Hi,
I am still having problems with the Nessus scan & violation... any help is
appreciated!!
I have successfully created a scan policy and I can manually execute a
scan using the command pfcmd schedule now <IP>.
I see this in packetfence.log:
Aug 18 16:16:32 pfcmd(0) INFO: executing
HOME=/usr/local/pf/conf/nessus/ /opt/nessus/bin/nessus -q -V -x
--dot-nessus /usr/local/pf/conf/nessus/remotescan.nessus --policy-name
RemoteScan 10.0.10.21 1241 admin <password> --target-file
/tmp/pf_nessus_192.168.2.15_2011-08-18-16:16:32.txt
/usr/local/pf/html/admin/scan/results/dump_192.168.2.15_2011-08-18-16:16:32.nbe
(pf::scan::runScan)
A dump file is created at
/usr/local/pf/html/admin/scan/result/dump_192.168.2.15_2011-08-18-16\:16\:32.nbe
cat dump_192.168.2.15_2011-08-18-16\:16\:32.nbe
timestamps|||scan_start|Thu Aug 18 16:32:47 2011|
timestamps||192.168.2.15|host_start|Thu Aug 18 16:33:15 2011|
results|192.168.2|192.168.2.15|netbios-ssn (139/tcp)
results|192.168.2|192.168.2.15|epmap (135/tcp)
results|192.168.2|192.168.2.15|device2 (2030/tcp)
results|192.168.2|192.168.2.15|de-cache-query (1255/tcp)
results|192.168.2|192.168.2.15|serialgateway (1243/tcp)
results|192.168.2|192.168.2.15|netbios-ssn (139/tcp)|21725|Security
Hole|\nSynopsis :\n\nSymantec Antivirus Corporate is
installed.\n\nDescription :\n\nThis plugin checks that the remote host
has Symantec Antivirus \nCorporate installed and properly running, and
makes sure that the latest \nVdefs are loaded.\n\nSolution :\n\nMake
sure SAVCE is installed, running and using the latest
VDEFS.\n\nRiskfactor :\n\nCritical / CVSS Base Score :
10.0\n(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\nPlugin output :\n\nThe
remote host has an antivirus software from Symantec installed. It has
\nbeen fingerprinted as :\n\nSymantec Endpoint Protection :
13.0.6000.513\nDAT version : 20110617\n\nThe remote host has an
out-dated version of the Symantec \nCorporate virus signatures. Last
version is 20110713\n\nAs aresult, the remote host might be infected
by viruses received by\nemail or other
means.\n\ntimestamps||192.168.2.15|host_end|Thu Aug 18 16:33:51
2011|timestamps|||scan_end|Thu Aug18 16:33:52 2011|
Now I try to register a laptop to see if it finds a violation.
packetfence log:
Aug 18 16:28:03 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_cgi_2dbin_redir_2ecgi::handler)
Aug 18 16:28:03 redir.cgi(0) INFO: Updating node 00:21:70:90:4e:2f
user_agent with useragent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows
NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR
3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)' (pf::web::web_node_record_user_agent)
Aug 18 16:28:03 redir.cgi(0) INFO: Static User-Agent lookup data
initialized (pf::useragent::_init)
Aug 18 16:28:03 redir.cgi(0) INFO: 00:21:70:90:4e:2f redirected to
registration page
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_cgi_2dbin_redir_2ecgi::handler)
Aug 18 16:28:08 register.cgi(0) INFO: 192.168.2.15 - 00:21:70:90:4e:2f
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_cgi_2dbin_register_2ecgi::handler)
Aug 18 16:28:20 register.cgi(0) INFO: 192.168.2.15 - 00:21:70:90:4e:2f
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_cgi_2dbin_register_2ecgi::handler)
Aug 18 16:28:20 register.cgi(0) INFO: calling /usr/local/pf/bin/pfcmd
'manage register 00:21:70:90:4e:2f "usertest"
pid="1",user_agent="Mozilla 4.0 compatible; MSIE 8.0; Windows NT 5.1;
Trident 4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR
3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729 "' (pf::web::_sanitize_and_register)
Aug 18 16:28:21 pfcmd(0) INFO: grace expired on violation 1200001 for
node 00:21:70:90:4e:2f (pf::violation::violation_add)
Aug 18 16:28:21 pfcmd(0) INFO: violation 1200001 added for
00:21:70:90:4e:2f (pf::violation::violation_add)
Aug 18 16:28:21 pfcmd(0) INFO: executing action 'log' on class 1200001
(pf::action::action_execute)
Aug 18 16:28:21 pfcmd(0) INFO: /usr/local/pf/logs/violation.log
2011-08-18 16:28:21: System Scan (1200001) detected on node
00:21:70:90:4e:2f (192.168.2.15) (pf::action::action_log)
Aug 18 16:28:21 pfcmd(0) INFO: executing action 'trap' on class
1200001 (pf::action::action_execute)
Aug 18 16:28:21 pfcmd(0) INFO: VLAN isolation is enabled and
manage_register is part of adjustswitchportvlanreasons
(main::vlan_reevaluation)
Aug 18 16:28:21 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog
connected at 10.0.10.2 ifIndex 10105 in VLAN 2 (main::vlan_reevaluation)
Aug 18 16:28:21 pfcmd(0) INFO: highest priority violation for
00:21:70:90:4e:2f is 1200001. Target VLAN for violation:
registrationVlan (2) (pf::vlan::getViolationVlan)
Aug 18 16:28:21 register.cgi(0) INFO: more violations yet to come for
00:21:70:90:4e:2f
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_cgi_2dbin_register_2ecgi::handler)
Aug 18 16:28:21 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_cgi_2dbin_redir_2ecgi::handler)
Aug 18 16:28:21 redir.cgi(0) INFO: captive portal redirect on
violation vid: 1200001, redirect url:
/content/index.php?template=system_scan&admin=yes
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_cgi_2dbin_redir_2ecgi::handler)
Aug 18 16:28:21 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_cgi_2dbin_redir_2ecgi::handler)
Aug 18 16:28:21 redir.cgi(0) INFO: captive portal redirect on
violation vid: 1200001, redirect url:
/content/index.php?template=system_scan&admin=yes
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_cgi_2dbin_redir_2ecgi::handler)
On the laptop I see the Quarantine Established page, and if I hit scan I
see this in my log file, but nothing is scanned:
Aug 18 16:31:36 release.cgi(0) INFO: scanning 192.168.2.15 by
calling /usr/local/pf/bin/pfcmd schedule now 192.168.2.15 1>/dev/null
2>&1
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_cgi_2dbin_release_2ecgi::handler)
Aug 18 16:31:36 release.cgi(0) INFO: violation for mac
00:21:70:90:4e:2f vid 1200001 modified (pf::violation::violation_modify)
It seems to execute the command but nothing happens. If I check the
PacketFence Violation tab I see System scan (1200001) with status
open. For some reason my Scan ID 1200003 was never detected.
This is my pf.conf file:
[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=packetfence.local
#
# general.hostname
#
# Hostname of PacketFence system. This is concatenated with the domain in Apache rewriting rules and therefore must be resolvable by clients.
hostname=pf-zen
#
# general.dnsservers
#
# Comma-delimited list of DNS servers. Passthroughs are created to allow queries to these servers from even "trapped" nodes.
dnsservers=10.0.10.10
#
# general.dhcpservers
#
# Comma-delimited list of DHCP servers. Passthroughs are created to allow DHCP transactions from even "trapped" nodes.
dhcpservers=10.0.10.10
[network]
#
# network.mode
#
# Defines the mode in which PacketFence will operate.
#
# When deployed in arp mode, PacketFence uses ARP manipulation to inject itself into the datastream of unregistered or
# trapped nodes. The major failing of arp mode is that
# it's not 100% in catching all traffic - spurious packets can and will occasionally get through.
mode=vlan
[trapping]
#
# trapping.testing
#
# Disables sending of ARPs - note that this has implications on node detection and timeouts.
testing=disabled
#
# trapping.range
#
# Comma-delimited list of address ranges/CIDR blocks that PacketFence will monitor/detect/trap on. Gateway, network, and
# broadcast addresses are ignored.
range=10.0.10.0/24,192.168.2.0/24,192.168.3.0/24
#
# trapping.registration
#
# If enabled, nodes will be required to register on first network access. Further registration options are configured in the
# registration section.
registration=enabled
detection=enabled
[registration]
auth=ldap
#
[database]
#
# database.pass
#
# Password for the mysql database used by PacketFence.
pass=pfz3n
[vlan]
#
# vlan.dhcpd
#
# Should DHCPd be started ?
#
dhcpd=enabled
#
#
# vlan.named
#
# Should named be started ?
#
named=enabled
[interface eth0]
mask=255.255.255.0
type=dhcplistener,internal,managed,monitor
gateway=10.0.10.1
ip=10.0.10.10
authorizedips=
[captive_portal]
network_detection_ip=10.0.10.10,10.0.10.0/24,192.168.2.0/24
[scan]
ssl=enabled
pass=password
user=admin
port=1241
host=10.0.10.21
registration=enabled
nessusclient_file=remotescan.nessus
nessusclient_policy=RemoteScan
live_tids=21725
This is my violations.conf:
# Most of the snort rules are from Emerging Threats (http://www.emergingthreats.net/)
#
# In order to use different rulesets, please point the variable snort_rules,
# defined below (in [defaults]), to your local file(s).
#
[defaults]
priority=4
max_enable=3
actions=trap,email,log
auto_enable=Y
disable=Y
grace=120m
button_text=Enable Network
snort_rules=local.rules,emerging-attack_response.rules,emerging-botcc.rules,emerging-exploit.rules,emerging-malware.rules,emerging-p2p.rules,emerging-scan.rules,emerging-shellcode.rules,emerging-trojan.rules,emerging-virus.rules,emerging-worm.rules
# vlan: The vlan parameter allows you to define in what vlan a node with a violation will be put in.
# accepted values are the vlan names: isolationVlan, normalVlan, registrationVlan, macDetectionVlan, guestVlan,
# customVlan1, customVlan2, customVlan3, customVlan4, customVlan5
# (see switches.conf)
vlan=isolationVlan
# if you add a category here, nodes in these categories will be immune to the violation
whitelisted_categories=
[1100001]
desc=Scan
url=/content/index.php?template=failed_scan
priority=4
max_enable=4
button_text=Scan my computer again
trigger=Scan::21725,Scan::10861,Scan::10943,Scan::11177,Scan::11231,Scan::11302,Scan::11304,Scan::11528,Scan::11595,Scan::11664,Scan::11787,Scan::11790,Scan::11803,Scan::11808,Scan::11835,Scan::11878,Scan::11886,Scan::11887,Scan::11921,Scan::12051,Scan::12052,Scan::12054,Scan::12092,Scan::12208,Scan::12209,Scan::13641,Scan::13852,Scan::14724,Scan::15460,Scan::15894,Scan::15970,Scan::16324,Scan::16326,Scan::16327,Scan::16328,Scan::16329,Scan::18020,Scan::18021,Scan::18023,Scan::18025,Scan::18027,Scan::18028,Scan::18215,Scan::18482,Scan::18483,Scan::18490,Scan::18502,Scan::18681,Scan::18682,Scan::19401,Scan::19402,Scan::19406,Scan::19408,Scan::20005,Scan::20172,Scan::20299,Scan::20368,Scan::20382,Scan::20389,Scan::20390,Scan::20904,Scan::20905,Scan::21213,Scan::21332,Scan::21685,Scan::21687,Scan::22030,Scan::22034,Scan::22183,Scan::22184,Scan::22185,Scan::22186,Scan::22187,Scan::22192,Scan::22194,Scan::22332,Scan::22449,Scan::22530,Scan::23644,Scan::23646,Scan::23647,Scan::23833,Scan::23835,Scan::23837,Scan::23838,Scan::23999,Scan::24000
actions=email,log,trap
disable=N
# for faster remediation, it is recommended to leave an offending client in the registration vlan (where it is scanned)
vlan=registrationVlan
#
# Example config to block a whole class of devices based on their MAC address
# Trigger format: The number is a decimal representation of the OUI (Vendor) portion of the MAC.
# To generate such a representation you can use perl -e "print hex('001620');"
# There is a copy of the oui.txt file in conf/ to help you match vendor name and vendor mac.
#
[1100002]
desc=MAC Vendor isolation example
url=/content/index.php?template=banned_devices
trigger=VENDORMAC::5664
actions=trap,email,log
disable=Y
#
# Example config to block an OS based on their dhcp fingerprint
# Trigger format: an id (defined as os_id in os_type table)
# Right now the only way to find the os id is to query the database but it should be feasible
# from the pfcmd tool or the web gui in the future.
# From a MySQL prompt, a 'select * from os_type;' will give you what you need. Just put in
# the os_id next to OS::. For example, to block Windows 95 you would use: OS::104
#
# The below example blocks Windows 95, 98, 98SE, NT4 and ME.
#
[1100003]
desc=Ancient OS isolation example
url=/content/index.php?template=banned_os
trigger=OS::104,OS::103,OS::106,OS::105,OS::102,OS::100
actions=trap,email,log
disable=N
#
# Example config to block a specific Browser User Agent
# This works in the same way as OS does.
# Trigger format: an id (as in configuration -> user-agent )
#
[1100004]
desc=Browser isolation example
url=/content/index.php?template=banned_devices
trigger=USERAGENT::101,USERAGENT::102
actions=trap,email,log
disable=Y
[1100005]
desc=P2P Isolation (snort example)
url=/content/index.php?template=p2p
trigger=Detect::2001808,Detect::2000334,Detect::2000357,Detect::2000369,Detect::2000330,Detect::2000331,Detect::2000332,Detect::2000333,Detect::2001296,Detect::2001297,Detect::2001298,Detect::2001299,Detect::2001305,Detect::2001300,Detect::2001664,Detect::2002760,Detect::2002761,Detect::2001796,Detect::2001812
actions=trap,email,log
disable=Y
[1100006]
desc=Auto-register Device example
priority=1
trigger=OS::3,OS::6,OS::7,OS::8,OS::10,OS::12,OS::13
actions=log,autoreg
disable=Y
[1100007]
desc=Disable NATing Routers and APs
url=/content/index.php?template=nat
trigger=Detect::1100005,Detect::1100006,Detect::1100007,OS::4
actions=trap,email,log
disable=Y
[1100010]
desc=Rogue DHCP
url=/content/index.php?template=roguedhcp
actions=email,log
trigger=
disable=Y
#
# 1200000 - 120099 Reserved for required administration violations
#
[1200001]
priority=9
desc=System Scan
url=/content/index.php?template=system_scan&admin=yes
actions=log,trap
button_text=Scan
trigger=
disable=N
vlan=registrationVlan
[1200003]
priority=1
desc=Check Antivirus Updates
url=/content/index.php?template=system_scan&admin=yes
actions=email,log,trap
priority=1
trigger=Scan::21725
disable=N
max_enable=1
vlan=registrationVlan
#
# Scan is taking place in the registration vlan don't change this value.
#
# 1300000 - 1399999 Reserved for PacketFence violations
#
[1300000]
desc=Generic
priority=8
actions=trap,log
url=/content/index.php?template=generic
disable=N
[1300001]
desc=Spam
priority=6
actions=trap,log
url=/content/index.php?template=spam
disable=N
#
# 1400000 - 1499999 Reserved for local violations
#
#
# 2000000 - 2099999 Snort violations
#
[2000000]
desc=Malware
priority=4
url=/content/index.php?template=malware
disable=Y
action=trap,email,log
# For conficker: Detect::2008802,Detect::2008803,Detect::2009024,Detect::2009114,Detect::2009200,Detect::2009201
trigger=Detect::2008802,Detect::2008803,Detect::2009024,Detect::2009114,Detect::2009200,Detect::2009201
[2000032]
desc=LSASS Exploit
priority=4
url=/content/index.php?template=lsass
redirect_url=/proxies/tools/stinger.exe
disable=Y
trigger=Detect::2000032,Detect::2000033,Detect::2000046,Detect::2001286,Detect::2001337,Detect::2001302
[2002030]
desc=IRC Trojan
priority=3
auto_enable=N
url=/content/index.php?template=trojan
disable=Y
trigger=Detect::2002029,Detect::2002030,Detect::2002031,Detect::2002032,Detect::2002033,Detect::2000345,Detect::2000347,Detect::2000348,Detect::2000349,Detect::2000350,Detect::2000351,Detect::2000352
actions=trap,email,log
# The following signatures replace the generic portscan detector. It was notoriously noisy, especially
# for BitTorrent clients. These new signatures look for most of the "worm-like" scanning behaviors.
[2002201]
desc=Zotob (W32.Zotob and variants)
priority=4
url=/content/index.php?template=zotob
disable=Y
trigger=Detect::2002201,Detect::2002203
[2001904]
desc=Telnet Scan
priority=6
url=/content/index.php?template=scanning
disable=Y
auto_enable=N
trigger=Detect::2001904
[2001972]
desc=Remote Desktop Scan
priority=6
url=/content/index.php?template=scanning
disable=Y
auto_enable=N
trigger=Detect::2001972
[2001569]
desc=NetBIOS Scan
priority=6
url=/content/index.php?template=scanning
disable=Y
auto_enable=N
trigger=Detect::2001569,Detect::2001579,Detect::2001580,Detect::2001581,Detect::2001582,Detect::2001583
# The following are peer-to-peer (P2P) signatures. They can be exceedingly loud, but seem fairly accurate in our experience.
# Since P2P is not considered illicit on all networks, they are all shipped disabled - set disable=N to enable.
[2000334]
desc=P2P (BitTorrent)
priority=8
url=/content/index.php?template=p2p
disable=Y
max_enable=1
trigger=Detect::2000334,Detect::2000357,Detect::2000369
[2001808]
desc=P2P (Limewire)
priority=8
url=/content/index.php?template=p2p
disable=Y
max_enable=1
trigger=Detect::2001808
[2000330]
desc=P2P (eDonkey)
priority=8
url=/content/index.php?template=p2p
disable=Y
max_enable=1
trigger=Detect::2000330,Detect::2000331,Detect::2000332,Detect::2000333,Detect::2001296,Detect::2001297,Detect::2001298,Detect::2001299,Detect::2001305,Detect::2001300
[2001664]
desc=P2P (Gnutella)
priority=8
url=/content/index.php?template=p2p
disable=Y
max_enable=1
trigger=Detect::2001664,Detect::2002760,Detect::2002761
[2001812]
desc=P2P (Kazaa)
priority=8
url=/content/index.php?template=p2p
disable=Y
max_enable=1
trigger=Detect::2001796,Detect::2001812
#
# 3000000 - 3099999 Device bans
#
[3000001]
desc=Block all mobile devices
url=/content/index.php?template=banned_devices
actions=email,log,trap
disable=Y
priority=10
trigger=USERAGENT::300,OS::11
[3000002]
desc=Block iPhone and iPod touch
url=/content/index.php?template=banned_devices
actions=trap,email,log
disable=Y
priority=10
trigger=OS::1102,USERAGENT::101,USERAGENT::102
# MAC vendors: 00:0f:86, 00:1c:cc, 00:21:06, 00:23:7a, 00:24:9f, 00:25:57
[3000003]
desc=Block BlackBerries
url=/content/index.php?template=banned_devices
actions=trap,email,log
disable=Y
priority=10
trigger=VENDORMAC::3974,VENDORMAC::7372,VENDORMAC::8454,VENDORMAC::9082,VENDORMAC::9375,VENDORMAC::9559,USERAGENT::103
[3000004]
desc=Block PS3 and PSP
url=/content/index.php?template=banned_devices
actions=trap,email,log
disable=Y
priority=10
trigger=USERAGENT::111,USERAGENT::112,OS::605
# MAC vendor: 00:13:b6
[3000005]
desc=Block Slingbox
url=/content/index.php?template=banned_devices
actions=trap,email,log
disable=Y
priority=10
trigger=VENDORMAC::5046,OS::703
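The puzzle in the post is that plugin 21725 appears in the .nbe dump while violation 1200003 never opens. The following is an added consistency check, not code from the post or from PacketFence: it parses the NBE "results" records for plugin ids and the Scan:: triggers of every enabled violations.conf section, then reports which violation ids list a plugin that the scan actually reported for each host. The sample NBE lines and config excerpt are constructed from values quoted in the post, and the check assumes the NBE layout results|subnet|host|port|plugin_id|severity|text; it is not PacketFence's own matching logic.

```python
import configparser

# Constructed sample NBE output modelled on the dump quoted in the post:
# one open-port record and one plugin finding (21725) for 192.168.2.15.
SAMPLE_NBE = """\
timestamps||192.168.2.15|host_start|Thu Aug 18 16:33:15 2011|
results|192.168.2|192.168.2.15|netbios-ssn (139/tcp)
results|192.168.2|192.168.2.15|netbios-ssn (139/tcp)|21725|Security Hole|Synopsis : ...
"""

# Constructed violations.conf excerpt: the two enabled Scan:: sections from
# the post plus a disabled non-Scan section that must be ignored.
SAMPLE_VIOLATIONS = """\
[1100001]
trigger=Scan::21725,Scan::10861
disable=N
[1200003]
trigger=Scan::21725
disable=N
[1100002]
trigger=VENDORMAC::5664
disable=Y
"""

def nbe_plugin_ids(nbe_text):
    """Return {host: set(plugin ids)}; port-only records (no 5th field) are skipped."""
    hits = {}
    for line in nbe_text.splitlines():
        fields = line.split("|")
        if fields[0] != "results" or len(fields) < 5 or not fields[4].isdigit():
            continue
        hits.setdefault(fields[2], set()).add(int(fields[4]))
    return hits

def scan_triggers(violations_text):
    """Return {vid: set(plugin ids)} for sections with disable=N and Scan:: triggers."""
    # strict=False tolerates duplicated keys, as in the post's [1200003] section.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(violations_text)
    out = {}
    for vid in cp.sections():
        if vid == "defaults" or cp.get(vid, "disable", fallback="Y").upper() == "Y":
            continue
        triggers = cp.get(vid, "trigger", fallback="").split(",")
        ids = {int(t.split("::", 1)[1]) for t in triggers if t.startswith("Scan::")}
        if ids:
            out[vid] = ids
    return out

def expected_violations(nbe_text, violations_text):
    """Map each scanned host to the violation ids whose Scan:: trigger matched."""
    hits, triggers = nbe_plugin_ids(nbe_text), scan_triggers(violations_text)
    return {host: sorted(vid for vid, ids in triggers.items() if ids & plugins)
            for host, plugins in hits.items()}
```

Run against the real dump and violations.conf by passing their file contents to expected_violations. On the post's own files both 1100001 and 1200003 list Scan::21725 and have disable=N, so the check reports both for 192.168.2.15.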
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users