Hi all,
I'm starting to get to the point now where I'm looking to implement the snort
IDS that packetfence integrates with, but I have a question regarding the
way that the violations are triggered.
I'm fairly sure I understand how snort and packetfence integrate:
Snort contains several rulesets, eg. emerging-worm.rules, each one of these
contains several hundred entries, each one detailing a different worm
behavioural pattern, and an ID relating to each individual pattern.
Oinkmaster, when scheduled, will go off and update all of these rulesets with
the latest available updates.
Now this is where I get confused....
Ideally I would like packetfence to have a violation for a category, eg. Worm
infection, and this violation is triggered by ANY pattern matching the
behaviour within the relevant ruleset. However, each time I come to configure
this it always seems that it actually needs the individual pattern IDs, rather
than the all-encompassing ruleset. In my mind this could potentially mean that
there are thousands of individual IDs to be associated with each violation, and
then when oinkmaster updates the ruleset, the administrator needs to go to each
file and manually add in the new pattern IDs.
This seems like a huge admin burden, if I am indeed reading up on this in the
correct way. Is it possible to, for example, associate the 'Worm Infection'
violation with the emerging-worm.rules file, and have it then read the entire
ruleset into the violation?
Apologies if I have indeed got this wrong, I'm halfway through the snort admin
guide, and learning more about the way it works, but I think it's unlikely to
tell me exactly how it will tie in with Packetfence violations.
Cheers,
Andi
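The sync problem described above, as an added example that is not part of the original post: a small Python script that pulls the SIDs out of a Snort rules file, so the per-violation ID list can be regenerated after each Oinkmaster update instead of being maintained by hand. The sample rules and the `Detect::` trigger prefix are assumptions made for this example, not taken from PacketFence's own files; check the prefix against the violations.conf of the version in use.

```python
import re
from typing import List

# Constructed sample modelled on the layout of emerging-*.rules (not real rules).
SAMPLE_RULES = r"""
# Emerging Threats worm rules (constructed sample for this example)
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"ET WORM Example scan"; \
    flow:to_server; sid:2000001; rev:3; classtype:trojan-activity;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"ET WORM Disabled rule"; sid:2000002; rev:1;)
alert udp any any -> any 69 (msg:"ET WORM Example TFTP fetch"; sid:2000003; rev:2;)
alert tcp any any -> any 80 (msg:"ET WORM Duplicate sid, newer rev"; sid:2000003; rev:5;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def extract_sids(rules_text: str, include_disabled: bool = False) -> List[int]:
    """Return the unique Snort SIDs found in a rules file, in file order.

    Lines beginning with '#' are disabled rules (or comments) and are skipped
    unless include_disabled is set. Backslash-continued lines are joined first
    so a sid that sits on a continuation line is still found.
    """
    joined = re.sub(r"\\\s*\n\s*", " ", rules_text)  # join "\"-continued lines
    seen = set()
    sids = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or (line.startswith("#") and not include_disabled):
            continue
        for m in SID_RE.finditer(line):
            sid = int(m.group(1))
            if sid not in seen:  # a sid that appears twice is listed once
                seen.add(sid)
                sids.append(sid)
    return sids


def trigger_list(sids: List[int], prefix: str = "Detect::") -> str:
    """Render SIDs as a comma-separated trigger string.

    The 'Detect::' prefix is an assumption about violations.conf syntax.
    """
    return ",".join(f"{prefix}{s}" for s in sids)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    print(trigger_list(extract_sids(text)))
```

Running it against a real rules file (`python3 this_script.py emerging-worm.rules`) after each Oinkmaster run yields the current trigger list for that category's violation.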