was notoriously noisy, especially
# for BitTorrent clients. These new signatures look for most of the "worm-like" scanning behaviors.
[2002201]
desc=Zotob (W32.Zotob and variants)
priority=4
url=/content/index.php?template=zotob
disable=Y
trigger=Detect::2002201,Detect::2002203
[2001904]
desc=Telnet Scan
priority=6
url=/content/index.php?template=scanning
disable=Y
auto_enable=N
trigger=Detect::2001904
[2001972]
desc=Remote Desktop Scan
priority=6
url=/content/index.php?template=scanning
disable=Y
auto_enable=N
trigger=Detect::2001972
[2001569]
desc=NetBIOS Scan
priority=6
url=/content/index.php?template=scanning
disable=Y
auto_enable=N
trigger=Detect::2001569,Detect::2001579,Detect::2001580,Detect::2001581,Detect::2001582,Detect::2001583
# The following are peer-to-peer (P2P) signatures. They can be exceedingly loud, but seem fairly accurate in our experience.
# Since P2P is not considered illicit on all networks, they are all shipped disabled - set disable=N to enable.
[2000334]
desc=P2P (BitTorrent)
priority=8
url=/content/index.php?template=p2p
disable=Y
max_enable=1
trigger=Detect::2000334,Detect::2000357,Detect::2000369
[2001808]
desc=P2P (Limewire)
priority=8
url=/content/index.php?template=p2p
disable=Y
max_enable=1
trigger=Detect::2001808
[2000330]
desc=P2P (eDonkey)
priority=8
url=/content/index.php?template=p2p
disable=Y
max_enable=1
trigger=Detect::2000330,Detect::2000331,Detect::2000332,Detect::2000333,Detect::2001296,Detect::2001297,Detect::2001298,Detect::2001299,Detect::2001305,Detect::2001300
[2001664]
desc=P2P (Gnutella)
priority=8
url=/content/index.php?template=p2p
disable=Y
max_enable=1
trigger=Detect::2001664,Detect::2002760,Detect::2002761
[2001812]
desc=P2P (Kazaa)
priority=8
url=/content/index.php?template=p2p
disable=Y
max_enable=1
trigger=Detect::2001796,Detect::2001812
#
# 3000000 - 3099999 Device bans
#
[3000001]
desc=Block all mobile devices
url=/content/index.php?template=banned_devices
actions=email,log,trap
disable=Y
priority=10
trigger=USERAGENT::300,OS::11
[3000002]
desc=Block iPhone and iPod touch
url=/content/index.php?template=banned_devices
actions=trap,email,log
disable=Y
priority=10
trigger=OS::1102,USERAGENT::101,USERAGENT::102
# MAC vendors: 00:0f:86, 00:1c:cc, 00:21:06, 00:23:7a, 00:24:9f, 00:25:57
[3000003]
desc=Block BlackBerries
url=/content/index.php?template=banned_devices
actions=trap,email,log
disable=Y
priority=10
trigger=VENDORMAC::3974,VENDORMAC::7372,VENDORMAC::8454,VENDORMAC::9082,VENDORMAC::9375,VENDORMAC::9559,USERAGENT::103
[3000004]
desc=Block PS3 and PSP
url=/content/index.php?template=banned_devices
actions=trap,email,log
disable=Y
priority=10
trigger=USERAGENT::111,USERAGENT::112,OS::605
# MAC vendor: 00:13:b6
[3000005]
desc=Block Slingbox
url=/content/index.php?template=banned_devices
actions=trap,email,log
disable=Y
priority=10
trigger=VENDORMAC::5046,OS::703
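An offline cross-check of the .nbe dump against the Scan:: triggers in violations.conf, added here as an example; it is not part of the original post and not PacketFence code. It parses the "results" records of a Nessus NBE file for plugin IDs, reads the enabled violations and their Scan:: triggers from a violations.conf-style file (falling back to the [defaults] section the way violations.conf does), and lists which violations the dump would raise for each scanned host. The sample NBE lines and the cut-down violations.conf are constructed from the values quoted in the post (plugin 21725, violations 1100001 and 1200003); ranking a lower priority number as more urgent is an assumption about how PacketFence orders violations, not something the post states.

```python
"""Cross-check a Nessus NBE dump against PacketFence-style Scan:: triggers.

Added example, not PacketFence code: answers "which violations would this
dump raise?" without touching the database or pfcmd.
"""
import configparser
from collections import defaultdict

# Constructed sample: a trimmed copy of the .nbe dump quoted in the post.
# NBE description fields carry literal backslash-n sequences, not newlines.
SAMPLE_NBE = """\
timestamps|||scan_start|Thu Aug 18 16:32:47 2011|
timestamps||192.168.2.15|host_start|Thu Aug 18 16:33:15 2011|
results|192.168.2|192.168.2.15|netbios-ssn (139/tcp)
results|192.168.2|192.168.2.15|epmap (135/tcp)
results|192.168.2|192.168.2.15|netbios-ssn (139/tcp)|21725|Security Hole|\\nSynopsis :\\n\\nSymantec Antivirus Corporate is installed.\\n
timestamps||192.168.2.15|host_end|Thu Aug 18 16:33:51 2011|
timestamps|||scan_end|Thu Aug 18 16:33:52 2011|
"""

# Constructed sample: the violations relevant to plugin 21725, cut down from
# the violations.conf in the post, plus one non-scan violation that inherits
# disable=Y from [defaults].
SAMPLE_VIOLATIONS_CONF = """\
[defaults]
priority=4
actions=trap,email,log
disable=Y

[1100001]
desc=Scan
trigger=Scan::21725,Scan::10861,Scan::11177
disable=N

[1200003]
desc=Check Antivirus Updates
priority=1
trigger=Scan::21725
disable=N

[3000001]
desc=Block all mobile devices
trigger=USERAGENT::300,OS::11
"""


def parse_nbe(text):
    """Map host -> set of Nessus plugin IDs found in 'results' records.

    Open-port records (results|subnet|host|port) have four fields and no
    plugin ID, so they are skipped; finding records carry the ID in the
    fifth field, followed by the severity and the description.
    """
    hits = defaultdict(set)
    for line in text.splitlines():
        fields = line.split("|")
        if fields[0] != "results" or len(fields) < 6:
            continue
        host, plugin_id = fields[2], fields[4]
        if plugin_id.isdigit():
            hits[host].add(int(plugin_id))
    return dict(hits)


def load_scan_triggers(text):
    """Map plugin ID -> [(vid, desc, priority)] for enabled Scan:: triggers.

    Keys missing from a violation fall back to [defaults]; OS::, USERAGENT::,
    Detect:: and VENDORMAC:: triggers are not scan results and are ignored.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    defaults = dict(cp["defaults"]) if cp.has_section("defaults") else {}
    triggers = defaultdict(list)
    for vid in cp.sections():
        if vid == "defaults":
            continue
        sec = dict(cp[vid])

        def value(key, fallback=""):
            return sec.get(key, defaults.get(key, fallback))

        if value("disable", "N").upper() == "Y":
            continue
        for trig in value("trigger").split(","):
            kind, _, ident = trig.strip().partition("::")
            if kind.lower() == "scan" and ident.isdigit():
                triggers[int(ident)].append(
                    (vid, value("desc"), int(value("priority", "4"))))
    return dict(triggers)


def match_violations(hits, triggers):
    """Per host, the (vid, desc, priority, plugin) tuples that would fire.

    Sorted by priority number ascending, then by vid; reading the lower
    number as the more urgent violation is an assumption.
    """
    report = {}
    for host, plugins in sorted(hits.items()):
        fired = [(vid, desc, prio, pid)
                 for pid in sorted(plugins)
                 for vid, desc, prio in triggers.get(pid, [])]
        report[host] = sorted(fired, key=lambda f: (f[2], f[0]))
    return report


if __name__ == "__main__":
    report = match_violations(parse_nbe(SAMPLE_NBE),
                              load_scan_triggers(SAMPLE_VIOLATIONS_CONF))
    for host, fired in report.items():
        print(host)
        for vid, desc, prio, pid in fired:
            print(f"  violation {vid} ({desc}, priority {prio}) via Scan::{pid}")
```

Run it against a real dump and violations.conf by swapping the two sample strings for the file contents; if a plugin ID that appears in the dump maps to no enabled violation, the trigger list (or disable=Y, possibly inherited from [defaults]) is the first place to look before suspecting the scan itself.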
 
 
 
 
 
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
