Hi, I'm new to PacketFence and not extremely literate with Linux, though I've been experimenting with Linux off and on for a few years and have the basics.
I've recently set up a PacketFence server (3.5) to assist us in tracking down illegal P2P file-sharing at our student housing complex. My greatest concern is I'm having problems getting the P2P detection working in version 3.5. I had this feature working in a test environment with an earlier version of PacketFence, but I haven't been able to get it working in 3.5. Can anyone here please help or point me in the right direction?

To summarize, the problems I'm experiencing are:

1) I'm not confident the auto-register devices violation is working as expected.
2) pfdhcplistener service does not start.
3) P2P detection is not working.

Issue 1:
========

I'm not allowed to make users register their devices, so essentially I've configured our switches for port-security traps and enabled the auto-register violation to keep the devices in the normalVLAN for each switch. This appears to be working; however, the devices are all added to the nodes table as "unregistered". Is that normal? I would've thought that it would register the device, but perhaps because there is no user associated, it will always appear as unregistered? Here's the pertinent violations.conf info for the auto-register device violation:

violations.conf
================

[defaults]
priority=4
max_enable=3
actions=email,log
auto_enable=Y
enabled=N
grace=120m
window=0
button_text=Enable Network
snort_rules=local.rules,emerging-attack_response.rules,emerging-botcc.rules,emerging-exploit.rules,emerging-malware.rules,emerging-p2p.rules,emerging-scan.rules,emerging-shellcode.rules,emerging-trojan.rules,emerging-virus.rules,emerging-worm.rules
# vlan: The vlan parameter allows you to define in what vlan a node with a violation will be put in.
# accepted values are the vlan names: isolationVlan, normalVlan, registrationVlan, macDetectionVlan, guestVlan,
# customVlan1, customVlan2, customVlan3, customVlan4, customVlan5
# (see switches.conf)
vlan=isolationVlan
# if you add a category here, nodes in these categories will be immune to the violation
whitelisted_categories=

[1100007]
desc=Auto-register Device example
priority=1
trigger=OS::3,OS::6,OS::7,OS::8,OS::10,OS::12,OS::13
actions=autoreg,log
enabled=Y
window=
vclose=
url=
vlan=normalVlan

Issue 2:
========

The pfdhcplistener service does not appear to be running, but I am getting nodes added to the database with DHCP fingerprints. Should I be concerned that the service doesn't appear in the console as running?

Issue 3:
========

I have a test machine downloading a Linux ISO via BitTorrent, but Snort isn't creating a violation for this traffic. I have the "P2P Isolation (snort example)" violation enabled. I have a dedicated "monitor" interface connected to a span port on my Cisco 3550. I can perform an ifconfig on the machine and see that there's an enormous amount of traffic flowing to that interface (331.8GiB so far), so I'm pretty sure I have the span config correct on the 3550. The console reports that Snort is running. I've downloaded the latest rules using the /usr/local/pf/addons/snort/update_rules.pl script. The pertinent configuration info is below.

pf.conf
========

[interface span0]
type=dhcp-listener,monitor

[trapping]
detection=enabled

violations.conf
================

[defaults]
priority=4
max_enable=3
actions=email,log
auto_enable=Y
enabled=N
grace=120m
window=0
button_text=Enable Network
snort_rules=local.rules,emerging-attack_response.rules,emerging-botcc.rules,emerging-exploit.rules,emerging-malware.rules,emerging-p2p.rules,emerging-scan.rules,emerging-shellcode.rules,emerging-trojan.rules,emerging-virus.rules,emerging-worm.rules
# vlan: The vlan parameter allows you to define in what vlan a node with a violation will be put in.
# accepted values are the vlan names: isolationVlan, normalVlan, registrationVlan, macDetectionVlan, guestVlan,
# customVlan1, customVlan2, customVlan3, customVlan4, customVlan5
# (see switches.conf)
vlan=isolationVlan
# if you add a category here, nodes in these categories will be immune to the violation
whitelisted_categories=

[1100006]
desc=P2P Isolation (snort example)
url=/remediation.php?template=p2p
trigger=Detect::2001808,Detect::2000334,Detect::2000357,Detect::2000369,Detect::2000330,Detect::2000331,Detect::2000332,Detect::2000333,Detect::2001296,Detect::2001297,Detect::2001298,Detect::2001299,Detect::2001305,Detect::2001300,Detect::2001664,Detect::2002760,Detect::2002761,Detect::2001796,Detect::2001812
enabled=Y
window=
vclose=
vlan=normalVlan
grace=5m

Additionally, here's a little more about the environment. We're using all Cisco 3550 and 2950 Catalyst switches. Each building has a switch with its own "normal" VLAN, as well as the registration and isolation VLANs (2 & 3). The building VLANs are 101-112. Each building comes back to a switch in the MDF located in a centralized management building. The MDF switch has a cable modem attached in each VLAN so that each building has its own cable modem, and there is no routing between VLANs. The cable modems are handing out the DHCP addresses for each "normal" VLAN. The PacketFence server is the DHCP server for the registration and isolation VLANs (I created the registration VLAN even though it really isn't currently used in our scenario).

Thank you all, your help is greatly appreciated. Please let me know if more information is needed.
Sincerely,

---------------------------------------------------------------------------------------
Gavin Pyle | Network Engineer | Green River Community College
[email protected]

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
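One sanity check worth running before chasing the span port or the Snort process for Issue 3 is whether the Snort SIDs named in the P2P violation's trigger list actually exist in the rule files that [defaults] snort_rules loads. The script below is an added example and is not PacketFence code or anything from the original post: it parses a violations.conf fragment with the same shape as the one posted, collects every `sid:NNNN;` from the named rule files, and reports enabled violations whose Detect:: triggers point at a SID no loaded file defines. It assumes (as the posted config implies) that a Detect::<sid> trigger fires on a Snort alert carrying that SID; the config text and the two rule lines are constructed for the example, with 9999999 as a deliberately bogus SID, and the real rule files would be read from disk instead of the inline dictionary.

```python
"""Cross-check Detect:: triggers in a PacketFence-style violations.conf
against the Snort rule files listed under [defaults] snort_rules.
Added example, not PacketFence's own code."""
import configparser
import re

# Constructed violations.conf fragment modelled on the one in the post.
VIOLATIONS_CONF = """\
[defaults]
priority=4
actions=email,log
enabled=N
snort_rules=local.rules,emerging-p2p.rules
vlan=isolationVlan

[1100006]
desc=P2P Isolation (snort example)
trigger=Detect::2001808,Detect::2000334,Detect::9999999
enabled=Y
vlan=normalVlan

[1100007]
desc=Auto-register Device example
trigger=OS::3,OS::6
actions=autoreg,log
enabled=Y
vlan=normalVlan
"""

# Constructed stand-ins for the rule files; only the sid:NNNN; field matters here.
RULE_FILES = {
    "local.rules": "",
    "emerging-p2p.rules": (
        'alert tcp any any -> any any (msg:"constructed P2P rule A"; '
        'flow:established; sid:2001808; rev:4;)\n'
        'alert tcp any any -> any any (msg:"constructed P2P rule B"; '
        'sid:2000334; rev:8;)\n'
    ),
}

# Snort rule option syntax: sid:<number>;
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_violations(text):
    """Return {section: {key: value}}; full-line # comments are dropped."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def loaded_sids(defaults, rule_files):
    """Every SID defined in the files named by snort_rules (missing file = no SIDs)."""
    sids = set()
    for name in defaults.get("snort_rules", "").split(","):
        name = name.strip()
        if name:
            sids.update(int(m) for m in SID_RE.findall(rule_files.get(name, "")))
    return sids


def snort_triggers(violation):
    """Detect:: SIDs of one violation; OS::, DHCP-fingerprint and other kinds are ignored."""
    out = []
    for item in violation.get("trigger", "").split(","):
        kind, _, value = item.strip().partition("::")
        if kind == "Detect" and value.isdigit():
            out.append(int(value))
    return out


def check_violations(conf_text, rule_files):
    """{violation_id: [SIDs not present in any loaded rule file]} for enabled violations."""
    sections = parse_violations(conf_text)
    known = loaded_sids(sections.get("defaults", {}), rule_files)
    problems = {}
    for vid, violation in sections.items():
        if vid == "defaults" or violation.get("enabled", "N").upper() != "Y":
            continue
        missing = [s for s in snort_triggers(violation) if s not in known]
        if missing:
            problems[vid] = missing
    return problems


if __name__ == "__main__":
    for vid, missing in check_violations(VIOLATIONS_CONF, RULE_FILES).items():
        print(f"violation {vid}: Detect:: SIDs absent from loaded rules: {missing}")
```

A violation that lists only SIDs present in the loaded files can still stay silent if Snort never sees the traffic or its alert output is not reaching PacketFence, so this check rules out one cause (stale or renumbered rules after an update) rather than all of them.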
