Hello Siddhartha,
You can try to add:
$logger->warn($this->{'_report'});
just after
# Clean the report
And look at the packetfence.log file.
Regards
On 2013-01-22 13:47, siddhartha mukkamala wrote:
Below are the logs in both scenarios
with External Nessus Server:
Jan 22 12:23:19 pfcmd.pl(916) INFO: New ID generated: 135887899994d373 (pf::util::generate_id)
Jan 22 12:23:19 pfcmd.pl(916) INFO: Instantiate a new vulnerability scanning engine object of type pf::scan::nessus. (pf::scan::instantiate_scan_engine)
Jan 22 12:23:23 pfcmd.pl(916) INFO: executing Nessus scan with this policy PCI - Windows (pf::scan::nessus::startScan)
Jan 22 12:23:23 pfcmd.pl(916) INFO: Nessus is scanning 10.0.103.11 (pf::scan::nessus::startScan)
Jan 22 12:23:38 pfcmd.pl(916) INFO: Nessus is scanning 10.0.103.11 (pf::scan::nessus::startScan)
Jan 22 12:23:53 pfcmd.pl(916) INFO: Nessus is scanning 10.0.103.11 (pf::scan::nessus::startScan)
Jan 22 12:24:33 pfcmd.pl(916) INFO: Calling /usr/local/pf/bin/pfcmd manage vclose 00:26:b9:c0:d3:73 1200001 (pf::scan::parse_scan_report)
With Nessus on the same box as PF
Jan 22 10:18:56 pfcmd.pl(32387) INFO: Nessus is scanning 10.0.103.11 (pf::scan::nessus::startScan)
Jan 22 10:19:11 pfcmd.pl(32387) INFO: Nessus is scanning 10.0.103.11 (pf::scan::nessus::startScan)
Jan 22 10:19:15 pfdhcplistener(32230) INFO: 00:26:b9:c0:d3:73 requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2013-01-22 10:19:15,computername = ISTXN-CKSW,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Jan 22 10:19:15 pfdhcplistener(32230) INFO: DHCPACK from 10.0.85.31 (00:15:17:5b:ff:0b) to host 00:26:b9:c0:d3:73 (10.0.103.11) for 300 seconds (main::parse_dhcp_ack)
Jan 22 10:19:36 pfcmd.pl(32387) INFO: Calling violation_trigger for ip: 10.0.103.11, mac: 00:26:b9:c0:d3:73, type: nessus, trigger: 57608 (pf::scan::parse_scan_report)
Jan 22 10:19:37 pfcmd.pl(32387) INFO: calling '/usr/local/pf/bin/pfcmd violation add vid=1100001,mac=00:26:b9:c0:d3:73,release_date=0' (trigger nessus::57608) (pf::violation::violation_trigger)
Jan 22 10:19:37 pfcmd.pl(32504) INFO: pfcmd calling violation_add for 00:26:b9:c0:d3:73 (main::command_param)
Jan 22 10:19:37 pfcmd.pl(32504) INFO: grace expired on violation 1100001 for node 00:26:b9:c0:d3:73 (pf::violation::violation_add)
Jan 22 10:19:37 pfcmd.pl(32504) INFO: violation 1100001 added for 00:26:b9:c0:d3:73 (pf::violation::violation_add)
Jan 22 10:19:37 pfcmd.pl(32504) INFO: executing action 'email' on class 1100001 (pf::action::action_execute)
Jan 22 10:19:38 pfcmd.pl(32504) INFO: email regarding 'PF Alert: Nessus Scan detection on 00:26:b9:c0:d3:73' sent to txpf01@localhost (pf::util::pfmailer)
Jan 22 10:19:38 pfcmd.pl(32504) INFO: executing action 'log' on class 1100001 (pf::action::action_execute)
Jan 22 10:19:38 pfcmd.pl(32504) INFO: /usr/local/pf/logs/violation.log 2013-01-22 10:19:38: Nessus Scan (1100001) detected on node 00:26:b9:c0:d3:73 (10.0.103.11) (pf::action::action_log)
Jan 22 10:19:38 pfcmd.pl(32504) INFO: executing action 'trap' on class 1100001 (pf::action::action_execute)
On Tue, Jan 22, 2013 at 12:31 PM, siddhartha mukkamala wrote:
I finally gave up using external nessus server and installed
nessus on the same PF box and it worked perfectly fine. The only
other difference is that the external nessus server is V4.4 and
the new one I installed is V5.2.
Do we have to make any changes for PacketFence to work with an
external nessus server - it's scheduling the scan on the
external server and deleting those reports after the scan is
completed as specified in nessus.pm but not
parsing the report?
On Mon, Jan 21, 2013 at 5:30 PM, siddhartha mukkamala wrote:
Seems like when we connect a host, PF is launching the nessus
scan using XMLRPC and scanning the host and deleting the scan
report from the external nessus server but failing to trigger
violations. Where does the PF server store the downloaded
nessus report? Is there a way to debug the flow?
I commented out the below lines in nessus.pm
to check the report on the nessus server for
plugin ids; it seems like pf::scan::parse_scan_report failed
to trigger the violations based on the plugin_ids. Can someone
help...
# Get the report
$this->{'_report'} = $n->report_filenbe_download($scanid);
# Remove report on the server and logout from nessus
#$n->report_delete($scanid);
#$n->DESTROY;
# Clean the report
$this->{'_report'} = [ split("\n", $this->{'_report'}) ];
pf::scan::parse_scan_report($this);
--
Siddhartha
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
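
An added example, not part of the original thread and not PacketFence code: a Python triage script that reads packetfence.log and reports, per pfcmd.pl process, whether a Nessus scan ended in a violation_trigger call or only in a vclose call, which is the difference between the two log excerpts quoted above. It assumes every log entry sits on one line (the excerpts in the mail are wrapped); the function name and the outcome labels are illustrative.

```python
import re

# Constructed sample: entries taken from the thread's excerpts, one per line.
SAMPLE_LOG = """\
Jan 22 12:23:23 pfcmd.pl(916) INFO: Nessus is scanning 10.0.103.11 (pf::scan::nessus::startScan)
Jan 22 12:23:38 pfcmd.pl(916) INFO: Nessus is scanning 10.0.103.11 (pf::scan::nessus::startScan)
Jan 22 12:24:33 pfcmd.pl(916) INFO: Calling /usr/local/pf/bin/pfcmd manage vclose 00:26:b9:c0:d3:73 1200001 (pf::scan::parse_scan_report)
Jan 22 10:19:11 pfcmd.pl(32387) INFO: Nessus is scanning 10.0.103.11 (pf::scan::nessus::startScan)
Jan 22 10:19:15 pfdhcplistener(32230) INFO: DHCPACK from 10.0.85.31 (00:15:17:5b:ff:0b) to host 00:26:b9:c0:d3:73 (10.0.103.11) for 300 seconds (main::parse_dhcp_ack)
Jan 22 10:19:36 pfcmd.pl(32387) INFO: Calling violation_trigger for ip: 10.0.103.11, mac: 00:26:b9:c0:d3:73, type: nessus, trigger: 57608 (pf::scan::parse_scan_report)
"""

# timestamp, process(pid), level, message, trailing "(package::sub)" tag
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (?P<proc>[\w.]+)\((?P<pid>\d+)\) \w+: "
                  r"(?P<msg>.*) \((?P<sub>[\w:]+)\)$")
SCANNING = re.compile(r"Nessus is scanning (\S+)")
TRIGGER = re.compile(r"type: nessus, trigger: (\d+)")
VCLOSE = re.compile(r"pfcmd manage vclose (\S+) (\d+)")

def summarize_scans(log_text):
    """Return {pid: run} describing how each Nessus scan run ended."""
    runs = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped fragment or unrelated line
        pid, msg, sub = m["pid"], m["msg"], m["sub"]
        if sub == "pf::scan::nessus::startScan" and (s := SCANNING.search(msg)):
            run = runs.setdefault(
                pid, {"ip": s.group(1), "polls": 0, "triggers": [], "vclose": False})
            run["polls"] += 1
        elif sub == "pf::scan::parse_scan_report" and pid in runs:
            if (t := TRIGGER.search(msg)):
                runs[pid]["triggers"].append(t.group(1))  # plugin id that fired
            elif VCLOSE.search(msg):
                runs[pid]["vclose"] = True
    for run in runs.values():
        if run["triggers"]:
            run["outcome"] = "violation"
        elif run["vclose"]:
            run["outcome"] = "closed-without-trigger"
        else:
            run["outcome"] = "no-parse-result"
    return runs

if __name__ == "__main__":
    for pid, run in summarize_scans(SAMPLE_LOG).items():
        print(pid, run["ip"], run["outcome"], run["triggers"])
```

A run labelled closed-without-trigger for a host that a scan with the same policy flags elsewhere is the symptom described in this thread, and is the point at which dumping $this->{'_report'} as suggested above is worthwhile.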