Below are the logs in both scenarios.

With external Nessus server:

Jan 22 12:23:19 pfcmd.pl(916) INFO: New ID generated: 135887899994d373
(pf::util::generate_id)
Jan 22 12:23:19 pfcmd.pl(916) INFO: Instantiate a new vulnerability
scanning engine object of type pf::scan::nessus.
(pf::scan::instantiate_scan_engine)
Jan 22 12:23:23 pfcmd.pl(916) INFO: executing Nessus scan with this policy
PCI - Windows (pf::scan::nessus::startScan)
Jan 22 12:23:23 pfcmd.pl(916) INFO: Nessus is scanning 10.0.103.11
(pf::scan::nessus::startScan)
Jan 22 12:23:38 pfcmd.pl(916) INFO: Nessus is scanning 10.0.103.11
(pf::scan::nessus::startScan)
Jan 22 12:23:53 pfcmd.pl(916) INFO: Nessus is scanning 10.0.103.11
(pf::scan::nessus::startScan)
Jan 22 12:24:33 pfcmd.pl(916) INFO: Calling /usr/local/pf/bin/pfcmd manage
vclose 00:26:b9:c0:d3:73 1200001 (pf::scan::parse_scan_report)



With Nessus on the same box as PF:

Jan 22 10:18:56 pfcmd.pl(32387) INFO: Nessus is scanning 10.0.103.11
(pf::scan::nessus::startScan)
Jan 22 10:19:11 pfcmd.pl(32387) INFO: Nessus is scanning 10.0.103.11
(pf::scan::nessus::startScan)
Jan 22 10:19:15 pfdhcplistener(32230) INFO: 00:26:b9:c0:d3:73 requested an
IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with
last_dhcp = 2013-01-22 10:19:15,computername = ISTXN-CKSW,dhcp_fingerprint
= 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Jan 22 10:19:15 pfdhcplistener(32230) INFO: DHCPACK from 10.0.85.31
(00:15:17:5b:ff:0b) to host 00:26:b9:c0:d3:73 (10.0.103.11) for 300 seconds
(main::parse_dhcp_ack)
Jan 22 10:19:36 pfcmd.pl(32387) INFO: Calling violation_trigger for ip:
10.0.103.11, mac: 00:26:b9:c0:d3:73, type: nessus, trigger: 57608
(pf::scan::parse_scan_report)
Jan 22 10:19:37 pfcmd.pl(32387) INFO: calling '/usr/local/pf/bin/pfcmd
violation add vid=1100001,mac=00:26:b9:c0:d3:73,release_date=0' (trigger
nessus::57608) (pf::violation::violation_trigger)
Jan 22 10:19:37 pfcmd.pl(32504) INFO: pfcmd calling violation_add for
00:26:b9:c0:d3:73 (main::command_param)
Jan 22 10:19:37 pfcmd.pl(32504) INFO: grace expired on violation 1100001
for node 00:26:b9:c0:d3:73 (pf::violation::violation_add)
Jan 22 10:19:37 pfcmd.pl(32504) INFO: violation 1100001 added for
00:26:b9:c0:d3:73 (pf::violation::violation_add)
Jan 22 10:19:37 pfcmd.pl(32504) INFO: executing action 'email' on class
1100001 (pf::action::action_execute)
Jan 22 10:19:38 pfcmd.pl(32504) INFO: email regarding 'PF Alert: Nessus
Scan detection on 00:26:b9:c0:d3:73' sent to
txpf01@localhost(pf::util::pfmailer)
Jan 22 10:19:38 pfcmd.pl(32504) INFO: executing action 'log' on class
1100001 (pf::action::action_execute)
Jan 22 10:19:38 pfcmd.pl(32504) INFO: /usr/local/pf/logs/violation.log
2013-01-22 10:19:38: Nessus Scan (1100001) detected on node
00:26:b9:c0:d3:73 (10.0.103.11) (pf::action::action_log)
Jan 22 10:19:38 pfcmd.pl(32504) INFO: executing action 'trap' on class
1100001 (pf::action::action_execute)



On Tue, Jan 22, 2013 at 12:31 PM, siddhartha mukkamala <
[email protected]> wrote:

> I finally gave up using the external Nessus server and installed Nessus on the
> same PF box, and it worked perfectly fine. The only other difference is that
> the external Nessus server is V4.4 and the new one I installed is V5.2.
>
> Do we have to make any changes for PacketFence to work with an external
> Nessus server? It's scheduling the scan on the external server and
> deleting those reports after the scan is completed, as specified in
> nessus.pm, but not parsing the report.
>
>
>
>
> On Mon, Jan 21, 2013 at 5:30 PM, siddhartha mukkamala <
> [email protected]> wrote:
>
>> Seems like when we connect a host, PF is launching the Nessus scan using
>> XMLRPC, scanning the host, and deleting the scan report from the external
>> Nessus server, but failing to trigger violations. Where does the PF server
>> store the downloaded Nessus report? Is there a way to debug the flow?
>>
>> I commented out the lines below in nessus.pm to check the report on the
>> Nessus server for plugin IDs. It seems like pf::scan::parse_scan_report
>> failed to trigger the violations based on the plugin_ids. Can someone
>> help?
>>
>>     # Get the report
>>     $this->{'_report'} = $n->report_filenbe_download($scanid);
>>     # Remove report on the server and logout from nessus
>>     #$n->report_delete($scanid);
>>     #$n->DESTROY;
>>     # Clean the report
>>     $this->{'_report'} = [ split("\n", $this->{'_report'}) ];
>>
>>     pf::scan::parse_scan_report($this);
>>
>>
>>
>> --
>> Siddhartha
>
>
>
>
> --
> Siddhartha




-- 
Siddhartha
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
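
Added example, not part of the original message and not PacketFence code: a standalone check that lists the plugin IDs in an NBE-format report (the format fetched by report_filenbe_download above) and reports whether any of them equals a configured trigger ID. The function names, status strings and sample report are constructed for illustration; only the IP address and trigger ID 57608 are taken from the logs in this thread.

```python
from collections import defaultdict

# Constructed sample in NBE layout (pipe-delimited). Only the IP and the
# trigger ID 57608 come from the logs above; everything else is made up.
SAMPLE_NBE = """\
timestamps|||scan_start|Tue Jan 22 10:18:50 2013|
results|10.0.103|10.0.103.11|general/tcp|19506|Security Note|constructed text
results|10.0.103|10.0.103.11|cifs (445/tcp)|57608|Security Warning|constructed text
results|10.0.103|10.0.103.11|cifs (445/tcp)
timestamps|||scan_end|Tue Jan 22 10:19:30 2013|
"""


def plugin_hits(report_text):
    """Map host -> set of plugin IDs found in 'results' rows."""
    hits = defaultdict(set)
    for line in report_text.splitlines():
        # results|subnet|host|port|plugin_id|severity|description
        fields = line.split("|")
        if fields[0] != "results" or len(fields) < 5:
            continue  # timestamps rows, open-port rows with no plugin, noise
        plugin_id = fields[4].strip()
        if plugin_id.isdigit():
            hits[fields[2]].add(plugin_id)
    return dict(hits)


def matched_triggers(report_text, trigger_ids):
    """Map host -> sorted plugin IDs that are also configured trigger IDs."""
    wanted = {str(t) for t in trigger_ids}
    found = {}
    for host, ids in plugin_hits(report_text).items():
        if ids & wanted:
            found[host] = sorted(ids & wanted, key=int)
    return found


def diagnose(report_text, trigger_ids):
    """Name the stage at which a report would yield no violation."""
    if not report_text.strip():
        return "empty"              # nothing was downloaded
    if not plugin_hits(report_text):
        return "no-results-rows"    # not NBE, or no findings at all
    if not matched_triggers(report_text, trigger_ids):
        return "no-trigger-match"   # findings exist, none is a trigger
    return "match"


if __name__ == "__main__":
    print(diagnose(SAMPLE_NBE, [57608]), matched_triggers(SAMPLE_NBE, [57608]))
```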
