Francois, thank you very much for your help! I have downloaded the latest 
trunk as you suggested and successfully installed it (the pf 3.0 beta). I still 
have a problem when testing with Nessus. Again, the command (pfcmd schedule now 
ip) runs fine and I can see my test laptop being scanned, but not when I try to 
register the laptop through PacketFence. I am not sure if this is a bug in 
3.0. Below are the config file and the PacketFence log file. Any ideas to try?
***packetfence violation tab*** I always see violation 1200001
 27 00:21:70:90:4e:2f 2009-8168-03 open System Scan 2011-08-25 11:33:28 
 
****Violations.conf*****
 
[1100011]
desc=Check Antivirus Updates
priority=5
url=/remediation.php?template=system_scan
actions=log,trap
trigger=Scan::21725
disable=N
vlan=registrationVlan
#
# 1200000 - 120099 Reserved for required administration violations
#
[1200001]
priority=9
desc=System Scan
# someone should always be able to try to scan its system again
max_enable=0
grace=1s
url=/remediation.php?template=system_scan
actions=trap,log
button_text=Scan
disable=Y
# Scan is taking place in the registration vlan don't change this value.
vlan=registrationVlan
 
***Packetfence log *****
 
Aug 25 11:32:35 pfmon(1) INFO: Starting cleanup thread (main::cleanup)
Aug 25 11:32:35 pfmon(1) INFO: closing open iplogs (just in case) 
(main::cleanup)
Aug 25 11:32:35 pfmon(1) INFO: closing open iplogs (pf::iplog::iplog_shutdown)
Aug 25 11:33:01 pfdhcplistener(8302) INFO: 00:21:70:90:4e:2f requested an IP. 
DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp 
= 2011-08-25 11:33:01,computername = 2009-8168-03,dhcp_fingerprint = 
1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 25 11:33:01 pfdhcplistener(8303) INFO: 00:21:70:90:4e:2f requested an IP. 
DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp 
= 2011-08-25 11:33:01,computername = 2009-8168-03,dhcp_fingerprint = 
1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 25 11:33:01 pfdhcplistener(8303) INFO: DHCPACK from 10.0.10.10 
(00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 25 11:33:01 pfdhcplistener(8303) INFO: could not resolve 192.168.2.15 to 
mac in ARP table (pf::iplog::ip2macinarp)
Aug 25 11:33:01 pfdhcplistener(8303) WARN: could not resolve 192.168.2.15 to 
mac (pf::iplog::ip2mac)
Aug 25 11:33:01 pfdhcplistener(8303) WARN: unable to resolve 00:21:70:90:4e:2f 
to ip (pf::iplog::mac2ip)
Aug 25 11:33:01 pfdhcplistener(8302) INFO: DHCPACK from 10.0.10.10 
(00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 25 11:33:16 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Aug 25 11:33:16 redir.cgi(0) INFO: Updating node 00:21:70:90:4e:2f user_agent 
with useragent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; 
Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET 
CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)' 
(pf::web::web_node_record_user_agent)
Aug 25 11:33:16 redir.cgi(0) INFO: Static User-Agent lookup data initialized 
(pf::useragent::_init)
Aug 25 11:33:16 redir.cgi(0) INFO: 00:21:70:90:4e:2f redirected to 
authentication page 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Aug 25 11:33:28 register.cgi(0) INFO: 192.168.2.15 - 00:21:70:90:4e:2f 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_register_2ecgi::handler)
Aug 25 11:33:28 register.cgi(0) INFO: calling /usr/local/pf/bin/pfcmd 'manage 
register 00:21:70:90:4e:2f "anguyen" pid="1",user_agent="Mozilla 4.0 
compatible; MSIE 8.0; Windows NT 5.1; Trident 4.0; .NET CLR 1.1.4322; .NET CLR 
2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 
3.0.4506.2152; .NET CLR 3.5.30729 "' (pf::web::_sanitize_and_register)
Aug 25 11:33:28 pfcmd(0) INFO: grace expired on violation 1200001 for node 
00:21:70:90:4e:2f (pf::violation::violation_add)
Aug 25 11:33:28 pfcmd(0) INFO: violation 1200001 added for 00:21:70:90:4e:2f 
(pf::violation::violation_add)
Aug 25 11:33:28 pfcmd(0) INFO: executing action 'log' on class 1200001 
(pf::action::action_execute)
Aug 25 11:33:28 pfcmd(0) INFO: /usr/local/pf/logs/violation.log 2011-08-25 
11:33:28: System Scan (1200001) detected on node 00:21:70:90:4e:2f 
(192.168.2.15) (pf::action::action_log)
Aug 25 11:33:28 pfcmd(0) INFO: executing action 'trap' on class 1200001 
(pf::action::action_execute)
Aug 25 11:33:28 pfcmd(0) INFO: re-evaluating access for node 00:21:70:90:4e:2f 
(manage_register called) (pf::enforcement::reevaluate_access)
Aug 25 11:33:28 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog connected at 
10.0.10.2 ifIndex 10105 in VLAN 2 (pf::enforcement::_vlan_reevaluation)
Aug 25 11:33:29 pfcmd(0) INFO: highest priority violation for 00:21:70:90:4e:2f 
is 1200001. Target VLAN for violation: registrationVlan (2) 
(pf::vlan::getViolationVlan)
Aug 25 11:33:29 register.cgi(0) INFO: more violations yet to come for 
00:21:70:90:4e:2f 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_register_2ecgi::handler)
Aug 25 11:33:29 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Aug 25 11:33:29 redir.cgi(0) INFO: captive portal redirect on violation vid: 
1200001, redirect url: /remediation.php?template=system_scan 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Aug 25 11:33:29 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Aug 25 11:33:29 redir.cgi(0) INFO: captive portal redirect on violation vid: 
1200001, redirect url: /remediation.php?template=system_scan 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Aug 25 11:33:33 release.pm(0) INFO: scanning 192.168.2.15 by calling 
/usr/local/pf/bin/pfcmd schedule now 192.168.2.15 1>/dev/null 2>&1 
(pf::web::release::handler)
Aug 25 11:33:33 release.pm(0) INFO: violation for mac 00:21:70:90:4e:2f vid 
1200001 modified (pf::violation::violation_modify)
Aug 25 11:33:33 pfcmd(0) INFO: executing HOME=/usr/local/pf/conf/nessus/ 
/opt/nessus/bin/nessus -q -V -x --dot-nessus 
/usr/local/pf/conf/nessus/remotescan.nessus --policy-name RemoteScan 10.0.10.21 
1241 admin <password> --target-file /tmp/pf_nessus_192.168.2.15_2011-08-25 
11:33:33.txt 
/usr/local/pf/html/admin/scan/results/dump_192.168.2.15_2011-08-25-11:33:33.nbe 
(pf::scan::runScan)
 
