Hmm, I see here that the Nessus process started:

Aug 25 11:33:33 release.pm(0) INFO: scanning 192.168.2.15 by calling /usr/local/pf/bin/pfcmd schedule now 192.168.2.15 1>/dev/null 2>&1 (pf::web::release::handler)
Aug 25 11:33:33 release.pm(0) INFO: violation for mac 00:21:70:90:4e:2f vid 1200001 modified (pf::violation::violation_modify)
Aug 25 11:33:33 pfcmd(0) INFO: executing HOME=/usr/local/pf/conf/nessus/ /opt/nessus/bin/nessus -q -V -x --dot-nessus /usr/local/pf/conf/nessus/remotescan.nessus --policy-name RemoteScan 10.0.10.21 1241 admin <password> --target-file /tmp/pf_nessus_192.168.2.15_2011-08-25 11:33:33.txt /usr/local/pf/html/admin/scan/results/dump_192.168.2.15_2011-08-25-11:33:33.nbe (pf::scan::runScan)

I need the logs after that....

On 11-08-25 6:01 PM, andy nguyen wrote:
Francois, Thank you very much for your help!!! I have downloaded the latest trunk as you suggested and successfully installed it (the pf 3.0 beta). I still have a problem when testing with Nessus. Again, the command (pfcmd schedule now ip) runs fine and I can see my test laptop being scanned, but not when I try to register the laptop through PacketFence. I am not sure if this is a bug in 3.0. Below are the config file and the PacketFence log file. Any ideas to try???
***packetfence violation tab*** I always see violation 1200001
 
27  00:21:70:90:4e:2f  2009-8168-03  open  System Scan  2011-08-25 11:33:28
 
 
****Violations.conf*****
 
[1100011]
desc=Check Antivirus Updates
priority=5
url=/remediation.php?template=system_scan
actions=log,trap
trigger=Scan::21725
disable=N
vlan=registrationVlan
#
# 1200000 - 120099 Reserved for required administration violations
#
[1200001]
priority=9
desc=System Scan
# someone should always be able to try to scan its system again
max_enable=0
grace=1s
url=/remediation.php?template=system_scan
actions=trap,log
button_text=Scan
disable=Y
# Scan is taking place in the registration vlan don't change this value.
vlan=registrationVlan
 
***Packetfence log *****
 
Aug 25 11:32:35 pfmon(1) INFO: Starting cleanup thread (main::cleanup)
Aug 25 11:32:35 pfmon(1) INFO: closing open iplogs (just in case) (main::cleanup)
Aug 25 11:32:35 pfmon(1) INFO: closing open iplogs (pf::iplog::iplog_shutdown)
Aug 25 11:33:01 pfdhcplistener(8302) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-25 11:33:01,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 25 11:33:01 pfdhcplistener(8303) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-25 11:33:01,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 25 11:33:01 pfdhcplistener(8303) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 25 11:33:01 pfdhcplistener(8303) INFO: could not resolve 192.168.2.15 to mac in ARP table (pf::iplog::ip2macinarp)
Aug 25 11:33:01 pfdhcplistener(8303) WARN: could not resolve 192.168.2.15 to mac (pf::iplog::ip2mac)
Aug 25 11:33:01 pfdhcplistener(8303) WARN: unable to resolve 00:21:70:90:4e:2f to ip (pf::iplog::mac2ip)
Aug 25 11:33:01 pfdhcplistener(8302) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 25 11:33:16 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Aug 25 11:33:16 redir.cgi(0) INFO: Updating node 00:21:70:90:4e:2f user_agent with useragent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)' (pf::web::web_node_record_user_agent)
Aug 25 11:33:16 redir.cgi(0) INFO: Static User-Agent lookup data initialized (pf::useragent::_init)
Aug 25 11:33:16 redir.cgi(0) INFO: 00:21:70:90:4e:2f redirected to authentication page (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Aug 25 11:33:28 register.cgi(0) INFO: 192.168.2.15 - 00:21:70:90:4e:2f (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_register_2ecgi::handler)
Aug 25 11:33:28 register.cgi(0) INFO: calling /usr/local/pf/bin/pfcmd 'manage register 00:21:70:90:4e:2f "anguyen" pid="1",user_agent="Mozilla 4.0 compatible; MSIE 8.0; Windows NT 5.1; Trident 4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729 "' (pf::web::_sanitize_and_register)
Aug 25 11:33:28 pfcmd(0) INFO: grace expired on violation 1200001 for node 00:21:70:90:4e:2f (pf::violation::violation_add)
Aug 25 11:33:28 pfcmd(0) INFO: violation 1200001 added for 00:21:70:90:4e:2f (pf::violation::violation_add)
Aug 25 11:33:28 pfcmd(0) INFO: executing action 'log' on class 1200001 (pf::action::action_execute)
Aug 25 11:33:28 pfcmd(0) INFO: /usr/local/pf/logs/violation.log 2011-08-25 11:33:28: System Scan (1200001) detected on node 00:21:70:90:4e:2f (192.168.2.15) (pf::action::action_log)
Aug 25 11:33:28 pfcmd(0) INFO: executing action 'trap' on class 1200001 (pf::action::action_execute)
Aug 25 11:33:28 pfcmd(0) INFO: re-evaluating access for node 00:21:70:90:4e:2f (manage_register called) (pf::enforcement::reevaluate_access)
Aug 25 11:33:28 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog connected at 10.0.10.2 ifIndex 10105 in VLAN 2 (pf::enforcement::_vlan_reevaluation)
Aug 25 11:33:29 pfcmd(0) INFO: highest priority violation for 00:21:70:90:4e:2f is 1200001. Target VLAN for violation: registrationVlan (2) (pf::vlan::getViolationVlan)
Aug 25 11:33:29 register.cgi(0) INFO: more violations yet to come for 00:21:70:90:4e:2f (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_register_2ecgi::handler)
Aug 25 11:33:29 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Aug 25 11:33:29 redir.cgi(0) INFO: captive portal redirect on violation vid: 1200001, redirect url: /remediation.php?template=system_scan (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Aug 25 11:33:29 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Aug 25 11:33:29 redir.cgi(0) INFO: captive portal redirect on violation vid: 1200001, redirect url: /remediation.php?template=system_scan (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Aug 25 11:33:33 release.pm(0) INFO: scanning 192.168.2.15 by calling /usr/local/pf/bin/pfcmd schedule now 192.168.2.15 1>/dev/null 2>&1 (pf::web::release::handler)
Aug 25 11:33:33 release.pm(0) INFO: violation for mac 00:21:70:90:4e:2f vid 1200001 modified (pf::violation::violation_modify)
Aug 25 11:33:33 pfcmd(0) INFO: executing HOME=/usr/local/pf/conf/nessus/ /opt/nessus/bin/nessus -q -V -x --dot-nessus /usr/local/pf/conf/nessus/remotescan.nessus --policy-name RemoteScan 10.0.10.21 1241 admin <password> --target-file /tmp/pf_nessus_192.168.2.15_2011-08-25 11:33:33.txt /usr/local/pf/html/admin/scan/results/dump_192.168.2.15_2011-08-25-11:33:33.nbe (pf::scan::runScan)
 
****pf.conf*****
[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=packetfence.local
#
# general.hostname
#
# Hostname of PacketFence system. This is concatenated with the domain in Apache rewriting rules and therefore must be resolvable by clients.
hostname=pf
[network]
# mode=vlan
[trapping]
#
# trapping.testing
#
# Disables sending of ARPs - note that this has implications on node detection and timeouts.
testing=disabled
#
# trapping.range
#
# Comma-delimited list of address ranges/CIDR blocks that PacketFence will monitor/detect/trap on. Gateway, network, and
# broadcast addresses are ignored.
range=192.168.2.0/24,192.168.3.0/24,10.0.10.0/24
#
# trapping.registration
#
# If enabled, nodes will be required to register on first network access. Further registration options are configured in the
# registration section.
registration=enabled
#
# trapping.detection
#
# Enables snort-based worm detection. If you don't have a span interface available, don't bother enabling it. If you do,
# you'll most definately want this on.
detection=enabled
[database]
pass=pfz3n
 
[vlan]
#
# vlan.dhcpd
#
# Should DHCPd be started ?
#
dhcpd=enabled
#
#
# vlan.named
#
# Should named be started ?
#
named=enabled
[registration]
auth=local
[interface eth0]
mask=255.255.255.0
type=dhcplistener,internal,management,detection,monitor
enforcement=vlan
gateway=10.0.10.1
ip=10.0.10.10
authorizedips=
[scan]
ssl=enabled
pass=password
user=admin
port=1241
host=10.0.10.21
registration=enabled
nessusclient_file=remotescan.nessus
nessusclient_policy=RemoteScan
live_tids=21725
[captive_portal]
network_detection_ip=10.0.10.10,10.0.10.0/24,192.168.2.0/24,192.168.3.0/24
 
 
 
 
 
 




_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users


--
Francois Gaudreault, ing. jr
[email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
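
Added example (not part of the original messages and not PacketFence code): a Python script that splits run-together PacketFence log text, like the excerpt quoted in this thread, back into one entry per line and reports what was logged after the last pf::scan::runScan entry for a given IP. The sample text is constructed by abridging entries from this thread, and the function names are hypothetical.

```python
import re

# Header of one log entry, e.g. "Aug 25 11:33:33 pfcmd(0) INFO: "
HEADER = r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d [\w.]+\(\d+\) [A-Z]+: "
ENTRY = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<proc>[\w.]+)\((?P<pid>\d+)\) "
    r"(?P<level>[A-Z]+): (?P<msg>.*?)(?: \((?P<sub>[\w:]+)\))?$", re.S)

# Constructed sample: entries abridged from the log in this thread, run
# together on one line the way the mail client flattened them.
SAMPLE = (
    "Aug 25 11:33:28 pfcmd(0) INFO: violation 1200001 added for 00:21:70:90:4e:2f "
    "(pf::violation::violation_add) "
    "Aug 25 11:33:29 pfcmd(0) INFO: highest priority violation for 00:21:70:90:4e:2f "
    "is 1200001. Target VLAN for violation: registrationVlan (2) (pf::vlan::getViolationVlan) "
    "Aug 25 11:33:33 release.pm(0) INFO: scanning 192.168.2.15 by calling "
    "/usr/local/pf/bin/pfcmd schedule now 192.168.2.15 1>/dev/null 2>&1 (pf::web::release::handler) "
    "Aug 25 11:33:33 pfcmd(0) INFO: executing HOME=/usr/local/pf/conf/nessus/ "
    "/opt/nessus/bin/nessus -q -V -x ... --target-file /tmp/pf_nessus_192.168.2.15_2011-08-25 "
    "11:33:33.txt ... (pf::scan::runScan)"
)


def split_entries(raw):
    """Split run-together log text into one dict per entry."""
    text = " ".join(raw.split())  # undo hard wraps inside entries
    chunks = re.split(r"(?=" + HEADER + ")", text)
    return [m.groupdict() for m in (ENTRY.match(c.strip()) for c in chunks) if m]


def after_scan(entries, ip):
    """Return (scan_entry, entries logged after it) for the last scan of ip."""
    # Match the IP as a whole token so 192.168.2.1 does not match 192.168.2.15.
    ip_re = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?!\d)")
    idx = max((i for i, e in enumerate(entries)
               if e["sub"] == "pf::scan::runScan" and ip_re.search(e["msg"])),
              default=None)
    if idx is None:
        return None, []
    return entries[idx], entries[idx + 1:]


if __name__ == "__main__":
    scan, later = after_scan(split_entries(SAMPLE), "192.168.2.15")
    print("scan launched:", scan["ts"] if scan else "never")
    print("entries after scan launch:", len(later))
    for e in later:
        print(e["ts"], e["level"], e["sub"], e["msg"][:80])
```

An empty list of later entries means the excerpt stops at the point where the scanner was launched, so the outcome of the scan is not in it.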
