Hello,
I am running PacketFence on CentOS and a lot of Snort info gets logged to /var/log/messages; I am not sure if it is just a Debian thing that the messages log is clean. One other test we could do is eliminate your switch and just plug the LAN cable from the server directly into your laptop.
Start your torrent and see if you see anything in the violation log.
Let's also cross-check /etc/init.d/packetfence status.

Alex
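The checks raised in this thread (Fabrice's detection=enabled and detection_engine=snort questions, the "monitor" interface type, and what violation.log actually contains) can be scripted. The following is an added example, not code from the thread or from PacketFence itself. Its pf.conf sample is modelled on the one Joe posted, with detection_engine left out so the checker has something to report; the violation.log sample reuses the line from the thread plus a constructed second line whose violation id (9990001) is a placeholder. It reports which of the settings the sample lacks and which logged violations come from the trapping range.

```python
"""Scripted version of the checks asked for in this thread: is Snort detection
configured in pf.conf, and what does violation.log actually contain?

Added example; not PacketFence code. Section and key names come from the pf.conf
posted in the thread; all sample data below is constructed."""
import configparser
import ipaddress
import re
from datetime import datetime

# Constructed pf.conf, modelled on the one posted in the thread.
# detection_engine is deliberately absent so the checker has something to report.
SAMPLE_PF_CONF = """\
[interface eth1]
enforcement=inline
ip=10.250.0.10
type=internal,monitor
mask=255.255.248.0

[interface eth0]
ip=172.16.4.58
type=management
mask=255.255.0.0
enforcement=

[trapping]
range=10.250.0.0/21
redirecturl=
detection=enabled
"""

# Constructed violation.log: line 1 is the one from the thread (MAC masked as
# posted); line 2 is a placeholder with a made-up violation id.
SAMPLE_VIOLATION_LOG = """\
2013-05-07 09:41:16: Disable NATing Routers and APs (1100008) detected on node xx:xx:xx:xx:xx:xx (172.16.1.116)
2013-05-07 10:02:03: Placeholder P2P violation (9990001) detected on node aa:bb:cc:dd:ee:ff (10.250.0.42)
"""


def check_detection_config(pf_conf_text):
    """Return findings (strings) for the settings asked about in the thread.
    An empty list means all three checks passed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(pf_conf_text)
    findings = []
    trapping = cp["trapping"] if cp.has_section("trapping") else {}
    if trapping.get("detection", "").strip().lower() != "enabled":
        findings.append("[trapping] detection is not 'enabled'")
    if trapping.get("detection_engine", "").strip().lower() != "snort":
        findings.append("[trapping] detection_engine is not 'snort'")
    # Snort listens on an interface flagged 'monitor'; type is a comma-separated list.
    monitors = [
        s for s in cp.sections()
        if s.startswith("interface ")
        and "monitor" in [t.strip() for t in cp[s].get("type", "").split(",")]
    ]
    if not monitors:
        findings.append("no [interface ...] section has 'monitor' in its type")
    return findings


# Matches the violation.log line shape shown in the thread.
VIOLATION_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (?P<name>.+) \((?P<vid>\d+)\) "
    r"detected on node (?P<mac>\S+) \((?P<ip>[\d.]+)\)$"
)


def parse_violation_log(text):
    """Parse violation.log lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = VIOLATION_RE.match(line.strip())
        if not m:
            continue  # unrelated or truncated line; skip rather than crash
        events.append({
            "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "name": m["name"],
            "vid": int(m["vid"]),
            "mac": m["mac"].lower(),
            "ip": m["ip"],
        })
    return events


def events_in_range(events, cidr):
    """Keep only events whose node IP lies inside the given trapping range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [e for e in events if ipaddress.ip_address(e["ip"]) in net]


if __name__ == "__main__":
    for finding in check_detection_config(SAMPLE_PF_CONF) or ["pf.conf detection settings look complete"]:
        print(finding)
    events = parse_violation_log(SAMPLE_VIOLATION_LOG)
    # '10.250.0.0/21' is the [trapping] range from the sample pf.conf above.
    print(f"{len(events)} violation(s) parsed, "
          f"{len(events_in_range(events, '10.250.0.0/21'))} from the trapping range")
```

Point `check_detection_config` at the real /usr/local/pf/conf/pf.conf and `parse_violation_log` at /usr/local/pf/logs/violation.log to repeat the checks on a live box; the range filter shows at a glance whether a logged violation came from the guest subnet Snort is supposed to be watching or from elsewhere.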
On 5/7/2013 6:01 PM, Joe Arcidiacono wrote:
Alex,



After issuing /etc/init.d/snort status, I receive the following:
root@packetfence:~# /etc/init.d/snort status
Status of snort daemon(s):  eth1  OK.
root@packetfence:~#

So it seems that snort is running. Also, below is the output of /var/log/messages and /usr/local/pf/logs/violation.log.


/var/log/messages:

May  6 10:51:12 packetfence kernel: [   22.975762] Bridge firewalling registered
May  6 10:51:12 packetfence kernel: [   23.080140] Bluetooth: SCO (Voice Link) ver 0.6
May  6 10:51:12 packetfence kernel: [   23.080145] Bluetooth: SCO socket layer initialized
May  6 10:51:13 packetfence kernel: [   23.680618] lp0: using parport0 (interrupt-driven).
May  6 10:51:13 packetfence kernel: [   23.862666] ppdev: user-space parallel port driver
May  6 10:51:22 packetfence kernel: [   33.089249] ip_set version 4 loaded
May  6 10:51:39 packetfence kernel: [   49.825421] ip_tables: (C) 2000-2006 Netfilter Core Team
May  6 10:51:40 packetfence kernel: [   50.700955] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
May  6 10:51:40 packetfence kernel: [   50.702079] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
May  6 10:51:40 packetfence kernel: [   50.702084] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
May  6 10:51:40 packetfence kernel: [   50.702087] sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
May  6 10:52:04 packetfence kernel: [   74.627188] device eth1 entered promiscuous mode
May  6 10:52:04 packetfence kernel: [   74.691502] device eth0 entered promiscuous mode
May  6 11:13:03 packetfence kernel: [ 1334.081959] device eth0 left promiscuous mode
May  6 11:13:06 packetfence kernel: [ 1336.547990] device eth1 left promiscuous mode
May  6 11:13:22 packetfence kernel: [ 1352.517630] device eth1 entered promiscuous mode
May  6 11:13:22 packetfence kernel: [ 1352.548374] device eth0 entered promiscuous mode
May  7 07:53:30 packetfence rsyslogd: [origin software="rsyslogd" swVersion="4.6.4" x-pid="1082" x-info="http://www.rsyslog.com"] rsyslogd was HUPed, type '$
May  7 08:53:08 packetfence kernel: [79339.256147] e1000e: eth1 NIC Link is Down
May  7 08:53:12 packetfence kernel: [79342.956962] e1000e: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None



violation.log:

2013-05-07 09:41:16: Disable NATing Routers and APs (1100008) detected on node xx:xx:xx:xx:xx:xx (172.16.1.116)


I just received my first violation this AM about the NAT routers, so it looks like some violations are working properly, but still nothing when I try to run BitTorrent. Also, as you can see, it doesn't look like anything about Snort is showing up inside /var/log/messages.




Joe


On Tue, May 7, 2013 at 9:41 AM, Alex Kisakye <[email protected]> wrote:

    Hello,
    Have you looked at /var/log/messages and
    /usr/local/pf/logs/violation.log?
    Snort will normally log information there if it sees something.
    You could start your torrent app and see if anything appears in
    /var/log/messages or /usr/local/pf/logs/violation.log.
    I know you mentioned that snort is running, but can you run
    /etc/init.d/snortd status, just to be sure.

    Alex

    On 5/7/2013 1:18 AM, Joe Arcidiacono wrote:
    Hi Alex,



    Thanks for taking the time to look at my config. Below is the
    pf.conf output. If you need to view any other files just let me
    know and I'll post them. Thanks again.






    [interface eth1]
    enforcement=inline
    ip=10.250.0.10
    type=internal,monitor
    mask=255.255.248.0

    [interface eth0]
    ip=172.16.4.58
    type=management
    mask=255.255.0.0
    enforcement=

    [database]
    pass=my_password

    [general]
    dhcpservers=127.0.0.1,172.16.4.9
    domain=mydomain.local
    dnsservers=172.16.4.1
    timezone=America/Eastern

    [alerting]
    [email protected]
    [email protected]
    smtpserver=x.x.x.x

    [guests_self_registration]
    modes=sms
    access_duration=1D
    allow_localdomain=disabled

    [expire]
    node=1D
    iplog=3D
    traplog=3D
    locationlog=5D

    [registration]
    range=10.250.0.0/21
    expire_mode=window
    maxnodes=1
    nbregpages=1

    [trapping]
    range=10.250.0.0/21
    redirecturl=
    detection=enabled

    [inline]
    interfaceSNAT=



    On Mon, May 6, 2013 at 3:15 PM, Alex Kisakye <[email protected]> wrote:

        Hello,
        A copy of your pf.conf should help us see what you missed.

        Alex
        ----- Original Message -----
        From: Joe Arcidiacono <[email protected]>
        To: [email protected]
        Sent: Mon, 06 May 2013 16:23:11 +0300 (EAT)
        Subject: Re: [PacketFence-users] Packetfence 3.6.1 Snort help

        Hi Fabrice,



        Thank you for getting back to me. To answer your question, yes, I have set
        detection=enabled as well as detection_engine=snort. Snort and pfdetect are
        running. As a matter of fact, all services are running with the exception
        of radius (which is fine since I'm not using it at the moment anyway). If I
        start downloading an Ubuntu torrent file on my guest network, my P2P traffic
        is not being trapped by packetfence. I've tried everything I can think of
        with no success. Any help or suggestions would be greatly appreciated.
        Thank you again.



        Joe


        On Mon, May 6, 2013 at 8:37 AM, Fabrice DURAND <[email protected]> wrote:

        > Hi,
        > did you set:
        > [trapping]
        > detection=enabled
        > detection_engine=snort
        >
        > If yes, did snort start when you tried to launch packetfence?
        > Is pfdetect running ?
        >
        > Regards
        > Fabrice
        >
        > On 2013-05-03 19:59, Joe Arcidiacono wrote:
        >
        > Hey All,
        >
        > I'm implementing inline enforcement (NAT) with Packetfence version 3.6.1 and
        > am having a lot of trouble trying to get snort to trap violations on my
        > internal network. This network is going to be used for guest wireless
        > access only. Captive Portal and self registration work perfectly; however,
        > I noticed that no trap violations are being generated. I'm using a Meru
        > MC3200 controller for wireless connectivity. I have a physical server
        > running Debian Squeeze that has 2 NICs. NIC 1 is my management NIC with IP
        > 172.16.x.x/16. NIC 2 is assigned 10.250.x.x/21 for the guest wireless
        > network. All guests who receive an IP address have NIC 2's interface as the
        > gateway address. I have set trapping=enabled as well as assigned the
        > "monitor" option to my 10.250 NIC and enabled P2P violations. When I issue
        > the command "snort -i eth1 -v" (eth0 is my 172.16.x.x management card) I
        > can see all of the traffic flowing through, but for some reason snort will
        > not pick up on any violations. I ran the update_rules.pl script to make
        > sure the rules were updated, to no avail. I believe I am missing an
        > important step or 2.
        > Does the snort.conf file have to be edited somehow? If so, do I edit the
        > /usr/local/pf/conf/snort.conf file or the /etc/snort/snort.conf file?
        > Also, what would need to be edited to get the traps working? I have read
        > the Admin guide for 3.6.1 at least 30 times but with no luck. Any advice
        > would be much appreciated. I thank you ahead of time for any suggestions.
        >
        > Joe
        >
        
        > ------------------------------------------------------------------------------
        > Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
        > Get 100% visibility into your production application - at no cost.
        > Code-level diagnostics for performance bottlenecks with <2% overhead
        > Download for free and get started troubleshooting in minutes.
        > http://p.sf.net/sfu/appdyn_d2d_ap1
        > _______________________________________________
        > PacketFence-users mailing list
        > [email protected]
        > http://lists.sourceforge.net/lists/listinfo/packetfence-users
        >
        > --
        > Fabrice [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
        > Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
        >
        


        
        ------------------------------------------------------------------------------
        Learn Graph Databases - Download FREE O'Reilly Book
        "Graph Databases" is the definitive new guide to graph databases and
        their applications. This 200-page book is written by three acclaimed
        leaders in the field. The early access version is available now.
        Download your free book today!
        http://p.sf.net/sfu/neotech_d2d_may
        _______________________________________________
        PacketFence-users mailing list
        [email protected]
        https://lists.sourceforge.net/lists/listinfo/packetfence-users




    