****pf.conf*****
[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=packetfence.local
#
# general.hostname
#
# Hostname of PacketFence system. This is concatenated with the domain in
# Apache rewriting rules and therefore must be resolvable by clients.
hostname=pf
[network]
# mode=vlan
[trapping]
#
# trapping.testing
#
# Disables sending of ARPs - note that this has implications on node detection
# and timeouts.
testing=disabled
#
# trapping.range
#
# Comma-delimited list of address ranges/CIDR blocks that PacketFence will
# monitor/detect/trap on. Gateway, network, and
# broadcast addresses are ignored.
range=192.168.2.0/24,192.168.3.0/24,10.0.10.0/24
#
# trapping.registration
#
# If enabled, nodes will be required to register on first network access.
# Further registration options are configured in the
# registration section.
registration=enabled
#
# trapping.detection
#
# Enables snort-based worm detection. If you don't have a span interface
# available, don't bother enabling it. If you do,
# you'll most definately want this on.
detection=enabled
[database]
pass=pfz3n
 
[vlan]
#
# vlan.dhcpd
#
# Should DHCPd be started ?
#
dhcpd=enabled
#
#
# vlan.named
#
# Should named be started ?
#
named=enabled
[registration]
auth=local
[interface eth0]
mask=255.255.255.0
type=dhcplistener,internal,management,detection,monitor
enforcement=vlan
gateway=10.0.10.1
ip=10.0.10.10
authorizedips=
[scan]
ssl=enabled
pass=password
user=admin
port=1241
host=10.0.10.21
registration=enabled
nessusclient_file=remotescan.nessus
nessusclient_policy=RemoteScan
live_tids=21725
[captive_portal]
network_detection_ip=10.0.10.10,10.0.10.0/24,192.168.2.0/24,192.168.3.0/24
 
 
 
 
 
 
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
