Alex,
After issuing /etc/init.d/snort status, I receive the following:
root@packetfence:~# /etc/init.d/snort status
Status of snort daemon(s): eth1 OK.
root@packetfence:~#
So it seems that snort is running. Also, below is the output to
/var/log/messages and /usr/local/pf/logs/violation.log.
/var/log/messages:
May 6 10:51:12 packetfence kernel: [ 22.975762] Bridge firewalling registered
May 6 10:51:12 packetfence kernel: [ 23.080140] Bluetooth: SCO (Voice Link) ver 0.6
May 6 10:51:12 packetfence kernel: [ 23.080145] Bluetooth: SCO socket layer initialized
May 6 10:51:13 packetfence kernel: [ 23.680618] lp0: using parport0 (interrupt-driven).
May 6 10:51:13 packetfence kernel: [ 23.862666] ppdev: user-space parallel port driver
May 6 10:51:22 packetfence kernel: [ 33.089249] ip_set version 4 loaded
May 6 10:51:39 packetfence kernel: [ 49.825421] ip_tables: (C) 2000-2006 Netfilter Core Team
May 6 10:51:40 packetfence kernel: [ 50.700955] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
May 6 10:51:40 packetfence kernel: [ 50.702079] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
May 6 10:51:40 packetfence kernel: [ 50.702084] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
May 6 10:51:40 packetfence kernel: [ 50.702087] sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
May 6 10:52:04 packetfence kernel: [ 74.627188] device eth1 entered promiscuous mode
May 6 10:52:04 packetfence kernel: [ 74.691502] device eth0 entered promiscuous mode
May 6 11:13:03 packetfence kernel: [ 1334.081959] device eth0 left promiscuous mode
May 6 11:13:06 packetfence kernel: [ 1336.547990] device eth1 left promiscuous mode
May 6 11:13:22 packetfence kernel: [ 1352.517630] device eth1 entered promiscuous mode
May 6 11:13:22 packetfence kernel: [ 1352.548374] device eth0 entered promiscuous mode
May 7 07:53:30 packetfence rsyslogd: [origin software="rsyslogd" swVersion="4.6.4" x-pid="1082" x-info="http://www.rsyslog.com"] rsyslogd was HUPed, type '$
May 7 08:53:08 packetfence kernel: [79339.256147] e1000e: eth1 NIC Link is Down
May 7 08:53:12 packetfence kernel: [79342.956962] e1000e: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
violations.log:
2013-05-07 09:41:16: Disable NATing Routers and APs (1100008) detected on node xx:xx:xx:xx:xx:xx (172.16.1.116)
I just received my first violation this a.m. about the NAT routers, so it
looks like some violations are working properly, but still nothing when I
try to run bittorrents. Also, as you can see, it doesn't look like anything
about snort is showing up inside /var/log/messages.
Joe
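A small configuration check for the three settings this thread keeps coming back to (detection=enabled and detection_engine=snort under [trapping], and an interface whose type includes monitor). This is an added example, not code from the thread or from PacketFence; the sample pf.conf is constructed from the [interface eth1] and [trapping] sections posted above, and the check only looks at the key names the thread itself names.

```python
import configparser

# Constructed sample: the [interface eth1] and [trapping] sections posted in
# the thread (management interface, database and alerting sections omitted).
SAMPLE_PF_CONF = """\
[interface eth1]
enforcement=inline
ip=10.250.0.10
type=internal,monitor
mask=255.255.248.0

[trapping]
range=10.250.0.0/21
redirecturl=
detection=enabled
"""


def parse_pf_conf(text):
    """pf.conf is INI-style; keep option names case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def monitor_interfaces(cp):
    """Names of [interface X] sections whose type list contains 'monitor'."""
    found = []
    for section in cp.sections():
        if not section.startswith("interface "):
            continue
        types = [t.strip() for t in cp[section].get("type", "").split(",")]
        if "monitor" in types:
            found.append(section.split(" ", 1)[1])
    return found


def check_snort_detection(text):
    """Return the settings the thread asks about that are absent or wrong."""
    cp = parse_pf_conf(text)
    trapping = cp["trapping"] if cp.has_section("trapping") else {}
    findings = []
    if trapping.get("detection", "").strip() != "enabled":
        findings.append("[trapping] detection is not 'enabled'")
    if trapping.get("detection_engine", "").strip() != "snort":
        findings.append("[trapping] detection_engine=snort is missing")
    if not monitor_interfaces(cp):
        findings.append("no [interface] section has 'monitor' in type=")
    return findings
```

Run against the posted sections it reports only the detection_engine line as absent; adding that line under [trapping] makes the check pass.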
On Tue, May 7, 2013 at 9:41 AM, Alex Kisakye <[email protected]> wrote:
> Hello,
> Have you looked at /var/log/messages and /usr/local/pf/logs/violation.log?
> Snort will normally log information there if it sees something.
> You could start your torrent app and see if anything appears in
> /var/log/messages or /usr/local/pf/logs/violation.log.
> I know you mentioned that snort is running but can you run
> /etc/init.d/snortd status ...just to be sure.
>
> Alex
>
> On 5/7/2013 1:18 AM, Joe Arcidiacono wrote:
>
> Hi Alex,
>
> Thanks for taking the time to look at my config. Below is the pf.conf
> output. If you need to view any other files just let me know and I'll post
> them. Thanks again.
>
> [interface eth1]
> enforcement=inline
> ip=10.250.0.10
> type=internal,monitor
> mask=255.255.248.0
>
> [interface eth0]
> ip=172.16.4.58
> type=management
> mask=255.255.0.0
> enforcement=
>
> [database]
> pass=my_password
>
> [general]
> dhcpservers=127.0.0.1,172.16.4.9
> domain=mydomain.local
> dnsservers=172.16.4.1
> timezone=America/Eastern
>
> [alerting]
> [email protected]
> [email protected]
> smtpserver=x.x.x.x
>
> [guests_self_registration]
> modes=sms
> access_duration=1D
> allow_localdomain=disabled
>
> [expire]
> node=1D
> iplog=3D
> traplog=3D
> locationlog=5D
>
> [registration]
> range=10.250.0.0/21
> expire_mode=window
> maxnodes=1
> nbregpages=1
>
> [trapping]
> range=10.250.0.0/21
> redirecturl=
> detection=enabled
>
> [inline]
> interfaceSNAT=
>
>
>
> On Mon, May 6, 2013 at 3:15 PM, Alex Kisakye <[email protected]> wrote:
>
>> Hello,
>> A copy of your pf.conf should help us see what you missed.
>>
>> Alex
>> ----- Original Message -----
>> From: Joe Arcidiacono <[email protected]>
>> To: [email protected]
>> Sent: Mon, 06 May 2013 16:23:11 +0300 (EAT)
>> Subject: Re: [PacketFence-users] Packetfence 3.6.1 Snort help
>>
>> Hi Fabrice,
>>
>> Thank you for getting back to me. To answer your question, yes, I have set
>> detection=enabled as well as detection_engine=snort. Snort and pfdetect are
>> running. As a matter of fact, all services are running with the exception
>> of radius (which is fine since I'm not using it at the moment anyway). If I
>> start downloading a Ubuntu torrent file on my guest network, my P2P traffic
>> is not being trapped by packetfence. I've tried everything I can think of
>> with no success. Any help or suggestions would be greatly appreciated.
>> Thank you again.
>>
>> Joe
>>
>> On Mon, May 6, 2013 at 8:37 AM, Fabrice DURAND <[email protected]>
>> wrote:
>>
>> > Hi,
>> > did you set:
>> > [trapping]
>> > detection=enabled
>> > detection_engine=snort
>> >
>> > If yes, did snort start when you tried to launch packetfence?
>> > Is pfdetect running ?
>> >
>> > Regards
>> > Fabrice
>> >
>> > On 2013-05-03 19:59, Joe Arcidiacono wrote:
>> >
>> > Hey All,
>> >
>> > I'm implementing inline enforcement (NAT) with Packetfence version 3.6.1
>> > and am having a lot of trouble trying to get snort to trap violations on
>> > my internal network. This network is going to be used for guest wireless
>> > access only. Captive Portal and self registration work perfectly; however,
>> > I noticed that no trap violations are being generated. I'm using a Meru
>> > MC3200 controller for wireless connectivity. I have a physical server
>> > running Debian Squeeze that has 2 NICs. NIC 1 is my management NIC with IP
>> > 172.16.x.x/16. NIC 2 is assigned 10.250.x.x/21 for the guest wireless
>> > network. All guests who receive an IP address have NIC 2's interface as
>> > the gateway address. I have set trapping=enabled as well as assigned the
>> > "monitor" option to my 10.250 NIC and enabled P2P violations. When I issue
>> > the command "snort -i eth1 -v" (eth0 is my 172.16.x.x management card) I
>> > can see all of the traffic flowing through, but for some reason snort will
>> > not pick up on any violations. I ran the update_rules.pl script to make
>> > sure the rules were updated, to no avail. I believe I am missing an
>> > important step or 2. Does the snort.conf file have to be edited somehow?
>> > If so, do I edit the /usr/local/pf/conf/snort.conf file or the
>> > /etc/snort/snort.conf file? Also, what would need to be edited to get the
>> > traps working? I have read the Admin guide for 3.6.1 at least 30 times but
>> > with no luck. Any advice would be much appreciated. I thank you ahead of
>> > time for any suggestions.
>> >
>> > Joe
>> >
>> > --
>> > Fabrice [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>> > Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>> >
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users